Data Protection Commission v European Data Protection Board (Protection of personal data - Binding decision instructing a lead supervisory authority to broaden the scope of its investigation and issue a new draft decision - Judgment) [2025] EUECJ T-70/23 (29 January 2025)
Court of Justice of the European Communities (including Court of First Instance Decisions)
You are here:BAILII >>
Databases >>
Court of Justice of the European Communities (including Court of First Instance Decisions) >>
Data Protection Commission v European Data Protection Board (Protection of personal data - Binding decision instructing a lead supervisory authority to broaden the scope of its investigation and issue a new draft decision - Judgment) [2025] EUECJ T-70/23 (29 January 2025)
URL: http://www.bailii.org/eu/cases/EUECJ/2025/T7023.html Cite as:
EU:T:2025:116,
[2025] EUECJ T-70/23,
ECLI:EU:T:2025:116
( Protection of personal data - Article 65(1)(a) of Regulation (EU) 2016/679 - Binding decision instructing a lead supervisory authority to broaden the scope of its investigation and issue a new draft decision - Competence of the European Data Protection Board )
In Joined Cases T‑70/23, T‑84/23 and T‑111/23,
Data Protection Commission, established in Dublin (Ireland), represented by D. Young, A. Bateman, R. Minch, M. Delargy, K. Donnelly, Solicitors, B. Kennelly, Senior Counsel, D. Fennelly, E. Synnott and R. Costello, Barristers-at-Law,
applicant,
v
European Data Protection Board, represented by I. Vereecken, C. Foglia and M. Gufflet, acting as Agents, and by G. Ryelandt, E. de Lophem and P. Vernet, lawyers,
defendant,
THE GENERAL COURT (Tenth Chamber, Extended Composition),
composed of O. Porchia, President, M. Jaeger, L. Madise (Rapporteur), P. Nihoul and S. Verschuur, Judges,
Registrar: M. Zwozdziak-Carbonne, Administrator,
having regard to the written part of the procedure,
further to the hearing on 16 April 2024,
gives the following
Judgment
1 By its actions under Article 263 TFEU, the applicant, the Data Protection Commission, which is the Irish supervisory authority for personal data protection, seeks annulment in part of Binding Decisions 3/2022, 4/2022 and 5/2022 of 5 December 2022 of the European Data Protection Board (‘the EDPB’) on the disputes between the supervisory authorities concerned arising from the Data Protection Commission’s draft decisions regarding, respectively, the social network Facebook, the social network Instagram and the messaging service WhatsApp, in so far as those binding decisions require it to carry out new investigations into the processing of data carried out in connection with the use of those applications and to issue new draft decisions on the basis of the results thereof.
Facts and proceedings
2 In 2018, three individuals living in Belgium, Germany and Austria, respectively, each lodged, through the non-profit association ‘NOYB – European Center for Digital Rights’, before the respective data protection supervisory authority of their place of residence, complaints against Facebook Ireland Ltd (which, in 2022, became Meta Platforms Ireland Ltd; ‘Meta’), regarding the processing of data in connection with the use of Facebook and Instagram, and against WhatsApp Ireland Ltd (‘WhatsApp’), regarding the processing of data in connection with the use of the messaging service WhatsApp.
3 Given the cross-border nature of the processing of personal data in connection with the use of those applications and the place of establishment of Meta and WhatsApp in Ireland, the applicant is the lead supervisory authority responsible for handling those complaints in accordance with Article 56(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1). Following the three investigations that it carried out, that authority submitted to the other supervisory authorities concerned, namely all the supervisory authorities of the Member States and other States party to the Agreement on the European Economic Area (EEA), three draft decisions, as provided for in Article 60(3) of Regulation 2016/679.
4 The complaints giving rise to the three procedures alleged possible infringements of several provisions of Regulation 2016/679, in particular Articles 6 and 9. Article 6(1) lists the alternative general conditions governing the lawfulness of processing personal data, while Article 9 specifically concerns the alternative conditions under which special categories of personal data, considered to be sensitive, such as data revealing opinions or beliefs, racial or ethnic origin, health or sexual orientation, may be processed. In its three draft decisions, the applicant considered, inter alia, that the complainants had failed to demonstrate that Meta and WhatsApp could not rely on one of the conditions laid down in Article 6(1) of Regulation 2016/679, namely the one referred to in Article 6(1)(b), which does not require the consent of the data subjects for the processing of their personal data, in order to justify the lawfulness of data processing carried out in connection with the use of the social networks Facebook and Instagram and the messaging service WhatsApp.
5 A number of the other supervisory authorities concerned raised objections to the applicant’s assessments, in particular as regards the targeted advertising which the users of the social networks Facebook and Instagram and the messaging service WhatsApp might be subjected to on the basis of their behaviour on those applications. Some supervisory authorities also drew attention to the fact that failure to obtain users’ consent for the processing of data coming within the scope of Article 9 of Regulation 2016/679 would result in an infringement of that provision and stressed that the applicant should broaden its investigations in order to determine whether and how Meta and WhatsApp processed such data.
6 Following discussions with the other supervisory authorities concerned, the applicant found that a consensus had not been reached in respect of the objections to its draft decisions and submitted the matter to the EDPB in the context of the consistency mechanism established in Regulation 2016/679, in accordance with Article 60(4) of that regulation.
7 Following the examination of the three files, the EDPB adopted Binding Decisions 3/2022, 4/2022 and 5/2022 on 5 December 2022 under Article 65(1)(a) of Regulation 2016/679. In those three binding decisions, the EDPB first of all took the view that most of the objections to the applicant’s draft decisions were relevant and reasoned, within the meaning of Article 4(24) of Regulation 2016/679, and that it was able to adopt a position on the issues which they raised. In that regard, the EDPB endorsed the merits of a number of those objections which it had considered relevant and reasoned.
8 In particular, the EDPB did not follow the applicant in its analysis that Meta and WhatsApp could, a priori, rely on Article 6(1)(b) of Regulation 2016/679 to justify the lawfulness of the data processing that they carried out in connection with the use of the three applications in question. Therefore, by the three Binding Decisions 3/2022, 4/2022 and 5/2022, it demanded that the applicant exclude from its final decisions the findings relating to that analysis, including, where appropriate, the finding that it was not necessary to have the users’ consent for the data processing carried out. By contrast it required it to find in its three final decisions certain infringements of Regulation 2016/679, in particular of Article 6(1), and to adopt corrective measures in respect of Meta and WhatsApp.
