Schrems criticises Irish data regulator after Facebook case breakthrough
Privacy campaigner still awaiting response to complaint submited to DPC in 2013
Max Schrems: Austrian lawyer and privacy activist. Photograph: Joe Klamar/AFP/Getty Images
Austrian privacy campaigner Max Schrems has accused Ireland’s Data Protection Commission of being dysfunctional, after it agreed to investigate his seven-year-old complaint against Facebook.
After lengthy legal wrangling over procedure, jurisdiction and other technicalities, the DPC told the Schrems legal team on Tuesday that it would open its investigation irrespective of the outcome of an ongoing court case in Dublin involving the social media company.
In his June 2013 complaint, Max Schrems argued that Facebook’s European subsidiary, based in Dublin, was in breach of EU law by transferring European users’ personal data for processing in the US.
The complaint drew on National Security Agency whistleblower Edward Snowden’s revelations of mass surveillance by US intelligence agencies. The case has gone through at least seven court cases in the last seven years, although the DPC has yet to make a formal finding to uphold, or dismiss, the Schrems complaint.
Twice, in 2015 and 2020, the Court of Justice of the European Union (CJEU) used referrals in the Schrems case to strike down EU-US data transfer arrangements, and urged the Irish regulator to regulate.
In a draft preliminary decision, the DPC said data transfers outside the EU should be suspended unless there is a guaranteed level of protection for citizens’ rights equivalent to those offered under EU law.
In Tuesday’s letter, the DPC said it would progress the complaint “as expeditiously” as possible. Mr Schrems said he welcomed the news, but remained sceptical of the Irish regulator.
“Fundamentally, their procedures don’t work, it’s a huge procedural mess,” said Mr Schrems, head of the Vienna-based privacy lobby group Noyb (none of your business).
Dublin solicitor Gerard Rudden, a member of the Schrems legal team, said the DPC change of heart meant there was no need to proceed with a so-called “own volition” case between the two sides at the High Court.
A second such case, involving the DPC and Facebook, is still tabled to proceed, but the regulator has agreed to allow the Schrems side participate.
“After seven years, the DPC needs to conclude this investigation and issue a decision as soon as possible while respecting the parties’ right to fair procedure,” said Mr Rudden, adding that at least four years were “wasted from Max’s perspective”.
The seven-year legal battle has resulted in multi-million legal bills for all involved and, as in a previous round, Mr Schrems intends to ask the Irish courts to order the DPC to cover his costs.
In its letter, the DPC promised to release to the Schrems legal team previously withheld documents submitted by Facebook as part of the investigation.
Finding in favour of Schrems, Facebook warns, could bring huge disruption to online traffic and trade.
Facebook’s Dublin-based operation in the EU makes the DPC the EU’s lead regulator in this case. EU data protection laws allows the Irish regulator fine Facebook up to 4 per cent of its global turnover – $70.7 billion 2019 – and ban data transfers.
Facebook was not available for comment; the DPC said it would issue a detailed statement on Thursday.