Ireland: Corrupt GDPR procedures now "confidential"

29 June 2023
DPC Section 26A

Ireland makes questionable GDPR cases 'confidential'.
Irish DPC will likely use Section 26A to muzzle criticism. 

Despite profound criticism by civil society (ICCL, Amnesty, EDRi, BEUC) and hard push back in the Irish Parliament, Ireland has passed a law that will allow the Irish Data Protection Commission (DPC) to criminalize anyone sharing information about pending procedures. While the law is not clear and likely unconstitutional, it will be a tool to further put pressure on complainants when they speak up against the Irish DPC. The law was requested by the DPC and aims at silencing non-profits. Despite the passing of this "lex noyb", noyb will not limit legitimate public speech about cases it is engaged in.

Section 26A passed by Irish Government majority. Against criticism from all opposition parties and even two members of the governing coalition, the government majority of Fine Gael (EPP), Fianna Fáil (Renew), and the Greens have passed an Amendment to the Data Protection Act, that will allow the DPC to declare documents 'confidential'. In the lengthy debate on this amendment, James Browne representing the Ministry for justice got under intense pressure. Members of the Irish Parliament (TDs) repeatedly questioned the impact on freedom of speech, cooperation with the EDPB and the geographic application.

Max Schrems: "I guess our fight for proper enforcement of the GDPR was so efficient, that the DPC now tries to criminalize us. We did not think this would be possible in a European democracy. The DPC and the Irish Justice Ministry follow Orban's footsteps with this law."

Scope of Section 26A contested. While the government takes the view that the DPC can only claim 'confidentiality' in very specific circumstances and on specific information, the DPC has previously (without any legal basis) declared entire procedures confidential. The law does not foresee any immanent remedy for such an unlawful practice.

Max Schrems: "There remain major questions around the legality of Section 26A. The DPC already abused the law before this amendment passed, I expect them to just feel emboldened now. As the legality and meaning of Section 26A is contested, is very likely that this fight is now moving from the political arena to the courts."

Section 26A criminalizes basic exchanges. Section 26A could be used by the DPC to prohibit sharing of documents with other complainants, other regulators or even the EDPB. The many people that are unhappy about the procedure before the DPC could see criminal sanctions when voicing public criticism. Independent of penalties being actually enforced, the mere threat of a criminal sanction will silence most people.

Does Section 26A violate EU and Irish law? Typically laws that limit the use of information have an exemption for freedom of speech. Section 26A does mention that information may be used, when "permitted by law" - which seems to allow to rely on freedom of speech. However, it is likely that the DPC will try to press criminal charges against anyone relying on a freedom of speech exemption.

Max Schrems: "All legal experts we talked to take the view that Section 26A by itself violates Irish and EU law. It could be interpreted to still allow freedom of speech, but the DPC will likely resist that suggestion. This will just lead to more and more litigation over procedures, instead of getting stuff done."

Irish law cannot extend to rest of EU. While the DPC has previously taken the view that its orders or rules would apply in other EU Member States, Irish criminal law is limited to conduct within Ireland. Equally, Article 55(1) GDPR clarifies that each Data Protection Authority only has jurisdiction in its own Member State. In addition to Irish law, EU law therefore prevents the DPC to apply Section 26A outside of Ireland.

Max Schrems: "While Section 26A will be a major problem for persons in Ireland, it is clear that it can legally not apply to persons outside of Ireland. Ireland has no jurisdiction to regulate freedom of speech in the rest of the European Union."

EU cooperation under further tension. While basically all other DPAs give unrestricted access to documents (with the exception of actual trade secrets and alike), some Member States and the EDPB fall under additional obligations under Freedom of Information Laws. The exceptional approach of the Irish DPC to simply declare entire procedures 'confidential', likely creates further tensions between the Irish DPC and the EDPB - at a time where the DPC has already sued the EDPB before European Courts. While EU law is superior to national law, the DPC has used such divergence to factually ignore demands from other DPAs or the EDPB.

Max Schrems: "It is clear that EU law trumps Irish gag orders, but in reality the DPC will use this to jam up procedures against big tech even more. After all there is no European police officer that would enforce EU law against the DPC. We are moving towards and even more confrontational era with the DPC."

noyb will not limit public information. noyb has so far shared document to the extent relevant and necessary to exercise freedom of speech. Contrary to some claims by the DPC and big tech about "leaking", these documents were always obtained in full compliance with the law, such as freedom of information laws or applicable procedural laws outside of Ireland. noyb is currently assessing options, but to ensure that we continue to fully comply with the law, we may have to limit certain information from being available in Ireland. Given that the DPC will likely try to enforce Section 26A outside of Ireland too, it is to be expected that EU procedures against big tech in Ireland will suffer from even more procedural deadlocks generated by the DPC. Other DPAs will have to fight even harder to get files and documents from the DPC, who will likely abuse Section 26A to continue to protect big tech.

Max Schrems: "We will not bow to an unconstitutional local law. This may however mean that some information we provide will not be available in Ireland anymore. The DPC and Meta have previously threatened lawsuits, but never followed through - likely because they know that they would lose such a case. However, we must expect the DPC to use this new provision to orchestrate even more procedural drama."