In an open letter, online privacy activist Max Schrems has criticised the Irish data protection commission’s handling of a complaint against social media giant Facebook and called on the European Union to step in. EURACTIV Germany reports.
On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) came into force.
Just in time for its second anniversary, one of Europe’s most prominent data protection activists, the Austrian Max Schrems, sent an open letter to EU authorities strongly criticising its implementation.
In the letter, Schrems discusses a lawsuit against Facebook and its companies WhatsApp and Instagram, in which the Irish data protection commission (DPC) has pulled the brakes, according to Schrems.
The data protection activist is, therefore, calling on international data protection authorities and the European Commission to put pressure on the Irish authorities.
Schrems became known through the class action suit against Facebook for alleged violations of data protection rules.
Although the case was rejected by the European Court of Justice in 2018, the lawyer Schrems stayed strong. Together with his organisation “nyob” (short for “none of your business”), he took on three new lawsuits against Facebook, WhatsApp and Instagram on 25 May 2018, just hours after the GDPR came into force.
“Compulsory consent” for the use of data
This time it was about the consent of users to have their data processed by Facebook.
The case sounds like a bureaucratic hair-splitting, but in reality, the question is whether data may be processed or not.
Since the GDPR came into force, anyone who wants to process user data must obtain consent, in a way which cannot be forced or hidden (for example, buried deep in the terms and conditions).
Facebook solved the problem by changing its consent model during the night of 25 May. Instead of asking users for consent, it simply changed its terms and conditions to become a contract.
This new contract presents Facebook’s curation of content tailored to users via algorithms as services which require the processing of data. And it turns out that according to the GDPR, data processing is permitted for the fulfilment of contracts.
But Schrems sees this as “compulsory consent”, as he made clear in an interview with EURACTIV Germany. This is because these contractual changes were only communicated to users in the form of a pop-up that was hurriedly clicked away, which, according to Schrems, does not amount to consent under the GDPR.
Schrems, therefore, supervised a lawsuit against Facebook submitted before the Austrian courts claiming that data processing is occurring without GDPR-compliant consent.
However, as Facebook’s headquarters are in Ireland, Austrian judges forwarded the case to their Irish counterparts.
A small step for Schrems, a big one for the Irish
For a long time, little happened, as the Irish authorities repeatedly delayed the process.
Last month, however, on 22 April, the draft decision for the Facebook lawsuit was issued, followed on 20 May, by the draft report against Instagram and WhatsApp.
Irish Deputy Privacy Commissioner Grahan Doyle told EURACTIV Germany that these were “significant developments”.
However, Schrems emphasised that these are only two steps out of four before the matter moves from the Irish to the EU level (see infographics). By comparison, the Austrian data protection authority would have to decide within six months.
Schrems fears that the procedure could drag on for another ten years. “That is not quite what the GDPR should be aiming for,” he said.
That is why Schrems is calling for more pressure on the Irish authorities in his letter.
The data protection authorities in other countries would be able to do so because they would have a suitable tool: an emergency procedure which would enable a common European decision to be taken which would be binding on Ireland.
The Austrian authority could also bring the case back to its own territory. So far, however, “other authorities do not dare to use this” mechanism, said Schrems.
No secret meetings
The German data protection authority has not yet received an official request from nyob to talk to their Irish colleagues, said spokesperson Christoph Stein. However, the issues addressed in the letter “have been and will be discussed with the Irish DPC in the European Data Protection Committee,” he told EURACTIV Germany.
Of particular frustration for data protection activists are the ten meetings between Facebook and the Irish DPC before the GDPR had even come into force.
Despite several requests, the contents of these meetings were not made public, which has led noyb to assume, as it states in the letter, that companies and authorities are trying to circumvent the consent in “secret cooperation”.
However, the Irish authorities have denied any “secret meetings”.
The Irish authority is in regular contact with private companies as part of its supervisory role under Article 57 of the GDPR, as is the case for many other data protection authorities, said Irish Deputy Privacy Commissioner Doyle.
(Edited by Frédéric Simon)