9 Furthermore, in its three binding decisions, the EDPB also endorsed the objections that it had considered relevant and reasoned relating to the excessively narrow scope of the analyses and investigations carried out by the applicant. In view of the removal of the findings referred to in paragraph 8 above, the issues raised by a number of the supervisory authorities concerned, in particular as regards the processing of data referred to in Article 9 of Regulation 2016/679, and the uncertainty highlighted by the complainants over what was done with those data, the EDPB decided, first, that the applicant had to carry out new investigations to determine whether the processing operations performed by Meta and WhatsApp related to those special categories of personal data and whether those companies complied in that regard with the relevant obligations laid down in Regulation 2016/679, and, second, that the applicant then had to issue new draft decisions in that regard in accordance with Article 60(3) of the same regulation, in addition to the three final decisions which it already had to adopt.
10 Thus, the second sentence in points 198 and 487 (summary operative part) of Binding Decision 3/2022 and in points 203 and 454 (summary operative part) of Binding Decision 4/2022 is worded as follows:
‘The EDPB decides that the [applicant] shall carry out a new investigation into [Meta’s] processing operations [with regard to its applications Facebook and Instagram] to determine if it processes special categories of personal data (Article 9 [of Regulation 2016/679]) and complies with the relevant obligations under [Regulation 2016/679], to the extent that this new investigation complements the findings made in [its final decisions] adopted on the basis of [these binding decisions], and based on the results of this investigation, issue a new draft decision in accordance with Article 60(3) [of Regulation 2016/679]’.
11 In points 222 and 326.8 (summary operative part) of Binding Decision 5/2022, the EDPB instructed the applicant, first, to carry out a new investigation in order to determine (i) whether the processing operations carried out by WhatsApp in the context of its WhatsApp messaging service relate to special categories of personal data, within the meaning of Article 9 of Regulation 2016/679, and whether they are used for targeted advertising based on user behaviour, marketing or the provision of metrics to third parties and the exchange of data with affiliated companies for the purpose of improving the service, and (ii) if WhatsApp complies in that regard with the obligations set out in Regulation 2016/679 and, second, to issue a new draft decision under Article 60(3) of that regulation.
12 In the present actions, lodged on 14, 17 and 24 February 2023, the applicant disputes the EDPB’s power to impose on it, in the context of binding decisions adopted under Article 65(1)(a) of Regulation 2016/679, the measures referred to in paragraphs 9 and 11 above.
13 Cases T‑70/23, T‑84/23 and T‑111/23 were joined by decision of 21 April 2023 of the President of the Tenth Chamber of the General Court.
14 By orders of 26 October 2023, Data Protection Commission v European Data Protection Board (T‑70/23, T‑84/23 and T‑111/23, not published, EU:T:2023:681), and of 26 October 2023, Data Protection Commission v European Data Protection Board (T‑70/23, T‑84/23 and T‑111/23, not published, EU:T:2023:683), the requests to intervene made by the European Data Protection Supervisor, those made by the three persons who lodged the complaints giving rise to the present cases and those made by Meta and WhatsApp were rejected.
– in Case T‑70/23, annul the second sentence of paragraphs 198 and 487 of EDPB Binding Decision 3/2022;
– in Case T‑84/23, annul the second sentence of paragraphs 203 and 454 of EDPB Binding Decision 4/2022;
– in Case T‑111/23, annul paragraphs 222 and 326.8 of EDPB Binding Decision 5/2022;
– in the three cases, order the EDPB to pay its costs.
16 The EDPB, in the three cases, contends that the Court should:
– dismiss the actions;
– in the alternative, limit the annulment of the contested decisions to the relevant parts thereof;
– order the applicant to pay the costs.
Law
17 In all three cases, the applicant puts forward a single plea in law, alleging that the EDPB exceeded the competence conferred on it by Article 65(1)(a) of Regulation 2016/679 by requiring it, in each of the binding decisions at issue, (i) to carry out a new investigation on aspects not yet examined, and (ii) to issue a new draft decision in accordance with Article 60(3) of that regulation on the basis of the results of that new investigation.
Preliminary observations
18 In its actions, as is apparent from its forms of order sought, the applicant does not dispute other instructions set out in Binding Decisions 3/2022, 4/2022 and 5/2022, but only those requiring it to broaden the scope of its investigations and to issue new draft decisions.
19 The EDPB relies on this to argue that the applicant does not challenge ‘any other parts’ of those decisions, and in particular does not challenge the assessment of the objections put forward by the supervisory authorities, which considered that the scope of the applicant’s investigations was too narrow and explicitly requested that those investigations be broadened, where appropriate. In its view, the classification of the objections as relevant and reasoned, within the meaning of Article 4(24) of Regulation 2016/679, in the three binding decisions should therefore be regarded as final. Arguments against that classification, put forward in the reply, in its view constitute a new plea submitted out of time and, if the General Court were to examine them, it would rule ultra petita. According to the EDPB, since Article 65(1)(a) of Regulation 2016/679 empowers it to take a binding decision on ‘all the matters which are the subject of [a] relevant and reasoned objection’, its competence cannot be called into question in the present actions. Following that logic, the EDPB addresses only in the alternative the question as to whether an objection by a supervisory authority to the scope of the investigation carried out by the lead supervisory authority may be classified as a relevant and reasoned objection, within the meaning of Article 4(24) of Regulation 2016/679.
20 However, those arguments of the EDPB are based on incorrect premisses. Although the applicant seeks only the annulment of the provisions instructing it to broaden the scope of its investigations and subsequently issue new draft decisions, and although it states that it seeks neither the annulment of the instructions to remove certain findings from its draft decisions, in particular the finding that it was not necessary to obtain the users’ consent for the data processing carried out, nor the annulment of considerations concerning the lack of diligence with which it allegedly dealt with the complaints giving rise to the procedures, which were not included in the operative parts of the binding decisions at issue, it expressly states in the three applications that it disputes the EDPB’s interpretation of Article 4(24) of Regulation 2016/679 concerning the concept of ‘relevant and reasoned objection’. In that regard, the sentences highlighted by the EDPB, which appear in the applications in the three cases and relate to aspects of the binding decisions which are not the subject of the actions, clearly refer, when read in context, only to the removal of findings from the draft decisions and to the considerations on the way in which the Irish supervisory authority dealt with the complaints referred to. The applications deal extensively with the scope of Article 4(24) of Regulation 2016/679 and the impossibility, according to the applicant, of raising a relevant and reasoned objection with regard to the scope of the investigation and the draft decision.
