Facebook’s problems with European privacy law could be about to get a whole lot worse. But ahead of what may soon be a major (and long overdue) regulatory showdown over the legality of its surveillance-based business model, Ireland’s Data Protection Commission (DPC) is facing a Facebook-shaped problem of its own: It’s now the subject of a criminal complaint alleging corruption and even bribery in the service of covering its own backside (we paraphrase) and shrinking the public understand of the regulatory problems facing Facebook’s business.
European privacy campaign group noyb has filed the criminal complaint against the Irish DPC, which is Facebook’s lead regulator in the EU for data protection.
noyb is making the complaint under Austrian law — reporting the Irish regulator to the Austrian Office for the Prosecution of Corruption (aka WKStA) after the DPC sought to use what noyb terms “procedural blackmail” to try to gag it and prevent it from publishing documents related to General Data Protection Regulation (GDPR) complaints against Facebook.
The not-for-profit alleges that the Irish regulator sought to pressure it to sign an “illegal” non-disclosure agreement (NDA) in relation to a public procedure — its complaint argues there is no legal basis for such a requirement — accusing the DPC of seeking to coerce it into silence, as Facebook would surely wish, by threatening not to comply with its regulatory duty to hear the complainant unless noyb signed the NDA. Which is quite the (alleged) quid pro quo.
The letter sent by the DPC to noyb seeking an agreement to maintain the confidentiality of all material relating to objections by other DPAs (as well as any associated observations by the data controller (Facebook), complainant (noyb et al), DPC or other EU supervisory authorities) vis-a-vis a draft decision related a complaint against Facebook that’s undergoing an active dispute resolution procedure — “on the grounds that such arrangements are necessary to preserve/maintain free and frank exchanges” and to ensure that “interim views” are not aired in order to “preserve the confidentiality and integrity of the co-decision-making procedure” as the DPC’s letter circularly demands — has been published by noyb here (redacting the name/s of the DPC officer/s who put their name/s to the demand).
“The DPC acknowledges that it has a legal duty to hear us but it now engaged in a form of ‘procedural coercion,'” said noyb chair, Max Schrems, in a statement. “The right to be heard was made conditional on us signing an agreement, to the benefit of the DPC and Facebook. It is nothing but an authority demanding to give up the freedom of speech in exchange for procedural rights.”
The regulator has also demanded noyb remove documents it has previously made public — related to the DPC’s draft decision of a GDPR complaint against Facebook — again without clarifying what legal basis it has to make such a demand.
As noyb points out, it is based in Austria, not Ireland — so is subject to Austrian law, not Irish law. But, regardless, even under Irish law it argues there’s no legal duty for parties to keep documents confidential — pointing out that Section 26 of the Irish Data Protection Act, which was cited by the DPC in this matter, only applies to DPC staff (“relevant person”), not to parties.
“Generally we have very good and professional relationships with authorities. We have not taken this step lightly, but the conduct of the DPC has finally crossed all red lines. They basically deny us all our rights to a fair procedure unless we agree to shut up,” added Schrems.
He went on to warn that “Austrian corruption laws are far-reaching” — and to further emphasize: “When an official requests the slightest benefit to conduct a legal duty, the corruption provisions may be triggered. Legally there is no difference between demanding an unlawful agreement or a bottle of wine.”
All of which looks exceptionally awkward for the Irish regulator. Which already, let’s not forget — at the literal start of this year — agreed to “swiftly” finalize another fractious complaint made by Schrems, this one relating to Facebook’s EU-U.S. data transfers, and which dates all the way back to 2013, following noyb bringing a legal procedure.
(But of course there’s still no sign of a DPC resolution of that Facebook complaint either … So, uhhh, “Siri: Show me regulatory capture” … )
Last month noyb published a draft decision by the DPC in relation to another (slightly less vintage) complaint against Facebook — which suggested the tech giant’s lead EU data regulator intended not to challenge Facebook’s attempt to use an opaque legal switch to bypass EU rules (by claiming that users are actually in a contract with it receive targeted ads, ergo GDPR consent requirements do not apply).
