The Irish data watchdog said its meetings with Facebook were in keeping with its supervisory role and that the lobbying accusations are false.
Ireland’s Data Protection Commission (DPC) has rejected the recent accusations that it lobbied in the interests of Facebook, stating the claims are “utterly untrue”.
The DPC was accused by Austrian privacy campaigner Max Schrems of improperly lobbying other EU regulators such as the European Data Protection Board (EDPB) to allow Facebook to bypass user consent requirements for ad-related data collection.
Schrems claimed the DPC agreed on a GDPR bypass in meetings with Facebook and then tried to push for a policy in European guidelines that would allow companies to monitor and target users with ads via contract rather than consent.
Four MEPs sent a letter to the EU’s commissioner for justice on 6 December saying enforcement of European data protection regulation is being “seriously hampered because of Ireland” and the DPC’s role as the lead supervisory authority for several major US tech players that have European headquarters in the country.
They also raised the accusations of the DPC lobbying for Big Tech and called for the EU to take action against Ireland.
— Sophie in 't Veld (@SophieintVeld) December 6, 2021
A statement released yesterday (7 December) by the DPC said the allegations are not concerned with any issues of substance, “but with the advancement of a theory, central to which is an allegation that, acting in bad faith, the DPC sought to subvert the procedures of the EDPB”.
The DPC said the allegations are untrue and reveal “a lack of any kind of basic understanding” on the workings of the EDPB.
Meetings with Facebook
The DPC said it had meetings with Facebook between late 2017 and March 2018, ahead of the introduction of Europe’s General Data Protection Regulation (GDPR) in May 2018.
It added that the purpose of the meetings was to be updated on Facebook’s GDPR preparation programme and to provide high-level feedback. These meetings were in relation to the adoption of guidelines regarding Article 6 of GDPR, which deals with the lawful grounds for processing personal data.
The DPC said it had similar discussions with other public and private sector organisations, as did other data protection authorities (DPAs) in Europe.
“This was entirely in keeping with the DPC’s long-established approach to supervision by way of consultation and regulatory engagement with stakeholders,” it added.
The data watchdog said the initial position it developed on topic of contracts was not acceptable to many other DPAs, so it prepared a new iteration that adopted the views of the majority and became the “cornerstone” of the draft guidelines. It added that the final guidelines have their origins from this DPC document.
The statement concluded: “The DPC regrets the baseless allegations of bad faith made against it.”
The Irish DPC has faced a lot of scrutiny over its enforcement of GDPR.
Under the regulation’s ‘one-stop shop’ mechanism, tech giants such as Facebook and Google are currently able to handle much of their GDPR responsibilities in one EU country. This means that many investigations fall to regulators in countries where Big Tech companies have European headquarters, namely Ireland.
European Commission vice-president Věra Jourová warned last week that the bloc’s privacy rules may need to change and move towards greater centralisation if enforcement is not effective – putting Ireland’s DPC in the spotlight again.
Draft decision on Instagram
Meanwhile, the DPC has submitted a draft decision on an inquiry into Instagram, which started last year, on how the social media platform processes children’s information. This process is part of Article 60 of GDPR, where the draft is sent to other concerned supervisory authorities, which have one month to send any relevant objections.
Deputy commissioner Graham Doyle said: “This is the seventh DPC inquiry to have reached the Article 60 stage under the GDPR. In addition to this Instagram inquiry, two other DPC inquiries into Facebook are currently at the Article 60 stage.”
A recent draft decision from the DPC proposed a fine of between €28m and €36m for Facebook for failing to sufficiently inform users about how their data is processed.
In September, WhatsApp was issued the DPC’s largest ever fine for breaching GDPR.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.