The Battle for the Soul of the GDPR: Clashing Decisions of Supervisory Authorities Highlight Potential Limits of Procedural Data Protection

By Jordan Francis. Full Text.

For privacy professionals, 2023 got off to a big start as the Irish Data Protection Commission (DPC) announced €390 million in fines against Meta Platforms Ireland Limited (“Meta”) for General Data Protection Regulation (GDPR) violations by its services Facebook and Instagram. Meta is no stranger to GDPR enforcement, having accumulated over €1 billion in fines over the last year alone, but these two decisions are notable for more than just the size of their fines.

Meta has announced plans to appeal these decisions concerning Facebook and Instagram, and privacy professionals around the globe should wait with bated breath as this process plays out. The future of behavioral advertising is murky, and there are many different ways this situation could yet unfold. It remains to be seen whether these decisions will stand and how Meta will respond. But the substance of the decisions and the conceptual differences underlying the divergent views of regulators make this nothing less than a battle for the soul of the GDPR.

This Essay proceeds in three parts. Focusing on the aspects of the decisions concerning the lawfulness of the data processing in question, Part I briefly explains key GDPR concepts such as lawful bases and the Article 65 dispute resolution process. Part II then walks through the portions of the Instagram decision concerning whether Meta could rely on performance of a contract as the lawful basis for the delivery of behavioral ads, examining how the DPC and EDPB each analyzed the relevant issues. Finally, Part III contrasts the differing ideological approaches of the DPC and EDPB and explores the implications of this growing rift, arguing that the EDPB’s embrace of substantive principles such as relational vulnerability further the GDPR’s objectives and should serve as a guide for US policymakers.