The Irish Data Protection Commission (DPC) pushed for a liberal interpretation of data protection law that would favour social media companies, newly released documents reveal. The proposals were characterised by another regulator as “contrary to everything we believe in” and “(reducing) the GDPR to a pro forma instrument.”
The 2018 documents, published by privacy group noyb.eu on Sunday, show a dialogue between European data protection authorities in which the DPC appears to push for a more liberal legal interpretation of the General Data Protection Regulation (GDPR) than some other regulators were willing to accept.
In comments on a draft version of the European Data Protection Board (EDPB) guidelines on consent under the GDPR, the DPC attempted to enable social media companies to rely on terms and conditions agreements for purposes of tracking and profiling users.
Other data protection authorities pushed back against the Irish DPC’s approach, stating that the proposals were “contrary to everything we believe in” and seemed to “accept monetisation of personal data.”
The final version of the guidelines, published in 2019, did not include the Irish DPC’s interpretation of the rules, and instead recommended that social media companies obtain user consent for any processing of personal data that was not “necessary” for the performance of a contract.
Cases against Facebook
The EDPB’s final consent guidelines were cited by noyb.eu in complaints against Facebook before the Irish DPC and the Austrian courts in 2018.
The complaints, brought by noyb.eu founder Max Schrems, allege that Facebook contravened the GDPR’s rules on consent by requiring users to agree to ad-targeting and profiling when signing up to use the social media service.
Schrems alleged that Facebook was instead required to obtain separate consent for ad-targeting and that the company was using its terms and conditions to “bypass the GDPR.”
To resolve the question of whether Facebook can rely on its terms and conditions for this purpose, Schrems’ Austrian court case against Facebook was referred to the Court of Justice of the European Union (CJEU) in July.
In a draft decision responding to the Irish complaint, dated Oct. 6, the Irish DPC determined that there was “no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract.”
Irish DPC Responds
In response to noyb.eu’s release of the documents, the Irish DPC said on Sunday that there was “absolutely nothing unusual” about the dialogue between data protection authorities around the interpretation of the GDPR’s consent rules.
“To suggest that there is any issue with how this process worked then, or now, demonstrates a lacking of basic understanding of the workings of the EDPB, and how, through an iterative process, divergent views relating to complex issues of principle are typically reconciled through dialogue, and through respectful and mature engagement,” the Irish DPC told Politico.
Schrems, however, argued that the Irish regulator’s approach was “part of a clear plan” following ten meetings between the Irish DPC and Facebook regarding the issue of GDPR consent.
“First the Irish regulator agreed on a GDPR bypass with Facebook. Then it tries to squeeze this bypass into European guidelines,” Schrems alleged on the noyb.eu website on Sunday.