Lexploria - Legal research enhanced by smart algorithms
Lexploria beta Legal research enhanced by smart algorithms
Search in dataset:
Menu
Browsing history:
Document text Analytics

Judgment of the General Court (Tenth Chamber, Extended Composition) of 29 January 2025 (Extracts). Data Protection Commission v European Data Protection Board.

• 62023TJ0070 • ECLI:EU:T:2025:116

  • Inbound citations: 0
  • Cited paragraphs: 0
  • Outbound citations: 59

Judgment of the General Court (Tenth Chamber, Extended Composition) of 29 January 2025 (Extracts). Data Protection Commission v European Data Protection Board.

• 62023TJ0070 • ECLI:EU:T:2025:116

Cited paragraphs only

JUDGMENT OF THE GENERAL COURT (Tenth Chamber, Extended Composition)

29 January 2025 ( * )

( Protection of personal data – Article 65(1)(a) of Regulation (EU) 2016/679 – Binding decision instructing a lead supervisory authority to broaden the scope of its investigation and issue a new draft decision – Competence of the European Data Protection Board )

In Joined Cases T‑70/23, T‑84/23 and T‑111/23,

Data Protection Commission, established in Dublin (Ireland), represented by D. Young, A. Bateman, R. Minch, M. Delargy, K. Donnelly, Solicitors, B. Kennelly, Senior Counsel, D. Fennelly, E. Synnott and R. Costello, Barristers-at-Law,

applicant,

v

European Data Protection Board, represented by I. Vereecken, C. Foglia and M. Gufflet, acting as Agents, and by G. Ryelandt, E. de Lophem and P. Vernet, lawyers,

defendant,

THE GENERAL COURT (Tenth Chamber, Extended Composition),

composed of O. Porchia, President, M. Jaeger, L. Madise (Rapporteur), P. Nihoul and S. Verschuur, Judges,

Registrar: M. Zwozdziak-Carbonne, Administrator,

having regard to the written part of the procedure,

further to the hearing on 16 April 2024,

gives the following

Judgment ( 1 )

1 By its actions under Article 263 TFEU, the applicant, the Data Protection Commission, which is the Irish supervisory authority for personal data protection, seeks annulment in part of Binding Decisions 3/2022, 4/2022 and 5/2022 of 5 December 2022 of the European Data Protection Board (‘the EDPB’) on the disputes between the supervisory authorities concerned arising from the Data Protection Commission’s draft decisions regarding, respectively, the social network Facebook, the social network Instagram and the messaging service WhatsApp, in so far as those binding decisions require it to carry out new investigations into the processing of data carried out in connection with the use of those applications and to issue new draft decisions on the basis of the results thereof.

Facts and proceedings

6 Following discussions with the other supervisory authorities concerned, the applicant found that a consensus had not been reached in respect of the objections to its draft decisions and submitted the matter to the EDPB in the context of the consistency mechanism established in Regulation 2016/679, in accordance with Article 60(4) of that regulation.

7 Following the examination of the three files, the EDPB adopted Binding Decisions 3/2022, 4/2022 and 5/2022 on 5 December 2022 under Article 65(1)(a) of Regulation 2016/679. In those three binding decisions, the EDPB first of all took the view that most of the objections to the applicant’s draft decisions were relevant and reasoned, within the meaning of Article 4(24) of Regulation 2016/679, and that it was able to adopt a position on the issues which they raised. In that regard, the EDPB endorsed the merits of a number of those objections which it had considered relevant and reasoned.

Forms of order sought

15 The applicant claims that the Court should:

– in Case T‑70/23, annul the second sentence of paragraphs 198 and 487 of EDPB Binding Decision 3/2022;

– in Case T‑84/23, annul the second sentence of paragraphs 203 and 454 of EDPB Binding Decision 4/2022;

– in Case T‑111/23, annul paragraphs 222 and 326.8 of EDPB Binding Decision 5/2022;

– in the three cases, order the EDPB to pay its costs.

16 The EDPB, in the three cases, contends that the Court should:

– dismiss the actions;

– in the alternative, limit the annulment of the contested decisions to the relevant parts thereof;

– order the applicant to pay the costs.

Law

17 In all three cases, the applicant puts forward a single plea in law, alleging that the EDPB exceeded the competence conferred on it by Article 65(1)(a) of Regulation 2016/679 by requiring it, in each of the binding decisions at issue, (i) to carry out a new investigation on aspects not yet examined, and (ii) to issue a new draft decision in accordance with Article 60(3) of that regulation on the basis of the results of that new investigation.

