Ireland’s privacy regulator took “highly disturbing” actions in the course of an investigation into possible legal breaches by Facebook and has generally fallen short enforcing Europe’s privacy rules, Austrian campaigner Max Schrems argued in an open letter Monday.
The letter, which was sent to the European Commission and Parliament as well as several data protection bodies, accuses the Dublin-based regulator of improperly providing legal advice to Facebook on how to avoid penalties before Europe’s new privacy rules came online, as well as being insufficiently transparent with other regulators.
A probe targeting Facebook was plagued by “highly inefficient and partly Kafkaesque” investigative procedures, added Schrems, whose activist group noyb.eu filed complaints two years ago to the day against Facebook as well as its subsidiaries WhatsApp and Instagram for allegedly relying on “forced consent” to use users’ personal data.
“We are deeply concerned about the approach the Irish Data Protection Commission (DPC) has taken in three high profile cases against Facebook, Instagram and WhatsApp,” Schrems said in the letter. “At the current speed, these cases will easily take more than ten years until all appeals are decided and a final decision is reached.”
Ireland is responsible for overseeing several Silicon Valley firms due to the General Data Protection Regulation’s one-stop-shop mechanism, which gives authority to the regulator in the country where the firm’s operations are based.
Call to action
The Austrian lawyer — whose complaints have led to several high-profile privacy cases before the Court of Justice of the EU — also said that the Irish regulator had improperly advised Facebook during a series of meetings in the run-up to the GDPR coming online.Schrems said those meetings went against the spirit of the law, according to which the watchdog should merely “promote awareness” of the law among companies.
After the meetings, Facebook changed the legal basis under which it processed users’ data from consent to “alleged data use contract” on the day before the GDPR came online, on May 25, 2018. The change allows the Menlo Park-based company to track, target and conduct research on its users without obtaining explicit consent, Schrems said.
While the content of meetings between Facebook and the DPC was not disclosed, Facebook did refer to them in later legal submissions, he added.
Facebook declined to comment on Schrems’ letter.
In an emailed statement, a spokesperson for the Irish Data Protection Commission said: “There were no ‘secret meetings’ held between the DPC and Facebook. We regularly engage and meet with companies from all sectors as part of our regulatory enforcement and supervision functions, in accordance with Article 57 of the GDPR, in the same way that many of our EU colleague Data Protection Authorities do.”
A spokesperson for Europe’s grouping of privacy regulators, the European Data Protection Board, said the body is aware of Schrems’s open letter and will discuss it at upcoming plenary meetings.
Appealing to other European data protection authorities, Schrems said they should invoke emergency powers in the GDPR to circumvent the lead authority.
“Many DPAs are frustrated with situations like in Ireland, but only calling them out is not enough. They also have to use the tools that the GDPR foresees,” he said.