Austrian lawyer & privacy activist Max Schrems has filed a corruption complaint against the Irish Data Protection Commission (DPC) for “procedural blackmail”. noyb- European Center for Digital Rights, the Vienna-based not-for-profit that Max co-founded and chairs, has filed the complaint under Austrian law.
By the way, noyb literally means ‘None of Your Business’.
What’s the Matter?
The Irish Data Protection Commission is currently investigating Facebook for trying to bypass GDPR’s (General Data Protection Regulation) consent requirements. The issue came to the fore when GDPR came into effect in 2018. Alleging that Facebook was bypassing the consent requirements through a “take it or leave it agreement”, noyb filed a complaint with the Austrian Data Protection Authority. Since the Irish DPC is the supervisory authority for Facebook, the Austrian authority forwarded the complaint.
[More on supervisory authority and GDPR’s one-stop-shop mechanism here.]
Last October, the Irish DPC sent a draft decision on the complaint to the other European Data Protection Authorities. In its opinion, Facebook can choose to include the agreement on data processing in a contract. However, it suggested a penalty as well since Facebook ought to have been more transparent about the bypass. The Irish DPC has recently fined WhatsApp €225 million ($266 mn, £193 mn), also for breaching transparency obligations. WhatsApp is appealing the decision but is also tweaking its privacy policy in Europe.
In the Facebook case, when the DPC issued the draft decision, noyb made the decision public. Following the publication, the Irish DPC demanded noyb to take down the draft decision as well as noyb’s own submissions. The DPC also demanded noyb to draft and sign a “non-disclosure agreement” (NDA) within one working day. When noyb refused to sign the NDA, the DPC removed it from the procedure.
In most simple terms, it means the adjudicator has refused to hear the complainant unless there’s an NDA in place. You can read the entire series of communications between the DPC and noyb here.
There’s no basis for “non-disclosure” requests
nyob says the Irish DPC has no legal basis to demand that documents in a public procedure concerning millions of users are kept confidential. It argues:
- Irish DPC lacks jurisdiction outside Ireland;
- Since the complaint was made with Austrian DPA, documents have to be served through it. And the DPA has confiemd that there is no confidentiality regarding procedural documents.
- Under Section 26 of the Irish Data Protection Act, only DPC staff is legally duty-bound to keep documents confidential. There’s no such legal burden on the parties.
nyob further remarks that Facebook would especially benefit from the NDA. Any decision finding its GDPR bypass illegal would have major implications for its business model in Europe. Schrems said:
“If the other DPAs overturn the DPC’s decision, it would likely mean that large parts of Facebook’s data use would be declared illegal. This would not only mean major penalties, but also looming damages claims by millions of users. Facebook has a strong interest to keep the details of this procedure under the rug. Facebook therefore repeatedly demanded that DPAs limit our right to be heard — it seems the DPC is doing everything to assist Facebook in this demand.”
Charges of Corruption and the Complaint
nyob says the Austrian Criminal Act penalises “requesting a benefit (even a small benefit, or a non-material benefit) for the lawful performance of public duties. Schrems said:
“The DPC engaged in procedural blackmail. Only if we shut up, the DPC would ‘grant’ us our legal right to be heard. We have reported the incident to the Austrian Office for the Prosecution of Corruption. This is a regulator clearly asking for a ‘quid pro quo’ to do its job, which likely constitutes bribery in Austria.”
noyb further says that if it complies with the Irish DPC’s demand, it would be granting a benefit to the Irish DPC in exchange for conducting its legal duties. As such, “noyb and noyb staff itself could have potentially committed a crime (§307a StGB)”.
Since the target of the potential criminal act is based in Austria, noyb has filed a criminal report against the Irish DPC with the Austrian Office for the Prosecution of Corruption.
Irish DPC’s response
The Irish DPC has clarified its position speaking to Techcrunch. It sys that information related to an ongoing procedure must be kept confidential in order to ensure “fairness to all parties”. It adds that it “must balance its obligations to protect confidential information against the complainant’s and the data controller’s rights to fair procedures.
Although the DPC again fails to specify the legal basis to justify this “balancing obligation”, it describes it as a “constitutional obligation”.
It also reiterates Section 26 of the Irish Data Protection Act, which noyb claims does not apply to parties to a procedure.
You can read the Irish DPC’s full response here.
Do subscribe to our Telegram group for more resources and discussions on tech-law & policy. To receive weekly updates, don’t forget to subscribe to our Newsletter.