DPC at odds with Europe on GDPR enforcement
I’m sorry but we really need to talk about the Data Protection Commission (DPC). Again. I don’t want to, believe me, but it just keeps doing things that really need to be talked about. And not things that need to be talked about in a positive manner. Unfortunately, when the DPC is in the news, it’s quite often not a cause for celebration.
You may recall that in January, the DPC was forced to grudgingly impose fines against Meta Ireland following investigations into breaches of the General Data Protection Regulation (GDPR) by Facebook and Instagram. You might also recollect that the DPC had originally taken Meta’s side against complainants in the case revolving around whether Meta was justified in arguing that, on accepting its updated terms of service, “a contract was entered into between Meta Ireland and the user”.
We don’t have the time or space to explore the intricacies of that particular case beyond noting that the DPC claimed “Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis”.
A number of peer regulators in the EU/EEA disputed this interpretation. The DPC took Meta’s side again, arguing that the delivery of personalised services, including personalised advertising, “is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service”.
The European Data Protection Board (EDPB) was not impressed, stating that “as a matter of principle, Meta Ireland was not entitled to rely on the “contract” legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising”.
At this stage, you might want to consider how the DPC could have an entirely different “principle” concerning the GDPR to the EDPB.
Anyway, the encouraging news is that the DPC “came good” in May when it released an exhaustive 216 page account of its decision concerning Meta Platforms Ireland Ltd. Strangely, though, despite concluding that Meta’s attempt to use a “contractual necessity derogation” to justify the systematic, bulk, repetitive and ongoing transfers to the US “would give rise to a breach of the essence of a fundamental right of EU/EEA users”, the DPC recommended that no fine be imposed on the company.
It argued a fine would not be “effective, proportionate and dissuasive”, which is an interesting take but one that the EDPB gave short shrift, stating that fines were “a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities”.
The DPC’s argument against imposing a fine might have a smidgeon of credibility if Meta had shown some contrition, accepted the ruling, apologised and adapted its processes to meet GDPR requirements. It did none of those things, pledging instead to “appeal both the decision’s substance and its orders, including the fine”.
But that’s enough space devoted to the DPC’s past glories, it’s time to focus on the latest triumph in its relentless fight tor the little guys and gals of Ireland and their data against the tech giants, especially those with corporate EU headquarters here.
Oh wait, no we can’t. Thanks to the section 26 Amendment to the Courts and Civil Law Bill 2022, the DPC has been given powers by the government to ban discussion of elements of a complaint it deems to be confidential or commercially sensitive. I don’t know about you, but judging from the DPC’s past record, how can anyone not have full confidence in its impartiality as the adjudicator of what elements of a complaint are confidential or commercially sensitive.
That man Schrems again
In a column in the Irish Times last week, Karlin Lillington suggested the amendment appeared to be “an anti-Max Schrems move”. Schrems is the well-known (or infamous if you’re Meta/Facebook) Austrian lawyer and data protection campaigner who “has drawn the ire of the DPC and Meta/Facebook for publicly discussing elements of his complaints”.
She notes that despite the government’s bland assurances that the amendment was limited in scope and would not shut down all discussion (in which case why bother?), it had been opposed by Amnesty International, BEUC (the representative body for EU consumer rights organisations), and EDRi (the representative organisation for more than 40 European digital rights groups).
Lillington quoted Simon McGarr, solicitor and director of Data Compliance Europe, who tweeted: “What is particularly striking is that the Dept of Justice is trying to deal with widespread – at a EU and even global level – criticism of DPC processes without addressing any of the things it is criticised for. Instead, it is looking to stifle complaints.”
No doubt this will come as a total surprise to those of you who have been following the DPC’s handling of the Meta complaints. “Stifle complaints?” Really? Would the DPC which came down on the side of a multinational with its EU headquarters in Ireland in a GDPR-centred complaint, arguing that “in principle” the GDPR did not preclude what Meta was doing, and was then over-ruled by the EDPB which stated Meta was, in principle not entitled to do so, really not be addressing any of the things it was criticised for?
What kind of organisation would do that? More importantly, what kind of government would pass legislation that allowed that to happen? The kind of government that leads a country where many US technology companies have located their European headquarters? The government of a country where the data protection commission is, by the unfortunate circumstance of being located in the same place as all those European headquarters, the primary arbiter and enforcer of EU data privacy law?
In his role as chairman of None Of Your Business, Schrems accused the DPC of trying to “criminalise us. We did not think this would be possible in a European democracy. The DPC and the Irish Justice Ministry follow Orban’s footsteps with this law”.
Ironically, the Irish government and DPC appear to have decided that for people in Ireland, when it comes to discussing the substance of cases being determined by this country’s data protection enforcer, it really is none of our business.