Ireland’s Data Protection Commissioner (DPC) Helen Dixon has rejected accusations it lobbied on behalf of large tech companies based in Dublin as “completely untrue”.
Amid media reports at the weekend, the DPC was accused of lobbying its European superior agency the European Data Protection Board (EDPB) in order to ensure the adoption of GDPR guidelines favourable to social media companies two years ago.
Those reports led to a letter from four MEPs to Didier Reynders, the Commissioner for Justice of the European Commission, on Monday, accusing the DPC of having “lobbied” to allow social media platforms to “bypass” the GDPR’s user consent requirements.
“The DPC tried to include ‘performance of a contract’ as a legal basis into these guidelines, forcing an interpretation of the GDPR that would serve platforms’ interests,” that letter states.
Dutch MEP Sophia Helena "Sophie" in 't Veld said: “The Irish privacy watchdog @DPCIreland has been slammed for weak enforcement of GDPR. Now it gets even worse: it was caught lobbying for lower standards for big tech. This Achilles heel in EU data protection must be addressed. Time for the EU Commission to start action against Ireland NOW!”
Ms Dixon’s office has hit back in trenchant terms.
“These allegations are utterly untrue,” the commission said in a statement on Tuesday afternoon.
“Allegations made against the DPC… appear to be concerned, not with any issues of substance… but with the advancement of a theory, central to which is an allegation that, acting in bad faith, the DPC sought to subvert the procedures of the EDPB,” it said.
Those discussions in 2017 and 2018 had related to the EDPB’s then-pending adoption of guidelines regarding Article 6 of the GDPR, which deals with the lawfulness of data processing relating to a subject entering into a contract, such as a person signing up to a social media site, with a company.
The DPC said that “in furtherance of its supervision functions” it had held meetings with Facebook to that end at that time, as it had with other regulators “for the purposes of being updated… in respect of Facebook’s GDPR preparation programme”.
“This was entirely in keeping with the DPC’s long-established approach to supervision by way of consultation and regulatory engagement with stakeholders,” it said, stressing that one of those meetings had taken place “on the premises” of a fellow European regulator.
“The DPC regrets the baseless allegations of bad faith made against it,” the statement concludes.
The DPC has come in for extensive criticism from Europe, from privacy activist Max Schrems, and from the Irish Council for Civil Liberties in recent months regarding the perceived inadequacy and slow pace of its decision-making regarding big tech companies based in Ireland, such as Facebook.