Business

European court dismisses Irish watchdog’s case against EU data board

Ruling likely to fuel further criticism of Data Protection Commission’s enforcement of GDPR against US tech companies

Wednesday’s judgment has its origins in a series of complaints against Meta made to the Irish Data Protection Commission, then headed by Helen Dixon, in 2018. Photograph Nick Bradshaw
Wednesday’s judgment has its origins in a series of complaints against Meta made to the Irish Data Protection Commission, then headed by Helen Dixon, in 2018. Photograph Nick Bradshaw
Ian Curran
Wed Jan 29 2025 - 15:27

An EU court has dismissed a challenge taken by the Data Protection Commission (DPC) against Europe’s top data protection board, a ruling likely to fuel further criticism of the Irish regulator’s enforcement of European data protection laws against US tech companies.

In a decision published on Wednesday, the General Court of the European Court of Justice also ordered the DPC to pay the European Data Protection Board’s (EDPB’s) legal costs after the Irish body’s case was rejected.

The court found that the EDPB is entitled to overrule a national regulator – in this case, the Irish DPC – and require it to conduct fresh investigations into complaints or issue new rulings if it disagrees with the national authority’s analysis.

Wednesday’s judgment has its origins in a series of complaints against Meta by individuals living in Belgium, Germany and Austria relating to the tech giant’s processing of their data under the EU General Data Protection Regulation (GDPR). The complaints were made in 2018 through the non-profit NOYB-European Centre for Digital Rights.

READ MORE

Because the Facebook owner is headquartered in Dublin, the Irish DPC, then headed by Helen Dixon, was the lead national regulator in the case.

After conducting its investigations, the Irish watchdog prepared draft decisions finding that the complainants had failed to demonstrate that Meta and WhatsApp could not rely on one of the conditions set out in the GDPR to process their data without their express consent.

Other European data watchdogs raised objections to the DPC’s analysis, prompting the watchdog to refer the matter to the EDPB for a ruling.

In late 2022, the European board issued binding decisions going against Ms Dixon’s analysis and asked the Irish DPC to withdraw its findings, including that user consent was not required for the data processing that Meta had carried out. It also required the Irish DPC to carry out further investigations into Meta’s alleged violations.

EU to review investigations into Apple, Google and Meta as US pressure mounts ]

Disputing the EDPB’s authority to issue those rulings, the Irish DPC launched three separate legal actions in the European General Court, challenging the board.

In its judgment on Wednesday, the court dismissed all three of the DPC’s cases. The judges also found that the EDPB has the authority to issue binding decisions to national regulators to conduct new investigations and issue new decisions if “the case file is insufficient for the purpose of carrying out the required analysis in full”.

A spokesman for the DPC said: “We note the Courts judgment and are currently reviewing it.”

  • Sign up for the Business Today newsletter and get the latest business news and commentary in your inbox every weekday morning
  • Opt in to Business push alerts and have the best news, analysis and comment delivered directly to your phone
  • Join The Irish Times on WhatsApp and stay up to date
  • Our Inside Business podcast is published weekly – Find the latest episode here
Ian Curran

Ian Curran

Ian Curran is a Business reporter with The Irish Times

Business Today

Business Today

Get the latest business news and commentary from our expert business team in your inbox every weekday morning