The DPC had furthermore suggested a wrist-slap penalty of $36 million — for Facebook failing transparency requirements over the aforementioned “ad contract.”
That decision remains to be finalized because — under the GDPR’s one-stop-shop mechanism for deciding cross-border complaints — other EU DPAs have a right to object to a lead supervisor’s preliminary decision and can ratchet out a different outcome. Which is what noyb is suggesting may be about to happen vis-a-vis this particular Facebook complaint saga.
Winding back slightly, despite the EU’s GDPR being well over three years old (in technical application terms), the DPC has yet to make a single final finding against Facebook proper.
So far it’s only managed one decision against Facebook-owned WhatsApp — which resulted in an inflated financial penalty for transparency failures by the messaging platform after other EU DPAs intervened to object to a (similarly) low-ball draft sanction Ireland had initially suggested. In the end WhatsApp was hit with a fine of $267 million — also for breaching GDPR transparency obligations. A notable increase on the DPC’s offer of a fine of up to $56 million.
The tech giant is appealing that penalty — but has also said it will be tweaking its privacy policy in Europe in the meanwhile. So it’s a (hard won) win for European privacy advocates — for now.
The WhatsApp GDPR complaint is just the tip, of course. The DPC has been sitting, hen-like, on a raft of data protection complaints against Facebook and other Facebook-owned platforms — including several filed by noyb on the very the day the regulation came into technical application all the way back in May 2018.
These “forced consent” complaints by noyb strike at the heart of the headlock Facebook applies to users by not offering them an opt-out from tracking-based advertising. Instead the “deal” Facebook (now known as Meta) offers is a take-it-or-leave-it “choice” — either accept ads or delete your account — despite the GDPR setting a robust standard for what can legally constitute consent that states it must be specific, informed and freely given.
Arm twisting is not allowed. Yet Facebook has been twisting European arms before and since the GDPR all the same.
So the “forced consent” complaints — if they do ever actually get enforced — have the potential to purge the tech giant’s surveillance-based business model once and for all. As, perhaps, does the vintage EU-U.S. data transfers issue. (Certainly it would crank up Facebook’s operational costs if it had to federate its service so that Europeans’ data was stored and processed within the EU to fix the risk of U.S. government mass surveillance.)
However, per the draft DPC decision on the forced consent issue, published (by noyb) last month, the Irish regulator appeared to be preparing to (at best) sidestep the crux question of the legality of Facebook’s data mining, writing in a summary:
There is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data. Nor has Facebook purported to rely on consent under the GDPR.
noyb has previously accused the DPC of holding secret meetings with Facebook around the time it came up with the claimed consent bypass and just as the GDPR was about come into application — implying the regulator was seeking to support Facebook in finding a workaround for EU law.
The not-for-profit also warned last month that if Facebook’s relabelling “trick” (i.e., switching a claim of “consent” to a claim of “contract”) were to be accepted by EU regulators it would undermine the whole of the GDPR — making the much lauded data protection regime trivially easy for data-mining giants to bypass.
Likewise, noyb argues, had it signed the DPC’s demanded NDA it would have “greatly benefited Facebook.”
It would also have helped the DPC by keeping a lid on the awkward detail of lengthy and labyrinthine proceedings — at a time when the regulator is facing rising heat over its inaction against Big Tech, including from lawmakers on home soil. (Some of which are now pushing for reform of the Commission — including the suggestion that more commissioners should be recruited to remove sole decision-making power from the current incumbent, Helen Dixon.)
“The DPC is continuously under fire by other DPAs, in public inquiries and the media. If an NDA would hinder noyb’s freedom of speech, the DPC’s reputational damage could be limited,” noyb suggests in a press release, before going on to note that had it been granted a benefit by signing an NDA (“in direct exchange for the DPC to conduct its legal duties”) its own staff could have potentially committed a crime under the Austrian Criminal Act.
The not-for-profit instead opted to dial up publicity — and threaten a little disinfecting sunlight — by filing a criminal complaint with the Austrian Office for the Prosecution of Corruption.
It’s essentially telling the DPC to put up a legal defence of its procedural gagging attempts — or, well, shut up.
