Ireland makes reporting on DPC procedures illegal

See below for an update from the Irish Department of Justice.

On Wednesday, 21 June, a last-minute amendment to Ireland's Courts and Civil Law (Miscellaneous Provisions) Bill 2022, the Irish Government added a provision allowing the Irish Data Protection Commission (DPC) to declare virtually of all its procedures as "confidential". Under the Bill, Section 26A would make most reporting about DPC procedures or decisions illegal. 

Like most observers, we learned this through a blog article posted on Monday, 26 June, by the Austrian privacy group NOYB. As the article indicated, if passed, the Bill would also make reporting on the claims made by technology companies or unfair procedures affecting millions an unlawful act. The Amendment has to be approved by the Irish Parliament on Wednesday.

At the time, Max Schrems, NOYB honorary chair, said, "Instead of reacting to legitimate criticism, they now try to criminalise it.The proposed law in Ireland makes it criminal to share any information on a procedure. This shows that they fear the public and reporters more than anything.The law would however allow the DPC to selectively share information when it sees fit. It is mind blowing that this would happen in a European country."

In a separate post, Johnny Ryan from the Irish Council for Civil Liberties (ICCL) condemned the move. 

“Justice should be done in public. The DPC should be holding public GDPR hearings, as the Supreme Court's Zalewski Decision makes clear. Instead, the Government is attempting to make DPC decision making even more opaque. The DPC is already exempted from freedom of information rules that could have aided in its reform," he said in a statement. 

Going further, he argued, “Ireland's enforcement of the GDPR against Big Tech, and how it upholds the data rights of everyone in Europe," and asked the Irish government why they are doing this. 

Other posts from Amnesty, EDRi, and BEIC were equally condemning. 

Then, on Wednesday, Reuters reported that Section 26 A of the Bill passed by 73 votes to 60.

The vote came after junior minister James Brown at Ireland's justice ministry had told parliament there had been a misinterpretation of the amendment's scope, saying, "To be clear nothing in this amendment will prevent a complainant from speaking out about the nature of their data privacy complaint. There is no impact on journalists and no impact on the DPC's obligations under the GDPR." 

In response, NOYB posted a detailed blog outlining how it believed the DPC would use its new powers to criminalise anyone sharing information about pending procedures. In defiance, NOYB also confirmed that it would not be silenced in legitimate public speech about cases it is engaged in. NOYB did concede, however, that some information it provides may not be available in Ireland anymore. 

Max Schrems said: "While Section 26A will be a major problem for persons in Ireland, it is clear that it can legally not apply to persons outside of Ireland. Ireland has no jurisdiction to regulate freedom of speech in the rest of the European Union."

The article also suggests Section 26A will add to the already fractious relationship between the DPC and the European Data Protection Board (EDPB). 

UPDATE: 040723 - Following last week's news, roundly condemned by industry advocates and media outlets concerned about attempts to silence critics of Ireland's Data Protection Commission, the Irish Department of Justice released a statement. In the interest of providing an unbiased and balanced account, we are including the statement in full. 

[Start]

There appears to be a misinterpretation of the scope and purpose of this amendment (to the Irish Data Protection Act 2018).

• For clarity, nothing in this amendment would prevent a complainant from speaking out about the nature of their data privacy complaint or that a complaint had been made to the Data Protection Commission.
• The amendment applies only to persons engaged with the Commission in the context of the performance of certain statutory functions including inquires and investigations. The specific functions known as “relevant functions” are defined in Section 26A (5). Its purpose is to bolster the integrity of those statutory processes and the provision to the Commission of confidential and commercially sensitive information in the course of carrying out the “relevant functions”.
• Amendments are to ensure that the investigation of breaches of #GDPR can be investigated effectively and fairly so that robust sanctions can be applied and the privacy of EU citizens protected. Breaches of confidentiality during an investigation can undermine the ability to effectively regulate data processors and allow breaches to go unsanctioned. While the amendment does permit the Commission to direct that information is not to be disclosed, it must identify the specific information and the specific reasons by reference to the definition of confidential information. Confidential information is defined in Section 26A and is limited to information that is commercially sensitive within the meaning of section 149 (7), given in confidence or the disclosure of which could reasonably be expected to prejudice the effectiveness of the performance of a relevant function.
• There are also limits included in relation to the duration in which the obligation not to disclose lasts. Where information is confidential because its disclosure would prejudice the effectiveness of the performance of a relevant function, that ceases once the relevant function has concluded.
• The intention to bring forward an amendment to the confidentiality provisions of the Data Protection Act 2018, was highlighted to Dail Eireann at Second Stage in October 2022 and Committee Stage in November 2022.
• It does not impact on media reporting or on the GDPR and the obligations on the DPC under that GDPR.”

[End]

Special thanks to Paul Jordan, Chair of the privacy special interest group PICCASO, for alerting us to the statement on his LinkedIn page. 

In the comments to Paul's post, he commented that the "EDPB will look into its [the amendment's] implications together with the DPC, also taking into account the upcoming Commission legislative proposals for the harmonisation of national procedural laws. The draft of which should be available in the coming weeks." 

We are no doubt all interested to see how this unfolds.