21 It should be added that the Court does not rule ultra petita by examining the applicant’s arguments challenging the classification of the objections which led to the adoption of the contested provisions as relevant and reasoned objections within the meaning of Article 4(24) of Regulation 2016/679, since that classification forms part of the grounds of those provisions, but does not itself constitute an independent part of the operative part of the binding decisions at issue, the annulment of which the applicant allegedly neglected to seek. In that regard, the applicant was entitled to confine itself to seeking the annulment of binding provisions of those decisions. Indeed, it has been consistently held that only the operative part of an act is capable of producing legal effects and, as a consequence, of adversely affecting the interests of those concerned. The assessments made in the grounds of an act are not in themselves capable of forming the subject of an action for annulment and may be subject to review by the Courts of the European Union only to the extent that they constitute the essential basis for the operative part of that act (see, to that effect, orders of 28 January 2004, Netherlands v Commission, C‑164/02, EU:C:2004:54, paragraph 21, and of 30 April 2007, EnBW Energie Baden-Württemberg v Commission, T‑387/04, EU:T:2007:117, paragraph 127 and the case-law cited). In principle, the enacting terms of an act are inextricably linked to the statement of reasons for them (see order of 30 April 2007, EnBW Energie Baden-Württemberg v Commission, T‑387/04, EU:T:2007:117, paragraph 127 and the case-law cited).
22 The EDPB also argues that not disputing the obligation referred to in paragraph 8 above to remove certain findings from its draft decisions (more specifically the obligation to remove Finding 1 from the draft decisions that are the subject of Binding Decisions 3/2022 and 4/2022, according to which Meta did not have to seek the consent of users in order to process their personal data in connection with the use of the applications Facebook and Instagram, an obligation signifying in essence that it is not established that Meta can dispense with obtaining consent from users to process those data) implies in itself that the applicant must broaden the investigations and that the instructions relating to those investigations cannot therefore be annulled.
23 However, even if the removal of the abovementioned findings meant that the applicant had to carry out an additional examination in order to learn more about the data processing carried out in connection with the use of the applications concerned and to determine whether Meta, as controller of those processing operations, fully complied with the obligations laid down in Regulation 2016/679 in respect of those operations, that does not imply that the EDPB had the power itself to impose such an examination and to specify its scope in the context of a binding decision adopted on the basis of Article 65(1)(a) of Regulation 2016/679. The applicant therefore has an interest in having the contested instructions annulled.
24 In those circumstances, the arguments referred to in paragraphs 19 and 22 above are unfounded.
The single plea in law alleging lack of competence on the part of the EDPB to adopt the contested provisions
25 In support of this plea in law, the applicant puts forward arguments relating to:
– the conditions for conferring competence on an EU body;
– the literal interpretation of Article 65(1)(a), Article 65(6) and Article 4(24) of Regulation 2016/679;
– the contextual interpretation of those provisions in the light of the procedures, provided for in Regulation 2016/679, for adopting the various decisions such as those at issue and of the powers conferred on the national supervisory authorities and national courts;
– the purposive interpretation of those provisions in the light of the ‘one-stop-shop’ mechanism used to scrutinise compliance with the obligations laid down in Regulation 2016/679, the desired effectiveness of that scrutiny, the cooperation and consistency mechanisms as well as the judicial review carried out at national level;
– the characteristics of the judicial review carried out at national level which it considers is appropriate for settling disputes concerning the scope of the investigations of a supervisory authority;
– the travaux préparatoires for the adoption of Regulation 2016/679, relating to the EDPB’s powers and to the scope of the relevant and reasoned objections which could trigger the EDPB’s intervention;
– the independence of the supervisory authorities responsible for personal data protection, required by Article 16(2) TFEU, Article 39 TEU and Article 8(3) of the Charter of Fundamental Rights of the European Union.
26 The applicant supports its single plea for annulment with numerous arguments intended to show that the EDPB lacked competence to adopt the contested provisions under Article 65(1)(a) of Regulation 2016/679. Those arguments therefore relate to the scope of that provision. To that end, the applicant relies, inter alia, on other provisions of that regulation, in particular Article 4(24) and Article 65(6).
27 Even if some of those other provisions were invoked at a later stage than that of the application, their invocation would come within the scope of arguments supplementing the single plea or, in other words, an amplification of that plea. Such invocation would therefore not be out of time in the light of Article 84(1) of the Rules of Procedure of the General Court, which provides that no new plea in law may be introduced in the course of proceedings unless it is based on matters of law or fact which have come to light in the course of the procedure (see, to that effect, judgments of 21 December 1954, Italy v High Authority, 2/54, EU:C:1954:8, p. 51, and of 15 December 2005, Italy v Commission, C‑66/02, EU:C:2005:768, paragraphs 85 to 89).
28 The EDPB is therefore wrong to maintain, in the rejoinder, that the applicant’s arguments based on Article 65(6) of Regulation 2016/679 are inadmissible on the ground that they were put forward out of time in the reply. Moreover, that provision is expressly referred to in each of the applications; first it is cited in the presentation of the legislative framework, and then the applicant uses it in a contextual demonstration, maintaining that the short period of one month laid down for the adoption of the lead supervisory authority’s final decision on the basis of the EDPB’s binding decision implies that that decision may relate only to aspects already addressed in the lead supervisory authority’s draft decision which, consequently, had already been the subject of an investigation at that stage. Therefore, the applicant was entitled, in any event, at the stage of the reply, to again rely on that provision in support of its literal interpretation of Article 65(1)(a) of Regulation 2016/679.
29 Nevertheless, it should be borne in mind that it is settled case-law that, in principle, for the purpose of interpreting a provision of EU law, it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it is part (see, to that effect, judgment of 29 November 2018, Mensing, C‑264/17, EU:C:2018:968, paragraph 24 and the case-law cited). In the present case, some of the applicant’s arguments are also based on considerations or principles drawn from beyond Regulation 2016/679 itself. The Court will therefore rule on the scope of the EDPB’s competence under Article 65(1)(a) of Regulation 2016/679 by examining, where necessary, first the applicant’s arguments put forward in the context of a literal, contextual, purposive and historical analysis of that regulation, then those relating to the conditions for conferral of competence on an EU body, the characteristics of the judicial review carried out at national level and the independence of the supervisory authorities responsible for the protection of personal data.
