Max Schrems, one of the central figures in bringing down the EU-US Privacy Shield, has penned an open-letter slams the Irish Data Protection Commission for not dealing with Facebook appropriately.
With his privacy campaign organisation, noyb.eu (none of your business) taking on the social media giant, Schrems has heavily criticised the regulator for a lack of action, shrouding investigations with mystery and secret meetings with the firm to create a ‘consent bypass’ situation.
“It sounds a lot like those secret ‘tax rulings’ where tax authorities secretly agree with large tech companies on how to bypass the tax laws – just that they now do this with the GDPR too,” noyb.eu Chairman Schrems said.
The ‘consent bypass’ was an agreement between the authorities and Facebook to switch its policy from ‘consent’ to an alleged ‘data use contract’, allowing the company to track, target and conduct research on users.
“It is nothing but lipstick on a pig,” said Schrems.
“Since Roman times, the law prohibits ‘renaming’ something just to bypass the law. What Facebook tried to do is not smart, but laughable. The only thing that is really concerning is that the Irish DPC apparently engaged with Facebook when they were designing this scam and is now supposed to independently review it.”
According to research quoted by the privacy advocates, only 1.6 – 2.5% of users were aware they were actually entering into a ‘data use contract’. Should these figures be anywhere near accurate, this should not be considered anywhere near good enough.
This entire saga is a bit of ‘he said, she said’ with mud being slung across the wall. On one side of the coin, it is not difficult to imagine secret meetings to figure out how rules can be circumnavigated, but it is also within reason to assume Schrems and his privacy cronies are exaggerating and making a mountain out of a molehill.
Schrems has stated his organisation filed complaints about Facebook during the first few hours of GDPR coming into action, however, the subsequent investigations have not been concluded. This is a fair complaint, these investigations do take time, but then again there has to be a limit. The Information Commissioners Office (ICO) in the UK has delivered dozens of rulings in this period while the Irish DPC celebrated completing the first of six steps last week.
Facebook is a very complicated business with operations spanning across almost every European nation, and while the Irish DPC has been designated lead regulatory authority for several high-profile names, it is not proving itself worthy of this responsibility yet.
Again, you have to take Schrems claims with a pinch of salt, but Silicon Valley is escaping without punishment. We find it impossible to believe all of its residents are acting perfectly within the rules. It would be more credible to blame overly complex bureaucratic processes, a lack of funding, steep workloads and people just not taking privacy as serious as they should; Silicon Valley’s residents at the top of the list.