Reddit BV – Court Ruling (Netherlands, 2026)

Reddit BV (the controller) is a social media platform. In March 2025, the Dutch DPA initiated an ex-officio investigation into the controller’s data processing activities. This investigation began as a result of media coverage revealing that the users’ public content was shared or sold to train developers’ AI models. While the DPA initially limited its investigations to Articles 6, 13 and 21 GDPR, it later widened the research to include Article 5 GDPR, and considered hearing personnel from the US. During the investigations, the controller objected to the DPA’s requests for information, and later ceased cooperating on the grounds that the DPA had not provided clear explanations on the reasons behind the investigation. In addition, the controller argued that the DPA had access to incorrect or unlawfully obtained information (including from a former employee seeking legal advice after copying confidential information), which it was not allowed to verify during the investigations. Some of the information the controller objected to was covered by legal professional privilege, which the DPA obtained through a procedure designed for this type of information. The DPA later informed the controller that it will impose a fine for refusing to grant it access to the necessary information during its investigations, in violation of Article 31 GDPR. The controller brought a case to the court in January 2025. The controller requested the court to order the DPA to provide information regarding the confidential information it had obtained, or alternatively, allow the controller to seize the evidence obtained by the DPA for potential future litigation. The controller later amended the request, asking the court to order the DPA to ensure the controller's right to refuse to give evidence. Finally, the controller requested the court order(s) to be subject to a €1,000,000 fine for noncompliance. The DPA requested the court to declare the controller’s case as inadmissible, as there was n