The single plea in law alleging lack of competence on the part of the EDPB to adopt the contested provisions

29 Nevertheless, it should be borne in mind that it is settled case-law that, in principle, for the purpose of interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it is part (see, to that effect, judgment of 29 November 2018, Mensing , C‑264/17, EU:C:2018:968, paragraph 24 and the case-law cited). In the present case, some of the applicant’s arguments are also based on considerations or principles drawn from beyond Regulation 2016/679 itself. The Court will therefore rule on the scope of the EDPB’s competence under Article 65(1)(a) of Regulation 2016/679 by examining, where necessary, first the applicant’s arguments put forward in the context of a literal, contextual, purposive and historical analysis of that regulation, then those relating to the conditions for conferral of competence on an EU body, the characteristics of the judicial review carried out at national level and the independence of the supervisory authorities responsible for the protection of personal data.

The arguments concerning the scope of the EDPB’s competence under Article 65(1)(a) of Regulation 2016/679 put forward in the context of a literal, contextual, purposive and historical analysis of that regulation

30 The applicant relies on the wording of Article 65(1)(a), Article 65(6) and Article 4(24) of Regulation 2016/679 in order to claim that the EDPB does not have the power to require, in a binding decision adopted under the first of those provisions, a lead supervisory authority to broaden its investigation and submit a new draft decision in order to draw conclusions from that additional investigation. It also relies to that effect on recitals 126 and 136 of that regulation.

31 Article 65(1)(a) of Regulation 2016/679 provides:

‘In order to ensure the correct and consistent application of this Regulation in individual cases, the [EDPB] shall adopt a binding decision … where … a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation.’

32 Article 4(24) of Regulation 2016/679 defines a relevant and reasoned objection as follows:

‘an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union’.

33 Article 65(6) of Regulation 2016/679 provides inter alia the following:

‘The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the [EDPB] has notified its decision. … The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the [EDPB] in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.’

34 According to the applicant, the three provisions cited in paragraphs 31 to 33 above limit the scope of a binding decision of the EDPB, adopted under Article 65(1)(a) of Regulation 2016/679, to the scope of the analyses carried out in the lead supervisory authority’s draft decision communicated to the other supervisory authorities concerned by the case file. Such a binding decision can only respond to a relevant and reasoned objection, which must relate to the content of the draft decision and not to what is not contained therein. The legal effect of the binding decision is limited to the amendments which, under Article 65(6) of that regulation, the competent supervisory authority must make, within one month of notification of that binding decision, in the final decision as compared to the draft decision. Thus, in the applicant’s view, the binding decision can relate only to the correct interpretation of Regulation 2016/679 with respect to what is contained in the lead supervisory authority’s draft decision; the provisions in question do not confer any power on the EDPB to issue instructions to that authority concerning another subject, for example, to oblige it to carry out an investigation or submit a new draft decision.

35 However, that reading is restrictive in the light of the wording of the provisions cited in paragraphs 31 to 33 above. It should be borne in mind that Article 4(24) of Regulation 2016/679 includes in the concept of ‘relevant and reasoned objection’ an ‘objection to a draft decision as to whether there is an infringement of this Regulation … which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects’. Although Article 65(1)(a) of Regulation 2016/679 provides that a binding decision adopted in that regard ‘shall concern all the matters which are the subject of the relevant and reasoned objection’, there is nothing to prevent such an objection from relating to the absence or inadequacy of analysis, in that draft decision of the lead supervisory authority, of an aspect of the case, which makes it impossible to know whether or not there is an infringement of that regulation as regards that aspect. The words ‘objection to a draft decision’ are not limited, contrary to what the applicant claims, to objections to the considerations set out in the draft decision. Consequently, since the EDPB’s binding decision must concern all matters which are the subject of relevant and reasoned objections, there is nothing to prevent, where the EDPB approves a relevant and reasoned objection relating to an absence or inadequacy of that nature, that decision from including an instruction to the lead supervisory authority to remedy that lack of analysis and, if it appears necessary in the light of the file before the EDPB, to deepen or broaden to that end the investigation carried out up to that point. If it appears that the case file is insufficient for the purpose of carrying out the required analysis in full, the EDPB must be able to require the lead supervisory authority to undertake further investigation.

