Privacy activism group noyb, which has made headlines for its high-profile cases against Facebook in the EU since the General Data Protection Regulation (GDPR) went into effect, has brought a corruption complaint against the Irish Data Protection Commission (DPC) over its handling of a case that dates back years.
noyb is most well-known for the Schrems II decision, which was handed down last year and greatly complicated transfers of personal data from the EU to other countries (particularly the United States). This new and separate complaint centers on charges of “consent bypass” by Facebook that the GDPR may render illegal, and stands to potentially be even more devastating to the company’s business model if it is ultimately upheld.
Corruption complaint filed over forced non-disclosure requirements
The specific issue that noyb’s corruption complaint centers on is a requirement that the group sign a non-disclosure agreement (NDA) to continue having its GDPR case heard. But that case has dragged on for over three years now, as have several other complaints against Facebook; the Irish DPC has yet to issue one decision involving the social media giant.
noyb calls the requirement “procedural blackmail” and says that “Only if we shut up, the DPC would ‘grant’ us our legal right to be heard.” The privacy advocates point out that this is an unusual measure, one not invoked before in the Irish DPC’s prior cases. This has sent noyb to the Austrian Office for the Prosecution of Corruption with its corruption complaint.
Though the Irish DPC still has this particular case open, it did issue a draft decision on it in October. The decision determined that Facebook’s alleged “consent bypass” mechanism, in which it legally defined user agreements as contracts rather than consent forms to bypass some GDPR requirements, was legal. It appears that the Irish DPC did not expect noyb to make the draft decision public, and issued an order for it to be taken down. This has now been followed up with the demand for an NDA, apparently to prevent noyb from publishing any further documents that the agency does not want made public.
noyb is arguing that the Irish DPC has no legal basis to make these demands. Austria’s DPC is a partner in the complaint, and noyb contends that due to data sharing requirements between the agencies the documents must be served without confidentiality limitations. The group further argues that the corruption complaint is protected by the terms of the Austrian Criminal Act, which forbids “quid pro quo” arrangements in cases that involve the right to be heard by public agencies. noyb is attempting to bolster the corruption complaint with a criminal report filed in Austria, which names members of the Irish DPC.
Issue highlights Irish DPC’s track record with big tech firms
The biggest victory for noyb, the Schrems II decision, perhaps best illustrates the situation with (and the public perception of) the Irish DPC. The June 2020 ruling by the Court of Justice of the European Union (CJEU), the EU’s highest court, was essentially effective immediately and required tech platforms to scramble to find new data transfer mechanisms to the US that complied with the strict letter of the GDPR. In spite of this being a new reality across Europe, the Irish DPC still has yet to finalize its own decision in the 2013 complaint by noyb that initiated the whole saga.
The Irish High Court issued a ruling in May dismissing Facebook’s last-ditch appeal of the decision. The Irish DPC promised to “swiftly” finalize its own decision on the complaint, but that was now about seven months ago. The decision is still pending.
Another element that tied in with the current corruption complaint was the Irish DPC’s proposed penalty of only $36 million to Facebook for its failure to adhere to transparency requirements in its “contracts” with end users. This follows a pattern of the agency penalizing not just Facebook, but other tech firms that are based in tax-friendly Dublin with trivial fine amounts.
Another pattern that can be observed here is a seemingly extremely long process of rendering decisions when it comes to these big tech companies, but especially Facebook. While the Irish DPC hit Facebook-owned WhatsApp with a $267 million fine several months ago, it has yet to fine Facebook itself in spite of numerous complaints outstanding against the company (and in some cases in the pipes for years now).
Upholding these complaints could shatter Facebook’s business model in Europe, not to mention that of quite a few of the companies Ireland has been courting for years with low corporate tax rates. Given this apparent conflict of interest, noyb’s jump to a criminal complaint is at least understandable.