The Irish Data Protection Commission (DPC), Europe's main data-protection watchdog, is attacked by leading privacy advocates for taking too long to wrap up probes into Facebook Inc. and its Instagram and WhatsApp units.

Max Schrems’s group Noyb in an open letter on Monday called on European Union authorities to “take action” against the Irish Data Protection Commission, which has yet to issue any significant fines exactly two years after strict EU rules empowered the regulator to levy hefty penalties for serious privacy violations.

Within hours of the new GDPR being applicable on 25 May 2018, the European non-profit organisation noyb.eu filed three complaints against the Facebook Group (including WhatsApp and Instagram). noyb.eu says that since then, the DPC has asked the non-profit organisation not to discuss those issues in public and declared the contents of the "extremely slow procedure confidential".

Despite this alleged (and legally non-binding) confidentiality, noyb.eu on Monday published an Open Letter (PDF) that exposes how the GDPR has (not) been enforced two years after it became applicable. Even under the Kafkaesque procedure described in the letter, noyb.eu says that the Facebook Group may still have to face a fine of up to € 2.5 Billion down the road, if the DPC follows its internal investigator report.

According to the letter, the Irish DPC and the Facebook Group (including WhatsApp and Instagram) had ten secret meetings before the GDPR became applicable in 2018.

In these meetings, Facebook claims to have had “detailed direct engagement with the Commission prior to the implementation” of an apparent “consent bypass” (details below) to circumvent the GDPR’s strict consent rules. Despite the fact that Facebook relied on these meetings in its submissions and highlighted that the documents were ‘subject to consideration’ by the DPC, the authority refuses access to any records of these secret meetings, including a White Paper submitted by Facebook.

Max Schrems, chairman of noyb.eu: “It sounds a lot like those secret ‘tax rulings’ where tax authorities secretly agree with large tech companies on how to bypass the tax laws – just that they now do this with the GDPR too.”

“There were no ‘secret meetings’ held between the DPC and Facebook,” Graham Doyle, deputy commissioner at the data protection commission, said. “We regularly engage and meet with companies from all sectors as part of our regulatory enforcement and supervision functions” just as other EU data regulators do.

In the procedures that were triggered by three complaints filed by noyb.eu two years ago (within the first hours of the GDPR becoming applicable), the Facebook Group openly acknowledges that it simply switched from highly regulated “consent” to an alleged “data use contract”. This contract allegedly obliges Facebook to track, target and conduct research on its users. According to Facebook, this switch happened at the stroke of midnight when the GDPR became applicable.

Max Schrems: “It is nothing but lipstick on a pig. Since Roman times, the law prohibits ‘renaming’ something just to bypass the law. What Facebook tried to do is not smart, but laughable. The only thing that is really concerning is that the Irish DPC apparently engaged with Facebook when they were designing this scam and is now supposed to independently review it.”

In a study conducted by the Gallup Institute on the “consent bypass”, 64% of 1.000 users believe they gave consent, despite Facebook’s claims to the opposite. Depending on the question, only 1.6-2.5% thought they actually entered into a “data use contract” that includes a duty of Facebook to use their data for advertisement or research. The rest thought it is mere information, a contract without such duties or could not see any meaning in the page.

Max Schrems: “Basically none of the 1,000 users we have asked thinks they have signed such an alleged ‘data use contract’ with Facebook.”

The letter comes just days after the Irish authority said it’s edging closer to delivering its first major sanctions under the EU’s General Data Protection Regulation after finalizing a draft decision in a probe concerning Twitter Inc. and completing a further procedural step in a separate probe concerning WhatsApp.

GDPR empowered regulators to levy penalties of as much as 4% of a company’s annual revenue for the most serious violations. The biggest fine to date was a 50 million-euro ($54.5 million) penalty for Google by France’s watchdog CNIL.