Digital rights campaigner Max Schrems said the data watchdog pushed other regulators to back a data collection policy used by Facebook.
Ireland’s Data Protection Commission (DPC) has been accused by Austrian privacy campaigner Max Schrems of improperly lobbying other EU regulators to allow Facebook to bypass user consent requirements for ad-related data collection.
Schrems, who is the co-founder of Vienna-based non-profit digital rights group NOYB, published documents yesterday (5 December) received under freedom of information rules. These showed the DPC wanted to allow social networks to monitor and target users with ads via contract rather than consent.
The DPC, which is responsible for regulating several US tech giants under GDPR rules, told the Irish Times that the documents released were authentic but contained “absolutely nothing unusual”.
Schrems claimed the documents indicate the DPC’s attempt to influence EU privacy guidelines and push other regulators to back a data collection policy used by Facebook.
“The documents show a clear plan. First the Irish regulator agreed on a GDPR bypass with Facebook. Then it tries to squeeze this bypass into European guidelines,” Schrems said.
“The DPC clearly does not act in the interest of data protection, but in the interest of US multinationals. Usually, it is Facebook lobbyists that try to influence guidelines in the interest of their industry sector, here the regulator has turned into a lobbyist.”
But the DPC failed to convince other European regulators, and some quoted in the documents echoed Schrems’ criticism. One regulator said that the DPC’s interpretation “undermines the system and spirit of GDPR”, while an EU privacy watchdog said it is “contrary to everything we believe in”.
“Is it possible to provide social media accounts without tracking and profiling? Yes, in fact it is,” a third is quoted saying, accusing the DPC of reducing “GDPR to a pro forma instrument”.
Under GDPR’s ‘one-stop shop’ mechanism, tech giants such as Facebook and Google are currently able to handle much of their GDPR responsibilities in one EU country. This means that many data protection investigations fall to regulators in countries where Big Tech companies have European headquarters, including Ireland.
But the Irish DPC’s role in policing Big Tech and its enforcement of GDPR has come under scrutiny in the EU lately, with commission vice-president Věra Jourová warning last week that the bloc’s privacy rules may need to change if enforcement is not effective.
In October, the DPC proposed a fine of between €28m and €36m for Facebook for failing to sufficiently inform users about how their data is processed – stemming from a complaint lodged by Schrems.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.