36 It should also be noted that the wording of the three provisions cited in paragraphs 31 to 33 above, considered together, does not limit the scope of a binding decision solely to the immediate amendments to be made to the draft decision submitted by the lead supervisory authority with a view to adopting a final decision under the conditions set out in Article 65(6) of Regulation 2016/679, that is to say, solely to amendments relating to the content of the draft decision to the exclusion of what is not contained therein. In that regard, contrary to what the applicant claims, the latter provision seeks only to specify the detailed rules for the adoption of the final decision where that decision may immediately follow an EDPB binding decision, in particular where there is no need to resume an investigation or to carry out a broader or more in-depth analysis of certain aspects of the case. It is not a provision concerning the possible content of a binding decision, which is determined by the legal basis on which that decision is adopted, in the present case Article 65(1)(a) of Regulation 2016/679, which must itself be read in conjunction with Article 4(24) of that regulation as regards the definition of the concept of a ‘relevant and reasoned objection’. It must be pointed out, in that regard, that Article 65(1) of Regulation 2016/679 provides for various types of EDPB binding decisions which do not necessarily entail the subsequent and immediate adoption of a final decision of a supervisory authority.

38 The literal analysis undertaken in paragraphs 35 and 36 above of the three provisions cited in paragraphs 31 to 33 above cannot be invalidated by the wording of recitals 126 and 136 of Regulation 2016/679, contrary to what the applicant claims. Indeed, in the first of those recitals, by stating that ‘the decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned’, the legislature does not in any way exclude the matter of the scope of analysis that such a decision must cover in a particular case from the assessment of the supervisory authorities concerned other than the lead supervisory authority; rather the opposite is true, since ‘the decision’ takes its form not only from the assessments contained therein, but also from the scope of the matters which it covers. As a result, if the supervisory authorities concerned do not reach a consensus and the matter is referred to the EDPB, the wording of that recital does not preclude the EDPB from requiring the analysis and, if necessary, the investigation to be broadened. Similarly, recital 136 of Regulation 2016/679 states that the EDPB ‘should issue … legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation’. Contrary to what the applicant claims, the scope of the investigation is not a procedural matter but relates to the substance of the case, since it determines the extent of what must be examined in order to assess whether the data processing operation or operations at issue comply with Regulation 2016/679.

39 In that regard, another argument of the applicant, to the effect that the interpretation of the concept of ‘relevant and reasoned objection’ adopted in paragraph 35 above would give the EDPB the opportunity to issue directions to the lead supervisory authority concerning all the powers held by that authority, on the sole condition that the question raised by a supervisory authority concerned is classified as a relevant and reasoned objection in the sense thus accepted, may now be rejected. As stated in Article 4(24) of Regulation 2016/679, a relevant and reasoned objection to a draft decision of the lead supervisory authority may only relate to a matter concerning whether that regulation is complied with or whether the corrective measures envisaged in relation to the controller or processor are themselves compliant with it. Such an objection may therefore relate only to the substance of the case and to the final decision-making powers of the lead supervisory authority, provided in particular in Article 58(2) of that regulation, which also relate to the substance. As a result, such an objection cannot relate to the conduct of the investigation itself (as opposed to the scope of the investigation), which is based on the investigative powers of the supervisory authorities referred to in Article 58(1) of Regulation 2016/679.

40 The literal analysis of Article 65(1)(a) of Regulation 2016/679, carried out by taking into account the wording of Article 4(24), Article 65(6) and recitals 126 and 136 of that regulation, therefore supports the EDPB’s competence to adopt provisions, such as the contested provisions, instructing the applicant to carry out a new investigation into certain aspects of the files in question and then to adopt new draft decisions based on the results. It is necessary to examine whether the arguments put forward by the applicant in the context of its contextual and purposive interpretations of Regulation 2016/679 are such as to contradict the results of that initial analysis.

