Privacy campaigner Max Schrems accused Ireland's data protection commissioner (DPC) of attempting to prohibit him from publishing documents related to a long-running complaint against Facebook.
In August 2018, an Austrian citizen, with the assistance of Mr Schrems’s privacy lobby group Noyb, filed a complaint via the Austrian data protection regulator that Facebook was bypassing new EU data protection rules.
The Austrian body passed on the case to the Irish DPC, which is the lead regulator for Facebook in the EU. Last month the DPC issued a draft decision proposing a penalty of between €28 million and €36 million for Facebook. It noted that, before new EU data protection rules came into force in May 2018, Facebook had changed the legal basis of its relationship with its users to reflect and comply with the new EU data rules.
Mr Schrems has dismissed this shift as a legal “trick”, one in which he accused the DPC of being complicit. He published the draft decision and other correspondence with the Irish regulator on Noyb’s website, prompting the DPC to demand the documents be removed.
On Tuesday, the Austrian campaigner accused the DPC of threatening to remove him from the ongoing case unless he signed an undertaking to cease publishing documents without the Irish regulator’s express consent.
“Only if we shut up, would the DPC ‘grant’ us our legal right to be heard,” said Mr Schrems. In a series of DPC letters published on the Noyb website, the regulator describes Mr Schrems’s actions as “an unlawful and improper interference” in its investigation.
It insists that confidentiality of draft decisions and related documents is a prerequisite for a free exchange of views, or shifting positions, before a final decision is reached.
In a November 12th letter, the DPC declared its draft decisions and related information constituted “confidential information” under the 2018 data protection act.
It also noted that, two years ago, Mr Schrems and Noyb agreed not to publish documents related to the investigation.
The founder of Noyb hit back, describing the Irish regulator’s move as “procedural coercion”. The Irish regulator has no legal jurisdiction over the Austrian complainant or the Vienna-based Noyb, he said. According to the Austrian data regulator, added Mr Schrems, no confidentiality clause applies to data protection procedural documents.
Noyb pointed out in a letter to the DPC that the confidentiality clause it cited in the 2018 act applied to its employees and any contractors.
The DPC insists it is not trying to exclude Mr Schrems and Noyb from the case but acting to ensure fair procedure for all in an ongoing case. Ahead of a final decision, it is now in a phase where observations and objections to its draft decision can be filed by case parties and other European data protection regulators.
Mr Schrems suggested that, far from pursuing fair procedure, the DPC is instead “serving the interest of Facebook Ireland Ltd. and indeed its own interests, by trying to limit transparency and public oversight”. The DPC said that it operates under Irish fair procedures law and that “parties should be given sight of such materials, provided only that they agree to treat them as confidential within the decision-making process”.