General Data Protection Regulation (GDPR)
,
Governance & Risk Management
,
Privacy
New Bill Set to Penalize Disclosure of Data Protection Commission’s Reprimands
Irish Parliament has proposed changes to a new bill that would make it a criminal offense to disclose privacy reprimands issued by the Data Protection Commission. Civil rights groups are accusing the government of shielding the country’s privacy regulator from criticism.
See Also: OnDemand Webinar | Learn Why CISOs Are Embracing These Top ASM Use Cases Now
The Irish Parliament put forward the Criminal Justice (Miscellaneous Provisions) Bill in 2022. It contains amendments to the country’s older criminal offenses regulations.
Last week, the lawmakers hastily introduced further changes to the draft law that will grant the country’s Data Protection Commission authority to legally sue individuals or organizations for disclosing information relating to reprimands deemed sensitive by the agency. Violations of the proposed law would be punishable by a fine of 5,000 euros.
Privacy rights organizations including the Irish Council for Civil Liberties and NOYB called out the government’s proposed move, saying it is an attempt to “muzzle the DPC critics” by making the operations of the agency more “opaque.”
“The DPC is already opaque,” ICCL senior fellow Johnny Ryan tweeted. “Most of its activity is exempt from Freedom of Information Act, and it does not hold public hearings. This will make the agency even less transparent. Government put this amendment at the final stage of a Miscellaneous Provisions Bill, evading proper scrutiny.”
Ryan said the proposed changes may further hinder the agency’s cooperation with European Union regulators to uphold citizens’ data rights.
Austrian privacy rights activist Max Schrems, whose organization NOYB has successfully sued big tech companies such as Facebook and Google for violations of the General Data Protection Regulation, said the latest amendments will help the Irish privacy regulator limit criticism against the agency. This will further help big companies avoid negative impact on stock prices and public perception, NOYB said.
“Instead of reacting to legitimate criticism, they now try to criminalize it,” Schrems said. “The law would, however, allow the DPC to selectively share information when it sees fit. It is mind-blowing that this would happen in a European country.”
The bill is set to enter final debate in the Irish Parliament on Wednesday. The privacy groups are calling on lawmakers to reject the proposed changes.
Privacy activists and civil society groups have long dogged the Irish Data Protection Commission with accusations that it is soft on U.S.-based tech companies. The fact that a large number of American big-tech companies – including Facebook, Microsoft and Apple – have established international headquarters in Dublin gives the Irish agency outsized influence over the behavior of these companies.
This flexibility made Ireland a bottleneck in effective GDPR implementation, the ICCL said previously, adding that a majority of regulatory action undertaken by the DPC against big tech companies tended to be largely settled through amicable resolutions (see: Irish Civil Society Dogs Irish DPC With GDPR Criticism).
The Irish DPC rejects these claims, citing its history of multiple, multimillion-euro fines against companies such as Facebook. The agency declined to comment on the legislation.