Austrian privacy activist Max Schrems has accused Ireland’s Data Protection Commissioner (DPC) of improperly pressuring other European regulators over the disputed data collection policy used by Facebook.
On Sunday, Mr. Schrems released documents he says indicate that the DPC pushed for a specific interpretation of EU data protection rules while investigating a complaint about the same issue by Mr Schrems and his Vienna-based data protection organization NOYB.
The DPC has objected to this. It confirmed to The Irish Times that it drafted the document in question but said there was “absolutely nothing unusual” about it.
The latest round of the long-running battle between Mr Schrems, Facebook and the Irish DPC dates back to May 2018, when a new EU Data Protection Rulebook (GDPR) came into force.
Under the regulation, which aims to modernize and simplify EU citizens’ control over their personal data, Facebook was asked to change the legal basis for its European operations.
Just as the General Data Protection Regulation (GDPR) came into effect, Facebook overhauled its legal relationship with users from consent to a contract-based approach to allowing data collection.
Mr Schrems has criticized the decision, which he says came after the DPC “consulted” Facebook in 10 meetings to devise a “GDPR bypass” that would make it impossible for users to opt out of sharing their data.
Documents released to the Austrian activist under EU Freedom of Information rules show how the Irish DPC, he says, pressed other EU regulators from April 2018 to support a particular contractual approach to data collection under the General Data Protection Regulation (GDPR), as adopted by Facebook in Ireland.
The Irish DPC’s so-called “freedom to contract” approach appears to have met with resistance from some European regulators, who are consulting with each other via the European Data Protection Board (EDPB).
One complains that the Irish proposal “reduces the GDPR to an elementary tool”. Other regulators appear to question the Irish assumptions and approach to the proposal, as it “appears to accept monetization of personal data and circumvent other legal grounds… we believe this interpretation undermines the system and spirit of the GDPR”.
Under the “one-stop shop” rules of the General Data Protection Regulation (GDPR), the Irish DPC is responsible for regulating the EU operations of Facebook and other Irish technology companies.
In response to questions from The Irish Times, the DPC said the ongoing nature of the procedures referred to in the documents meant it could not comment on any details.
Overall, it said that consulting with other regulators via the EDPB was part of its day-to-day work under the GDPR.
“The suggestion that there was any issue with how this process worked then, or now, is indicative of a lack of basic understanding of EDPB’s work,” the DPC told The Irish Times.
The Irish regulator said that after an “extensive discussion” of its proposals, it made changes and released another draft, which was adopted.
It added that “subject to some relatively minor modifications, the final guidelines trace their origins to a document prepared by the DPC.”