Here’s Schrems again:
We very much hope that Facebook or the DPC will file legal proceedings against us, to finally clarify that freedom of speech prevails over the scare tactics of a multinational and its taxpayer-funded minion. Unfortunately we must expect that they know themselves that they have no legal basis to take any action, which is why they reverted to procedural blackmail in the first place.
Nor is noyb alone in receiving correspondence from the DPC that’s seeking to apply swingeing confidentiality clauses to complainants.
Following publication of noyb’s criminal complaint, Johnny Ryan, a fellow at the Irish Council for Civil Liberties, tweeted that it received a “confidentiality demand” from the DPC in relation to a GDPR complaint raised against Google’s adtech — suggesting the regulator is seeking to use the same threat of silence or be removed from the proceeding against another complainant against Big Tech.
“Everything I and my lawyers read would be tracked in a ‘data room.’ Otherwise, DPC withholds all materials from us (including Google docs that are already public),” he wrote.
TechCrunch has also reviewed correspondence sent to the Irish regulator earlier this fall by (yet) another complainant — who writes to query its legal basis for a request to gag disclosure of correspondence and draft reports.
Despite repeated requests for clarification by the complainant, the DPC appears to have entirely failed — over the course of more than a month — to reply to the request for its legal basis for making such a gag request.
This suggests noyb’s experience of threats and scare tactics lacking legal substance is not unique — by looks rather more like modus operandi — backing up its claim that the DPC has questions to answer about “how it conducts its office.”
We’ve reached out to the DPC for comment on the allegations it’s facing.
Update 1: The DPC has responded at length to what it says have been multiple media queries related to noyb’s action. In its remarks, which are written in a Q&A style — ostensibly responding to a number of specific questions it suggests were received from numerous media outlets (none of which were asked by this media outlet, however) — the regulator claims that information related to an ongoing procedure must be kept confidential in order to ensure “fairness to all parties”, which it further describes as a “Constitutional obligation”.
It also writes that it “must balance its obligations to protect confidential information against the complainant’s and [emphasis its] the data controller’s rights to fair procedures.” But it does not specify the legal basis for this claimed ‘balancing obligation’.
On the question of what legal basis the DPC is relying on to demand confidentiality, it writes vaguely that it “draws on its obligations under the GDPR, the Irish Data Protection Act 2018 and its Constitutional obligation to apply fair procedures”.
Later it reiterates its claim that Section 26 of the Data Protection Act “provides that the DPC may designate [emphasis its] information as being confidential so that it must be kept confidential while the inquiry is ongoing” for a number of reasons it already claimed in its letter to noyb — such as wanting to preserve a free and frank exchange; avoid parallel exchanges around an ongoing procedure; and avoid the publication of material that “may reasonably be considered likely to compromise the decision-making process and/or give rise to procedural unfairness and/or cause harm to the interests of the complainant and/or controller”.
Section 26 of the Irish Data Protection Act does deal with prohibitions on the disclosure of confidential information — where clause (1) states: “A relevant person shall not disclose confidential information obtained by him or her while performing functions under this Act or the Data Protection Regulation unless he or she is required or permitted by law, or duly authorised by the Commission, to do so.”
However — as Schrems/noyb already pointed out — the Act goes on to define “a relevant person” as either a Commissioner; a member of staff of the Commission; an authorized officer; any other person engaged under a contract for services by the Commission or a member of the staff of such a person; or a person who has acted in any of those capacities — none of which describes Schrems or noyb.
So here the DPC appears to be attempting to misdirect the crux legal question — i.e. on what lawful grounds is the regulator demanding confidentiality around the procedure? — by not engaging with the substance of the legal critique.
In short, it looks like copy-paste bluster.
The DPC’s response includes further misdirection when it makes a reference to the Austria data protection authority — where the GDPR complaint in question was originally filed, before being referred to the Irish DPC under the regulation’s one-stop-shop mechanism for dealing with cross-border cases — writing that the Austrian DPA “held that Mr Schrems was not entitled to sight of documents exchanged between the DPC and its fellow data protection authorities”.
