Austrian privacy campaigner Max Schrems has accused Ireland’s data protection commissioner (DPC) of improperly lobbying other European regulators over a contested data collection policy used by Facebook.
On Sunday Mr Schrems published documents he says indicate the DPC pushed for a particular interpretation of EU data protection rules while investigating a complaint on the same issue by Mr Schrems and his Vienna-based data protection organisation, Noyb.
This has been disputed by the DPC. It confirmed to the Irish Times it had drafted the document in question but said there was “absolutely nothing unusual” about it.
The latest round in the long-running battle between Mr Schrems, Facebook and the Irish DPC dates back to May 2018, when the EU’s new data protection rulebook (GDPR) came into effect.
Aimed at modernising and simplifying EU citizens’ control of their personal data, it required Facebook to change the legal basis of its European operations.
Just as GDPR came into effect, Facebook overhauled its legal relationship with users from a consent- to a contract-based approach to alllow its data collection.
Mr Schrems has criticised the decision, which he says came after the DPC “consulted with” Facebook in 10 meetings to devise a “GDPR bypass” that makes it impossible for users to opt-out of sharing their data.
Documents released to the Austrian campaigner under EU freedom of information rules show how, he says, the Irish DPC pushed for other EU regulators from April 2018 to back a particular contractual approach to data collection under GDPR, as adopted by Facebook in Ireland.
The Irish DPC’s so-called “freedom to contract” approach appears to have met with resistance from some European regulators, who consult with each other via the European Data Protection Board (EDPB).
One complains that the Irish proposal “reduces the GDPR to a proforma instrument”. Other regulators appear to question the Irish assumptions and the proposal’s approach, as it “seems to accept monetisation of personal data and circumventing the other legal bases … we think that this interpretation undermines the system and spirit of the GDPR”.
Under GDPR’s “one-stop-shop” rules, the Irish DPC is responsible for regulating the EU operations of Facebook and other Irish-based tech companies.
Responding to questions by the Irish Times, the DPC said the ongoing nature of proceedings referred to in the documents meant it could not comment on any specifics.
In general, however, it said that consultation with other regulators via the EDPB was a part of its daily work under GDPR rules.
“To suggest that there is any issue with how this process worked then, or now, demonstrates a lacking of basic understanding of the workings of the EPDB,” the DPC said to the Irish Times.
The Irish regulator said that, after “intense debate” on its proposals, it made changes and issued another draft, which was adopted.
“Subject to some comparatively minor adjustments,” it added, “the final guidelines have their origins in a document prepared by the DPC.”