43 In that regard, contrary to what the applicant maintains, the procedure for cooperation between supervisory authorities concerned by a case, described in Article 60 of Regulation 2016/679, which may involve triggering the consistency mechanism operated by the EDPB, provided for in Article 60(4), is not a ‘one-way’ procedure in which the stages always follow each other in the order of the provisions providing for them, without the possibility of returning to a previous stage or temporarily remaining at the same stage. Thus, for example, starting from the situation highlighted by the applicant, provided for in Article 60(5), in which the lead supervisory authority itself intended to follow the objections of other supervisory authorities concerned to its draft decision submitted under Article 60(3), and in which it submitted a revised draft decision to those authorities, the procedure may evolve in several ways. If those authorities do not object to the revised draft, the final decision(s) are then to be adopted directly in accordance with paragraphs 6 to 9 of that article. Otherwise, that is to say, where there are objections to the revised draft, if the lead supervisory authority accepts those objections in whole or in part, the phase provided for in Article 60(5) is repeated, requiring the lead supervisory authority to submit a new revised draft taking into account the objections it has accepted. If the lead supervisory authority does not accept all or some of the objections to the revised draft, it must, in accordance with Article 60(4), trigger the consistency mechanism by referring the matter to the EDPB on the basis of the most successful revised draft decision.

44 The EDPB provides in its defence another example illustrating that the procedure for cooperation between supervisory authorities concerned by a case, provided for in Article 60 of Regulation 2016/679, is not necessarily a ‘one-way’ system. Following objections from other supervisory authorities concerned to its draft decision submitted under Article 60(3), the lead supervisory authority may itself take the view that, instead of immediately submitting a revised draft decision or triggering the consistency mechanism, it is appropriate to go back and further investigate before resubmitting a draft decision under Article 60(3). The EDPB notes that the French supervisory authority did this in one case.

45 Similarly, where the EDPB intervenes under Article 60(4) and a binding decision is adopted, several situations are possible. If all relevant aspects of the case have been sufficiently addressed in the lead supervisory authority’s draft decision, the lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, may adopt, in accordance with Article 60(6) to (9), a final decision or decisions closing the case, taking into account in particular the binding decision of the EDPB. If, by contrast, the EDPB’s binding decision finds, following objections to that effect, that the draft decision of the lead supervisory authority does not address, or does not sufficiently address, all the relevant aspects of the case and, as the case may be, that a reopening of the investigation is therefore necessary, one or more partial final decision(s) may be adopted by the lead supervisory authority or by the supervisory authority to which the complaint was lodged, in accordance with the abovementioned provisions, but the lead supervisory authority must at the same time supplement its analysis, if necessary after conducting a new investigation, with a view to submitting, in accordance with Article 60(3), a new draft decision to the other supervisory authorities concerned.

46 The applicant puts forward a second argument in respect of the contextual interpretation to the effect that, read in the light of recital 141 of Regulation 2016/679, Article 57(1)(f) of that regulation, stating that the supervisory authority is to handle complaints and investigate their subject matter to the extent appropriate, demonstrates that the scope of the investigation to be conducted following a complaint comes within the discretion of the national supervisory authorities, subject only to national judicial review.

47 Recital 141 of Regulation 2016/679 states inter alia the following:

‘Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy … if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. …’

48 Article 57(1)(f) of Regulation 2016/679 and the considerations relied on by the applicant do not, however, exclude the question of the appropriateness of the scope of the investigation from the mechanism of cooperation between supervisory authorities concerned and the consistency mechanism operated by the EDPB.

49 Article 57 of Regulation 2016/679, which concerns the tasks of the supervisory authorities, provides as the first task, in paragraph 1(a) of that article, the task of monitoring and enforcing the application of that regulation. Therefore, contrary to what the applicant stated in essence at the hearing, the analysis of the conditions under which the processing of personal data is carried out and of its conformity with that regulation does not have to be limited to what is highlighted in the complaint made.

50 Above all, fully carrying out the tasks provided for in Article 57(1)(a) and (f) of Regulation 2016/679 of enforcing the application of that regulation and handling complaints to the extent appropriate involves adopting an appropriate scope of analysis of the file in the light of the complaint that gave rise to it, but also in the light of other factors which may supplement it. Where the processing of personal data in question is cross-border, that analysis must lead to the adoption of decisions which are the subject of the cooperation procedure provided for in Article 60 of that regulation. In the context of that procedure, the criterion to be satisfied in order for a matter to be the subject of an EDPB binding decision, adopted under Article 65(1)(a) of that regulation, is that it has given rise to a relevant and reasoned objection, as defined in Article 4(24) of that regulation. The relevant and reasoned objection, according to its definition, relates to aspects the analysis of which comes within the scope of the two abovementioned tasks. As a result, the fact that a relevant and reasoned objection concerns the scope of the analysis and, where applicable, the scope of the investigation and that the EDPB follows that objection in no way undermines those tasks. Furthermore, the fact that interim decisions of supervisory authorities following a complaint may be the subject of an action before the national courts does not prevent the draft decision of the lead supervisory authority from itself being subject, within the substantive limits assigned to the consistency mechanism established in Regulation 2016/679, to review by the EDPB.

