VIENNA (Reuters) – Privacy activist Max Schrems called on the European authorities to push the Irish regulator to speed up its handling of cases he has brought against Facebook on the second anniversary of the introduction of rules designed to help protect the data of consumers. Schrems, long a thorn in the side of Facebook, bemoaned the lack of progress since the introduction of the General Data Protection Regulation (GDPR) regime across Europe in 2018.
“After two years, we feel that the time has come to shine light on the shortcomings of the GDPR’s current enforcement in Ireland and bring the debate into the public,” the letter, published on Monday, says.
The procedure adopted by the Irish Data Protection Commission (DPC) was “highly inefficient and partly Kafkaesque.”
The letter’s recipients are the national data protection authorities, the European Commission, the EU Parliament and the European Data Protection Board (EDPB).
The GDPR overhauled data protection laws in the European Union that predated the rise of the internet and, most importantly, gave regulators the power to impose fines of up to 4 percent of global revenues for companies that break the rules.
Schrems, who previously won a landmark European ruling on data transfer in 2015, said he would seek a judicial review of the DPC’s actions at the Irish High Court as soon as coronavirus-related restrictions are lifted.
Ireland’s DPC, asked for comment on the letter, said it had currently 23 “big tech” inquiries open and last Friday announced significant developments in a number of these inquiries, including three that were initiated after complaints received from Max Schrems’s non-profit organisation noyb.
“One of these complaint-based inquiries, which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing, has now moved to the decision-making phase,” the DPC said.
Schrems filed complaints against Google, Facebook and its affiliates Instagram and WhatsApp immediately after GDPR came into effect in May 2018, arguing that their approach violated the rights of users to choose themselves whether to allow companies to use their data.
The Irish Data Protection Commission is the lead regulator in the Facebook cases as the firm has its European headquarters in Dublin.
The case against Google was dealt with in France, where the regulator CNIL imposed a 50 million euro fine for breaching the EU privacy rules in January last year.
Schrems said the Irish watchdog had requested to keep documents confidential and to not even share them with other national counterparts.
“We request the European Commission to act and issue infringement procedures against any member state with legislation that prevents the effective application of the GDPR, with overly complicated and long procedures, or without any effective remedy against delayed procedures,” the letter says.
Facebook declined comment on the DPC process.
Reporting by Kirsti Knolle, additional reporting by Padraic Halpin in Dublin, Katie Paul in San Francisco; Editing by David Evans