Facebook’s Response to the Irish Data Protection Commission Falls Flat
Facebook is the first company to face the wrath of a data protection office in the European Union as a result of Schrems II, which invalidated the EU-U.S. Data Privacy Shield. A full copy of the European Court of Justice’s judgment is available here.
By: Beata A. Safari, Staff member
On August 28, 2020, the Ireland Data Protection Commission (“DPC”) sent a preliminary draft decision* to Facebook Ireland Limited (“FIL”), a company wholly owned by Facebook, Inc. This was the first indication to FIL that the DPC had commenced an “own-volition inquiry” under Section 110 of Ireland’s Data Protection Act 2018 (the “Act”), which was enacted on May 24, 2018, to give effect to the General Data Protection Regulation (GDPR). In such inquiries, the DPC proceeds “not on the basis of a specific complaint . . . but on the basis of concerns on the part of the DPC that, in its processing of personal data, a controller may be infringing one or more provisions of the GDPR.”
The preliminary draft decision allotted FIL 21 days to submit a written response; thereafter, the DPC anticipated that it would provide a draft decision within 21 days. FIL filed a timely response on September 10, 2020 (“FIL Response Letter”), seeking judicial review of the preliminary draft decision and challenging it on eleven different grounds.
But as will be discussed below, there is little doubt the DPC acted within its authority under Section 110 (1) of the Act — not only when it investigated FIL but also when it reached the preliminary draft decision.
First, FIL argues the DPC erred by not conducting an adequate inquiry before the release of the preliminary draft decision. For example, the DPC did not contact FIL to gather information before releasing the preliminary draft decision. Additionally, some of the material and documents the DPC relies on are out of date and incomplete. Unfortunately for FIL, Section 137 (1) of the Act provides the DPC with broad latitude to “cause such investigation [under Section 110 (1)] as it thinks fit to be carried out.”
Second, FIL believes that the DPC departed from the procedure it deploys in handling complaints described in its 2018 Annual Report (“DPC Annual Report 2018”), particularly in that it abandoned stages 1, 2, 3, and 4 of the procedure and/or conflated stages 1, 2, 3, 4, 5 and 11.** This argument fails, however, because the DPC clearly stated that the description was “not binding” in the very same report. It further clarified that the description was “not determinative of the precise steps which will be followed in each inquiry, which will depend on the nature, circumstances, scope and subject matter of the inquiry.”
Third, FIL argues that in providing 21 days, the DPC did not afford FIL sufficient time to respond to the preliminary draft decision and essentially prejudged the dispute by indicating that it would reach a decision within 21 days of receipt of FIL’s response. There is little merit to this argument because Section 137 (5) of the Act would require the DPC to provide notice to FIL and afford the company the “opportunity to respond to the notice . . . within 7 days from the date on which the notice was given (or such further period not exceeding 28 days as the authorised officer allows).” Accordingly, allowing FIL 21 days to respond to the DPC’s notice is well within the DPC’s powers.
Fourth, FIL points out that the preliminary draft decision revealed that it was authored by one individual called “the sole decision-maker of the Commission” and argues that this is a departure from the DPC Annual Report 2018. Again, FIL misunderstands the DPC Annual Report 2018 wherein the DPC acknowledges the decision-making process is “carried out by a separate senior decision-maker in the DPC . . . usually the Commissioner for Data Protection” and that Section 137 (2) of the Act allows the DPC to “direct one or more authorised officers” to “submit to the Commission an investigation report following the completion of the investigation.”
Fifth, FIL argues that the DPC’s unitary procedure for addressing both the alleged infringement and its corrective power is contrary to that contemplated by the Act. While it is true that Section 111 of the Act places exercise of an infringement inquiry in one subsection and exercise of its corrective power in another subsection, the only textual requirement is that an infringement determination be made, followed by a determination whether to exercise its corrective power. There is no reason to read the section as requiring separate procedures for each finding.
Sixth, FIL argues that the DPC did not sufficiently explain why the initial regulatory investigation into Max Schrems’ complaint from November 2015 has not concluded while a second own-volition inquiry has commenced.° FIL’s argument falls through because the DPC Annual Report 2018 envisions this exact scenario (emphasis added):
Occasionally, where the DPC considers that there is justification for doing so . . . the DPC may open a statutory inquiry into the complaint and use its range of formal investigatory powers to examine the issues in the complaint further. . . . [I]t is also possible for a second type of statutory inquiry to be opened (an inquiry of the DPC’s own volition), which is not based on the specific complaint but that may examine thematic or systemic issues raised by the complaint relating to how, or to what extent, an organisation complies with data protection law.
