Meta’s challenge to DPC draft decision fails
The High Court has rejected a challenge by Facebook owner Meta to a preliminary draft decision by the data-protection watchdog that would impose fines of up to €430 million on the technology giant.
The draft decision by the Data Protection Commission (DPC) signalled that it had found Meta to be in breach of GDPR rules. It also included a compliance order affecting Meta’s general data-access practices.
The DPC inquiry came after a complaint made by an individual in 2018 about Facebook’s failure to give him access to his personal data on its ‘Hive’ data warehouse.
Meta had challenged the preliminary findings, arguing that the DPC had unlawfully expanded the inquiry, after the investigation stage had concluded, into a systemic, EEA-wide assessment.
The social-media firm contended that by doing so, the watchdog effectively converted the probe into an ‘own-volition inquiry’, thereby exceeding its powers under the GDPR and the Data Protection Act 2018.
‘Wide powers’
In her judgment, however, Ms Justice Siobhán Phelan found that Meta’s argument that the DPC draft decision was ultra vires was not borne out by the legislative framework.
She referred to articles 57 and 58 of the GDPR, which conferred “wide investigative and corrective powers – including the obligation to investigate complaints ‘to the extent appropriate’ and to take measures necessary to ensure compliance”.
Ms Justice Phelan said that these provisions did not differentiate between complaint-based and own-volition inquiries in terms of the extent of powers of investigation or the nature of corrective measures available.
She added that there was nothing in article 77 of the GDPR or in the 2018 act that prevented a single-user complaint from raising systemic issues, provided the complainant was personally affected.
‘Systemic deficiencies’
The judge found that a data regulator was required to consider corrective measures where a GDPR infringement was found.
“These powers are not confined to addressing the individual complainant’s position but may extend to systemic deficiencies identified during the inquiry,” she added.
Ms Justice Phelan found that “there has been no impermissible extension of the process from an individual-complaint process to an own-volition process and no breach of rights of fair procedures”.
Meta ‘on notice from outset’
She added that Meta had been “on notice from the outset” that corrective measures were possible and were not confined to the individual complainant.
Correspondence during the probe, the judge stated, had “repeatedly signalled” that the commission retained the full scope of its powers.
“The statutory framework under the GDPR and the 2018 act clearly empowers, and indeed obliges, the commission to consider the full range of corrective measures, including those of general application and administrative fines, once an infringement is identified,” she concluded.