{"id":24778,"date":"2023-07-10T04:19:56","date_gmt":"2023-07-10T11:19:56","guid":{"rendered":"https:\/\/www.privateinternetaccess.com\/blog\/?p=24778"},"modified":"2023-07-06T22:18:00","modified_gmt":"2023-07-06T22:18:00","slug":"ireland-gdpr-gag-law","status":"publish","type":"post","link":"https:\/\/www.privateinternetaccess.com\/blog\/ireland-gdpr-gag-law\/","title":{"rendered":"Ireland Passes GDPR “Gag” Law Allowing Data Protection Commission to Make GDPR Procedures Confidential"},"content":{"rendered":"\n

Ireland has just passed a new law<\/a> governing complaints brought under the EU\u2019s General Data Protection Regulation (GDPR), and the gist of it is: <\/p>\n\n\n\n

\n

[It] will allow the Irish Data Protection Commission (DPC) to criminalize anyone sharing information about pending [GDPR] procedures. While the law is not clear and likely unconstitutional, it will be a tool to further put pressure on complainants when they speak up against the Irish DPC.<\/p>\n<\/blockquote>\n\n\n\n

That\u2019s the view<\/a> of the organization noyb.eu, set up by the privacy expert Max Schrems<\/a>. It is hard not to see this new law as aimed at both him and his organization. As Schrems put it: \u201cI guess our fight for proper enforcement of the GDPR was so efficient, that the DPC now tries to criminalize us.\u201d <\/p>\n\n\n\n

Schrems and his noyb.eu have been a thorn in the side of the Irish Data Protection Commission for years, and have successfully challenged many of the DPC\u2019s GDPR decisions<\/a>. The new Irish GDPR gag law changes that, and seems to give the Irish data protection authority wide-ranging powers to stop anyone \u2013 including noyb.eu \u2013 from sharing details of GDPR cases.<\/p>\n\n\n\n

Privacy Regulators Silencing Privacy Activists<\/h2>\n\n\n\n

This isn\u2019t the DPC\u2019s first attempt at silencing activists. In October 2021, the DPC sent a takedown notice to noyb.eu<\/a> saying it would \u201crequire [noyb] to remove the draft [GDPR] decision from your website forthwith, and to desist from any further or other publication or disclosure of same.\u201d Schrems refused to comply and\u2026 nothing happened because there was no way at the time for the DPC to enforce its demand. <\/p>\n\n\n\n

The Irish government insisted that there was nothing to see here, but that claim is undermined by the manner in which the DPC\u2019s new power was introduced, unexpectedly, just days before a vote on it. In a \u201cstatement of condemnation<\/a>\u201d, the European Digital Rights group noted that there was no pre-legislative scrutiny, so Irish members of parliament were unable to examine the law beforehand. <\/p>\n\n\n\n

Ireland\u2019s new GDPR gag law did not undergo a parliamentary debate stage, and no committee stage to allow politicians to obtain expert views on the law and its implications. The Irish Minister of State gave only a three-line explanation about the proposed change in the law, and only an hour was allowed for the Irish parliament to debate it along with 23 other sections before moving to a vote. <\/p>\n\n\n\n

In other words, there is every sign that the Irish government knew the change in the law would be controversial, kept information about it to a minimum, limited opportunities to discuss and challenge it, and then pushed it through in great haste.<\/p>\n\n\n\n

As well as noyb.eu and the European Digital Rights group, others also were troubled by the DPC\u2019s new powers. They included the Irish Council for Civil Liberties<\/a>, and Amnesty Internationa<\/a>l, which described it as \u201ca blatant attempt not only to shield Big Tech from scrutiny but also to silence individuals and organizations that stand up for the right to privacy and data protection\u201d. <\/p>\n\n\n\n

A leading Member of the European Parliament, Sophie in \u2018t Veld<\/a>, wrote on Twitter: \u201cThis gag law is so absurd it is hard to believe it is real. Relations with the Irish DPC have been strained for some time. Silencing the critics is not the right answer, and certainly not in a democracy.\u201d She has submitted written questions<\/a> on the topic to two important institutions that could do something about the new law \u2013 the European Commission and the European Data Protection Board (EDPB).<\/p>\n\n\n\n

The EU Can End the Irish Approach to GDPR Cases<\/h2>\n\n\n\n

The EDPB<\/a> ensures that the GDPR is applied consistently across the EU, and promotes cooperation, including on enforcement, between national data protection authorities (DPAs). Schrems fears that even the EDPB might be adversely affected by the new Irish law, and notes that the DPC has already brought a legal action against the EDPB<\/a> before an EU court, and so is unlikely to have any qualms about wielding its new powers against the EDPB.<\/p>\n\n\n\n

At the time of publication, the EDPB has not commented on the Irish legislation. Neither has the European Commission, which has just released its proposals<\/a> for a new EU law to \u201cstreamline cooperation between data protection authorities (DPAs) when enforcing the General Data Protection Regulation in cross-border cases.\u201d Potentially, that could address precisely the problem raised by the DPC\u2019s new power to stifle criticisms of its GDPR enforcement. For example, one change would be to explicitly allow any of the EU\u2019s data protection authorities to enforce the GDPR. <\/p>\n\n\n\n

Currently, it falls generally to the country in which the company has its EU headquarters to enforce the GDPR \u2013 and that typically means Ireland\u2019s DPC. Sadly, the European Commission has not taken this route. Schrems says the proposal is instead \u201can attack on users\u2019 rights in GDPR procedures<\/a>\u201d:<\/p>\n\n\n\n

\n

The Commission proposal seems to be based mainly on (some) DPA\u2019s demands to remove citizens from procedures to \u201csimplify\u201d them. When trying to fix issues, the Commission only tries to plug individual holes in the system, which surfaced in the first bigger cases between the Irish DPC and its European Counterparts.<\/p>\n<\/blockquote>\n\n\n\n

At the moment, the changes to the GDPR are only a proposal, so the hope must be that the European Parliament can improve them during the EU legislative process. Meanwhile, noyb.eu has said that<\/a>:<\/p>\n\n\n\n

\n

We will not bow to an unconstitutional local [Irish] law. This may however mean that some information we provide will not be available in Ireland anymore. The DPC and Meta have previously threatened lawsuits, but never followed through \u2013 likely because they know that they would lose such a case. However, we must expect the DPC to use this new provision to orchestrate even more procedural drama.<\/p>\n<\/blockquote>\n\n\n\n

The new Irish GDPR gag law, combined with the EU plans to modify some aspects of the GDPR, mean that the world of privacy is unlikely to be boring anytime soon.<\/p>\n\n\n\n