51 The applicant’s arguments put forward in respect of the contextual interpretation do not therefore support its position on the EDPB’s lack of competence to adopt the contested provisions.

52 On the contrary, the general context of the obligation of cooperation between the supervisory authorities concerned by a case, enshrined in Regulation 2016/679, confirms the EDPB’s competence in that regard. Article 60(1) of that regulation provides that ‘the lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus.’ Article 60(3) of the same regulation states that ‘the lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned’ and that it ‘shall without delay submit a draft decision [to them] for their opinion and take due account of their views’.

53 It follows that the cooperation between the supervisory authorities concerned relates in particular to the analysis of the case as a whole and to the preparation of the decision, and that the lead supervisory authority must seek the agreement of the other supervisory authorities concerned in that regard. There is nothing in the abovementioned provisions that makes it possible to exclude from that cooperation obligation the question of the scope of the analysis to be carried out or, where appropriate, the question of the scope of the preliminary investigation to be conducted. In the judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraphs 63 and 64), the Court noted the indispensable nature of dialogue and sincere and effective cooperation between supervisory authorities concerned by a case.

54 It follows from paragraphs 41 to 53 above that an examination of the context resulting from the provisions of Regulation 2016/679 confirms the literal analysis carried out above.

55 On the basis of a purposive interpretation, the applicant submits, first of all, that recognising that the EDPB has the power to direct a lead supervisory authority to issue a new draft decision and broaden the scope of its investigation beforehand for that purpose is not consistent with the ‘one-stop-shop’ mechanism that was intended by the legislature when it adopted Regulation 2016/679. The establishment of a sole supervisory authority for the persons concerned aimed in particular to avoid superfluous costs and excessive inconveniences for them, as stated in recital 129 of Regulation 2016/679. Reopening an inquiry on the ground of a mere disagreement between supervisory authorities would disregard that objective by obliging the complainants and respondent undertakings to undergo a reopening of the investigation, with attendant costs and inconveniences, when that phase should have been completed.

56 However, without it being necessary to rule on the legislature’s intentions, it is sufficient to note that a one-stop shop meets an objective of procedural simplification that cannot take precedence over the essential objective of Regulation 2016/679, which is to ensure compliance with the fundamental right of natural persons to the protection of their personal data. Recital 1 of that regulation states in that regard that Article 8(1) of the Charter of Fundamental Rights and Article 16(1) TFEU provide that everyone has the right to the protection of personal data concerning him or her. A broadening of the investigation, necessarily requested by at least half of the supervisory authorities within the framework of the EDPB, does not, contrary to what the applicant claims, complicate the task of the person who lodged a complaint or that of the controller concerned by that complaint, but constitutes a measure to defend their respective rights. Moreover, the disadvantages referred to by the applicant can be avoided if the lead supervisory authority carries out an investigation and analysis covering from the outset all the aspects required to draw up a complete final decision regarding the case in question.

57 The applicant’s argument that the reopening of an investigation delays reaching consensus on the matters already investigated and determined must also be rejected.

58 In such a situation the competent authority must, on the contrary, as indeed the applicant did in the present case, adopt a final decision on the substantive aspects that have been investigated and determined following an EDPB binding decision within the period provided for in Article 65(6) of Regulation 2016/679. This does not prevent it from carrying out an additional investigation and analysing those aspects of the case that have not yet been examined.

59 The applicant further claims that the EDPB’s lack of involvement in determining the scope of analysis required for a particular case, which is an interim or procedural matter, does not prevent the cooperation mechanism between supervisory authorities from functioning.

60 However, the cooperation mechanism reaches its limits where consensus cannot be reached between the supervisory authorities concerned. It is in that situation, expressly provided for in Article 60(4) of Regulation 2016/679, that the matter in respect of which consensus has not been reached must be submitted by the lead supervisory authority to the consistency mechanism, which results in an EDPB binding decision, as stated in that provision.

61 Lastly, the applicant argues that such a lack of consensus is resolved by recourse to judicial review in the national courts. It notes that Article 58(4) and recital 141 of Regulation 2016/679 state that the investigation is subject to effective judicial review.