Seventh, FIL complains that the European Data Protection Board (EDPB) was not consulted before the DPC took a “one-size-fits-all, quick fix solution.” FIL’s approach mischaracterizes the procedure described in the DPC Annual Report 2018. Stage 8 of the general description of phases under the DPC Annual Report 2018 recognizes an EDPB dispute resolution phase, if it is applicable. On September 4, 2020, the EDPB announced that it had established one task force to examine complaints filed by the privacy rights group None of Your Business (NOYB), co-founded by Schrems, and a second task force to prepare recommendations for processors and controllers to ensure protection in transfer of data to third countries. Presumably, FIL would have liked the second task force to have been consulted before the preliminary draft decision was released. Even if the enumerated stages are to be taken at face value — which, given the findings under point 2 above, the DPC need not — EDPB involvement would actually take place after release of a draft decision. EDPB dispute resolution appears in stage 8 of the DPC Annual Report 2018 and the release of the preliminary draft decision falls squarely under either stage 5, the DPC draft decision-making phase on infringement, or stage 6, the notification of the DPC draft decision and commencement of GDPR cooperation phase.
Eighth, FIL speculates that it has not been treated equally because it is “not aware of any similar inquiry being conducted into transatlantic data transfers on the part of other companies under the DPC’s jurisdiction.” FIL does not summon any legal authority in support of its argument; the company’s only contention is that because other companies transferring data to the United States are dealing with substantially the same challenges, “it is neither fair nor appropriate” that FIL should be the only company subject to investigation and face possible suspension of data transfers to the United States. It is unclear what standards FIL expects such a “similar inquiry” to apply, given that the DPC currently has ongoing investigations into Alphabet’s Google, MTCH Technology Services Limited (operator of Tinder), and Quantcast International Limited. The Irish regulator recently concluded an investigation into Twitter with a draft decision, and it appears likely that Apple will be the Irish regulator’s next target over allegations that Siri recorded users’ intimate conversations without consent.
Ninth, FIL asserts that the DPC is in breach of the right to fair procedures described in the DPC Annual Report 2018. The right to fair procedures is protected by the Irish Constitution and requires that a person making a decision not be biased or have the appearance of bias, and that the affected party be given adequate opportunity to present its case. This point is mostly a regurgitation of points 2, 3, and 4 above and is thus unconvincing.
Tenth, FIL maintains that the DPC is in breach of the duty to give reasons in accordance with Irish law.°° This point mostly reiterates points 2, 3, 5, 6, 7, and 8 above and is unsatisfactory because the DPC acted within its authority in commencing the investigation.
Finally, FIL restates that the DPC did not take into account the relevant considerations it lists out in the FIL Response Letter; however, those considerations were all addressed in the above points.
Publicly, Facebook has generally declined to comment on the preliminary draft decision and instead pointed to a statement by Nick Clegg, its Vice President of Global Affairs and Communications, in which he acknowledged that the DPC “commenced an inquiry into Facebook controlled EU-US data transfers” but that Facebook will nonetheless, “continue to transfer data in compliance with the recent CJEU ruling and until [it] receive[s] further guidance.”
Still, the categorical language in the FIL Response Letter confirms that the gravity of the preliminary draft decision is not lost on Facebook: if the DPC does not change its decision then Facebook will all but withdraw its services from the European Union. Conversely, Michael Veale, a technology policy researcher at University College London, opines that “[t]he idea that Facebook would withdraw from the European market is absurd brinksmanship that I don’t think anyone truly believes.”
As of the date of this writing, the DPC has not yet released the draft decision it anticipated would be complete within 21 days of the FIL Response Letter. While FIL’s arguments in the FIL Response Letter are rather tenuous, it looks like Ireland has become Facebook’s battleground to save its business across the European Union. It will not give up without a protracted fight.
Beata Safari is an LL.M. student at Columbia Law School and a Staff member of the Columbia Journal of Transnational Law. She graduated with a J.D. from Seton Hall University Law School in 2017. She previously published a Comment in the Seton Hall Law Review titled “Intangible Privacy Rights: How Europe’s GDPR Will Set a New Global Standard for Personal Data Protection,” which examined Schrems I and argued that the enactment of the GDPR would set a new standard for protection of personal data worldwide.
ENDnotes
* As of the date of this writing, the text of the preliminary draft decision does not seem to be publicly available. Though the preliminary draft decision is referenced as appearing in the appendices to the FIL Response Letter, the appendices do not, as of the date of this writing, appear to be publicly available, either.
** Stage 1 is the commencement/notification phase; stage 2 is the information gathering phase; stage 3 is the draft inquiry report preparation phase; stage 4 is the submissions phase (draft inquiry report); stage 5 is DPC draft decision-making phase (infringement); and stage 11 is decision-making phase (corrective power), if applicable.
° In fact, Schrems himself has expressed dissatisfaction because he believes his original complaint against Facebook has not been contemplated by the DPC.
°° The duty to give reasons is a duty often imposed by the Constitution or by statute in Ireland. For more on this topic, see Imelda Higgins, “The Duty to Give Reasons in Irish Law: Is It Time to Recognise a General Duty?,” Dublin University Law Journal 34 (2011): 23.