Rights campaigners are criticising Ireland’s Data Protection Commission (DPC) for failing to properly investigate a GDPR complaint made against Meta Platforms Ireland Ltd. (Meta), and not following the European Data Protection Board’s (EDPB) guidelines for amicable settlements.
A Norwegian citizen who made a General Data Protection Regulation (GDPR) complaint against Meta in 2024, was asked by the DPC in April 2026 to consider dropping the matter, allowing the regulator to mark the case as “resolved through amicable resolution”, and avoid a proper investigation and determination. The complainant has rejected the proposal, emailing Norway’s data protection authority on 6 May to pass the message on to Ireland, where GDPR complaints concerning tech companies with a European HQ there ultimately land under the GDPR’s one-stop-shop rule.
“What’s the point of having a tech regulator, if they behave like Meta’s assistant, sending copy-pasted messages to Europeans with complaints about digital rights? If the DPC believes that there’s nothing to the complaint, then they should make that determination so that it can be challenged, and not misuse ‘amicable resolution’ to bury it,” said Eoin Dubsky, digital rights campaigner at Ekō. “The 2024 complaint shows clearly that Meta continues to process personal data for direct marketing purposes despite clear objections. Simply repeating that Meta says it’s not so is insulting.”
Dr. Johnny Ryan, ICCL Enforce director said: “The Irish Data Protection Commission is procedurally evading its responsibility to investigate and enforce against Meta. This is consistent with Ireland’s decade-long sabotage of Europe’s digital protections. Meta is refusing peoples demands to opt out of its surveillance-based advertising. In cases like this, that affect people everywhere in Europe, EU watchdogs have agreed among themselves that private “amicable” settlements of the kind the DPC is proposing are not appropriate. The DPC’s actions raise another concern: how many other EU-wide problems has it handled in this way?”
The DPC says in its One-Stop-Shop Cross-Border Complaints Statistics Report to September 2023 that “Of the 1,097 concluded cross-border complaints handled by the DPC as the [lead supervisory authority], 83% were resolved through amicable resolution in the interests of the complainant.”
The DPC’s letter is mostly a statement copy-pasted from Meta, in which the company explains that since it updated its terms in 2024, it “no longer reviewed and processed objections specifically related to the use of certain information for ads.” The company would commit however not to phone, SMS or email the complainant about, for example, events. That was apparently enough to satisfy the DPC, which wrote below Meta’s statement: “Meta has confirmed it has honoured your objection rejection for direct marketing, advising that it has taken steps to make sure that the information associated with your account is no longer used for direct marketing purposes by Meta.”
Ireland’s Data Protection Commission is Europe’s primary data enforcer for Meta and other big tech firms. In 2025, former Meta executive Sarah Wynn Williams wrote in her New York Times bestseller Careless People that Meta views the DPC as its “lapdog”. Ireland recently appointed a former Meta spokesperson as its new Data Protection Commissioner. Ireland’s previous Data Protection Commissioner recently took up a senior role at Meta’s primary law firm in Ireland.
Four European members of Ekō, a global consumer watchdog, filed similar detailed complaints against Meta, after they had each sent the company an objection in 2024 concerning the absolute right in GDPR Article 21(2) to stop personal data processing for direct marketing purposes. The complaints were filed in Norway, Spain and Germany following an investigation by Ekō tracking Meta’s surveillance ad program. Ekō campaigners also submitted a tip-off to the Dutch DPA with further details of the investigation.
###
Notes to editor:
DPC letter and complainant’s reply available here (names redacted).
The EDPB Guidelines 06/2022 on the practical implementation of amicable settlementssays at paragraph 14 what criteria authorities including the DPC should follow. Clearly the complaint from Norway is not suitable, as the issue affects a large number of data subjects, reflects a systemic failure, is not incidental or accidental, involves a large number of personal data, the likelihood of further violations is high, there is a broad public interest in enforcement by the supervisory authority, and action by the authority would be decisive.
The EDPB Opinion 08/2024 addresses the validity of Pay-or-Consent policies, such as Meta’s, under the GDPR. The EDPB concluded that these models generally do not comply with the GDPR requirements for valid consent. What’s more, “Pay-or-Consent” does not override the right to object or withdraw consent without detriment.
Meta processes personal data to profile users and target them with ads on and off Facebook and Instagram based on personal characteristics and interests.
For more information about a current Ekō campaign or to arrange an interview with a spokesperson please contact us at