But given this section of the procedure is being undertaken in Ireland by the Irish regulator, not in Austria by the Austrian regulator, it’s not clear what relevance Austrian procedural decisions vis-a-vis process openness have here.
TechCrunch asked Schrems about this point — and he described it as “typical ‘reframing” by the DPC, accusing the regulator of “deliberately” mixing up two separate issues. Aka, whether a part of the procedure is open to the parties in general (as is the case in Ireland; but not in Austria); and “details about documents within a procedure”.
“The Austrian DPA takes the view that the entire [GDPR] Article 60 cooperation procedure is not open to the parties at all (neither Facebook nor noyb), but only among DPAs. That’s arguable, even when I disagree personally,” Schrems explained. “The DPC takes the view it is open to the parties.
“We urged them to coordinate, but they didn’t. Now we have one DPA that sees the procedure to be open (to Facebook in Ireland) and the other DPA to be closed (that’s ours in Austria).
“IF it would be open to the parties, the Austrians would provide the documents (no doubt about it), they even made USB drives for us. So they [the DPC] deliberately mix up two things: If a part of the procedure is open to the parties in general — and — the details about documents within a procedure… ”
NB: noyb has now responded in detail to the DPC’s claims — see update (1)b below for their full commentary.
The DPC’s 1,339-word response (which we’ve pasted below in full for reference; see update (1)a) also does not directly address the question of the fairness of removing noyb from the procedure as its earlier letter threatens to unless it agrees to the confidentiality demand.
Instead the regulator opts to pose the question of “what will happen to the case if Mr Schrems declines to give an undertaking — actionable in the Irish courts — that there will be no more publication of documents”; and whether “the objections phase and the final decision can proceed without him/noyb/the complainant receiving documents”.
“The objections phase at least will proceed as planned,” the DPC writes on that, before equivocating an answer to what will happen after. “What happens at any later stage will depend on a number of factors to include the outcome of the consultation process as between the DPC and the other data protection authorities, but also on whether Mr Schrems’ maintains his present position that he must be given access to all materials on the basis that it will be for Mr Schrems alone to decide what (if anything) he may publish or use, and retaining the right to change his position at his sole election and at any time of his choosing.”
The DPC concludes its screed by observing that: “Ultimately, noyb will also have a right of appeal against the final decision delivered at the end of the co-decision-making procedure” — which does not in any way compensate for an unfair procedure.
But it does, perhaps, sound like a regulator that’s very comfortable with legal challenges — and may even be anticipating an additional layer of court action down the line, i.e. related to the DPC withholding documents from the complainant (when, presumably, it’s not withholding the same stuff from Facebook… Fairness eh!).
TechCrunch’s view, after examining the DPC’s response, is there is nothing here to prevent a reasonable observer concluding that the bulk of the regulator’s ‘sweating toil’ is actually aimed at generating obfuscating friction (and even suggestive fictions) — which in turn is only likely to build in fresh delays that slow down regulatory procedures and, ultimately, further retard enforcement against tech giants like Facebook. But do take a good 15-20mins of your own time for a close reading of the DPC’s remarks (below) to make up your own mind.
But what about Facebook? noyb’s press release goes on to predict a “tremendous commercial problem” looming for the data-mining giant — as it says DPC correspondence “shows that other European DPAs have submitted ‘relevant and reasoned objections’ and oppose the DPC’s view” [i.e., in the consent bypass complaint against Facebook].
“If the other DPAs have a majority and ultimately overturn the DPC’s draft decision, Facebook could face a legal disaster, as most commercial use of personal data in the EU since 2018 would be retroactively declared illegal,” noyb suggests, adding: “Given that the other DPAs passed Guidelines in 2019 that are very unfavourable to Facebook’s position, such a scenario is highly likely.”
The not-for-profit has more awkward revelations for the DPC and Facebook in the pipe, too.
It says it’s preparing fresh document releases in the coming weeks — related to correspondence from the DPC and/or Facebook — as a “protest” against attempts to gag it and to silence democratic debate about public procedures.
