Irish DPC sends noyb a take down notice on a published Facebook draft decision

[German]The Irish data protection authority DPC has sent the data protection organization noyb, founded by Max Schrems in Austria, a so-called take down notice. This is a request to take down a published document from the organization's website. The document is about a draft decision of the DPC, in which a trick used by Facebook is to be legalized. The DPC classifies this draft as confidential, but noyb sees it differently.


The facts

The Irish data protection authority DPC is trying to submit a "draft decision" (PDF) to the other European data protection authorities regarding a legal trick Facebook is using to circumvent the GDPR. Facebook's legal reasoning, according to Max Schrems and noyb, is simple: if the agreement is interpreted as a "contract" (Article 6(1)(b) GDPR) instead of "consent" (Article 6(1)(a) GDPR), the strict rules of the GDPR should no longer apply to the group. Facebook could therefore use all available data for all its services – including advertising and online tracking. Facebook would then no longer have to ask users for voluntary consent or give them the opportunity to revoke it at any time. This switch from "consent" to "contract" took place at midnight on May 25, 2018 – exactly when the GDPR came into force in Europe. The organization noyb has published corresponding documents and commented on the details in this article (in German).

DPC demands removal of the documents

I came across the issue in question via the following tweet from colleagues at Golem. The Austrian data protection organization noyb published the details in this article (in German) and writes that they received a request from the Irish DPC noyb to delete published documents.

DPC versus Noyb

It is about the draft decision mentioned above, which is supposed to deprive Facebook users of their rights under the GDPR. Noyb is requested in the letter:

Remove the draft decision from your website immediately and refrain from any further or other publication or disclosure of the same.

Noyb states its own position on its website and writes that they should censor itself, if the give in to the DPC request. Noyb suggests that the Irish DPC take legal action in an Austrian court to have the documents removed. At this point, the process seems clear …


The position of the DPC

I then took a quick look at the DPC's letter (PDF). In the letter, the Irish DPC argues that the actual decision-making process between the authority, Facebook (respondent) and the complainant (in this case ooyb) was agreed to be confidential. This was also known to Noyb and had been agreed upon. The Irish DPC writes in this regard:

  • "In recognition of the confidentiality of investigative documents in the investigative process, you [Schrems/noyb] have previously offered to sign 'a non-disclosure agreement ("NDA") or other agreement that would limit access to these documents to certain individuals'." It was also specifically noted that this step would ensure "that no information would be released or used outside of this proceeding…."
  • Consistent with this office's position on the confidentiality of investigative documents, when we [DPC] later released a copy of the draft investigative report to you [noyb], we wrote: "The contents of the draft report and appendices should be kept strictly confidential at this time, … to ensure the integrity of the investigative process, particularly in light of the fact that the contents of the materials relate to the subject matter of an open investigation that is still under consideration by this office."

So the position of the Irish authority is: A reconciliation process is currently underway, and noyb had also agreed to confidentiality (albeit on a voluntary basis and with certain conditions). Between the lines of the paper I read that noyb never signed or unconditionally accepted a non-disclosure agreement ("NDA").

Ostensibly unclear facts

On the one hand, there is therefore an interest in informing the public about relevant proceedings. On the other hand, it is in the interest of those involved in the proceedings if not all internal information is made public. It would be critical if noyb had agreed to a confidentiality agreement during the ongoing proceedings. Then it would be inadmissible for interim documents and drafts to be discussed publicly. The IPC document highlights that NOYB had agreed to maintain the confidentiality of the investigation material in a letter dated October 4, 2019, addressed to the Austrian data protection authority. It is quoted:

We will therefore continue to refrain (on a voluntary basis) from publishing or sharing the contents of the file (such as the "draft decision") or communicating any content ….

However, it is odd that letters from 2019 are referenced, but documents from 2021 are supposed to be confidential. There seems to be formally quite different positions from noyb and the Irish DPA here. Here it would be of interest to have more details, which noyb also provides.

The position of noyb

In its statement (German) noyb writes that it represents a data subject before the Austrian Data Protection Authority (DPA) and is therefore subject to Section 17 of the Austrian Administrative Procedure Act (AVG). However, this does not provide for any restrictions regarding the use of documents, which has been confirmed by the Austrian DPA on several occasions.

Then noyb also addresses the position of the Irish DPC, which I touched on above, that confidentiality had been agreed. The privacy activists accuse the DPC of selectively quoting from various correspondences in which the DPC insisted on the confidentiality of the documents. To this they state:

However, it is clear from all relevant documents that noyb does not accept this position, but refrains from publishing the documents in question during the investigation in the interest of smooth cooperation between the DPC and the Austrian data protection authority. Contrary to the insinuations in the letter of the data protection authority, noyb has at no time given any commitment or assurance not to use these documents.

This is already a clear position, and Max Schrems, Chairman of noyb, says:

The DPC knows that there is no legal basis to require that we withhold relevant documents from the public. Instead, they are now citing letters, some of which are more than two years old. If you read these letters in full, they all confirm that we have always refused to see these documents as confidential.

This letter is part of a general approach by the DPC to suppress criticism. The DPC regularly requires complainants to sign various 'non-disclosure' agreements and even asks journalists to pre-approve questions. Overall, the DPC wants to control any information in the public domain, which is absurd in a democratic society.

Noyb accuses the DPC of pursuing a long-standing system of restricting public engagement and transparency, relying on a broad exemption in Ireland's Freedom of Information Act. noyb's role under Article 80 of the GDPR, the privacy activists say, is to work with public authorities and monitor the development of the GDPR. This may include publishing decisions that are relevant to the public, where permitted by law. Noyb writes that many European data protection authorities themselves actively publish decisions to inform the public in a transparent manner. Max Schrems writes in this regard:

We have a very positive relationship with the authorities, even if there are different views. In a democratic society, it is normal that civil society actors also question the decisions of authorities. The DPC is the only public body I know that does not accept such criticism and makes extreme efforts to silence public debate.

Similar articles:
Ireland's IDPC systematically protects Google, Facebook & Co. against GDPR proceedings
GDPR: WhatsApp fined with 225 million Euro
European Court cancels EU-US "Privacy Shield"

Cookies helps to fund this blog: Cookie settings

This entry was posted in General, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *