The latest episode of Joost’s Case Corner on PrivacyPod delivers essential insights into recent European data protection case law that every privacy professional, supervisory authority, and legal consultant needs to understand. Our CEO Joost Gerritsen, joined by hosts Yuri Pautala and Pilvi Ylijääskö, unpacks five significant cases that shape how we interpret and apply the GDPR.
Meta vs EDPB: When Opinions Matter But Don’t Bind
The headline case reveals Meta’s failed attempt to annul the European Data Protection Board’s opinion on “pay or OK” models. This April 2024 opinion criticised large platforms’ practice of forcing users to choose between paying for services or consenting to data processing for advertising.
The General Court‘s ruling provides crucial clarity for supervisory authorities and businesses:
- Article 64.2 opinions are genuinely just opinions – not binding decisions
- Supervisory authorities remain free to adopt or ignore EDPB opinions in their enforcement actions
- Companies cannot claim damages from EDPB opinions since they lack direct legal effect
- The court’s mysterious handling of this case – published without press release and hidden in interim proceedings – raises questions about transparency
As Gerritsen notes, this case may not be over, particularly given the pending WhatsApp Ireland v EDPB case dealing with similar issues. For businesses navigating compliance, this highlights the complex interplay between EDPB guidance and actual enforcement decisions.
Bulgarian Banking Case: 22 References Define Core Concepts
The Inspektorat kam Visshia sadeben savet case from Bulgaria might seem niche – involving judicial oversight bodies accessing judges’ bank accounts for anti-corruption purposes – but it’s a goldmine for legal professionals. The Court references no fewer than 22 other data protection cases, making it essential reading for anyone building GDPR arguments.
Key takeaways for practitioners:
- National security exemptions don’t automatically apply to judicial oversight activities
- Courts authorising data disclosure aren’t automatically controllers – it depends who determines the processing purposes
- Courts aren’t supervisory authorities unless explicitly designated in national law
- The case serves as a comprehensive cross-referenced legal database for controllership arguments
For those engaged in litigation or regulatory decision monitoring, this case provides a roadmap of precedents that can strengthen legal arguments across multiple GDPR concepts.
Austrian COVID Case: Vague Entities Can Still Be Controllers
The Amt der Tiroler Landesregierung case tackles a problem familiar to many working with government entities: what happens when administrative bodies without clear legal personality process personal data? During COVID-19, many such “auxiliary administrative entities” handled vaccination invitations and registry access without proper legal frameworks.
The Court’s practical approach benefits data protection professionals dealing with complex organisational structures:
- Legal personality isn’t required to be a controller
- What matters is the practical ability to fulfil controller obligations toward data subjects
- Vague governmental entities cannot escape GDPR by claiming lack of legal status
- The ruling prevents easy circumvention of data protection responsibilities
This resonates particularly in countries where government departments operate semi-autonomously. As the hosts discuss, even Finnish ministers initially misunderstood these concepts, claiming they couldn’t be controllers because they were “just persons.”
Online Marketplaces: The Controller-Processor Complexity
The Russmedia Digital and Inform Media Press case from Romania addresses a horrifying scenario – false advertisements claiming someone offered sexual services – but provides essential guidance on platform liability and data protection roles. This Advocate General opinion bridges the gap between the old e-Commerce Directive and current GDPR requirements.
Critical insights for platforms and businesses navigating digital compliance:
- Marketplace operators can be processors for user-uploaded content containing personal data
- They become controllers for advertiser registration and account management
- Remaining “purely technical” preserves liability exemptions under e-Commerce rules (now DSA)
- Active involvement in content editing or promotion shifts both liability and controller status
The episode’s quiz format – challenging listeners to determine when platforms act as controllers versus processors – highlights the ongoing complexity of these determinations even years after GDPR implementation.
The Persistence of Fundamental Questions
A recurring theme throughout the episode is how fundamental GDPR concepts remain contested territory. Despite years of enforcement, courts continue refining basic definitions: Who is a controller? What constitutes personal data? When do entities share controllership?
The hosts’ advice resonates with experienced practitioners: when complex cases arise, return to basics. As Pilvi notes, “Make it super childish, stupid, easy, and then it becomes clearer. Because usually whenever something is confusing, it’s confusing because it is confusing or someone is trying to make it confusing.”
This approach proves particularly valuable when dealing with sophisticated attempts to circumvent GDPR. The Court consistently sees through “smart” legal manoeuvres, whether it’s claiming lack of legal personality, attempting to reframe data processing relationships, or exploiting technical loopholes.
Practical Implications for Different Stakeholders
For supervisory authorities, these cases provide essential precedents for enforcement actions while clarifying their independence from EDPB opinions. The Bulgarian case’s extensive references offer a comprehensive framework for building enforcement arguments.
For law firms advising clients, understanding the nuances of controllership determination becomes crucial, especially when dealing with complex organisational structures or platform businesses. The Russmedia case provides specific guidance for marketplace operators navigating both data protection and platform liability rules.
For businesses, particularly those operating platforms or within government structures, these rulings emphasise that technical attempts to avoid GDPR obligations rarely succeed. The Court’s practical approach means focusing on substance over form.
Master the Evolving Landscape of EU Case Law
This episode of Joost’s Case Corner demonstrates why staying current with EU digital law requires more than reading individual cases – it demands understanding how decisions interconnect and build upon each other. From Meta’s strategic litigation to the practical challenges of COVID-era data processing, each case adds layers to our understanding of GDPR application.
Digibeetle transforms this complexity into actionable intelligence. Our expert-curated platform doesn’t just track cases – we reveal the connections between decisions, opinions, and enforcement actions. While others struggle to keep pace with daily-updated case law, our cross-referenced approach shows you exactly how new rulings relate to established precedents.
Whether you’re building litigation strategies, advising on platform operations, or ensuring AI Act compliance alongside GDPR obligations, we provide the comprehensive European legal intelligence you need. Start your 30-day free trial to experience how we make sense of the avalanche of legal developments, or book a consultation to discuss how we can support your organisation’s specific compliance challenges.