The arguments concerning the scope of the EDPB’s competence under Article 65(1)(a) of Regulation 2016/679 put forward in the context of a literal, contextual, purposive and historical analysis of that regulation
30 The applicant relies on the wording of Article 65(1)(a), Article 65(6) and Article 4(24) of Regulation 2016/679 in order to claim that the EDPB does not have the power to require, in a binding decision adopted under the first of those provisions, a lead supervisory authority to broaden its investigation and submit a new draft decision in order to draw conclusions from that additional investigation. It also relies to that effect on recitals 126 and 136 of that regulation.
31 Article 65(1)(a) of Regulation 2016/679 provides:
‘In order to ensure the correct and consistent application of this Regulation in individual cases, the [EDPB] shall adopt a binding decision … where … a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation.’
32 Article 4(24) of Regulation 2016/679 defines a relevant and reasoned objection as follows:
‘an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union’.
33 Article 65(6) of Regulation 2016/679 provides inter alia the following:
‘The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the [EDPB] has notified its decision. … The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the [EDPB] in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.’
34 According to the applicant, the three provisions cited in paragraphs 31 to 33 above limit the scope of a binding decision of the EDPB, adopted under Article 65(1)(a) of Regulation 2016/679, to the scope of the analyses carried out in the lead supervisory authority’s draft decision communicated to the other supervisory authorities concerned by the case file. Such a binding decision can only respond to a relevant and reasoned objection, which must relate to the content of the draft decision and not to what is not contained therein. The legal effect of the binding decision is limited to the amendments which, under Article 65(6) of that regulation, the competent supervisory authority must make, within one month of notification of that binding decision, in the final decision as compared to the draft decision. Thus, in the applicant’s view, the binding decision can relate only to the correct interpretation of Regulation 2016/679 with respect to what is contained in the lead supervisory authority’s draft decision; the provisions in question do not confer any power on the EDPB to issue instructions to that authority concerning another subject, for example, to oblige it to carry out an investigation or submit a new draft decision.
35 However, that reading is restrictive in the light of the wording of the provisions cited in paragraphs 31 to 33 above. It should be borne in mind that Article 4(24) of Regulation 2016/679 includes in the concept of ‘relevant and reasoned objection’ an ‘objection to a draft decision as to whether there is an infringement of this Regulation … which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects’. Although Article 65(1)(a) of Regulation 2016/679 provides that a binding decision adopted in that regard ‘shall concern all the matters which are the subject of the relevant and reasoned objection’, there is nothing to prevent such an objection from relating to the absence or inadequacy of analysis, in that draft decision of the lead supervisory authority, of an aspect of the case, which makes it impossible to know whether or not there is an infringement of that regulation as regards that aspect. The words ‘objection to a draft decision’ are not limited, contrary to what the applicant claims, to objections to the considerations set out in the draft decision. Consequently, since the EDPB’s binding decision must concern all matters which are the subject of relevant and reasoned objections, there is nothing to prevent, where the EDPB approves a relevant and reasoned objection relating to an absence or inadequacy of that nature, that decision from including an instruction to the lead supervisory authority to remedy that lack of analysis and, if it appears necessary in the light of the file before the EDPB, to deepen or broaden to that end the investigation carried out up to that point. If it appears that the case file is insufficient for the purpose of carrying out the required analysis in full, the EDPB must be able to require the lead supervisory authority to undertake further investigation.
36 It should also be noted that the wording of the three provisions cited in paragraphs 31 to 33 above, considered together, does not limit the scope of a binding decision solely to the immediate amendments to be made to the draft decision submitted by the lead supervisory authority with a view to adopting a final decision under the conditions set out in Article 65(6) of Regulation 2016/679, that is to say, solely to amendments relating to the content of the draft decision to the exclusion of what is not contained therein. In that regard, contrary to what the applicant claims, the latter provision seeks only to specify the detailed rules for the adoption of the final decision where that decision may immediately follow an EDPB binding decision, in particular where there is no need to resume an investigation or to carry out a broader or more in-depth analysis of certain aspects of the case. It is not a provision concerning the possible content of a binding decision, which is determined by the legal basis on which that decision is adopted, in the present case Article 65(1)(a) of Regulation 2016/679, which must itself be read in conjunction with Article 4(24) of that regulation as regards the definition of the concept of a ‘relevant and reasoned objection’. It must be pointed out, in that regard, that Article 65(1) of Regulation 2016/679 provides for various types of EDPB binding decisions which do not necessarily entail the subsequent and immediate adoption of a final decision of a supervisory authority.
37 Moreover, the applicant acknowledges, in the reply, that, in Regulation 2016/679, it is Article 4(24) which defines the substantive scope, in other words the possible content, of a binding decision of the EDPB adopted under Article 65(1)(a) of that regulation, even though it maintains that Article 65(6) of that regulation defines its legal effect. The latter assessment is incorrect. It is Article 65(2) of Regulation 2016/679 that defines the legal effect of a binding decision of the EDPB, by providing that such a decision is to be binding on the lead supervisory authority and all the supervisory authorities concerned. Thus, by stating that the final decision of the competent authority is to be adopted on the basis of the EDPB’s binding decision without undue delay and at the latest one month after the EDPB has notified its decision, Article 65(6) of Regulation 2016/679 does not define either the scope or the legal effect of a binding decision adopted on the basis of Article 65(1)(a) of that regulation, but has the sole purpose, as stated in paragraph 36 above, of specifying the detailed rules for the adoption of final decisions of the competent authorities where those decisions may be adopted immediately on the basis of an EDPB binding decision. In other words, once the applicant has admitted that the substantive scope of binding decisions, such as those at issue in the present case, results from one provision of Regulation 2016/679, namely Article 4(24), it cannot rely on another provision of that regulation, namely Article 65(6), which it claims is devoted to the legal effect of such decisions, in order to defend a more restrictive definition of that substantive scope.
38 The literal analysis undertaken in paragraphs 35 and 36 above of the three provisions cited in paragraphs 31 to 33 above cannot be invalidated by the wording of recitals 126 and 136 of Regulation 2016/679, contrary to what the applicant claims. Indeed, in the first of those recitals, by stating that ‘the decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned’, the legislature does not in any way exclude the matter of the scope of analysis that such a decision must cover in a particular case from the assessment of the supervisory authorities concerned other than the lead supervisory authority; rather the opposite is true, since ‘the decision’ takes its form not only from the assessments contained therein, but also from the scope of the matters which it covers. As a result, if the supervisory authorities concerned do not reach a consensus and the matter is referred to the EDPB, the wording of that recital does not preclude the EDPB from requiring the analysis and, if necessary, the investigation to be broadened. Similarly, recital 136 of Regulation 2016/679 states that the EDPB ‘should issue … legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation’. Contrary to what the applicant claims, the scope of the investigation is not a procedural matter but relates to the substance of the case, since it determines the extent of what must be examined in order to assess whether the data processing operation or operations at issue comply with Regulation 2016/679.
