Irish DPC removes noyb from GDPR procedure - Criminal report filed

23 November 2021

Irish DPC demanded noyb to sign a "non-disclosure agreement" or remove noyb from Facebook procedure. noyb files criminal report against DPC.

The Irish Data Protection Commission (DPC) has taken the unheard-of move, to demand noyb to draft and sign a "non-disclosure agreement" (NDA) within one working day. In absence of such an NDA for the benefit of the DPC and Facebook, the DPC would not comply with the duty to hear the complainant anymore. Schrems: "The DPC engaged in procedural blackmail. Only if we shut up, the DPC would 'grant' us our legal right to be heard. We have reported the incident to the Austrian Office for the Prosecution of Corruption. This is a regulator clearly asking for a 'quid pro quo' to do its job, which likely constitutes bribery in Austria."

Facebook would especially benefit from the NDA, as new documents indicate that EU regulators may find Facebook's "GDPR bypass" illegal possibly declaring Facebook's use of personal data since 2018 unlawful, with major implications for Facebook's business model in Europe.

Procedural Background. When the GDPR became applicable on 25.5.2018, Facebook has tried to bypass the GDPR's consent requirements by switching to an alleged contract over the use of personal data. noyb has filed a complaint with the Austrian Data Protection Authority (DPA), which was forwarded to the DPC as the "Lead Authority". After more than three years, the DPC issued a "Draft Decision" that declared Facebook's consent bypass legal. Once this was made public by noyb, the DPC demanded noyb to take down the DPC's decision as well as noyb's own submissions.

No legal basis for "non disclosure" requests. The DPC has no legal basis to demand that documents in a public procedure concerning millions of users are kept confidential. First of all, the DPC lacks jurisdiction outside of Ireland. Due to the GDPR's cooperation mechanisms the documents have to be served via the Austrian DPA under the applicable Austrian law (§17 AVG). As the Austrian DPA confirmed, there is no confidentiality regarding such procedural documents. Secondly, even if documents were to be served directly under Irish law, there is no legal duty for parties to keep documents confidential under Irish law. Section 26 of the Irish Data Protection Act, which is cited by the DPC, only applies to DPC staff ("relevant person"), not to parties. Lacking such a legal duty of confidentiality, the DPC now demanded an "agreement" that is not foreseen by law. Despite the complaint being brought before the local Austrian DPA, the DPC also demanded that noyb surrenders to Irish jurisdiction.

Max Schrems, chairperson of "The DPC acknowledges that it has a legal duty to hear us, but it now engaged in a form of 'procedural coercion'. The right to be heard was made conditional on us signing an agreement to the benefit of the DPC and Facebook. It is nothing but an authority demanding to give up the freedom of speech in exchange for procedural rights."

All legal and factual concerns raised in noyb's letters, were ignored by the DPC. Other suggestions, like disclosing the documents directly to the data subject, or the assurance that noyb is not planning to publish any documents for the time being, did not change the DPC's demand for a 'quid pro quo': an NDA in exchange of complying with the duty to hear the complainant.

Tremendous commercial problem for Facebook looming. The letters by the DPC do not only raise questions about how the DPC conducts its office, but also shows that other European DPAs have submitted "relevant and reasoned objections" and opposed the DPC's views. If the other DPAs have a majority and ultimately overturn the DPC's draft decision, Facebook could face a legal disaster, as most commercial use of personal data in the EU since 2018 would be retroactively declared illegal. Given that the other DPAs passed Guidelines in 2019 that are very unfavourable to Facebook's position, such a scenario is highly likely.

Schrems: "If the other DPAs overturn the DPC's decision, it would likely mean that large parts of Facebook's data use would be declared illegal. This would not only mean major penalties, but also looming damages claims by millions of users. Facebook has a strong interest to keep the details of this procedure under the rug. Facebook therefore repeatedly demanded that DPAs limit our right to be heard it seems the DPC is doing everything to assist Facebook in this demand."

Demanding a "benefit" can constitute corruption. The demanded NDA would have not only greatly benefited Facebook, but also the DPC. The DPC is continuously under fire by other DPAs, in public inquiries and the media. If an NDA would hinder noyb's freedom of speech, the DPC's reputational damage could be limited. Under the Austrian Criminal Act requesting a benefit (even a small benefit, or a non-material benefit) for the lawful performance of public duties (such as the right to be heard) can constitute a criminal act (§305 StGB). If noyb would grant such a benefit by signing an NDA in direct exchange for the DPC to conduct its legal duties, noyb and noyb staff itself could have potentially committed a crime (§307a StGB).

Report with Public Prosecutor filed. noyb has filed a criminal report ("Sachverhaltsdarstellung") with the Austrian Office for the Prosecution of Corruption (WKStA). As the target of the potential criminal act is based in Austria, it seems that the Austrian criminal act applies. The criminal report concerns the relevant DPC staff. The WKStA has to review if there is ground to start an investigation. The presumption of innocence applies.

Schrems: "Generally we have very good and professional relationships with authorities. We have not taken this step lightly, but the conduct of the DPC has finally crossed all red lines. They basically deny us all our rights to a fair procedure unless we agree to shut up. Austrian corruption laws are far reaching: when an official requests the slightest benefit to conduct a legal duty, the corruption provisions may be triggered. Legally there is no difference between demanding an unlawful agreement or a bottle of wine."

Background & noyb policy. noyb is proud to have a very positive and professional relationship with most DPAs. noyb received hundreds of legal documents since it started operating in mid-2018. Only when documents are of utmost public relevance, or necessary to back our statements, we make them public to the extent that we have the right to do so. Unfortunately, the DPC and Facebook declare basically every document as "confidential" by default and have threatened noyb staff and our legal council repeatedly to not cite, discuss, or publish the contents. The DPC does not even share relevant documents with other DPAs, contrary to its legal duties under the GDPR. Despite this situation, we have not disclosed documents on a voluntary basis, to limit friction with the DPC and Facebook. These voluntary efforts were apparently not fruitful.

noyb announces "advent readings" from various Facebook files. In protest of the situation and to show that noyb has every liberty to discuss documents within the parameters of applicable law, noyb will now conduct "advent readings" from various Facebook and DPC documents. On each Sunday in advent, noyb will publish another document, together with a video explaining the documents and an analysis why the use of these documents is fully compliant with all applicable laws.

Schrems: "We very much hope that Facebook or the DPC will file legal proceedings against us, to finally clarify that freedom of speech prevails over the scare tactics of a multinational and its taxpayer-funded minion. Unfortunately we must expect that they know themselves that they have no legal basis to take any action, which is why they reverted to procedural blackmail in the first place."

The "advent reading" will be published on — so tune in!