Austrian lawyer Max Schrems, has accused the Irish Data Protection Commissioner of putting pressure on his privacy group, Nyob, to agree not to disclose documents about the regulators’ investigation into Facebook.
The group alleges that the DPC attempted to force the organisation to sign a non-disclosure agreement that would have prevented it publishing or disclosing documents in the case.
Schrems said in a statement that the DPC had made an “unheard of move” by demanding that Noyb draft and sign a Non Disclosure Agreement (NDA) within one working day.
“The DPC acknowledges that it has a legal duty to hear us, but it is now engaged in a form of ‘procedural coercion’, he said.
At issue is a complaint from Schrems and Nyob against Facebook in May in 2018 to the Austrian data protection regulator, which passed it on to Ireland’s DPC, the lead regulator for Facebook.
The DPC’s draft decision in August 2021 found that Facebook had lawfully reframed its agreement with Facebook users as a contract under GDPR and did not require the consent of users.
Letters from the Irish Data Protection Commissioner, however, reveal that other Data Protection Authorities disagree with the decision and have submitted “relevant and reasoned objections.”
Schrems said that the case is likely to reach the European Data Protection Board (EDPB) where other European regulators may choose to overrule the Irish DPC – a move that could mean that large parts of Facebook’s data use are found illegal.
“This would not only mean major penalties but also looming damages claims by millions of users,” he said.
Confidentiality requirements
The Irish Data Protection Commissioner wrote to Schrems and Nyob in November arguing that all correspondence in the case should be treated as confidential.
Confidentiality was necessary to allow “free and frank” exchanges between the parties and regulators and to avoid the disclosure of “interim views” that could compromise the decision-making process, it said.
Nyob had previously published the Data Protection Commissioners draft decision and had refused requests from the DPC to take it down, the letter noted.
The DPC said it was concerned that Nyob would disseminate objections by other data protection supervisors “outside the confines of the co-decision-making process”.
The letter required Nyob to propose arrangements, enforceable by Irish courts, to ensure that it would respect the confidentiality of any documents shared by the DPC.
No legal basis
Nyob argues that the DPC has no legal basis to demand that documents in a public procedure that affects millions of users are kept confidential.
The DPC is required to serve documents to the Austrian Data Protection Authority, which has confirmed that procedural documents are not confidential, it said.
Even if the documents were to be served directly under Irish law, there is no legal duty for parties to keep documents confidential under the relevant section of Irish Data Protection Act.
Nyob said it had a positive relationship with most of the Data Protection Authorities in Europe and had received hundreds of legal documents since it started work in mid-2018.
The group said it only made documents public when it had a right to do so and when they were of the utmost public importance or it was necessary to back Nyob’s statements.
“Unfortunately, the DPC and Facebook declare every document as “confidential” by default and have threated Noyb staff and our legal counsel repeatedly not to cite, discuss or publish the contents,” it said in a statement.
Despite its legal duties under GDPR, the DPC does not share relevant documents with other Data Protection Authorities, Nyob claimed.
The privacy group said it had voluntarily not disclosed documents from the Irish Data Protection Commissioner and Facebook.
“We have not disclosed documents on a voluntary basis, to limit friction with the DPC and Facebook. These voluntary efforts were apparently not fruitful,” it said.
The Data Protection Commissioner wrote to Nyob on 18 November saying it was not in a position to release the objections from data protection regulators and other material following Nyob’s unwillingness to sign a confidentiality agreement.
Facebook files to be published
Nyob said that in response it would publish further Facebook and DPC documents on every Sunday in advent with a video explaining why it is entitled legally to do so.
“We very much hope that Facebook or the DPC will file legal proceedings against us to finally clarify that freedom of speech prevails,” said Schrems.
Nyob said it has reported the incident to the Austrian Office for the Prosecution of Corruption to investigate as a possible breach of Austrian law.
“We have not taken this step lightly but the conduct of the DPC has finally crossed all red lines. They basically deny us all our rights to a fair procedure unless we agree to shut up,” said Schrems.
He said that Facebook has a strong interest in keeping the proceedings out of the public eye. “It seems the DPC is doing everything to assist Facebook in this demand,” he said.
Facebook and the DPC have been approached for comment.
