GDPR

Ireland to weaken GDPR enforcement in all EU


Ireland wants to gag those who raise EU privacy cases before its own national regulator, the DPC (Data Protection Commission). It might seem like a local judicial dispute, but instead it is news of European importance, relevant for any EU member State. But why? 

The fact is that the major privacy procedures concerning Big Tech (Google, Meta, TikTok, etc.) arising anywhere in the EU are normally managed by the regulator in Dublin, because this is what the GDPR, the European legislation on personal data, prescribes for so-called “cross-border processing”, which is almost the rule for online platforms. Therefore, irrespective of where the victim of the GDPR infringement is located in the EU, the GDPR establishes a system, called the “one-stop shop”, normally leading to the jurisdiction of the data protection authority of the European country where the accused Big Tech company has placed its headquarters. And this country is normally Ireland, traditionally chosen as a seat by large Internet multinationals for reasons of fiscal convenience, and which has consequently also become the main forum for major disputes regarding personal data. All the major proceedings relating to the European GDPR regulation against Google and Meta have in fact been handled by the Irish DPC so far.

What is happening now in the Parliament in Dublin? An out-of-the-blue amendment (section 26A) introduced by the Minister of Justice to a general procedural law would aim to make records, reports and information of the DPC trials highly confidential, making those who allow their disclosure liable to criminal penalties. It would be up to the DPC to identify which matters are reserved and which persons are liable. Remarkably, the rule could also apply to the participants in the process, including claimants, i.e. those who brought the Big Tech company in question before the regulator. It follows that a person whose data has been violated by Google, Meta or TikTok could not speak publicly about their case, under penalty of being indicted before the Irish courts. In most cases such a person would be a citizen of a country other than Ireland who, for procedural reasons, was obliged to take the case to Ireland.

The incredible Irish legislative proposal seems aimed at neutralizing Max Schrems, the Austrian activist who has built a career by initiating a barrage of GDPR-based proceedings against Big Tech, which have resulted in substantial fines (most recently those against Meta on personalised advertising as well as on the transfer of European data to the United States). Schrems has not only filed judicial cases, but has also created an organization that campaigns on ongoing proceedings, bringing to public attention the fact that the DPC itself is not as fast and efficient in pursuing Big Tech as its role would require.

It is in fact known that all the decisions of the DPC on Big Tech are normally criticized by the European Board for data protection, which often revises them to be more severe. The Irish government would now like to at least ease the media pressure by preventing Schrems and any other plaintiffs from speaking publicly about the cases brought before the DPC. A regrettable initiative which, as mentioned, could have deleterious effects on any European citizen who wants to complain about how their data is processed by Google, Meta or TikTok.

Notably, the legitimacy of the new potential Irish law is questionable. The GDPR allows for confidentiality obligations for regulators’ employees, but leaves others free to speak, especially litigants, as is the case in all other EU member states. Any restrictions on the parties’ freedom of expression should be minimal and proportionate. Furthermore, the DPC itself regularly exchanges procedural documents with the other EU authorities, which must be able to use them also with third parties, and in fact the issue of confidentiality has sometimes been invoked by the Irish to weaken this cooperation. 

In short, there is something rotten in Dublin and the problem will soon arrive in Brussels as well as in other European capitals, increasingly impatient with how Ireland interprets its role as the European hub of the GDPR.

NB: a spokesperson for the Irish government declared that privacy campaigners and others are free to criticize the Irish data protection authority. They say there was a “misunderstanding” about the new law. Such a declaration, however, may not be sufficient, since it will be up to the DPC to decide, case by case, which matters are to be considered confidential and which persons may be subject to specific obligations.

Categories: GDPR
