Schrems accuses Irish DPC of trying to block publication of Facebook documents

Austrian lawyer Max Schrems has filed a complaint after the Irish data protection commissioner put his privacy organisation under pressure to sign a non-disclosure agreement

Austrian lawyer Max Schrems has accused the Irish data protection commissioner (DPC) of putting pressure on his privacy group, Noyb, to agree not to disclose documents about the regulator’s investigation into Facebook.

The group alleges that the DPC attempted to force it to sign a non-disclosure agreement (NDA) that would have prevented it publishing or disclosing documents in the case.

Schrems said in a statement that the DPC had made an “unheard-of move” by demanding that Noyb draft and sign an NDA within one working day.

“The DPC acknowledges that it has a legal duty to hear us, but it is now engaged in a form of ‘procedural coercion’,” he said.

At issue is a complaint from Schrems and Noyb against Facebook in May 2018 to the Austrian data protection regulator, which passed it on to Ireland’s DPC, the lead regulator for Facebook.

The DPC’s draft decision in August 2021 found that Facebook had lawfully reframed its agreement with Facebook users as a contract under the General Data Protection Regulation (GDPR) and did not require the consent of users.

However, letters from the Irish DPC reveal that other data protection authorities disagree with the decision and have submitted “relevant and reasoned objections”.

Schrems said the case is likely to reach the European Data Protection Board (EDPB), where other European regulators may choose to overrule the Irish DPC – a move that could mean large parts of Facebook’s data use are found illegal.

“This would not only mean major penalties, but also looming damages claims by millions of users,” he said.

Confidentiality requirements

The Irish DPC wrote to Schrems and Noyb in November arguing that all correspondence in the case should be treated as confidential.

Confidentiality was necessary to allow “free and frank” exchanges between the parties and regulators and to avoid the disclosure of “interim views” that could compromise the decision-making process, it said.

Noyb had previously published the DPC’s draft decision and had refused requests from the DPC to take it down, the letter noted.

The DPC said it was concerned that Noyb would disseminate objections by other data protection supervisors “outside the confines of the co-decision-making process”.

The letter required Noyb to propose arrangements, enforceable by Irish courts, to ensure that it would respect the confidentiality of any documents shared by the DPC.

No legal basis

Noyb argues that the DPC has no legal basis to demand that documents in a public procedure that affects millions of users are kept confidential.

The DPC is required to serve documents to the Austrian Data Protection Authority, which has confirmed that procedural documents are not confidential, it said.

Even if the documents were to be served directly under Irish law, there is no legal duty for parties to keep documents confidential under the relevant section of the Irish Data Protection Act.

Noyb said it had a positive relationship with most of the data protection authorities in Europe and had received hundreds of legal documents since it started work in mid-2018.

The group said it only made documents public when it had a right to do so and when they were of the utmost public importance, or when it was necessary to back Noyb’s statements.

“Unfortunately, the DPC and Facebook declare every document as ‘confidential’ by default and have threatened Noyb staff and our legal counsel repeatedly not to cite, discuss or publish the contents,” it said in a statement.

Despite its legal duties under the GDPR, the DPC does not share relevant documents with other data protection authorities, Noyb claimed.

The privacy group said it had voluntarily not disclosed documents from the Irish DPC and Facebook.

“We have not disclosed documents on a voluntary basis, to limit friction with the DPC and Facebook,” it said. “These voluntary efforts were apparently not fruitful.”

The DPC wrote to Noyb on 18 November saying it was not in a position to release the objections from data protection regulators and other material following Noyb’s unwillingness to sign a confidentiality agreement.

Facebook files to be published

Noyb said that, in response, it would publish further Facebook and DPC documents every Sunday in Advent, with a video explaining why it is legally entitled to do so.

“We very much hope that Facebook or the DPC will file legal proceedings against us to finally clarify that freedom of speech prevails,” said Schrems.

Noyb said it has reported the incident to the Austrian Office for the Prosecution of Corruption to investigate as a possible breach of Austrian law.

Under the Austrian Criminal Act, requesting a benefit, which could include a non-disclosure agreement, for the lawful performance of public duties, such as the right to be heard, could constitute a criminal offence, Schrems argues.

“We have not taken this step lightly, but the conduct of the DPC has finally crossed all red lines,” said Schrems. “They basically deny us all our rights to a fair procedure unless we agree to shut up.”

He said Facebook has a strong interest in keeping the proceedings out of the public eye. “It seems the DPC is doing everything to assist Facebook in this demand,” he added.

Irish DPC says no to Schrems

Mary Bridget Donnelly, assistant commissioner at the DPC Ireland, confirmed in a statement last night that the DPC could “take steps” to give Noyb and Facebook the right to see the objections from other regulators to the DPC’s draft decision and to make written observations.

But she made it clear that the DPC would not share objections from other data protection authorities with Schrems and Noyb unless they gave an undertaking not to publish or disclose the documents.

Under Section 26 of the Irish Data Protection Act, the Irish regulator could designate information as confidential, she said, to protect the fairness of the decision-making process and to ensure that no harm is caused to the interests of Facebook or Noyb.

The DPC had an obligation to protect confidential material in its own possession from disclosure and is unable to pass that material to a third party “knowing or reasonably believing there was a strong likelihood the third party will publish it”.

The Austrian Data Protection Authority had held that Schrems was not entitled to have sight of the documents exchanged between the DPC and other data protection regulators about the case, she said.

“For our part, the DPC believes that the parties should be given sight of such materials, provided only that they agree to treat them as confidential within the decision-making process.”

The statement makes it clear that Facebook would be able to view and comment on exchanges between data protection regulators but Noyb would be prevented from doing so, unless it agreed to a non-disclosure agreement.

“Ultimately, Noyb will have a right of appeal against the final decision delivered at the end of the co-decision-making process,” said Donnelly.

Facebook did not respond to requests for comment.