Irish DPC v EDPB: consequences of General Court judgment for EDPB’s authority

After last week’s EU General Court judgment in the Irish DPC vs EDPB case, some claimed that this makes EDPB Guidelines and Opinions unassailable. (Yes, really.) That’s wrong. Let’s look at what the judgment means for the EDPB’s authority – and some issues it raises:

1/ Scope of EDPB binding decisions

The judgment of the EU General Court [= GCEU] can be summarised like so:
(i) EDPB binding decisions must concern “all matters which are the subject of relevant and reasoned objections” [= RRAs];
(ii) an RRA can for instance relate to “an absence or inadequacy of analysis, in that draft decision of the lead supervisory authority [= LSA], of an aspect of the case, which makes it impossible to know whether or not there is an infringement of [the GDPR] as regards that aspect”;
(iii) if the EDPB approves such an RRA, the binding decision must address the issue(s) underlying that RRA;
(iv) if the issue highlighted is then a “lack of analysis”, the EDPB must be able to instruct the LSA to “remedy that lack of analysis” – and if necessary, to “deepen or broaden to that end the investigation carried out up to that point”.
(Para. 35 is the key section of the judgment.)

So the EDPB has the authority to include in its binding decisions certain instructions to the LSA.
Seems to make sense, right?

The problem is that of unintended consequences – notably if the instruction requires serious work from the LSA.

Art. 65(6) GDPR requires the LSA to “adopt its final decision on the basis of the [binding decision] without undue delay and at the latest by one month after the Board has notified its decision”.

This leads to 2 possibilities, neither good:
a) either any additional work that the instruction requires before a final decision must be wrapped up in a month (!) (and re-submitted to the EDPB? on what basis?);
b) or the EDPB’s instruction leads to a split of the LSA’s final decision, as it must adopt a “final decision” within 1 month but might need to investigate a matter further and re-submit it to the EDPB. The GDPR doesn’t cover this, so the GCEU’s judgment could be seen as creating a new power for the EDPB to create new cases.
[Para. 45 suggests these are “partial” final decisions – really? How is “final” “partial”?]

My view? Not a good judgment for data protection.

2/ What of Guidelines & Opinions?

Let’s be clear: this reasoning is of no relevance whatsoever to the issues of the legal value of EDPB Guidelines and Opinions and whether they can be challenged. The judgment only has to do with the issue of the scope of Binding Opinions and of RRAs. Different GDPR articles.
In my view, it should still be possible to challenge Guidelines and Opinions directly, whether before the GCEU (one CJEU case pending on that) or before the EU Ombudsman, and their validity and constitutionality could also be challenged indirectly before national courts.

Challenges allow for debate – and we need more of that here. So consider challenging more!