-CJEU Rules on Access to EDPB Documents-
On 16th July, the CJEU ruled that the applicable provisions on access to EDPB documents are relatively broad and that the applicant in Ballmann v EDPB should have been granted access to the preparatory documents to Binding Decision 3/2022. As to the facts of the case, in May 2018, the applicant, acting through NOYB, submitted a complaint under Article 77 GDPR against Facebook (now Meta) with the Austrian Data Protection Authority (DPA). The Austrian DPA forwarded the complaint to the Irish DPC as the latter is the lead supervisory authority for Facebook. The Irish DPC forwarded its draft decision to the other EU/EEA DPAs. Since the involved DPAs could not reach an agreement on the decision to be issued against Meta, the Irish DPC referred the matter to the EDBP, triggering the consistency mechanism, which resulted in EDPB Binding Decision 3/2022 and the Irish final decision against Meta, which implements Binding Decision 3/2022. Subsequently, ‘NOYB requested the EDPB to send to it Binding Decision 3/2022, the Irish supervisory authority’s final decision, together with the relevant and reasoned objections raised by the supervisory authorities concerned in relation to the draft decision of the Irish supervisory authority, relying on Article 41 of the Charter, Articles 60 and 65 of Regulation 2016/679, and ‘the right to access to documents under EU law’’. NOYB had only partial success with its request, mainly because the EDPB argued that ‘the applicant was not likely to be adversely affected by that binding decision’ and had no right to be heard. Eventually, the dispute reached the CJEU, in front of which the applicant claimed that the refusal to grant full access to the requested documents infringed the applicant’s right under Article 41(2)(b) CFREU ‘to have access to his or her file’. In its ruling, the CJEU first established that ‘as is common ground between the parties, there is no legal text specifically regulating or, a fortiori, limiting the right of the person lodging a complaint under Article 77 of Regulation 2016/679 to have access to the EDPB file prepared for the purposes of the adoption of a binding decision under Article 65(1)(a) of that regulation. In particular, limitations on the exercise of that right cannot be found either in Regulation 2016/679 or in the EDPB’s Rules of Procedure, as the EDPB confirmed in response to a question put by the Court at the hearing’. In a second step, the CJEU decided to examine whether the right of access to documents under Article 41(2)(b) CFREU is independent from the right to be heard under Article 41(2)(a) CFREU. It concluded that ‘everyone has the right of access to his or her file based on Article 41(2)(b) of the Charter, including where that file is not linked to a procedure liable to culminate in a measure adversely affecting him or her, subject, however, to there being no specific rules in the field in question establishing limitations on the exercise of that right of access to the file in accordance with the requirements of Article 52(1) of the Charter’. Third and finally, the CJEU examined whether, in casu, the requested documents concern the applicant and answered this question in the positive, because even ‘if the complainant under Article 77 of Regulation 2016/679 is not a formal party to the procedure before the EDPB leading to the adoption of a binding decision under Article 65(1)(a) of Regulation 2016/679, that complaint plays an essential role in that procedure’.
-EDPB Publications-
Over the past two weeks, the EDPB has published the following important documents:
- ‘EDPB contribution to the EBA public consultation on draft regulatory technical standards on AML/CFT’;
- ‘Statement 4/2025 on the European Commission’s Recommendation on draft non-binding model contractual terms on data sharing under the Data Act’.
-Publication of General-Purpose AI Code of Practice-
On 10th July, the General-Purpose AI Code of Practice was published. In essence, the ‘Code of Practice is a voluntary tool, prepared by independent experts in a multi-stakeholder process’, facilitated by the European AI Office, ‘designed to help industry comply with the AI Act’s obligations for providers of general-purpose AI models’. In terms of next steps, in ‘the following weeks, Member States and the Commission will assess its adequacy. Additionally, the code will be complemented by Commission guidelines on key concepts related to general-purpose AI models, to be published still in July’. Following this, after ‘the code is endorsed by Member States and the Commission, AI model providers who voluntarily sign it can show they comply with the AI Act by adhering to the code’. According to the Commission, this ‘will reduce their administrative burden and give them more legal certainty than if they proved compliance through other methods’. In terms of content, the Code consists of three chapters, on ‘Transparency, Copyright, and Safety and Security’. More specifically, the ‘Chapters on Transparency and Copyright offer all providers of general-purpose AI models a way to demonstrate compliance with their obligations under Article 53 AI Act’. The final chapter is then ‘only relevant to the small number of providers of the most advanced models, those that are subject to the AI Act’s obligations for providers of general-purpose AI models with systemic risk under Article 55 AI Act’. We appreciate this event happened outside the usual two-week reporting period for Data Protection Insider. We felt, however, that it may be of interest to the audience, and, accordingly, chose to include it in this issue.