62 It is true that, if the EDPB was unable to resolve a problem relating to the scope of the analysis carried out by the lead supervisory authority, the national court could intervene in that regard. However, Regulation 2016/679 provides that issues raised in the context of a relevant and reasoned objection by a supervisory authority concerned, within the meaning of Article 4(24) of that regulation, are to be dealt with within the framework of the cooperation mechanism and, where appropriate, the consistency mechanism, between supervisory authorities. However, as examined above, an issue concerning the scope of the analysis and, where appropriate, the investigation carried out by the lead supervisory authority may give rise to a relevant and reasoned objection in the aforementioned sense. Consequently, the possibility of referring an issue of that nature to the national court, which, moreover, would not necessarily be easy for a complainant residing in a State other than that of the lead supervisory authority, cannot mean that persistent disagreements between the supervisory authorities concerned on matters that have been the subject of relevant and reasoned objections cannot be resolved within the EDPB.

63 It follows from paragraphs 55 to 62 above that an examination of the objectives of Regulation 2016/679 also confirms the literal analysis carried out above.

The arguments relating to the conditions for conferring powers on an EU body, the characteristics of the judicial review carried out at national level and the independence of the supervisory authorities responsible for the protection of personal data

65 In the first place, the applicant submits, in essence, that the principles governing the conferral of powers on an EU body do not permit an interpretation of Regulation 2016/679 in the sense identified by the earlier analyses, namely the sense in which it confers the contested competence on the EDPB.

66 The applicant refers to Article 5 TEU to point out that the European Union may act only within the limits of the competences conferred on it. This principle applies to EU institutions and bodies, such as the EDPB. The latter are, moreover, subject to the ‘Meroni doctrine’ resulting from the judgment of 13 June 1958, Meroni v High Authority (9/56, EU:C:1958:7), which is applicable to EU bodies as the Court of Justice held in relation to the European Securities and Markets Authority (ESMA) in the judgment of 22 January 2014, United Kingdom v Parliament and Council (C‑270/12, EU:C:2014:18, paragraphs 53 and 54). That doctrine requires that the powers of the EU bodies be precisely delineated and amenable to judicial review in the light of the objectives set for the body concerned. In particular, in paragraph 45 of the second abovementioned judgment, it was found that the power of ESMA that was discussed in that case, which was ultimately confirmed by the Court of Justice, was circumscribed by various conditions and criteria which limit ESMA’s discretion. In the judgment of 15 July 2021, FBF (C‑911/19, EU:C:2021:599, paragraphs 67 and 75), concerning the European Banking Authority (EBA), the Court of Justice stated that a power of an EU body had to be expressly provided for by the legislature and that judicial review of that power had to be stringent.

67 Those principles applied in the case-law indeed concern the EDPB, which was established as an EU body in Article 68 of Regulation 2016/679.

68 It must therefore first of all be ascertained whether the interpretation adopted earlier in the present judgment permits the inference that the exercise of the EDPB’s power, when it requires a lead supervisory authority to broaden its analysis and, where appropriate, its investigation, ‘is circumscribed by various conditions and criteria which limit [its] discretion’, as the Court held with regard to the power of ESMA that was challenged in the case giving rise to the judgment of 22 January 2014, United Kingdom v Parliament and Council (C‑270/12, EU:C:2014:18).

69 In that regard, as is apparent from Article 65(1)(a) of Regulation 2016/679, read in conjunction with Article 4(24) of that regulation, that power to require a lead supervisory authority to broaden its analysis and, where appropriate, its investigation may be used only following the formulation, by a supervisory authority concerned, of a relevant and reasoned objection to the lead supervisory authority’s draft decision on the case in question, relating to failure to analyse an aspect of ‘whether there is an infringement of … Regulation [2016/679], or whether envisaged action in relation to the controller or processor complies with [that] Regulation’ and which ‘clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union’.