“On each Sunday in advent, noyb will publish another document, together with a video explaining the documents and an analysis why the use of these documents is fully compliant with all applicable laws,” it notes, adding that what it’s billing as the “advent reading” will be published on noyb.eu — “so tune in!”
So looks like the next batch of “Facebook Papers” that Meta would really rather you didn’t see will be dropping soon.
Update (1)a: Here’s the DPC’s response to our request for comment in full (NB: We’ve redacted the name of the DPC officer which was appended to the end of the text):
“Thank you for your recent media query to this office. The DPC has had numerous queries on the matter and so we have prepared a compilation of the answers in the hope that the information will be of assistance to you.
1. There seems to be a standoff between the original Austrian complainant and the DPC over confidentiality of documents. In the one-stop shop arrangements for GDPR, in a dispute like this, which jurisdiction has primacy: where the case was filed, or where it is being processed?
Under the GDPR, because the relevant data controller (in this case, Facebook Ireland) has its main establishment in Ireland, the Irish DPC is what is called the “lead supervisory authority” and so has the obligation to investigate and make a preliminary decision about the issues raised in the complaint. The Austrian data protection supervisory authority referred the complaint to the Irish DPC on this basis. Once we have reached a “draft decision” (which is how our proposed decision is referred to under Article 60 of the GDPR), it is then sent to and considered by our colleagues in the data protection authorities in the other EU member states as part of a co-decision-making procedure. Following this process, the Irish DPC reaches a final decision on the complaint reflecting either the consensus achieved amongst data protection authorities or, where differences arise between them which cannot be reconciled, a decision of the European Data Protection Board following a dispute resolution procedure.
The Irish DPC is obliged to follow Irish fair procedures law as part of our decision-making process. These fair procedures obligations have been confirmed on several occasions by the Irish courts, including the Supreme Court.
One of the considerations here is that, as a matter of fairness to all parties, the integrity of the inquiry process should be respected and the confidentiality of information exchanged between the parties upheld. What we mean by this is that it would be unfair to any party under investigation by a regulator (not just the DPC) if the materials that they provide to that regulator, and the regulator’s queries to and correspondence with them, should be made public before any decision is reached in relation to the matters that are under investigation. This would effectively mean an investigation against anybody would be turned into an open, public process before any decision is reached against them, and this is not fair nor has it ever been a feature of regulation in Ireland up to now.
Reflecting these sorts of considerations, Section 26 provides that the DPC may designate information as being confidential so that it must be kept confidential while the inquiry is ongoing. The reasons why information is designated as confidential include the following:
– to preserve/maintain free and frank exchanges between the DPC and each of the complainant and the controller, facilitating the kind of dialogue (and associated information flows) necessary to ensure that all of the issues under examination can be fully and effectively explored, and positions advanced by relevant parties fully and properly tested;
– to ensure that the issues under examination can be addressed within the confines of the decision-making process itself, and to reduce the scope for parallel exchanges taking place outside that process; and,
– to avoid the publication (or other disclosure to third parties) of exchanges identifying interim views and/or positions that remain under consideration by the DPC and which, if disclosed prior to the conclusion of the decision-making process, may reasonably be considered likely to compromise the decision-making process and/or give rise to procedural unfairness and/or cause harm to the interests of the complainant and/or controller, as the case may be.
It is of note here that both the Irish and Austrian data protection authorities agree that neither the complainant nor the controller have a right to participate in the consultation process that forms a key part of the co-decision-making procedure described above. From there, the Austrian DPA held that Mr Schrems was not entitled to sight of documents exchanged between the DPC and its fellow data protection authorities.
For its part, the DPC believes that the parties should be given sight of such materials, provided only that they agree to treat them as confidential within the decision-making process
2. According to noyb/Schrems, the Austrian DPA says there is no confidentiality clause covering such procedural documents. You say in your letters to noyb that there is a confidentiality clause.As noted, the Austrian SA has made it clear on two separate occasions now that it did not consider that Mr Schrems was entitled to sight of documents exchanged between the DPC and its fellow data protection authorities in the course of the co-decision-making procedure.
It has also expressed the view to the DPC that Mr Schrems would not have been entitled to the draft decision and accordingly its publication on foot of the equivalent Austrian process could not arise.