39 In that regard, another argument of the applicant, to the effect that the interpretation of the concept of ‘relevant and reasoned objection’ adopted in paragraph 35 above would give the EDPB the opportunity to issue directions to the lead supervisory authority concerning all the powers held by that authority, on the sole condition that the question raised by a supervisory authority concerned is classified as a relevant and reasoned objection in the sense thus accepted, may now be rejected. As stated in Article 4(24) of Regulation 2016/679, a relevant and reasoned objection to a draft decision of the lead supervisory authority may only relate to a matter concerning whether that regulation is complied with or whether the corrective measures envisaged in relation to the controller or processor are themselves compliant with it. Such an objection may therefore relate only to the substance of the case and to the final decision-making powers of the lead supervisory authority, provided in particular in Article 58(2) of that regulation, which also relate to the substance. As a result, such an objection cannot relate to the conduct of the investigation itself (as opposed to the scope of the investigation), which is based on the investigative powers of the supervisory authorities referred to in Article 58(1) of Regulation 2016/679.
40 The literal analysis of Article 65(1)(a) of Regulation 2016/679, carried out by taking into account the wording of Article 4(24), Article 65(6) and recitals 126 and 136 of that regulation, therefore supports the EDPB’s competence to adopt provisions, such as the contested provisions, instructing the applicant to carry out a new investigation into certain aspects of the files in question and then to adopt new draft decisions based on the results. It is necessary to examine whether the arguments put forward by the applicant in the context of its contextual and purposive interpretations of Regulation 2016/679 are such as to contradict the results of that initial analysis.
41 The applicant argues, first, in respect of a contextual interpretation, that the procedure for cooperation between the lead supervisory authority and the other supervisory authorities concerned, which is the subject of Article 60 of Regulation 2016/679, prevents the EDPB from requiring that the investigation be resumed. That ‘one-way’ procedure, delimited by a succession of short deadlines, does not permit a draft decision to be withdrawn so that the inquiry may be reopened to facilitate the investigation of a new matter. Accordingly, Article 60(5) of that regulation, which applies where the lead supervisory authority itself follows an objection by submitting an accordingly revised draft decision, provides for a period of only two weeks for the other supervisory authorities concerned to give their opinion on that revised draft decision by submitting, where appropriate, new objections. That suggests that a revised draft decision cannot include major amendments that would result from the broadening of the investigation. Similarly, Article 65(6) of that regulation grants the lead supervisory authority a period of one month to respond, in its final decision, to a binding decision of the EDPB, which shows that the EDPB cannot require the reopening of the investigation.
42 However, Article 60(5) and Article 65(6) of Regulation 2016/679 are not applicable where a new investigation or further analysis, to be presented to the supervisory authorities concerned, is needed; those provisions refer only to situations where the draft decision can immediately be amended on the basis of relevant and reasoned objections that are either directly accepted by the lead supervisory authority or endorsed by the EDPB in a binding decision.
43 In that regard, contrary to what the applicant maintains, the procedure for cooperation between supervisory authorities concerned by a case, described in Article 60 of Regulation 2016/679, which may involve triggering the consistency mechanism operated by the EDPB, provided for in Article 60(4), is not a ‘one-way’ procedure in which the stages always follow each other in the order of the provisions providing for them, without the possibility of returning to a previous stage or temporarily remaining at the same stage. Thus, for example, starting from the situation highlighted by the applicant, provided for in Article 60(5), in which the lead supervisory authority itself intended to follow the objections of other supervisory authorities concerned to its draft decision submitted under Article 60(3), and in which it submitted a revised draft decision to those authorities, the procedure may evolve in several ways. If those authorities do not object to the revised draft, the final decision(s) are then to be adopted directly in accordance with paragraphs 6 to 9 of that article. Otherwise, that is to say, where there are objections to the revised draft, if the lead supervisory authority accepts those objections in whole or in part, the phase provided for in Article 60(5) is repeated, requiring the lead supervisory authority to submit a new revised draft taking into account the objections it has accepted. If the lead supervisory authority does not accept all or some of the objections to the revised draft, it must, in accordance with Article 60(4), trigger the consistency mechanism by referring the matter to the EDPB on the basis of the most successful revised draft decision.
44 The EDPB provides in its defence another example illustrating that the procedure for cooperation between supervisory authorities concerned by a case, provided for in Article 60 of Regulation 2016/679, is not necessarily a ‘one-way’ system. Following objections from other supervisory authorities concerned to its draft decision submitted under Article 60(3), the lead supervisory authority may itself take the view that, instead of immediately submitting a revised draft decision or triggering the consistency mechanism, it is appropriate to go back and further investigate before resubmitting a draft decision under Article 60(3). The EDPB notes that the French supervisory authority did this in one case.
45 Similarly, where the EDPB intervenes under Article 60(4) and a binding decision is adopted, several situations are possible. If all relevant aspects of the case have been sufficiently addressed in the lead supervisory authority’s draft decision, the lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, may adopt, in accordance with Article 60(6) to (9), a final decision or decisions closing the case, taking into account in particular the binding decision of the EDPB. If, by contrast, the EDPB’s binding decision finds, following objections to that effect, that the draft decision of the lead supervisory authority does not address, or does not sufficiently address, all the relevant aspects of the case and, as the case may be, that a reopening of the investigation is therefore necessary, one or more partial final decision(s) may be adopted by the lead supervisory authority or by the supervisory authority to which the complaint was lodged, in accordance with the abovementioned provisions, but the lead supervisory authority must at the same time supplement its analysis, if necessary after conducting a new investigation, with a view to submitting, in accordance with Article 60(3), a new draft decision to the other supervisory authorities concerned.
46 The applicant puts forward a second argument in respect of the contextual interpretation to the effect that, read in the light of recital 141 of Regulation 2016/679, Article 57(1)(f) of that regulation, stating that the supervisory authority is to handle complaints and investigate their subject matter to the extent appropriate, demonstrates that the scope of the investigation to be conducted following a complaint comes within the discretion of the national supervisory authorities, subject only to national judicial review.
47 Recital 141 of Regulation 2016/679 states inter alia the following:
‘Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy … if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. …’
48 Article 57(1)(f) of Regulation 2016/679 and the considerations relied on by the applicant do not, however, exclude the question of the appropriateness of the scope of the investigation from the mechanism of cooperation between supervisory authorities concerned and the consistency mechanism operated by the EDPB.
