Ireland Passes GDPR “Gag” Law Allowing Data Protection Commission to Make GDPR Procedures Confidential

Ireland has just passed a new law governing complaints brought under the EU’s General Data Protection Regulation (GDPR), and the gist of it is:

[It] will allow the Irish Data Protection Commission (DPC) to criminalize anyone sharing information about pending [GDPR] procedures. While the law is not clear and likely unconstitutional, it will be a tool to further put pressure on complainants when they speak up against the Irish DPC.

That’s the view of the organization noyb.eu, set up by the privacy expert Max Schrems. It is hard not to see this new law as aimed at both him and his organization. As Schrems put it: “I guess our fight for proper enforcement of the GDPR was so efficient, that the DPC now tries to criminalize us.”

Schrems and his noyb.eu have been a thorn in the side of the Irish Data Protection Commission for years, and have successfully challenged many of the DPC’s GDPR decisions. The new Irish GDPR gag law changes that, and seems to give the Irish data protection authority wide-ranging powers to stop anyone – including noyb.eu – from sharing details of GDPR cases.

Privacy Regulators Silencing Privacy Activists

This isn’t the DPC’s first attempt at silencing activists. In October 2021, the DPC sent a takedown notice to noyb.eu saying it would “require [noyb] to remove the draft [GDPR] decision from your website forthwith, and to desist from any further or other publication or disclosure of same.” Schrems refused to comply and… nothing happened because there was no way at the time for the DPC to enforce its demand.

The Irish government insisted that there was nothing to see here, but that claim is undermined by the manner in which the DPC’s new power was introduced, unexpectedly, just days before a vote on it. In a “statement of condemnation”, the European Digital Rights group noted that there was no pre-legislative scrutiny, so Irish members of parliament were unable to examine the law beforehand.

Ireland’s new GDPR gag law did not undergo a parliamentary debate stage, and no committee stage to allow politicians to obtain expert views on the law and its implications. The Irish Minister of State gave only a three-line explanation about the proposed change in the law, and only an hour was allowed for the Irish parliament to debate it along with 23 other sections before moving to a vote.

In other words, there is every sign that the Irish government knew the change in the law would be controversial, kept information about it to a minimum, limited opportunities to discuss and challenge it, and then pushed it through in great haste.

As well as noyb.eu and the European Digital Rights group, others also were troubled by the DPC’s new powers. They included the Irish Council for Civil Liberties, and Amnesty International, which described it as “a blatant attempt not only to shield Big Tech from scrutiny but also to silence individuals and organizations that stand up for the right to privacy and data protection”.

A leading Member of the European Parliament, Sophie in ‘t Veld, wrote on Twitter: “This gag law is so absurd it is hard to believe it is real. Relations with the Irish DPC have been strained for some time. Silencing the critics is not the right answer, and certainly not in a democracy.” She has submitted written questions on the topic to two important institutions that could do something about the new law – the European Commission and the European Data Protection Board (EDPB).

The EU Can End the Irish Approach to GDPR Cases

The EDPB ensures that the GDPR is applied consistently across the EU, and promotes cooperation, including on enforcement, between national data protection authorities (DPAs). Schrems fears that even the EDPB might be adversely affected by the new Irish law, and notes that the DPC has already brought a legal action against the EDPB before an EU court, and so is unlikely to have any qualms about wielding its new powers against the EDPB.

At the time of publication, the EDPB has not commented on the Irish legislation. Neither has the European Commission, which has just released its proposals for a new EU law to “streamline cooperation between data protection authorities (DPAs) when enforcing the General Data Protection Regulation in cross-border cases.” Potentially, that could address precisely the problem raised by the DPC’s new power to stifle criticisms of its GDPR enforcement. For example, one change would be to explicitly allow any of the EU’s data protection authorities to enforce the GDPR.

Currently, it falls generally to the country in which the company has its EU headquarters to enforce the GDPR – and that typically means Ireland’s DPC. Sadly, the European Commission has not taken this route. Schrems says the proposal is instead “an attack on users’ rights in GDPR procedures”:

The Commission proposal seems to be based mainly on (some) DPA’s demands to remove citizens from procedures to “simplify” them. When trying to fix issues, the Commission only tries to plug individual holes in the system, which surfaced in the first bigger cases between the Irish DPC and its European Counterparts.

At the moment, the changes to the GDPR are only a proposal, so the hope must be that the European Parliament can improve them during the EU legislative process. Meanwhile, noyb.eu has said that:

We will not bow to an unconstitutional local [Irish] law. This may however mean that some information we provide will not be available in Ireland anymore. The DPC and Meta have previously threatened lawsuits, but never followed through – likely because they know that they would lose such a case. However, we must expect the DPC to use this new provision to orchestrate even more procedural drama.

The new Irish GDPR gag law, combined with the EU plans to modify some aspects of the GDPR, mean that the world of privacy is unlikely to be boring anytime soon.

Featured image by D.