Tag Archives: DPC

This afternoon.

The Irish Data Protection Commission is imposing a fine of €17m on Facebook parent company Meta.

Via RTE News:

The decision followed an inquiry by the commission into a series of 12 data breach notifications it received in the six-month period between 7 June 2018 and 4 December 2018.

The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR, the General Data Protection Regulation, in relation to the processing of personal data relevant to the 12 breach notifications.

The Data Protection Commission found that Meta Platforms failed to have in place appropriate technical and organisational measures that would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the 12 personal data breaches.

Facebook fined €17m by Data Protection Commission (RTE)


From top: Data Protection Commission office; Meta’s Dublin HQ (formerly Facebook)

This afternoon

The Irish Data Protection Commission (DPC) has denied claims that it lobbied members of the European Data Protection Board (EDPB) to help allow Facebook to bypass General Data Protection Regulation (GDPR).

Via RTÉ News:

The commission has also denied it acted in bad faith by holding talks with Facebook in a manner that it has been claimed by privacy campaigners sought to subvert the procedures of the EDPB.

The developments follow allegations made against the DPC in recent days by NOYB, the organisation run by Austrian privacy campaigner Max Schrems.

He claimed that documents, released under the Freedom of Information Act, showed the DPC tried to lobby other European data protection authorities for the adoption of a General Data Protection Regulation (GDPR) “bypass” approach to user data collection.

According to Mr Schrems, the “freedom of contract” approach would have allowed data controllers to put a clause into their terms and conditions, to make the harvesting of data necessary for a contract, in effect bypassing the consent requirement under GDPR.


The DPC acknowledged that the position it ultimately put forward on the issue of contract at the working group was not acceptable to many in the group and it became clear a consensus could not be built.


Data Protection Commission rejects Schrems’ claims on lobbying (RTÉ)


From top: Sinn Féin TD Louise O’Reilly, Labour TD Aodhán Ó Riordan, Independent TD Mattie McGrath; Dáil vote


At the Dáil sitting in the Convention Centre in Dublin.

Fianna Fáil TD Jack Chambers put forward the proposal that the Dáil adjourn this evening and return on September 15.

Before the vote, Sinn Féin TD Louise O’Reilly proposed that the Dáil convene next Tuesday to facilitate questions and answers to and from Tánaiste Leo Varadkar and the Minister for Employment and Social Protection Heather Humphreys about the PUP/social welfare controversy and the statement made by the Data Protection Commissioner in respect of the gathering of data by social welfare inspectors and gardai at airports and ports.

Ms O’Reilly also said the Dáil doesn’t need a six-week holiday and that deputies should return on September 1.

Labour TD Aodhán Ó Riordan said Labour was supporting Sinn Féin’s proposal but added that another item needed to be resolved before the Dáil took its summer recess – specifically: “The issue of pandemic unemployment payments for those who are self-employed and those who are in receipt of employee wages and self-employed wages who are now going to be put on a lower schedule of payment.”

He added:

“Now we can only resolve this issue if the Dáil is in sitting and we can’t have a six-week recess for those who are in receipt of this payment. So it would be very simple for us to return here on Tuesday, have questions over and back on this issue and come to a resolution on the issue that has been outlined by Deputy O’Reilly and also the issue that has been outlined by myself.” 

Independent TD Mattie McGrath also called for the Dáil to return next week.

In the end, TDs voted 81-44 to return to the Dáil on September 15.

Meanwhile, earlier…

Watch live here

Earlier: Departure From The Norm

Reasonable Question

From top: Facebook HQ, Dublin; Privacy activist Max Schrems outside the High Court, Dublin in 2015

This morning.

The European Court of Justice has ruled that Privacy Shield, the EU-US data protection agreement, is invalid.

Via RTÉ:

The case was referred to the European court by Ireland’s High Court.

It began as a 2015 complaint to the Irish Data Protection Commissioner, made by Austrian activist Max Schrems (see below).

The outcome could potentially have major implications for the way technology companies handle European citizens’ data.

It specifically relates to the personal data Facebook holds on its European users, which the company sends to its US-based data centres.

However, the ruling could impact any company that sends user data to the US or potentially any other country outside of the EU.

The Privacy Shield framework established between the EU and US was designed to allow data transfers between the two jurisdictions.

EU court rules EU-US data protection agreement invalid (RTE)

Privacy activist and party to the case Max Schrems says:

“I am very happy about the judgment. At first sight it seems the Court has followed us in all aspects.

This is a total blow to the Irish Data protection Commissioner (DPC) and Facebook. It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a role on the EU market.”

The Court clarified for a second time now that there is a clash of EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners.

Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.

This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws. You can’t blame the Court to say the unavoidable – when shit hits the fan, you can’t blame the fan.”

CJEU invalidates “Privacy Shield” in US Surveillance case (nypob.eu)