The Battle for the Soul of the GDPR: Clashing Decisions of Supervisory Authorities Highlight Potential Limits of Procedural Data Protection

107 Minnesota Law Review Headnotes 167 (2023)

30 Pages Posted: 12 May 2023

See all articles by Jordan Francis

Jordan Francis

Washington University in St. Louis - The Cordell Institute for Policy in Medicine & Law

Date Written: April 28, 2023

Abstract

For privacy professionals, 2023 got off to a big start as the Irish Data Protection Commission (DPC) announced €390 million in fines against Meta Platforms Ireland Limited (“Meta”) for General Data Protection Regulation (GDPR) violations by its services Facebook and Instagram. Meta is no stranger to GDPR enforcement, having accumulated over €1 billion in fines over the last year alone, but these two decisions are notable for more than just the size of their fines.

Meta has announced plans to appeal these decisions concerning Facebook and Instagram, and privacy professionals around the globe should wait with bated breath as this process plays out. The future of behavioral advertising is murky, and there are many different ways this situation could yet unfold. It remains to be seen whether these decisions will stand and how Meta will respond. But the substance of the decisions and the conceptual differences underlying the divergent views of regulators make this nothing less than a battle for the soul of the GDPR.

This Essay proceeds in three parts. Focusing on the aspects of the decisions concerning the lawfulness of the data processing in question, Part I briefly explains key GDPR concepts such as lawful bases and the Article 65 dispute resolution process. Part II then walks through the portions of the Instagram decision concerning whether Meta could rely on performance of a contract as the lawful basis for the delivery of behavioral ads, examining how the DPC and EDPB each analyzed the relevant issues. Finally, Part III contrasts the differing ideological approaches of the DPC and EDPB and explores the implications of this growing rift, arguing that the EDPB’s embrace of substantive principles such as relational vulnerability further the GDPR’s objectives and should serve as a guide for US policymakers.

Keywords: GDPR, EDPB, privacy, data, data protection, relational vulnerability

Suggested Citation

Francis, Jordan, The Battle for the Soul of the GDPR: Clashing Decisions of Supervisory Authorities Highlight Potential Limits of Procedural Data Protection (April 28, 2023). 107 Minnesota Law Review Headnotes 167 (2023), Available at SSRN: https://ssrn.com/abstract=4432665

Jordan Francis (Contact Author)

Washington University in St. Louis - The Cordell Institute for Policy in Medicine & Law ( email )

One Brookings Drive
Campus Box 1208
Saint Louis, MO MO 63130-4899
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
99
Abstract Views
308
Rank
482,506
PlumX Metrics