In June we reported about the Irish Government’s ‘last minute’ amendment to the Courts and Civil Law (Miscellaneous Provisions) Bill 2022, which was seen by some as an effort to ‘muzzle’ critics of the Data Protection Commission (“DPC”).
The Bill was debated and the Irish Government has indeed passed a new law governing complaints brought under the General Data Protection Regulation (“GDPR”), which allows the DPC to declare cases ‘confidential’ and criminalize anyone sharing information about GDPR procedures. This is seen by some as a gag order introduced by the DPC.
Privacy activists, such as Max Schrems and noyb, have been a thorn in the DPC’s side for a number of years and have successfully challenged several of the DPC’s GDPR decisions. The new Irish GDPR gag law changes that, and gives the DPC wide-ranging powers to stop anyone from sharing details of GDPR cases.
Silencing Privacy Activists
The European Digital Rights group, another group of privacy activists, issued a statement of condemnation when the Irish Government first indicated that the Bill would come up for debate towards the end of June and noted that there was no pre-legislative scrutiny.
Furthermore, the Irish Council for Civil Liberties and Amnesty International were also troubled by the DPC’s new powers. They described it as “a blatant attempt not only to shield Big Tech from scrutiny but also to silence individuals and organizations that stand up for the right to privacy and data protection.”
EDPB and its powers
The European Data Protection Board (“EDPB”) ensures that the GDPR is applied consistently across the European Union (“EU”) and promotes cooperation – including on enforcement – between national data protection authorities (“DPAs”).
There are concerns that the EDPB might be adversely affected by the new Irish law and will likely create further tensions between that the DPC and the EDPB. Presently, the EDPB has not released a statement on this development and therefore it is not clear
Effect on the rest of the EU
Previously, the DPC has taken the view that its orders and rules would apply in other EU Member States. This is in contradiction to Article 55(1) GDPR, which clarifies that each DPA only has jurisdiction in its own Member State. Furthermore, EU law prevents the DPC to apply Section 26A outside of Ireland.
The law has been viewed by some as unclear and likely unconstitutional and combined with the EU plans to modify some aspects of the GDPR, it is expected that the privacy world may be facing some interesting times ahead.
Does your organization require any assistance regarding the GDPR? Contact us, the Experts in Data Privacy, at firstname.lastname@example.org for assistance.