49 Article 57 of Regulation 2016/679, which concerns the tasks of the supervisory authorities, provides as the first task, in paragraph 1(a) of that article, the task of monitoring and enforcing the application of that regulation. Therefore, contrary to what the applicant stated in essence at the hearing, the analysis of the conditions under which the processing of personal data is carried out and of its conformity with that regulation does not have to be limited to what is highlighted in the complaint made.
50 Above all, fully carrying out the tasks provided for in Article 57(1)(a) and (f) of Regulation 2016/679 of enforcing the application of that regulation and handling complaints to the extent appropriate involves adopting an appropriate scope of analysis of the file in the light of the complaint that gave rise to it, but also in the light of other factors which may supplement it. Where the processing of personal data in question is cross-border, that analysis must lead to the adoption of decisions which are the subject of the cooperation procedure provided for in Article 60 of that regulation. In the context of that procedure, the criterion to be satisfied in order for a matter to be the subject of an EDPB binding decision, adopted under Article 65(1)(a) of that regulation, is that it has given rise to a relevant and reasoned objection, as defined in Article 4(24) of that regulation. The relevant and reasoned objection, according to its definition, relates to aspects the analysis of which comes within the scope of the two abovementioned tasks. As a result, the fact that a relevant and reasoned objection concerns the scope of the analysis and, where applicable, the scope of the investigation and that the EDPB follows that objection in no way undermines those tasks. Furthermore, the fact that interim decisions of supervisory authorities following a complaint may be the subject of an action before the national courts does not prevent the draft decision of the lead supervisory authority from itself being subject, within the substantive limits assigned to the consistency mechanism established in Regulation 2016/679, to review by the EDPB.
51 The applicant’s arguments put forward in respect of the contextual interpretation do not therefore support its position on the EDPB’s lack of competence to adopt the contested provisions.
52 On the contrary, the general context of the obligation of cooperation between the supervisory authorities concerned by a case, enshrined in Regulation 2016/679, confirms the EDPB’s competence in that regard. Article 60(1) of that regulation provides that ‘the lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus.’ Article 60(3) of the same regulation states that ‘the lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned’ and that it ‘shall without delay submit a draft decision [to them] for their opinion and take due account of their views’.
53 It follows that the cooperation between the supervisory authorities concerned relates in particular to the analysis of the case as a whole and to the preparation of the decision, and that the lead supervisory authority must seek the agreement of the other supervisory authorities concerned in that regard. There is nothing in the abovementioned provisions that makes it possible to exclude from that cooperation obligation the question of the scope of the analysis to be carried out or, where appropriate, the question of the scope of the preliminary investigation to be conducted. In the judgment of 15 June 2021, Facebook Ireland and Others (C‑645/19, EU:C:2021:483, paragraphs 63 and 64), the Court noted the indispensable nature of dialogue and sincere and effective cooperation between supervisory authorities concerned by a case.
54 It follows from paragraphs 41 to 53 above that an examination of the context resulting from the provisions of Regulation 2016/679 confirms the literal analysis carried out above.
55 On the basis of a purposive interpretation, the applicant submits, first of all, that recognising that the EDPB has the power to direct a lead supervisory authority to issue a new draft decision and broaden the scope of its investigation beforehand for that purpose is not consistent with the ‘one-stop-shop’ mechanism that was intended by the legislature when it adopted Regulation 2016/679. The establishment of a sole supervisory authority for the persons concerned aimed in particular to avoid superfluous costs and excessive inconveniences for them, as stated in recital 129 of Regulation 2016/679. Reopening an inquiry on the ground of a mere disagreement between supervisory authorities would disregard that objective by obliging the complainants and respondent undertakings to undergo a reopening of the investigation, with attendant costs and inconveniences, when that phase should have been completed.
56 However, without it being necessary to rule on the legislature’s intentions, it is sufficient to note that a one-stop shop meets an objective of procedural simplification that cannot take precedence over the essential objective of Regulation 2016/679, which is to ensure compliance with the fundamental right of natural persons to the protection of their personal data. Recital 1 of that regulation states in that regard that Article 8(1) of the Charter of Fundamental Rights and Article 16(1) TFEU provide that everyone has the right to the protection of personal data concerning him or her. A broadening of the investigation, necessarily requested by at least half of the supervisory authorities within the framework of the EDPB, does not, contrary to what the applicant claims, complicate the task of the person who lodged a complaint or that of the controller concerned by that complaint, but constitutes a measure to defend their respective rights. Moreover, the disadvantages referred to by the applicant can be avoided if the lead supervisory authority carries out an investigation and analysis covering from the outset all the aspects required to draw up a complete final decision regarding the case in question.
57 The applicant’s argument that the reopening of an investigation delays reaching consensus on the matters already investigated and determined must also be rejected.
58 In such a situation the competent authority must, on the contrary, as indeed the applicant did in the present case, adopt a final decision on the substantive aspects that have been investigated and determined following an EDPB binding decision within the period provided for in Article 65(6) of Regulation 2016/679. This does not prevent it from carrying out an additional investigation and analysing those aspects of the case that have not yet been examined.
59 The applicant further claims that the EDPB’s lack of involvement in determining the scope of analysis required for a particular case, which is an interim or procedural matter, does not prevent the cooperation mechanism between supervisory authorities from functioning.
60 However, the cooperation mechanism reaches its limits where consensus cannot be reached between the supervisory authorities concerned. It is in that situation, expressly provided for in Article 60(4) of Regulation 2016/679, that the matter in respect of which consensus has not been reached must be submitted by the lead supervisory authority to the consistency mechanism, which results in an EDPB binding decision, as stated in that provision.
61 Lastly, the applicant argues that such a lack of consensus is resolved by recourse to judicial review in the national courts. It notes that Article 58(4) and recital 141 of Regulation 2016/679 state that the investigation is subject to effective judicial review.
62 It is true that, if the EDPB was unable to resolve a problem relating to the scope of the analysis carried out by the lead supervisory authority, the national court could intervene in that regard. However, Regulation 2016/679 provides that issues raised in the context of a relevant and reasoned objection by a supervisory authority concerned, within the meaning of Article 4(24) of that regulation, are to be dealt with within the framework of the cooperation mechanism and, where appropriate, the consistency mechanism, between supervisory authorities. However, as examined above, an issue concerning the scope of the analysis and, where appropriate, the investigation carried out by the lead supervisory authority may give rise to a relevant and reasoned objection in the aforementioned sense. Consequently, the possibility of referring an issue of that nature to the national court, which, moreover, would not necessarily be easy for a complainant residing in a State other than that of the lead supervisory authority, cannot mean that persistent disagreements between the supervisory authorities concerned on matters that have been the subject of relevant and reasoned objections cannot be resolved within the EDPB.
