Statement from DPC regarding allegations made in media publications on 05 and 06 and 07 December

07th December 2021

There has been considerable media coverage in recent days, alleging that the Data Protection Commission (DPC), acting in bad faith on foot of meetings it held with Facebook as part of its regulatory role, “lobbied” the European Data Protection Board (EDPB) with a view to achieving the adoption of guidelines by the EDPB on Article 6(1)(b) GDPR (‘necessity for the performance of a contract’), in the best interests of the company. These allegations are utterly untrue.

Issues relating to the proper legal interpretation of the necessity for the performance of a contract are presently the subject of an ongoing regulatory procedure. That procedure is currently being conducted under the Article 60 of the GDPR. More significantly and separately, Article 6(1)(b) is the subject of proceedings before the Court of Justice of the European Union.

In circumstances where such procedures and proceedings remain live, the DPC is restricted from engaging in any parallel discussion in any public forum.

As a general point, however, we would observe that the outcome of the procedures to which reference is made above will of course bind controllers and regulators alike, and may determine whether, when, and in what circumstances Article 6(1)(b) may be relied on by controllers as providing a legal basis for certain of their personal data processing operations.

The outcome of those procedures will also necessarily impact on the EDPB’s guidelines on the same topic, adopted on 8 October 2019.

Allegations made against the DPC, reported on in recent media publications, appear to be concerned, not with any issues of substance relating to Article 6(1)(b), but with the advancement of a theory, central to which is an allegation that, acting in bad faith, the DPC sought to subvert the procedures of the EDPB with a view to achieving the adoption of guidelines by the EDPB on Article 6(1)(b), favourable to the interests of a particular controller.

That allegation is utterly untrue.

Amongst other things, it also reveals a lack of any kind of basic understanding of the workings of the EDPB, and how, through an iterative process, divergent views relating to complex issues of principle are typically reconciled through dialogue, and through respectful and mature engagement.  

Such was the case in relation to the development of the EDPB’s guidelines on Article 6(1)(b).

In the circumstances, an early working document, presented in isolation, does no more than identify the range of views under discussion at one moment in time.

In part, the theory relies also on further serious (albeit unsubstantiated) allegations that have been levelled at the DPC. It has been alleged that the DPC approved/ negotiated/ jointly developed Facebook’s position in relation to the legal basis for its processing operations. This is absolutely incorrect and without basis in fact. To be clear, the DPC does not and never has, endorsed, jointly developed, approved or in any other way assented or consented to a controller’s or processor’s policies or position in relation to compliance with its data protection obligations.

During the course of late 2017 to March 2018, the DPC, in furtherance of its supervision functions, had meetings with Facebook (as it and indeed many other DPAs did with many other public and private sector organisations) for the purposes of being updated on and providing high level feedback in respect of Facebook’s GDPR preparation programme. This was entirely in keeping with the DPC’s long established approach to supervision by way of consultation and regulatory engagement with stakeholders. This function was an inherent aspect of the DPC’s statutory obligations under the Data Protection Acts 1988 and 2003 (Section 9 amongst others) which applied at the time of the meetings in question. Indeed it remains a core function under the new legislative regime in Ireland of the GDPR and the 2018 Act (e.g. Article 57 tasks which include monitoring, advising and awareness promoting activities amongst others, in addition to formal consultation activities under Article 36). The DPC makes it abundantly clear to any organisation that seeks to consult with it that this is the premise upon which consultation takes place and that it is entirely a matter for that organisation to ensure that it is in compliance with data protection law and to be able to demonstrate same.

In the context of performing its consultation and supervision functions regarding Facebook during this period, and as it does with all other organisations which seek to consult with it, the DPC provided high level feedback/ observations on proposed compliance approaches and non-binding guidance on the application of the GDPR and national legislation. To re-iterate: at no time in the course of its engagement with Facebook, or any other organisation which sought to consult with the DPC in relation to its GDPR preparations, did the DPC approve, jointly develop, endorse, consent to, or negotiate on the processing operations of Facebook. Neither it must be emphasised did the DPC at any time suggest or intimate to Facebook that Article 6(1)(b) was an appropriate lawful basis on which to base its processing operations. In fact, to the extent there were discussions on this matter was only insofar as to probe Facebook on its considerations concerning Article 6(1)(b) and to seek substantiation of its legal reasoning.  

In early 2018, one of the meetings with Facebook was hosted at the premises of another EU DPA, no one-stop-shop having existed in data protection law prior to May 2018, and attended by multiple EU DPAs where Facebook outlined its emerging considerations of lawful bases.

It was on foot of that meeting that the DPC on a number of occasions briefed DPAs during Article 29 Committee plenaries (now the EDPB) on what it had learnt about legal bases being contemplated from its engagement with controllers. In light of the harmonisation required by GDPR the DPC proposed the EDPB should prepare guidance on the topic of contract. In proposing the guidance, the DPC stated that there were potential issues around the appropriateness of reliance under the GDPR on such a legal basis. It was agreed that the DPC would act as lead rapporteur for the guidelines. A position then was prepared by the DPC, in good faith. In the first instance, that position sought to draw on guidance previously issued by the WP29 Group as well as the DPC’s own legal analysis having regard to the broader concepts and principles of contract law as understood in the common law legal tradition. As the exchanges developed, the DPC developed an updated position for discussion purposes which was the subject of intense debate in the usual way.  The position developed by the DPC was not acceptable to many within the sub-group and it became clear there was no possibility of building a consensus around it. At that point, respectful of the views of its colleagues, the DPC prepared a further iteration, adopting the views of the majority. The revised iteration prepared by the DPC ultimately became the cornerstone of the draft guidelines that later emerged from the sub-group, and which were ultimately adopted in plenary. That is to say, subject to some comparatively minor adjustments, the final guidelines have their origins in a document prepared by the DPC.

The DPC regrets the baseless allegations of bad faith made against it.