Brussels … to the rescue.
Amid mounting criticism of Ireland’s privacy watchdog, top European Commission official Didier Reynders has come to Dublin’s defense, brushing off calls to penalize the country over claims it has failed to uphold Europeans’ privacy rights.
The defense, in a letter to MEPs obtained by POLITICO, comes after lawmakers including Sophie in ‘t Veld and Tineke Strik from the Netherlands and Cornelia Ernst and Birgit Sippel from Germany urged the EU executive to open a disciplinary procedure against Dublin.
Such a so-called infringement procedure would have pressed Dublin to devote greater resources to enforcing Europe’s privacy rulebook, the General Data Protection Regulation (GDPR), or face the threat of eventual financial penalties from Brussels.
But Reynders, a Belgian former finance minister who’s now in charge of overseeing the GDPR, dismissed their arguments saying that Dublin was right to proceed cautiously in a number of cases, including a major one targeting Facebook.
“The question [of] which data can be processed on the basis of contract is a complex matter, which is now subject to two ongoing preliminary rulings proceedings at the CJEU,” the Belgian politician wrote, in reference to intense criticism of the Irish position in a draft decision that Facebook can use the “performance of a contract” legal basis to use data for ads, rather than relying on consent.
Reynders’ letter, first reported by mLex, brings a rare measure of comfort to an Irish tech regulator that has faced withering criticism in past months amid claims it’s failing to uphold Europeans’ privacy rights and going too easy on Facebook, Google and other tech giants in its jurisdiction.
The latest upheaval followed revelations that the regulator, the Irish Data Protection Commission (DPC), had pushed to allow social media networks to target users with personalized advertising without obtaining consent, based on the performance of a contract. Other European data protection agencies shot down this attempt, with one saying that the Irish interpretation “undermines the system and spirit” of the GDPR.
‘A complex matter’
Reynders’ view is seemingly at odds with other European data protection regulators.
In an official objection to Ireland’s draft decision in the Facebook case, Norway’s data protection agency said the Irish position would render European data protection law “pointless,” echoing the barrage of criticism from other EU regulators regarding the Irish position on the contract legal basis.
But the EU executive may have a point. Austria’s top court referred a Facebook case to the EU’s top court after a lower Austrian court also backed Facebook’s view that the social media platform can rely on contract for ads rather than consent.
“There are different views and approaches expressed concerning this matter … the Commission would like to stress in this context that the six legal bases for the processing of personal data under the GDPR are equally valid and protective,” Reynders went on.
There are six legal bases, including consent and contract, that can be used to process personal data under the GDPR, but not all can be used in every situation.
He added that “the very purpose” of the European Data Protection Board, the grouping of EU privacy watchdogs which produced the guidelines on using the contract legal basis, was “to allow for an open discussion and transparent and honest exchange of different points of view on how the GDPR should be interpreted.”
“It is however not for the Commission to comment on the exchanges of views in the context of the EDPB, and certainly not to launch infringement proceedings against a Member State for the views expressed by its data protection authority in this context, irrespective of whether the Commission agrees or disagrees with it,” Reynders wrote.
The top EU official also questioned some of the claims made by the MEPs in their letter.
He said that the claim that the Irish DPC has failed to send draft decisions to the other data protection authorities in 98 percent of 164 major EU-wide cases “appears to be a misinterpretation” of official statistics, since not all the cases submitted to the EDPB’s shared IT platform qualify as cross-border investigations.
The Irish DPC has also previously disputed the figure of 98 percent of unresolved cases, which originates from a report by the Irish Council of Civil Liberties in September 2021. “The statistics included within this report are simply inaccurate,” a DPC spokesperson noted at the time. According to the regulator, it has resolved over 50 percent of cross-border cases it has been forwarded.
Reynders went on to highlight enforcement action against Big Tech by the Irish DPC, noting that it has submitted seven cases to the EDPB, including a case that resulted in a €225 million fine for WhatsApp.
“These high-level cases against big techs are only part of the activity of the Irish DPC,” he said. “We have not so far identified issues with the Irish data protection rules or have evidence that these rules have not been respected.”
The Irish regulator has refuted claims it represents tech industry interests as being “absolutely incorrect.”
“The DPC regrets the baseless allegations of bad faith made against it,” it said.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.