63 It follows from paragraphs 55 to 62 above that an examination of the objectives of Regulation 2016/679 also confirms the literal analysis carried out above.
64 Since, according to the assessment carried out above, the literal analysis of Article 65(1)(a) of Regulation No 2016/679, read in conjunction with Article 4(24) of that regulation, and the contextual and purposive analyses also carried out indicate that the EDPB has competence to adopt the contested provisions, it is not necessary to take account of the origins of that regulation through its travaux préparatoires, as the applicant claims, or to rule on the arguments put forward by the applicant and the EDPB, which are contradictory in that regard (see, to that effect, judgment of 9 March 2010, Commission v Germany, C‑518/07, EU:C:2010:125, paragraph 29). Moreover, those arguments are supported by very little evidence, in particular in the light of the provisions of Article 72(3) of the Rules of Procedure, which provides that ‘to every procedural document there shall be annexed the material relied on in support of it’.
The arguments relating to the conditions for conferring powers on an EU body, the characteristics of the judicial review carried out at national level and the independence of the supervisory authorities responsible for the protection of personal data
65 In the first place, the applicant submits, in essence, that the principles governing the conferral of powers on an EU body do not permit an interpretation of Regulation 2016/679 in the sense identified by the earlier analyses, namely the sense in which it confers the contested competence on the EDPB.
66 The applicant refers to Article 5 TEU to point out that the European Union may act only within the limits of the competences conferred on it. This principle applies to EU institutions and bodies, such as the EDPB. The latter are, moreover, subject to the ‘Meroni doctrine’ resulting from the judgment of 13 June 1958, Meroni v High Authority (9/56, EU:C:1958:7), which is applicable to EU bodies as the Court of Justice held in relation to the European Securities and Markets Authority (ESMA) in the judgment of 22 January 2014, United Kingdom v Parliament and Council (C‑270/12, EU:C:2014:18, paragraphs 53 and 54). That doctrine requires that the powers of the EU bodies be precisely delineated and amenable to judicial review in the light of the objectives set for the body concerned. In particular, in paragraph 45 of the second abovementioned judgment, it was found that the power of ESMA that was discussed in that case, which was ultimately confirmed by the Court of Justice, was circumscribed by various conditions and criteria which limit ESMA’s discretion. In the judgment of 15 July 2021, FBF (C‑911/19, EU:C:2021:599, paragraphs 67 and 75), concerning the European Banking Authority (EBA), the Court of Justice stated that a power of an EU body had to be expressly provided for by the legislature and that judicial review of that power had to be stringent.
67 Those principles applied in the case-law indeed concern the EDPB, which was established as an EU body in Article 68 of Regulation 2016/679.
68 It must therefore first of all be ascertained whether the interpretation adopted earlier in the present judgment permits the inference that the exercise of the EDPB’s power, when it requires a lead supervisory authority to broaden its analysis and, where appropriate, its investigation, ‘is circumscribed by various conditions and criteria which limit [its] discretion’, as the Court held with regard to the power of ESMA that was challenged in the case giving rise to the judgment of 22 January 2014, United Kingdom v Parliament and Council (C‑270/12, EU:C:2014:18).
69 In that regard, as is apparent from Article 65(1)(a) of Regulation 2016/679, read in conjunction with Article 4(24) of that regulation, that power to require a lead supervisory authority to broaden its analysis and, where appropriate, its investigation may be used only following the formulation, by a supervisory authority concerned, of a relevant and reasoned objection to the lead supervisory authority’s draft decision on the case in question, relating to failure to analyse an aspect of ‘whether there is an infringement of … Regulation [2016/679], or whether envisaged action in relation to the controller or processor complies with [that] Regulation’ and which ‘clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union’.
70 In addition, under Article 65(2) and (3) of Regulation 2016/679, the implementation of the abovementioned power presupposes that, within the EDPB, a two-thirds majority, or at least half of its members in certain circumstances, including, where the vote is split, the Chair of the Board, have, in essence, approved that relevant and reasoned objection and the action to be taken on it. A significant number of supervisory authorities must therefore confirm the lack or insufficiency of analysis of an important aspect of the case in question and agree on the action to be taken by the lead supervisory authority in order to remedy that failure. Account must be taken in that regard of the fact that the EDPB is itself composed of a large number of independent authorities specialising in the matter and, consequently, of the fact that a majority opinion of those authorities within it provides guarantees as to the exercise of that power. Furthermore, although the concept of ‘relevant and reasoned objection’, referred to in paragraph 69 above, does indeed leave room for discretion, in particular in determining whether there is an infringement of Regulation 2016/679 by the controller or processor concerned or whether a particular aspect needs to be examined in order to find out, those matters nevertheless all relate to specific legal rules set out in that regulation, as a result of which a ‘broad discretion’ cannot be exercised.
71 In summary, as regards the question of the scope of the EDPB’s power, which is disputed by the applicant, it must thus be held, first, that that power is exercised only in the event of a clearly identified shortcoming in the analysis undertaken by the lead supervisory authority in its handling of the case which may have significant consequences, as is apparent from the definition of a relevant and reasoned objection set out in Article 4(24) of Regulation 2016/679, and, second, that that power results from the collective assessment of the supervisory authorities comprising the EDPB that takes place in the circumstances set out in paragraph 70 above.
72 As regards the question whether the power at issue is ‘explicitly’ provided for by the legislature, it must be pointed out that the adverb ‘explicitly’ and the adverbs ‘expressly’ and ‘clearly’, which are synonyms and which refer respectively to the adjectives ‘explicit’, ‘express’ and ‘clear’, mean that there is no doubt as to the scope of what is expressed. It follows from the above literal, contextual and purposive interpretations that there is no doubt that the EDPB has the contested competence and therefore that it is expressly provided for by the legislature. It may be observed that, in the judgment of 15 July 2021, FBF (C‑911/19, EU:C:2021:599), which concerned the EBA, in dispute was that authority’s competence to adopt its guidelines concerning ‘product oversight and governance arrangements for retail banking products’. None of the texts applicable to that authority explicitly stated that it could adopt guidelines in that regard. It was by means of an overall analysis of those texts, that is to say, of the regulation establishing the EBA, which provided in general terms for its competence to adopt guidelines for certain purposes, and of various directives concerning financial institutions and products, that the Court of Justice held that the contested guidelines came within that competence.
