Ireland’s data protection commissioner (DPC) Helen Dixon has triggered an unprecedented war of words with other EU regulators, dragging into the open a long-simmering stand-off over its oversight of Facebook and other US tech companies based in Dublin.
Germany’s federal data regulator (BfDI) has accused Ms Dixon in a letter of making “simply false” claims about her and others’ work while Austrian privacy campaigner Max Schrems in another letter says the DPC’s narrative on his long-running Facebook complaint “greatly departs from objective facts”.
Last month Ms Dixon requested a hearing at the European Parliament to respond to claims about the DPC made during a hearing of its civil liberties, justice and home affairs (LIBE) committee.
That hearing last September focused on the legality of Facebook’s transfer of EU citizens data to the US, subject of a long-running complaint filed by Mr Schrems with the DPC.
The LIBE committee agreed to her request but, on Wednesday, said “the Irish DPC has declined to participate in the meeting under the format set”.
After its September hearing, the LIBE committee issued a draft resolution critical of the DPC’s work. This contained a strong condemnation of the Irish regulator’s efforts to shift onto Mr Schrems some costs of a round of legal action the DPC had itself initiated, which went to the European Court of Justice (CJEU) in Luxembourg.
Such an approach to legal costs “would have created a massive chilling effect” on EU citizens registering complaints with the DPC in future, the committee said. It called on the European Commission to “start infringement procedures against Ireland for not properly enforcing” European data protection regulations (GDPR).
Last month Ms Dixon, in an eight-page letter seen by The Irish Times, described the parliamentary committee’s criticism of the DPC’s work as “inaccurate and incomplete” and requested a chance to present her side of the argument.
“The accompanying ‘strong condemnation’ of the DPC’s actions is neither sustainable nor appropriate and should be withdrawn,” she wrote.
On the most recent CJEU case, Ms Dixon said she felt bound to seek guidance from Luxembourg on particular kinds of transatlantic data transfers in line with an earlier Luxembourg ruling. The LIBE critical draft resolution “would serve only to deepen common misconceptions” about the subsequent CJEU ruling on the case.
Mr Schrems disagrees in a letter to the LIBE committee, saying the DPC “pretended for five years that the solution in the law did not exist – just to send the case back to the CJEU... [and] kick the can down the road”.
In her February letter, Ms Dixon said her office was Europe’s “only supervisory authority to engage with EU-US transfers in a meaningful way, or at all”.
That prompted a robust response from Germany’s federal data protection regulator (BfDI) Ulrich Kelber. In a letter to the LIBE committee he said Ms Dixon’s perception of fellow regulators’ work ethic on data transfers “reflect her personal, one-sided view with which she often stands isolated” in EU circles.
New GDPR data protection rules came into force in 2018, giving the DPC regulator a lead role in overseeing Ireland-based US tech companies.
Of 50 complaints about Facebook subsidiary WhatsApp he has forward to Dublin, “not one has, to date, been concluded”.
He accused Ms Dixon of being very protective of her lead role on regulating companies like Facebook, an approach he said “inhibits a certain amount of initiatives of other regulators”.
That Ireland’s DPC had the lead in 196 EU data cases, of which just four had reached a ruling, “means a clear backlog in processing cases in the Irish regulatory authority cannot be denied”.
The DPC did not respond to requests for comment.