70 In addition, under Article 65(2) and (3) of Regulation 2016/679, the implementation of the abovementioned power presupposes that, within the EDPB, a two-thirds majority, or at least half of its members in certain circumstances, including, where the vote is split, the Chair of the Board, have, in essence, approved that relevant and reasoned objection and the action to be taken on it. A significant number of supervisory authorities must therefore confirm the lack or insufficiency of analysis of an important aspect of the case in question and agree on the action to be taken by the lead supervisory authority in order to remedy that failure. Account must be taken in that regard of the fact that the EDPB is itself composed of a large number of independent authorities specialising in the matter and, consequently, of the fact that a majority opinion of those authorities within it provides guarantees as to the exercise of that power. Furthermore, although the concept of ‘relevant and reasoned objection’, referred to in paragraph 69 above, does indeed leave room for discretion, in particular in determining whether there is an infringement of Regulation 2016/679 by the controller or processor concerned or whether a particular aspect needs to be examined in order to find out, those matters nevertheless all relate to specific legal rules set out in that regulation, as a result of which a ‘broad discretion’ cannot be exercised.

71 In summary, as regards the question of the scope of the EDPB’s power, which is disputed by the applicant, it must thus be held, first, that that power is exercised only in the event of a clearly identified shortcoming in the analysis undertaken by the lead supervisory authority in its handling of the case which may have significant consequences, as is apparent from the definition of a relevant and reasoned objection set out in Article 4(24) of Regulation 2016/679, and, second, that that power results from the collective assessment of the supervisory authorities comprising the EDPB that takes place in the circumstances set out in paragraph 70 above.

72 As regards the question whether the power at issue is ‘explicitly’ provided for by the legislature, it must be pointed out that the adverb ‘explicitly’ and the adverbs ‘expressly’ and ‘clearly’, which are synonyms and which refer respectively to the adjectives ‘explicit’, ‘express’ and ‘clear’, mean that there is no doubt as to the scope of what is expressed. It follows from the above literal, contextual and purposive interpretations that there is no doubt that the EDPB has the contested competence and therefore that it is expressly provided for by the legislature. It may be observed that, in the judgment of 15 July 2021, FBF (C‑911/19, EU:C:2021:599), which concerned the EBA, in dispute was that authority’s competence to adopt its guidelines concerning ‘product oversight and governance arrangements for retail banking products’. None of the texts applicable to that authority explicitly stated that it could adopt guidelines in that regard. It was by means of an overall analysis of those texts, that is to say, of the regulation establishing the EBA, which provided in general terms for its competence to adopt guidelines for certain purposes, and of various directives concerning financial institutions and products, that the Court of Justice held that the contested guidelines came within that competence.

73 In addition, it must be noted that the exercise of the EDPB’s power to require a lead supervisory authority to broaden its analysis and, if necessary, its investigation is indeed subject to judicial review. It is true that, in the present case, the applicant chose to challenge the contested provisions solely on the ground that the EDPB lacked competence, without calling into question the actual assessment made by the EDPB of the objections raised by certain supervisory authorities with regard to its draft decisions, which led to the adoption of those provisions. However, within the limits of the pleas relied on before them, the Courts of the European Union are able to review the substantive legality of such provisions in the light of the circumstances of the case. In particular, it is open to them, first, to verify whether the EDPB, by adopting provisions of that nature, did indeed act on a relevant and reasoned objection by a supervisory authority, within the meaning of Article 4(24) of Regulation 2016/679. It is open to them, second, to examine the legality of the very substance of such provisions giving instructions to the supervisory authorities.

74 Such a type of judicial review is ‘stringent’, in the sense used in the judgment of 15 July 2021, FBF (C‑911/19, EU:C:2021:599, paragraph 67). The court with jurisdiction to rule on legality is, in general, bound by its mandate and by the rules of procedure and its review is necessarily stringent if it fully fulfils its mandate in the context of those rules. On the substantive issues, it is in accordance with the margin of discretion which the author of the contested act has, or does not have, that the court with jurisdiction to rule on legality exercises a normal review (in principle as regards legal aspects, the establishment of facts and cases of circumscribed powers) or a limited review (in principle over complex technical aspects or where the authority has a margin of discretion, in which cases the court penalises only manifest error of assessment) (see, to that effect and by analogy, as regards the review by the national courts of the decisions of the national authorities on the protection of personal data, judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts ), C‑26/22 and C‑64/22, EU:C:2023:958, paragraphs 68 and 69).

75 It follows from paragraphs 67 to 74 above that the conditions for conferring competence on an EU body do not oppose the analysis carried out earlier in the present judgment.

76 In the second place, the applicant puts forward various reasons in order to demonstrate that the national courts are the ‘appropriate forum’ to deal with disputes related to the investigation, that is to say, that they are best placed to do so.