73 In addition, it must be noted that the exercise of the EDPB’s power to require a lead supervisory authority to broaden its analysis and, if necessary, its investigation is indeed subject to judicial review. It is true that, in the present case, the applicant chose to challenge the contested provisions solely on the ground that the EDPB lacked competence, without calling into question the actual assessment made by the EDPB of the objections raised by certain supervisory authorities with regard to its draft decisions, which led to the adoption of those provisions. However, within the limits of the pleas relied on before them, the Courts of the European Union are able to review the substantive legality of such provisions in the light of the circumstances of the case. In particular, it is open to them, first, to verify whether the EDPB, by adopting provisions of that nature, did indeed act on a relevant and reasoned objection by a supervisory authority, within the meaning of Article 4(24) of Regulation 2016/679. It is open to them, second, to examine the legality of the very substance of such provisions giving instructions to the supervisory authorities.
74 Such a type of judicial review is ‘stringent’, in the sense used in the judgment of 15 July 2021, FBF (C‑911/19, EU:C:2021:599, paragraph 67). The court with jurisdiction to rule on legality is, in general, bound by its mandate and by the rules of procedure and its review is necessarily stringent if it fully fulfils its mandate in the context of those rules. On the substantive issues, it is in accordance with the margin of discretion which the author of the contested act has, or does not have, that the court with jurisdiction to rule on legality exercises a normal review (in principle as regards legal aspects, the establishment of facts and cases of circumscribed powers) or a limited review (in principle over complex technical aspects or where the authority has a margin of discretion, in which cases the court penalises only manifest error of assessment) (see, to that effect and by analogy, as regards the review by the national courts of the decisions of the national authorities on the protection of personal data, judgment of 7 December 2023, SCHUFA Holding (Discharge from remaining debts), C‑26/22 and C‑64/22, EU:C:2023:958, paragraphs 68 and 69).
75 It follows from paragraphs 67 to 74 above that the conditions for conferring competence on an EU body do not oppose the analysis carried out earlier in the present judgment.
76 In the second place, the applicant puts forward various reasons in order to demonstrate that the national courts are the ‘appropriate forum’ to deal with disputes related to the investigation, that is to say, that they are best placed to do so.
77 However, as set out in paragraph 62 above, the EU legislature decided that persistent disagreements between the supervisory authorities concerned relating to the scope of the analysis of a case and, where appropriate, to the scope of the investigation conducted in respect of that case should be arbitrated in the context of the consistency mechanism within the EDPB. As a result, the applicant’s arguments seeking to demonstrate that the national courts are the ‘appropriate forum’ for dealing with disputes linked to the investigation are ineffective.
78 It must be added, in so far as both the national court and the EDPB may be called upon to adopt a position on the scope of the analysis and the investigation, that, within the scope of the competition rules laid down in Articles 101 and 102 TFEU, where responsibilities are also shared between the national level and the EU level for the implementation of an EU policy, a number of principles have been identified in the case-law of the Court of Justice in order to coordinate the actions of the national courts and the EU entity responsible for ensuring consistency in the application of the policy in question, namely the Commission (judgments of 28 February 1991, Delimitis, C‑234/89, EU:C:1991:91, and of 14 December 2000, Masterfoods and HB, C‑344/98, EU:C:2000:689). While it cannot be ruled out that, in accordance with those principles, a national court may consider it preferable to stay the proceedings pending a decision of the competent EU entity or that it may, where that decision has been taken, be bound by it, unless it doubts its validity and asks the Court of Justice for a preliminary ruling on the matter, those situations are inherent in such a division of responsibilities and in the need to ensure that the policy in question is applied consistently throughout the European Union.
79 It must also be added that, contrary to what the applicant claims in the third place, an EDPB binding decision, adopted under Article 65(1)(a) of Regulation 2016/679, requiring the applicant to broaden its analysis and its investigation does not call into question its ability to prioritise the performance of its various tasks as an independent authority, which is for the national court alone to review. Nor does it call into question, more generally, its independence enshrined in Article 39 TEU, Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights.
80 Indeed, if the lead supervisory authority has to supplement its analysis and investigation in respect of a case, on its own initiative, at the stage of cooperation between the supervisory authorities concerned following interventions to that effect by its counterparts, or following an EDPB binding decision, it is not obliged to do so without delay, as a priority over its other tasks. It may, for example, announce that a first draft decision or an initial decision adopted by it addresses only some of the issues arising from the case in question and that it will subsequently continue its analysis and investigation.
81 It is only in the circumstances provided for in Article 66 of Regulation 2016/679, where another supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, that an urgent binding decision of the EDPB may oblige the lead supervisory authority to review without delay the order of its priorities in order to deal with a case. The legislature therefore provided for that possibility in exceptional cases only. Indeed, Binding Decisions 3/2022, 4/2022 and 5/2022 were not adopted on the basis of Article 66 and, consequently, they did not impose on the applicant an order of priority between its various tasks.
82 Moreover, the provisions of primary law relied on by the applicant do not imply that the authorities of the Member States having primary responsibility for ensuring that the rules on the protection of personal data are applied have absolute independence, in the sense of the absence of any scrutiny. Those provisions merely state that the monitoring of compliance with those rules is entrusted to independent authorities, which therefore in no way precludes a system of mutual scrutiny between independent authorities, such as the cooperation and consistency mechanisms provided for in Regulation 2016/679, or, of course, judicial review of the decisions adopted by the various authorities involved. What is important is that the bodies scrutinising the supervisory bodies should themselves be independent. This is the case with the EDPB, as it is composed of the supervisory authorities of the Member States and the European Data Protection Supervisor, which is itself an independent authority vis-à-vis the EU institutions and other entities under its supervision.
83 It follows from all of the foregoing that the single plea in law alleging lack of competence on the part of the EDPB must be rejected and, consequently, the actions in Cases T‑70/23, T‑84/23 and T‑111/23 must be dismissed.
Costs
84 Under Article 134(1) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Since the applicant has been unsuccessful, it must be ordered to pay the costs, in accordance with the form of order sought by EDPB.
On those grounds,
THE GENERAL COURT (Tenth Chamber, Extended Composition)
hereby:
1. Dismisses the actions in Cases T‑70/23, T‑84/23 and T‑111/23;
2. Orders the Data Protection Commission to pay the costs.
Porchia
Jaeger
Madise
Nihoul
Verschuur
Delivered in open court in Luxembourg on 29 January 2025.
