After a 4½ year investigation, Ireland’s Data Protection Commission (DPC) was handed a damning report card on Thursday by Europe’s highest data protection body, the European Data Protection Board (EDPD).
Under EU data protection rules (GDPR) enacted in 2018, the Irish DPC has had frontline responsibility for regulating cross-border data regimes of multinationals with European headquarters in Ireland. In particular focus: Dublin-based big tech companies like Meta and Twitter, whose entire business models are based on collecting, processing and selling user data to advertisers.
But how much data can they collect and process under EU law and how explicit is the consent of users, who have a fundamental right to privacy?
The case in question, based on an Austrian complaint from May 2018, was about whether Facebook and Instagram, both part of Meta, have to make clear to users what they are doing and seek extra permission and offer an opt-out to detailed data collection that still allows user access.
Meta insisted users simply accept such practices as a quid pro quo for using “free” social media services.
In its draft decision, the DPC seemed to accept that Meta’s subsidiaries were acting within EU law, though it proposed fines of up €59 million for Instagram and Facebook not being more transparent with users.
Its reading of EU data protection law, detailed in a draft decision from 2021, was taken apart in the final decision of EDPB. This body comprises all EU/EEA data regulators as well as an elected head, with non-voting observers such as the European Commission.
The EDPB report lists “relevant and reasoned” challenges filed by Spanish, Italian, Swedish, Polish, Portuguese, Norwegian, Austrian, Finnish and German national regulators to an Irish draft decision. To resolve the regulator deadlock, the EDPB voted to overrule the DPC, ordered it to throw out its original decision and implement instead the findings of the higher body.
This is a drastic step, taken in only six out of more than 500 cross-border cases so far under GDPR, and requires a two-thirds majority.
One regulator said there was “considerably more than the two-thirds required” to overturn the Irish draft decision. A second, asked if the DPC was alone in its position, answered: “That could well be the case.”
In a press release last week, the DPC said a “subset” of European regulators objected to existing Facebook/Instagram data collection policies.
Decision to overrule
This week it declined to say how many other European regulators agreed with its legal stance on the disputed contracts-consent issue.
EDPB chair Andrea Jelinek said that, while the decision to overrule the Irish regulator was clear, this should not be seen as an attack on Ireland or its data regulator. Instead, she said it reflected the concentration of data-processing tech companies in Ireland and the settling-in time for new cross-border powers allowed under GDPR.
“Some cases simply take longer, with EU competition law it took 10 years before it began working,” she told The Irish Times. “It’s only when problems arise that other national authorities get involved.”
Germany’s federal regulator Ulrich Kelber welcomed the decision, saying, “It’s no secret we thought some investigations were taking too long.”
“We are happy with the results and the severe fines [of €390 million] imposed, though we would have gone higher,” said Mr Kelber. “I am very satisfied it is very clear that a legal basis was lacking for Meta’s data processing.”
Many who spoke to The Irish Times, though wary of intervening in Irish affairs, said the case flagged the need for urgent reform of Irish data protection legislation.
“It’s such a convoluted procedure,” said one regulator, “with investigations requiring so many steps that it takes quite a while.”