Schrems calls on EU authorities to intervene in ‘Kafkaesque’ DPC case

Campaigner claims watchdog met Facebook regularly before introduction of GDPR rules

Austrian privacy campaigner Max Schrems has claimed there was ‘co-operation’ between Facebook and the Irish Data Protection Commissioner on the fim’s approach to strict European data-protection laws. Photograph: Getty Images

Austrian privacy campaigner Max Schrems has claimed there was ‘co-operation’ between Facebook and the Irish Data Protection Commissioner on the fim’s approach to strict European data-protection laws. Photograph: Getty Images

 

Austrian privacy campaigner Max Schrems has claimed there was “secret co-operation” between Facebook and the Irish Data Protection Commissioner (DPC) on the social networking giant’s approach to strict European data-protection laws.

In an open letter published on Sunday, Mr Schrems alleged Facebook had 10 meetings with the DPC prior to the introduction of GDPR, which, he says, it then relied on when designing key policies around user consent to certain data processing.

He also accused the commissioner of operating a go-slow on his privacy complaint against Facebook.

Two years after filing a fresh claim under new European Union data-protection rules (GDPR), Mr Schrems has written to other EU regulators to intervene in the “Kafkaesque” proceedings in Ireland.

In a statement, the DPC dismissed Mr Schrems’s allegation of secret co-operation. Graham Doyle, deputy commissioner with the DPC, said the office had held no “secret meetings” with Facebook.

“We regularly engage and meet with companies from all sectors as part of our regulatory enforcement and supervision functions, in accordance with article 57 of the GDPR, in the same way that many of our EU colleague data-protection authorities do.” Mr Doyle said the DPC was advancing 23 different inquiries into big tech firms and recently announced “significant developments” in several.

At the core of Mr Schrems’s argument are 10 meetings held between the DPC and Facebook in advance of new data-protection laws introduced in May 2018, as well as a White Paper supplied by the company to the DPC.

Mr Schrems claims that at the same time the GDPR came into force, Facebook changed the legal basis on which it relies when processing user data, changing from a reliance on consent to an “alleged contract”.

The meetings are referred to in submissions made by the company during the DPC’s investigation of the complaint.

‘Direct engagement’

Excerpts from these submissions show Facebook stated it had “detailed direct engagement with the commission prior to the implementation of the recent update to our terms, spanning 10 meetings”.

On Friday, the Irish regulator announced it had completed its investigation into Twitter’s handling of a data breach in 2018, raising the prospect of the first fines against tech companies who have made Dublin their European base and the DPC the lead regulator.

Mr Schrems criticised DPC investigations into data-collection complaints filed by users of WhatsApp and Instagram, both Facebook subsidiaries.

Investigations into WhatsApp and Instagram were still in the early, draft stage and, he said, counted as a “slap in the face” of complainants.

A text analysis revealed the WhatsApp and Instagram reports were largely identical to the DPC’s draft report into Facebook last year, he said.

Five years after his landmark ruling striking down previous EU transatlantic data-transfer mechanisms, Mr Schrems says he has no plans to give up on his case.

When the High Court lifts its Covid-19 restrictions and reopens, he will begin a judicial review into the DPC approach to his case.

Fred Logue, an Irish solicitor and data-protection expert, said under GDPR, firms must have a legal basis to process data.

“I am quite concerned that the DPC appears to accept without an investigation that Facebook can rely on contractual necessity for the extensive processing of personal data on its platform.”

Mr Logue said the DPC must look at the substance rather than the form of the contract to see if the “processing is truly necessary”.

“I would be very surprised if a data controller such as Facebook could avoid consent by incorporating data-processing terms in its contract. If that were the case, the idea of consent would be completely hollowed out.”

Business Today

Get the latest business news and commentarySIGN UP HERE