The right to privacy and data protection would cease to exist if the Irish Data Protection Commission's (DPC) draft decision in a major inquiry into Facebook is allowed to stand, Norwegian authorities said.
In a recent letter sent to the DPC by the Norwegian data protection authority, Datatilsynet, the organisation said the ruling would effectively render European data protection law "pointless".
The letter, which has been seen by The Irish Times, highlights the many differences between the DPC and its European counterparts over the best way to police internet giants.
“With the Irish Data Protection Commission’s interpretation, there would be no effective protection of personal data, as the principle of lawfulness would effectively be rendered pointless and a mere formality. Data protection law would no longer be able to ensure data protection, and the essence of the right to privacy and data protection would cease to exist,” Datatilsynet said.
With most of the big tech companies having located their European headquarters in Dublin, the DPC has become a de facto regulator for their pan-European data activities. However, there have been widespread complaints about delays by the DPC in reaching decisions in investigations and on the suggested fines to be levied where companies have been found to have violated the law.
The DPC recently suggested a penalty of between €28 million and €36 million for Facebook in the draft decision made against the company, equivalent to just 0.048 per cent of the company’s global revenue. The general data protection regulation (GDPR) allows for penalties of up to 4 per cent of turnover.
The commission has been investigating claims that Facebook has “bypassed the GDPR” by changing terms and conditions for users so that it no longer needs to get their consent to process their personal data. Other European data protection authorities have issued guidelines stating that this is illegal but the DPC has said it is not persuaded by such views.
Under the DPC’s draft decision, Facebook would be allowed to dispense with the need to ask users for consent to use their data and to provide the right to opt out of such consent each time they log on to the platform.
Instead, consent would be one of the terms and conditions of the contract accepted by users when they sign up for the service in the first place. And they would not be able to opt out without being shut out of the social media platform altogether.
The DPC has been on the defensive of late after facing increased criticism. Earlier this week it rejected as "utterly untrue" allegations by Austrian privacy campaigner Max Schrems that it improperly lobbied other European regulators over the contested data collection policy used by Facebook.
European Commissioner Vera Jourova last month said the DPC was "understaffed and needs additional capacity" at a Web Summit press conference announcing new regulations for tech companies. Her comments come as the commission itself recently urged the Government to allow it to recruit more people at higher pay to allow it to operate properly in the coming years.
Johnny Ryan, senior fellow at the Irish Council for Civil Liberties (ICCL), recently lodged a complaint with European ombudsman Emily O'Reilly about the EU's failure to act against Ireland over the pace of big tech investigations by the State's privacy watchdog.
“ICCL has called for an independent review of how to strengthen and reform the DPC. We believe it is essential that Government ensure this happens,” he told The Irish Times.
The DPC said it could not comment on an ongoing investigation.