The DPC’s position is as outlined under point 1.
a. Does the DPC draw on legislation outside the 2018 data protection act regarding confidentiality of procedures? And, if so, where?
The Irish DPC draws on its obligations under the GDPR, the Irish Data Protection Act 2018 and its Constitutional obligation to apply fair procedures (as set out above).
b. NOYB says the paragraphs of the 2018 act the DPC cites apply only to a “relevant person” which includes DPC employees and contractors. Is this correct, or is there another section of the act that applies to parties in a complaint, too?
One of the legal obligations on the Irish DPC is under Section 26 of the Data Protection Act 2018. This requires that “relevant persons” (which include officers of the DPC) must not disclose confidential information, unless this is required (for example, by fair procedures obligations, as explained above) or is permitted by law.
Even then, however, the DPC must balance its obligations to protect confidential information against the complainant’s and the data controller’s rights to fair procedures.
In practical terms, the DPC is bound to take all reasonable steps to ensure that the confidentiality of such material is upheld in its own hands but also when it passes to the hands of a third party.
To put it another way, the DPC can’t comply with its obligation to protect the confidentiality of material in its own hands, if it then passes that same material to a third party, without restriction, knowing or reasonably believing there is a strong likelihood the third party will publish it
3. What happens to the case if Mr Schrems declines to give an undertaking – actionable in the Irish courts – that there will be no more publication of documents? Can the objections phase and the final decision proceed without him/NOYB/the complainant receiving documentsAs flagged above, neither the complainant nor the controller are afforded an active role in the co-decision-making procedure described briefly above, save to the extent that, for reasons derived from Irish procedural law, the DPC takes steps to afford the complainant and controller a right to see the objections and to make written observations if any adjustments are proposed to the current iteration of the draft decision. As such, the objections phase at least will proceed as planned. What happens at any later stage will depend on a number of factors to include the outcome of the consultation process as between the DPC and the other data protection authorities, but also on whether Mr Schrems’ maintains his present position that he must be given access to all materials on the basis that it will be for Mr Schrems alone to decide what (if anything) he may publish or use, and retaining the right to change his position at his sole election and at any time of his choosing.
Ultimately, NOYB will also have a right of appeal against the final decision delivered at the end of the co-decision-making procedure.”
Update (1)b: Noyb has now sent a detailed rebuttal of the DPC’s response — which we’re also publishing in full below.
NB: Here the DPC’s source text is presented in quotation marks and formatted in italics; while noyb’s responses are presented below in bold to distinguish between them. Further note: noyb did not respond to the DPC’s response to question 3 — so we have excluded repeating that chunk of text:
DPC: “1. There seems to be a standoff between the original Austrian complainant and the DPC over confidentiality of documents. In the one-stop shop arrangements for GDPR, in a dispute like this, which jurisdiction has primacy: where the case was filed, or where it is being processed?”
Note by noyb: There is nothing in the answers below that answers the question in the headline about applicable procedural laws.
DPC: “Under the GDPR, because the relevant data controller (in this case, Facebook Ireland) has its main establishment in Ireland, the Irish DPC is what is called the “lead supervisory authority” and so has the obligation to investigate and make a preliminary decision about the issues raised in the complaint. The Austrian data protection supervisory authority referred the complaint to the Irish DPC on this basis.”
Note from noyb: This is correct, but what is left out, is that the DPAs have to “coordinate” under Article 60(1) GDPR and that each DPA applies its own procedural law in such a case. So there is a “One Stop Shop” for the controller and the complainant, in their local language and under the local procedure.
DPC: “Once we have reached a “draft decision” (which is how our proposed decision is referred to under Article 60 of the GDPR), it is then sent to and considered by our colleagues in the data protection authorities in the other EU member states as part of a co-decision-making procedure. Following this process, the Irish DPC reaches a final decision on the complaint reflecting either the consensus achieved amongst data protection authorities or, where differences arise between them which cannot be reconciled, a decision of the European Data Protection Board following a dispute resolution procedure.
