ARTICLE
7 February 2025

CJEU Upholds EDPB's Authority To Order Broader Investigations In Cross-Border Cases

KG
K&L Gates LLP

Contributor

K&L Gates LLP logo
At K&L Gates, we foster an inclusive and collaborative environment across our fully integrated global platform that enables us to diligently combine the knowledge and expertise of our lawyers and policy professionals to create teams that provide exceptional client solutions. With offices spanning across five continents, we represent leading global corporations in every major industry, capital markets participants, and ambitious middle-market and emerging growth companies. Our lawyers also serve public sector entities, educational institutions, philanthropic organizations, and individuals. We are leaders in legal issues related to industries critical to the economies of both the developed and developing worlds—including technology, manufacturing, financial services, health care, energy, and more.
Explore Firm Details
In a landmark judgment delivered on 29 January 2025, the General Court of the European Union has affirmed the European Data Protection Board‘s (EDPB) authority to require national...
European Union Intellectual Property
Claude-Étienne Armingaud and Josefine Beil

In a landmark judgment delivered on 29 January 2025, the General Court of the European Union has affirmed the European Data Protection Board's (EDPB) authority to require national supervisory authorities to broaden their investigations in cross-border data protection cases.

The case arose from the Irish Data Protection Commission's (DPC) challenge to three EDPB binding decisions concerning Meta's data processing practices for Facebook, Instagram, and WhatsApp. The EDPB had instructed the DPC to conduct new investigations into Meta's processing of special categories of personal data and issue new draft decisions.

The Court's ruling emphasizes that the EDPB's power to order broader investigations is subject to specific safeguards. Such orders can only be issued following a "relevant and reasoned objection" from another supervisory authority that demonstrates significant risks to data subjects' rights. Additionally, these decisions require approval from a two-thirds majority of EDPB members.

Notably, the Court rejected the DPC's argument that this authority undermines national supervisory authorities' independence. Instead, it found that the EDPB's role supports the consistent application of the GDPR across the EU while respecting national authorities' operational autonomy in conducting investigations.

This decision reinforces the EDPB's role as a central authority in ensuring comprehensive data protection investigations, particularly in cases involving major tech platforms. It clarifies that while the one-stop-shop mechanism aims for procedural efficiency, this cannot override the fundamental right to data protection.

The ruling sets a significant precedent for future cross-border enforcement actions, emphasizing that national supervisory authorities must be prepared to expand their investigations when legitimate concerns are raised by their counterparts in other EU member states.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Claude-Étienne Armingaud
Claude-Étienne Armingaud
Person photo placeholder
Josefine Beil
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More