Max Schrems: Irish Data Protection Commissioner's process is designed to fail

Max Schrems, the Austrian lawyer and data privacy rights campaigner, received a judgment in his favour against Facebook via the Court of Justice of the European Union (CJEU).
Max Schrems is probably a name the average Irish person is familiar with, though they may not be able to pinpoint why: Something to do with Facebook, he’s taken them to court, you recollect.
To the Irish Data Protection Commissioner (DPC), Mr Schrems, a now 33-year-old Austrian, is the most familiar name of them all.
Last year, after eight years of legal wrangling, the Court of Justice of the European Union (CJEU) ruled in favour of a complaint Mr Schrems had made to the DPC regarding how Facebook was processing his personal data.
Schrems II, as it has come to be known, was hugely significant — it essentially served, among other things, to strike down Facebook’s method, via a system known as standard contractual clauses (SCC), of transferring data between the EU and the US by stipulating stricter requirements for SCCs, with each to be taken on their own merits.
Long and short of it: Should that judgment be translated into a negative ruling by the DPC, Facebook is in big trouble — its entire business model is predicated on SCCs.
But all is not rosy between the DPC and Mr Schrems, who has railed repeatedly against the perceived slow nature of the commission’s decision-making processes.
Over the past two months the DPC has been on the receiving end of two damaging resolutions from the European Parliament’s civil liberties (LIBE) committee, the most recent of which arrived on Thursday night of last week.
The committee professed itself “particularly concerned … that cases referred to Ireland in 2018 have not even reached the stage of a draft decision” under GDPR.

This followed a protracted series of correspondence between Mr Schrems, Irish DPC Helen Dixon, and LIBE, which saw Ms Dixon label an offer for her to appear before the committee, along with Mr Schrems, after the draft resolution wording admonishing her body had already been agreed, as “perverse”. Strong words for a woman who chooses her every utterance carefully.
“The big issue is efficiency,” Mr Schrems tells the
. “At present the DPC’s process is designed to fail.”
Navigating this particular contretemps is a labyrinthine affair. In theory the DPC and Mr Schrems should want the same thing — to hold big tech to account.
In practice, the two have been at loggerheads for years, not least since the DPC took the decision in 2016 to refer, via the Irish High Court, Mr Schrems’ complaint against Facebook to the CJEU. It took four years for a decision to be delivered last July.
Mr Schrems claims that the DPC is hopelessly constrained by its own need “to write endless reports rather than deciding on a claim and then letting the complainant and the second party fight the issue out in court”.
“There needs to be a fundamental shift to remove the blockage,” he says. “People in Europe don’t care who the commissioner is, it’s not personal, they just want the authority to respond.”
The DPC, unsurprisingly, doesn’t agree.
The problem in parsing this situation is that both sides have seemingly valid points. The Austrian argues that, in taking his complaint to Europe, the DPC merely served “to kick the can down the road for five years”.
“This all amounted to politics, and shielding big tech,” he says.
“If you just want to do your job then you issue a decision and then see what happens.”
Given that complaint was upheld by the CJEU, you could be forgiven for thinking Mr Schrems has a point. Except, in its ruling, the CJEU explicitly stated that the DPC's referral had been legally justified.
The fact the DPC was also ordered to pay Mr Schrems' costs, which informed sources state are in the region of €3m, has been pointed at as further proof of the former being in the wrong, but this is also, to an extent, a simplification of what happened — someone had to pay those costs, and it couldn’t be the complainant — it wasn’t his fault the case was kicked onward after all.
That is of scant comfort to the Irish taxpayer of course, who ultimately foots the bill.
Deputy Commissioner with the DPC Graham Doyle, responding to Mr Schrems’ assertions, states that the Commission’s performance “stands up in comparison with the other European authorities”.
He notes that of just four decisions involving fines taken against big tech across the 27 EU countries to date, the DPC was responsible for one of them (against Twitter), while a further six or seven (including some taken by Mr Schrems himself) are hoped for by the end of this year.
He argues that Ms Dixon’s decision not to attend the LIBE hearing with Mr Schrems was imperative because Mr Schrems remains involved in litigation involving the DPC before the Irish courts.
He says that means any interaction would have been inappropriate, while the clamour for ‘more fines more quickly’ is redundant if those fines end up being reduced or written off entirely because of a lack of fair procedure.
This is something that has happened to the German regulator, one of the DPC’s staunchest critics, repeatedly.
“We want to be quicker, but we also want to be careful and efficient,” Mr Doyle says.
"If you’re going to end up in court, you would rather be dealing with the merits of a decision than whether or not you followed fair procedure."
The LIBE committee issue, meanwhile, serves, to an extent, to give the lie to Mr Schrems’ case that the DPC has been playing politics with big tech, given that the LIBE resolutions themselves, in criticising Ireland, have been essentially political statements.
Aside from general criticism, Mr Schrems has said, in terms of concrete action to speed the DPC up, that “logic states that there should be more than one commissioner”. The 2018 Data Protection Act, which gave effect to GDPR in Irish law, has provision for three, but that has never been actioned.
However, the decision to appoint further commissioners is one for Government, not the DPC, although the latter can, of course, lobby for such an outcome.
Wexford-based data protection expert Daragh O’Brien, himself no stranger to criticism of the State regulator, is a deal more measured in his appraisal of the DPC than some of its critics.
In terms of a second and third commissioner he states: “The problem isn’t the number of commissioners - it’s the slower processes lower down that get those cases before the Commissioner for decision that are the issue.”
Regarding European criticism of the DPC, Mr O’Brien says that “people in glass houses shouldn’t throw stones”.
“The DPC should be picking up the pace, but every regulator needs to up its game. And effective sanctions need to be grounded in fair procedure. Swinging big and missing isn’t of much use to anyone,” he says.
“The important metric here is behavioural change among institutions, and you achieve that via the certainty, frequency and procedural fairness of fines.”