The Irish DPC is obliged to follow Irish fair procedures law as part of our decision-making process. These fair procedures obligations have been confirmed on several occasions by the Irish courts, including the Supreme Court.”
Note from noyb: This is correct, but there is no mention about what “fair procedure obligations” exactly were confirmed by what court case. In fact there is not a single case that would provide for confidentiality before the DPC. We have asked for a legal basis in the law or in case law, but the DPC is silent on this. Just saying “some court said something about fair procedures” is not a basis to demand NDAs from parties or kick them out of the procedure (in fact it’s the opposite of a “fair procedure”).
DPC: “One of the considerations here is that, as a matter of fairness to all parties, the integrity of the inquiry process should be respected and the confidentiality of information exchanged between the parties upheld. What we mean by this is that it would be unfair to any party under investigation by a regulator (not just the DPC) if the materials that they provide to that regulator, and the regulator’s queries to and correspondence with them, should be made public before any decision is reached in relation to the matters that are under investigation. This would effectively mean an investigation against anybody would be turned into an open, public process before any decision is reached against them, and this is not fair nor has it ever been a feature of regulation in Ireland up to now.”
Note from noyb: This is Facebook’s position, but in fact public debate and criticism (especially when it comes to the data protection right of millions) in a democratic society cannot be limited to after a decision is made. In fact, it is crucial that parties and the public can form an opinion during a decision process. As a default political, regulatory or court procedures are therefore open to the public – unless there are serious grounds to limit information. The DPC take the view that by default the public and the parties may not voice concerns or just get informed about a procedure before it is too late. What comes in addition to that, is that the DPC is extremely complicated and slow in the decision process. The pending case lasts for about 3.5 years by now. Usually such decisions are shorter and the room for public debate is therefore more limited. In the “EU-US data transfer” case, the investigation is ongoing for more than 8 years. The public would never have been informed about the background of two CJEU decisions, if such “fairness” rules would have continuously applied since 2013.
DPC: “Reflecting these sorts of considerations, Section 26 provides that the DPC may designate information as being confidential so that it must be kept confidential while the inquiry is ongoing. The reasons why information is designated as confidential include the following:”
Note from noyb: This is incorrect. Section 26 does not have the word “designate” in it. It does not allow the DPC to (one-sidedly) just decide what is “confidential” or not. Instead there is an objective test to be applied, which may be contested by the parties, because the DPC’s view may go too far or not far enough. It is not an absolute right by the DPC to just “declare” things to be confidential.
DPC: “- to preserve/maintain free and frank exchanges between the DPC and each of the complainant and the controller, facilitating the kind of dialogue (and associated information flows) necessary to ensure that all of the issues under examination can be fully and effectively explored, and positions advanced by relevant parties fully and
properly tested;
– to ensure that the issues under examination can be addressed within the confines of the decision-making process itself, and to reduce the scope for parallel exchanges taking place outside that process; and,
– to avoid the publication (or other disclosure to third parties) of exchanges identifying interim views and/or positions that remain under consideration by the DPC and which, if disclosed prior to the conclusion of the decision-making process, may reasonably be considered likely to compromise the decision-making process and/or give rise to procedural unfairness and/or cause harm to the interests of the complainant and/or controller, as the case may be.”Note from noyb: This is incorrect. Section 26 does not name any of these elements. They are completely made up by the DPC.
DPC: “It is of note here that both the Irish and Austrian data protection authorities agree that neither the complainant nor the controller have a right to participate in the consultation process that forms a key part of the co-decision-making procedure described above. From there, the Austrian DPA held that Mr Schrems was not entitled to sight of documents
exchanged between the DPC and its fellow data protection authorities.”Note from noyb: this is misleading – the Austrian DPA in fact only takes the view that the cooperation process under Article 60(3) to (5) GDRP is not open the (both) parties. The DPC instead explicitly says that both parties have a right to be heard in its letters. We urged both DPAs to come to consensus, but it seems they were unable to reach such a consensus. There is now a situation where the Irish DPA takes the view that there is a role for the parties, but that documents are secret and the Austrian DPA takes the view that there is no role for the parties, but if there would be a role, § 17 AVG make the documents useable for anyone. Bottom line is: Facebook will be heard and noyb will not.
