Privacy campaigner Max Schrems has written to Europe’s data protection regulators demanding action over Ireland’s lack of progress in its investigation into complaints that Facebook is in breach of European privacy law.
In a letter to European data protection authorities (DPAs), the European Commission and Parliament, Schrems accused the Irish Data Protection Commission (DPC) of “Kafkaesque” delays to its investigation into three high-profile complaints made against Facebook, Instagram and WhatsApp.
Facebook Ireland, which has its headquarters in Dublin, employs an estimated 4,000 people both directly and in companies that provide outsourcing services, and benefits from low business tax rates in the country.
The letter, from privacy campaign group Noyb.eu, said the Irish DPC had taken two years to complete the first of six stages in an investigation against Instagram and WhatsApp and to reach the second stage in its investigation into Facebook.
This is in contrast with the French data protection regulator CNIL, which was able to “single-handedly” investigate a complaint against Google and issue a £50m fine in seven months.
“At the current speed, these cases will easily take more than 10 years until all appeals are decided and a final decision is reached. These overly long durations expose the lack of any effective remedies for average citizens,” the letter said.
The Irish DPC has issued no penalties against private sector companies in over two years, despite more than 7,125 complaints in 2019 alone, the letter noted.
Schrems claimed the Irish DPC and Facebook Group held a series of 10 private meetings before the General Data Protection Regulation (GDPR) came into law to develop a way to continue its services without asking for consent from its customers to process their data.
According to the letter, Facebook relied on its submissions in the meetings with the DPC as well as a whitepaper it shared with the DPC to legitimise its approach under the GDPR.
Max Schrems, Noyb.eu
Despite repeated requests, the DPC and Facebook have refused to disclose the contents of the meetings and the whitepaper.
“Given these exchanges between DPC and Facebook we have to assume that the DPC is following the Irish government’s approach of catering to large foreign investors through upfront legal advice on how to bypass the law,” the letter said.
Schrems said it was concerning that the Irish DPC apparently engaged with Facebook when it was designing a way to bypass the need to obtain consent, and is now supposed to independently review it.
“Overall, it seems likely that the DPC has manoeuvred itself into a situation where it is structurally biased because it is essentially reviewing its own legal advice to Facebook on how to bypass Article 6(a)(a) of GDPR,” the letter said.
“Keeping these meetings confidential is only adding to the impression that the Irish DPC and Facebook have engaged in a relationship that is inappropriate for a neutral and independent oversight authority.”
Facebook changed the wording to its terms and conditions at midnight on 25 May 2018, when GDPR came into force. It claims the change allows it to continue providing services to customers by setting up a contract with them, rather than obtaining their consent for data processing.
Schrems argues that Facebook did little more than make a cosmetic change.
“Since Roman times, the law prohibits ‘renaming something’ just to bypass the law. What Facebook tried to do is not smart, but laughable,” he said. “It is nothing but lipstick on a pig.”
The DPC has concluded that it does not have powers to scrutinise Facebook’s data processing contract. This is based on the definition of the word ‘contract’ taken from the Oxford English Dictionary rather than a proper analysis of contract law, claimed Schrems.
“It is incomprehensible how a DPA should ever review whether processing is ‘necessary’ for a contract without reviewing the relevant contract,” the letter said.
Noyb.eu has informed the Irish Data Protection Commission that it plans to file a judicial review over the DPC’s handling of its complaints into Facebook, Instagram and WhatsApp, as soon as the courts re-open after coronavirus.
“Despite extremely high costs, we want to use all possible options within the Irish legal system to overcome the inaction by the Irish DPC,” it said.
It called on the Irish DPC to “fundamentally streamline” its procedures, so that complaints under GDPR lead to decisions in months, not years.
“We also expect the DPC to disclose as a matter of routine all exchanges with controllers (including emails, documents, calls and meetings) to all parties to the procedure, as well as to all concerned DPAs, to ensure that no doubt can exist as to a fair and transparent procedure,” it said.
The letter invited the European Commission to issue infringement procedures against the Irish DPC or any other member state with “overly complicated and long procedures”.
Noyb.eu said it had taken the usual step of sharing documents with all European data protection authorities, European data protection supervisors, and data protection commissioners, after the Irish DPC had failed to do so, as required under provisions of the GDPR.
“We hope this will also allow other DPAs to understand the problem that data subjects are facing when confronted with the Irish authority,” the letter said.
Graham Doyle, Data Protection Commission, Ireland
Graham Doyle, deputy commissioner at the Irish DPC, said it had 23 big tech inquiries open and there had been significant developments in a number of them, including three initiated by Noyb.eu.
He said the DPC’s inquiry into Facebook Ireland’s obligations to establish a lawful basis for personal data processing had now moved to the decision-making phase.
Doyle said that in the case of Instagram and WhatsApp, the DPC had sent draft inquiry reports to the complainants and the companies concerned.
“I can also confirm that there were no ‘secret meetings’ held between the DPC and Facebook. We regularly engage and meet with companies from all sectors as part of our regulatory enforcement and supervision functions, in accordance with Article 57 of the GDPR, in the same way that many of our EU colleague data protection authorities do,” he said.
Schrems claimed that analysis by plagiarism software showed that the DPC had taken more than 10 months to produce a draft report on Instagram and WhatsApp that was largely identical to a draft report on Facebook produced a year earlier.