[Note: I changed my newsletter’s address to EUTechReg.com, hoping it will be easier to remember than my difficult surname.]
Just as we learn that the European Commission’s “GDPR reform” plan is likely to be a performative window-dressing exercise, the EU General Court again denied direct judicial review of a privacy-fundamentalist guidance document from the European Data Protection Board (EDPB) on “pay or OK.” The EDPB is acting like an unaccountable legislator, issuing theoretically non-binding guidance, which easily becomes the law in action. This occurs even when the guidance extends EU data protection law beyond its intended scope, driven by ideological extremism.
In Case T-319/24, Meta Platforms Ireland v EDPB, Meta challenged the EDPB's Opinion 8/2024 on “pay or OK” (see also my comments here). In its decision, the General Court noted that
“although, as Meta observes, the contested opinion uses words such as ‘should’, ‘should not’ and ‘in most cases’, the passages containing such wording, read in the light of the document as a whole, appear to be calling for an in-depth consideration... rather than censuring ‘consent or pay’ models across the board.”
The central problem is this: the General Court rejected Meta's case because the EDPB's Opinion was considered non-binding and lacked direct legal consequences for Meta. Consequently, the EDPB can issue highly detailed “non-binding” documents filled with mandatory language that significantly influence market behavior and national DPA enforcement, but these pronouncements avoid direct EU judicial scrutiny. This leaves businesses in a precarious situation where “guidance” effectively operates as law, yet lacks the oversight inherent in formal law-making.
Contrast this with Advocate General Ćapeta's recent opinion in Case C-97/23 P, WhatsApp/EDPB. Here, the AG took a refreshingly pragmatic approach to the EDPB's binding decisions under Article 65 GDPR. She recommended that the Court of Justice find WhatsApp's action for annulment against such a decision admissible. Her reasoning was that Article 65 decisions are legally binding on national supervisory authorities and directly impact the legal position of companies like WhatsApp, leaving the national authority no discretion regarding the EDPB's findings.
If the CJEU follows AG Ćapeta, it would indeed be a step towards accountability, allowing direct challenges to the EDPB's formal, binding directives. This would be a welcome development, potentially accelerating legal clarification and forcing the EDPB to be more rigorous when it issues these powerful Article 65 decisions.
AG Ćapeta's reasonable stance on binding decisions highlights the problem with “non-binding” guidance. While labeled as such, EDPB interpretations and recommendations are often treated as mandatory by national DPAs and carry significant weight for businesses. However, as the Meta v EDPB case illustrates, their “non-binding” status may shield these influential instruments from direct EU judicial review, creating an accountability loophole (any indirect review that may eventually happen is likely to be too little, too late).
This is quasi-legislation without accountability, transparency, and adequate judicial control. The EDPB, a body of regulators, effectively makes law through the back door, pushing its maximalist interpretations of data protection law without the checks and balances inherent in a proper legislative or even a fully reviewable administrative process. The “pay or OK” opinion is a prime example, where the EDPB heavily suggested that large online platforms should consider providing users with an “equivalent alternative” that does not entail payment of a fee, a significant market intervention not mandated by the GDPR. The same goes for the opinion on AI models, which I criticised as an example of privacy myopia, a structural problem of GDPR enforcement.
This situation is untenable and cries out for GDPR reform. As I argued, we need a system that reins in the EDPB's tendency towards privacy fundamentalism and that allows for independent review of all the past guidance. The GDPR was not meant to put two rights—privacy and data protection—above all other rights and vital interests of Europeans. The EDPB has proven institutionally incapable of adhering to this fundamental feature of EU law.
AG Ćapeta's opinion, if followed, might plug one hole in the dam of EDPB accountability. But the Meta v EDPB case shows that other significant leaks remain, allowing the EDPB's influence to flood the regulatory landscape unchecked. It's time to rebuild the dam. It's time for GDPR reform that ensures the rule of law applies as much to the regulators as it does to the regulated. The kind of reform I've advocated for previously is needed to ensure the GDPR serves its intended purpose without stifling the digital economy and common sense through unchecked regulatory overreach.