The Irish Data Protection Commission is facing a judicial review of its operations following complaints over its handling of GDPR cases against WhatsApp and Instagram, amid allegations it is stalling the process.
The case, brought by None of your Business, the privacy group fronted by Austrian lawyer Max Schrems, has been sanctioned by Ireland’s High Court.
At the heart of the issue are complaints filed by NOYB with a number of EU data protection regulators against Google, Facebook, WhatsApp and Instagram over so-called “forced consent”.
The group claimed that the tech giants use the strategy to continue processing individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for the provision of the service.
The case against Google was dealt with by French regulator CNIL, and upheld last month, resulting in a €50m (£44m) fine.
The others were forwarded to the Irish DPC, which under the one-stop-shop principle, means the Irish regulator is the lead authority for nearly all US tech giants who have their European HQs in Dublin.
To deal with the cases against Facebook, WhatsApp and Instagram, the Irish DPC created a new six-step process, which Schrems has already branded “Kafkaesque”.
Gerard Rudden of ARQ Solicitors, representing NOYB, said: “In these proceedings, NOYB is seeking a declaration that the DPC has failed to carry out an investigation into the complaints within a reasonable period, as they are obliged to do. The DPC have adopted, in NOYB’s view, an unnecessary and cumbersome six step procedure in relation to these complaints. In the two years since the complaints were filed, they have only completed the first step.”
The case against Facebook has progressed two steps in two years, while the cases against WhatsApp and Instagram are still at a single step. At the current rate, allowing for three years of appeals, these cases are unlikely to be concluded before 2027, NOYB claims.
The judicial review seeks to force the Irish DPC to speed up the process and complete its investigation in a reasonable time. It is also seeking a judgment that the Irish DPC has breached its obligations under GDPR, which requires that “the lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views”.
Google must ditch ‘forced consent’, French court rules
Irish data regulator issues first GDPR ruling in two years
Now Germans call for GDPR shake-up to avoid ‘collapse’
Brussels urged to act on GDPR failings or risk demise
Top EU data cop cutback threat triggers EU complaint
WhatsApp and Twitter facing first major GDPR rulings
2019 Review of the Year: Why it’s crunch time for GDPR