Ireland's New GDPR 'Silencer' Law Could Shroud Data Protection Procedures in Total Secrecy

A freshly enacted Irish law now governs complaints under the European Union's General Data Protection Regulation (GDPR). The core of this legislation empowers the Irish Data Protection Commission (DPC) to penalize anyone disclosing information about pending GDPR procedures. Although the law appears unclear and potentially unconstitutional, it provides another instrument to exert pressure on complainants who challenge the DPC.

That is the perspective of the organization established by privacy advocate Max Schrems. It's challenging not to interpret this law as a measure targeting Schrems and his organization, particularly considering their long-standing struggle for efficient GDPR enforcement that seems to have compelled the DPC to criminalize them, according to Schrems.

Schrems and his organization have historically challenged the Irish DPC's interpretations of GDPR, often successfully. However, this new legislation significantly expands the DPC's powers, restricting any entity, including Schrems's organization, from disseminating details about GDPR cases.

In a previous attempt to silence activists in October 2021, the DPC issued a takedown notice to the organization, demanding the removal of a draft GDPR decision from its website. Schrems, however, refused to comply, resulting in no consequence as the DPC lacked enforcement authority at the time.

The swift and rather secretive manner in which this legislation was passed indicates that the Irish government understood the law would stir controversy. It was suddenly introduced mere days before a vote without any pre-legislative scrutiny or chance for parliamentary members to evaluate the law beforehand. Furthermore, there was neither a parliamentary debate stage nor a committee stage to seek expert opinions. The Irish Minister of State offered a succinct explanation of the proposed changes and allowed only an hour for the parliament to discuss it before proceeding to a vote.

Prominent organizations such as the Irish Council for Civil Liberties and Amnesty International, as well as the European Digital Rights group, have expressed concern over the DPC's newfound powers. Amnesty International described it as an attempt to not only protect Big Tech from examination but also stifle those advocating for privacy and data protection rights.

The recent legislative shift has sparked international concern, with Sophie in 't Veld, a prominent Member of the European Parliament, questioning its democratic legitimacy. She has addressed inquiries to two key institutions capable of acting against this new law - the European Commission and the European Data Protection Board (EDPB).

The EDPB's mandate is to ensure consistent GDPR application across the EU, promoting cooperation among national data protection authorities. The newly enacted law could affect even the EDPB adversely, Schrems warns, pointing out that the DPC has already initiated legal action against the EDPB at an EU court.

With the European Commission having recently proposed a new EU law to facilitate cooperation among DPAs in enforcing GDPR in cross-border cases, the DPC's increased powers come at a crucial time. This new law could help address the issue of the DPC's potential suppression of GDPR enforcement criticism. Unfortunately, as per Schrems, the proposal seems to prioritize simplifying procedures over users' rights.

For now, the GDPR amendments are merely proposed, fostering hopes that the European Parliament can enhance them during the EU legislative process. However, the organization asserts that it will not submit to an unconstitutional local Irish law, although this might result in some information being unavailable in Ireland.

The introduction of this new Irish law, coupled with the proposed EU changes to the GDPR, indicates a turbulent and interesting period ahead in the realm of privacy.