DPC: “For its part, the DPC believes that the parties should be given sight of such materials, provided only that they agree to treat them as confidential within the decision-making process”
Note from noyb: There is no basis for such a conclusion. In fact, the DPC itself may violate Section 26 if it shares “confidential” documents with the parties, as Section 26 is absolute in the consequences. The reality is that Section 26 is binary: If it is “confidential” it has to stay within the DPC, if it is not “confidential” it may be shared with external parties, who are themselves not subject to Section 26.
DPC: “2. According to noyb/Schrems, the Austrian DPA says there is no confidentiality clause covering such procedural documents. You say in your letters to noyb that there is a confidentiality clause.
As noted, the Austrian SA has made it clear on two separate occasions now that it did not consider that Mr Schrems was entitled to sight of documents exchanged between the DPC and its fellow data protection authorities in the course of the co-decision-making procedure.”Note from noyb: This is incorrect and/or misleading. The Austrian DPA took the view that this entire process is not open to the parties (neither the complainant nor Facebook), so it does not fall under the right to access to documents (independent of the documents being confidential or not). The DPC take the opposite view, that the process is open to the parties, but the documents are confidential. The DPAs were unable to agree on a joint position.
DPC: “It has also expressed the view to the DPC that Mr Schrems would not have been entitled to the draft decision and accordingly its publication on foot of the equivalent Austrian process could not arise.”
Note from noyb: This is absolutely incorrect. The Austrian DPA never said that. They even provided us with a USB drive with all the documents of the procedure. § 17 AVG is binary: Once you get the documents, they are free. See for example the Austrian Supreme Administrative Court (VwGH 22. 10. 2013, 2012/10/0002; VwGH 21. 2. 2005, 2004/17/0173; Rz 5).
DPC: “The DPC’s position is as outlined under point 1.
a. Does the DPC draw on legislation outside the 2018 data protection act regarding confidentiality of procedures? And, if so, where?
The Irish DPC draws on its obligations under the GDPR, the Irish Data Protection Act 2018 and its Constitutional obligation to apply fair procedures (as set out above).”Note from noyb: The GDPR has 99 Articles, the Irish Data Protection Act has hundreds of Sections and “Constitutional obligations” are not any clear framework for such a specific question. In fact the DPC cannot point to any specific provision, because there are none.
DPC: “b. NOYB says the paragraphs of the 2018 act the DPC cites apply only to a “relevant person” which includes DPC employees and contractors. Is this correct, or is there another section of the act that applies to parties in a complaint, too?
One of the legal obligations on the Irish DPC is under Section 26 of the Data Protection Act 2018. This requires that “relevant persons” (which include officers of the DPC) must not disclose confidential information, unless this is required (for example, by fair procedures obligations, as explained above) or is permitted by law. Even then, however, the DPC must balance its obligations to protect confidential information against the complainant’s and the data controller’s rights to fair procedures.”
Note from noyb: This is not in the law or any case law and just made up.
DPC: “In practical terms, the DPC is bound to take all reasonable steps to ensure that the confidentiality of such material is upheld in its own hands but also when it passes to the hands of a third party.”
Note from noyb: This is not in the law or any case law and just made up.
DPC: “To put it another way, the DPC can’t comply with its obligation to protect the confidentiality of material in its own hands, if it then passes that same material to a third party, without restriction, knowing or reasonably believing there is a strong likelihood the third party will publish it”
Note from noyb: This “conflict” is not really existing. The DPC has in fact blackened any documents that it considered “sensitive” or somehow protected. The rest is simply not falling under Section 26 and therefore there is no need to “balance”. The conflict that the DPC tries to generate here, is just because it declares even the most trivial email as “confidential”.”
This report has been updated with a link to the DPC’s letter to noyb; with Johnny Ryan’s confirmation of another confidentiality demand by the regulator in its complaint against Google’s adtech; with comment from the DPC and our analysis of its claims, including additional comment from Schrems; and with noyb’s detailed rebuttal of the DPC’s commentary