Irish data watchdog pushes for a business-friendly GDPR – POLITICO
The Irish Data Protection Commission has lobbied to allow social media to bypass user consent requirements under EU privacy rules, according to documents obtained by Max Schrems’ privacy campaign group .
According to documents obtained by noyb.eu under the Freedom of Information Act, the Irish DPC – which regulates the lion’s share of US tech companies under the EU’s General Data Protection Regulation – has explicitly pushed social networks to be able to monitor user behavior to target them with advertisements via contract, rather than having to obtain their consent.
However, attempts by the DPC to include “contract performance” as a legal basis in EU privacy guidelines have been rejected by other European regulators, according to the documents.
“This reduces the GDPR to a pro forma instrument. As long as you remember to include all kinds of requirements and provisions in a contract … controllers can do whatever they want and there is no need for consent or a balancing of interests … possible to provide social media accounts without tracking or profiling? Yes, in fact, it is, ”said a European regulator, who is not named in the document.
Another EU privacy watchdog has called the DPC’s attempts to legalize the use of contracts by companies to process ad data “contrary to anything we believe in”.
A third commented: “It seems to accept the monetization of personal data and circumvent other legal bases… We believe that this interpretation undermines the system and the spirit of the GDPR.
The Irish DPC ultimately failed to incorporate its proposals into the final guidelines, which include stringent data requirements to fulfill a contract with users. The final guidelines do not say that social networks can use the legal bases of the contract to serve personalized advertising.
The EU’s network of privacy regulators “have made it clear that there is no legitimacy to circumvent the legal requirements of informed consent by arguing that the processing is necessary for the performance of a contract to which the data subject is a party, ”Johannes Caspar, who headed privacy regulator at the time of the discussions, said POLITICO.
Three data regulator officials confirmed to POLITICO that Ireland’s point of view in discussing the guidelines was not shared by the majority of other regulators.
According to figures provided by the European Data Protection Board (EDPB), only one regulator voted against the final guidelines. The only dissenting regulator was Ireland, according to an official. Two others said it was likely Ireland based on their recollection of the talks.
Evidence of Ireland’s lobbying comes after the Dublin-based regulator proposed fining Facebook of up to € 36million for breach of transparency following its investigation into a filed complaint by Schrems in May 2018, accusing the social network of relying on “forced consent” to process data.
According to the draft decision, the Irish regulator said Facebook could in principle use the execution of a contractual legal basis to provide users with a personalized platform funded by advertising.
But, he added, assessing whether the contract was fair was beyond his legal remit.
At the time, a data regulator official said Ireland’s move would result in “the end of data protection as we know it” and that the idea of people signing up to Facebook to receive personalized advertising is “nonsense”.
“It’s not so much a part of the offer as something that is unilaterally imposed on users against the wishes of the majority of them. Nothing indicates that the legislator wanted to legitimize this ”, they declared.
The revelations that the Irish regulator pushed for a looser interpretation of EU privacy rules after receiving a complaint against Facebook will raise new questions about the watchdog’s relationship with the social media company.
“The documents show a clear plan: First, the Irish regulator has agreed to a GDPR bypass with Facebook. Then, he tries to insert this circumvention in the European directives, in the interest of an American multinational. The DPC clearly did not act in the best interests of the data. protection, but in the interests of American multinationals. Usually it is Facebook lobbyists who try to influence directives, here the Irish regulator has turned into a lobbyist, ”Schrems said in a statement.
Facebook moved from user consent to process data to the legal basis for the contract just before GDPR went into effect in May 2018. The company previously said it updated its terms as a result of 10 meetings with the Irish DPC.
An Irish DPC spokesperson said that “there is absolutely nothing unusual” between regulators when developing guidelines.
“To suggest that there is a problem with the way this process worked then, or now, demonstrates a lack of basic understanding of how the process works.EDPB, and how, through an iterative process, divergent views on complex policy issues are usually reconciled through dialogue and respectful and mature engagement ”, thesaid the spokesperson. “This was the case in relation to the development of the EDPB guidelines [on performance of a contract]. “
They also noted that the Court of Justice of the European Union was separately examining a case in which an Austrian court also ruled that Facebook was entitled to use the legal basis “performance of a contract”.
The outcome of these two cases “will also necessarily have an impact on the guidelines of the EDPB on the same subject,” said the spokesperson.
Facebook did not respond to a request for comment.
This article was updated with a response fromIrish DPC spokesperson.
This article is part of POLITICS Pro’s premium cybersecurity and data protection coverage. From emerging threats of a volatile digital world to legislation being developed to protect businesses and citizens, across all industries. For a free trial email [email protected] and mention Cyber.