They say that God loves a trier. If so, he has special love for Ireland’s Data Protection Commission (DPC).
In a 1,600-word press release on Wednesday, concluding investigations against Facebook and Instagram, the DPC implied it had won a battle.
The opposite is the case. Its ruling on Wednesday was another low point in data protection regulation for 450 million EU citizens.
Put simply: the agency that had previously sided with Facebook over key points on a complaint by vocal Austrian privacy campaigner Max Schrems in May 2018 was called into line by its fellow European authorities and forced to reverse its position.
Not only that. Instead of its original proposed fine of between €28 million and €36 million for Facebook, made in its October 2021 draft decision, the DPC is now fining the company €210 million (and another €180 million for Instagram) over illegal data procession. A further fine for WhatsApp is looming.
And Meta, which reported €89.77 billion in annual gross global profit in 2021, will have to change its highly profitable personalised advertising model in Europe.
The DPC has sent Facebook and Instagram copies of its decision, and given them three months to legalise their data collection. Interestingly, the Meta companies can flag any information they believe is commercially sensitive and should not appear in a final published decision.
Max Schrems, who filed the complaint, has been told he will get a copy of that final decision later, via the Austrian data authority. If that version has been redacted in any significant manner, it could make for interesting legal arguments on appeal.
Ireland’s concentration of big tech companies always meant heightened focus on the DPC’s performance, and the State has responded to past criticism with increased resources to investigate complex cases.
Last year it imposed a €265 million fine on Meta for illegal “data scraping”. Too often, however, the Irish DPC has consistently taken positions on EU data protection that Europe’s highest courts - and fellow regulators - say are wrong. We now know that, for nearly five years, Facebook and Instagram have collected more information on their European users than EU law allows
Only under duress has the Irish regulator agreed. After nearly five years of this charade, the DPC should, to quote Samuel Becket, fail better.