77 However, as set out in paragraph 62 above, the EU legislature decided that persistent disagreements between the supervisory authorities concerned relating to the scope of the analysis of a case and, where appropriate, to the scope of the investigation conducted in respect of that case should be arbitrated in the context of the consistency mechanism within the EDPB. As a result, the applicant’s arguments seeking to demonstrate that the national courts are the ‘appropriate forum’ for dealing with disputes linked to the investigation are ineffective.

78 It must be added, in so far as both the national court and the EDPB may be called upon to adopt a position on the scope of the analysis and the investigation, that, within the scope of the competition rules laid down in Articles 101 and 102 TFEU, where responsibilities are also shared between the national level and the EU level for the implementation of an EU policy, a number of principles have been identified in the case-law of the Court of Justice in order to coordinate the actions of the national courts and the EU entity responsible for ensuring consistency in the application of the policy in question, namely the Commission (judgments of 28 February 1991, Delimitis , C‑234/89, EU:C:1991:91, and of 14 December 2000, Masterfoods and HB , C‑344/98, EU:C:2000:689). While it cannot be ruled out that, in accordance with those principles, a national court may consider it preferable to stay the proceedings pending a decision of the competent EU entity or that it may, where that decision has been taken, be bound by it, unless it doubts its validity and asks the Court of Justice for a preliminary ruling on the matter, those situations are inherent in such a division of responsibilities and in the need to ensure that the policy in question is applied consistently throughout the European Union.

79 It must also be added that, contrary to what the applicant claims in the third place, an EDPB binding decision, adopted under Article 65(1)(a) of Regulation 2016/679, requiring the applicant to broaden its analysis and its investigation does not call into question its ability to prioritise the performance of its various tasks as an independent authority, which is for the national court alone to review. Nor does it call into question, more generally, its independence enshrined in Article 39 TEU, Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights.

80 Indeed, if the lead supervisory authority has to supplement its analysis and investigation in respect of a case, on its own initiative, at the stage of cooperation between the supervisory authorities concerned following interventions to that effect by its counterparts, or following an EDPB binding decision, it is not obliged to do so without delay, as a priority over its other tasks. It may, for example, announce that a first draft decision or an initial decision adopted by it addresses only some of the issues arising from the case in question and that it will subsequently continue its analysis and investigation.

81 It is only in the circumstances provided for in Article 66 of Regulation 2016/679, where another supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, that an urgent binding decision of the EDPB may oblige the lead supervisory authority to review without delay the order of its priorities in order to deal with a case. The legislature therefore provided for that possibility in exceptional cases only. Indeed, Binding Decisions 3/2022, 4/2022 and 5/2022 were not adopted on the basis of Article 66 and, consequently, they did not impose on the applicant an order of priority between its various tasks.

82 Moreover, the provisions of primary law relied on by the applicant do not imply that the authorities of the Member States having primary responsibility for ensuring that the rules on the protection of personal data are applied have absolute independence, in the sense of the absence of any scrutiny. Those provisions merely state that the monitoring of compliance with those rules is entrusted to independent authorities, which therefore in no way precludes a system of mutual scrutiny between independent authorities, such as the cooperation and consistency mechanisms provided for in Regulation 2016/679, or, of course, judicial review of the decisions adopted by the various authorities involved. What is important is that the bodies scrutinising the supervisory bodies should themselves be independent. This is the case with the EDPB, as it is composed of the supervisory authorities of the Member States and the European Data Protection Supervisor, which is itself an independent authority vis-à-vis the EU institutions and other entities under its supervision.

Costs

84 Under Article 134(1) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Since the applicant has been unsuccessful, it must be ordered to pay the costs, in accordance with the form of order sought by EDPB.

On those grounds,

THE GENERAL COURT (Tenth Chamber, Extended Composition)

hereby:

1. Dismisses the actions in Cases T 70/23, T 84/23 and T 111/23;

2. Orders the Data Protection Commission to pay the costs.

Porchia

Jaeger

Madise

Nihoul

Verschuur

Delivered in open court in Luxembourg on 29 January 2025.

[Signatures]

* Language of the case: English.

1 Only the paragraphs of the present judgment which the Court considers it appropriate to publish are reproduced here.

© European Union, https://eur-lex.europa.eu, 1998 - 2025
Active Products: EUCJ + ECHR Data Package + Citation Analytics • Documents in DB: 399069 • Paragraphs parsed: 44316438 • Citations processed 3428932