Max Schrems has struck the latest blow in the ongoing privacy battle with Facebook being played out before the Irish data protection authorities (DPAs).
In an unusual move, his NGO, noyb.eu, has published an open letter to all European DPAs expressing concern, not about Facebook (and its subsidiaries Instagram and WhatsApp), but about the Irish Data Protection Commission’s handling of the cases.
Within hours of the EU’s General Data Protection Regulation (GDPR) coming into force two years ago, noyb.eu filed three complaints against Facebook, Instagram and WhatsApp with the Irish Data Protection Commissioner’s office. Under the GDPR’s one-stop-shop (OSS) mechanism for cross-border cases, the Irish DPA is the lead authority. It will liaise with other European DPAs, but the main responsibility for the case rests in Dublin.
However, Schrems is concerned that after two years, the Irish DPA has only completed the first of six steps in the Instagram and WhatsApp cases, and just two steps in the Facebook case. At the current speed, these cases will easily take more than ten years until all appeals are decided and a final decision is reached, he said.
“These three cases do not only concern the three complainants that we represent under Article 80 GDPR, but millions of European users. The fact that the DPA has very recently publicly highlighted these cases as alleged proof of their efficiency is a slap in the face of EU data subjects who have been waiting for their fundamental rights to be enforced for more than 2 years,” says the open letter.
The infamous data protection advocate, Schrems, has long sought to highlight how, despite the best intentions of European law, real data protection redress is beyond the reach of the average citizen. His landmark case that eventually led the Court of Justice of the European Union to scrap the EU-US Safe Harbour framework on October 6, 2015, took several years.
Under the GDPR, the OSS mechanism is supposed to make matters easier for complainants. But, at least according to the European consumer rights group, BEUC, that is not happening. “Of particular concern is the current delay with rendering decisions in important cases based on the so-called ‘one-stop-shop’ mechanism which is triggered in case of EU-wide infringements,” said BEUC, which called on the European Data Protection Board (EDPB) to issue guidance for common administrative procedures to handle complaints in cross-border cases.
But Schrems feels the Irish DPA has a particular case to answer: “So far [the DPA] has not issued a single fine under the GDPR against a private actor, despite reporting 7,215 complaints in 2019. It comes as no surprise that Google immediately tried to switch to the jurisdiction of the Irish DPA right after the French CNIL issued its fine in a parallel procedure. After two years, we feel that the time has come to shine light on the shortcomings of GDPR enforcement as we experience in Ireland and trigger a public debate.”
Against the requests of the Irish authority, noyb.eu decided to share access to all case documents with other European data protection authorities.
The biggest issue, according to Schrems, is the confidential meetings that took place between the authority and Facebook to discuss “consent bypass.” Essentially, the DPA colluded with Facebook on legal “workarounds” reminiscent of so-called “sweetheart tax rulings” – an area where Ireland has form!
“In the procedures that were triggered by three complaints filed by noyb.eu two years ago, the Facebook Group openly acknowledges that it simply switched from highly regulated “consent” to an alleged “data use contract”. This contract allegedly obliges Facebook to track, target and conduct research on its users. According to Facebook, this switch happened at the stroke of midnight when the GDPR became applicable. Such a (mutual) reframing of an agreement (in this case from consent to contract) to bypass the law is called simulatio and is invalid,” explained Schrems.
Schrems: “It is nothing but lipstick on a pig. Since Roman times, the law prohibits ‘renaming’ something just to bypass the law. What Facebook tried to do is not smart, but laughable. In law school, you learn to read law books for legal questions, not a dictionary.”
However, he added that the Irish watchdog has a case to answer itself: “The thing that is really concerning is that the Irish DPA apparently engaged with Facebook when they were designing this scam and is now supposed to independently review it.”
The Irish Data Protection Commissioner’s office has not denied meetings took place, but may well prefer to frame them as standard “regulatory consultations.” Spokesman Graham Doyle told ComputerWeekly that “there were no ‘secret meetings’ held between the DPC and Facebook. We regularly engage and meet with companies from all sectors as part of our regulatory enforcement and supervision functions, in accordance with Article 57 of the GDPR, in the same way that many of our EU colleague data protection authorities do.”