Irish DPC Criticized for Decision on Facebook GDPR Complaint


The Irish Data Protection Commission (DPC) has recently published a draft decision on its investigation of a complaint about Facebook’s data processing practices and found “a significant level of non-compliance” with Articles 5(1)(a), 12(1), and 13(1)(c).

For a company as large as Facebook, the financial penalties for GDPR violations are potentially colossal. The maximum fine for a GDPR violation is €20 million or 4% of global annual turnover for the previous fiscal year, whichever is higher. Facebook had a global annual turnover of around $85.6 billion in 2020, which means a financial penalty could be as high as roughly $3.4 billion.

However, despite the seriousness of the violations, the DPC recommended a GDPR fine in the range of €28 million to €36 million ($32-$42 million), which even at the top of that range is less than 0.05% of Facebook's global annual turnover. The fine is substantial in absolute terms, but it is pocket change for Facebook and equivalent to around half a day's profit for the social media giant.

The complaint investigated by the DPC concerned consent. The EU General Data Protection Regulation took effect on May 25, 2018, and gave EU residents rights over their personal data and how that information can be used. Consent is one of the six legal bases listed in Article 6(1) of the GDPR (it is the first, Article 6(1)(a)), and at least one of those bases must apply before personal data can lawfully be processed.

The complaint was filed with the DPC by Max Schrems and his privacy advocacy group NOYB (None of Your Business); the DPC has jurisdiction because Facebook's EU base is in Dublin. The complaint alleged multiple violations of the GDPR, including failure to state the legal basis for processing data, failure to obtain clear consent to process data, forced consent by requiring individuals to agree to all terms in its privacy policy, additional hidden consent buried in its terms of service, and limitations on the ability to object to the processing of personal data.

Users were told via a pop-up that continuing to use the service would require them to accept the new privacy policy or delete their account. This effectively created a "lock-in effect": declining would mean losing an extensive amount of personal data and social connections, since these could not be exported to another service. The complaint alleged this was a "take it or leave it" condition of service, not consent freely given. In short, the complaint alleges that Facebook has been processing the personal data of users without valid consent since May 25, 2018, and has been engaging in deceptive data collection practices.

The change to Facebook's privacy policy took effect at midnight on May 25, 2018, the moment the GDPR became applicable. Part of the change was a legal manoeuvre that recast the terms and conditions for using the platform as a contract with each user. By relying on the contract as its legal basis (Article 6(1)(b)) rather than consent, Facebook no longer needed users to consent to the processing of their data. Switching from consent to a contract in this way is what Schrems and NOYB call a "GDPR bypass". The DPC accepted Facebook's position, and that decision could have serious repercussions: any business could follow Facebook's lead and move its data processing into a contract, thereby sidestepping consent as a legal basis altogether.

“There is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data. Nor has Facebook purported to rely on consent under the GDPR,” said the DPC in its draft decision.

The DPC has been heavily criticized over the decision, including by data protection authorities in other EU member states that consider the "GDPR bypass" unlawful. The DPC considered their views but said it was "simply not persuaded" by their arguments. The proposed financial penalty addresses only the violations of Articles 5(1)(a), 12(1), and 13(1)(c), which concern transparency about data processing activities, and not the question of whether Facebook's chosen legal basis is valid.

“It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law. Since Roman times, the Courts have not accepted such ‘relabeling’ of agreements. You can’t bypass drug laws by simply writing ‘white powder’ on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick,” said Schrems.

Schrems also alleges that the DPC decision was the product of talks between the DPC and Facebook before the compliance deadline. According to Schrems, the DPC advised Facebook in 10 secret meetings ahead of the GDPR compliance deadline. The draft decision refers to a "specific analysis" provided to Facebook by the DPC, the content of which has not been released. "The DPC developed the 'GDPR bypass' with Facebook, that it is now greenlighting as a regulator. Instead of a regulator, it acts as a 'big tech' advisor," said Schrems.

If the draft decision stands, a business that followed Facebook's lead and moved its data processing into a contract with its users would likely avoid any consent-related penalty, provided it was fully transparent with users about the change. However, that would likely hold only for businesses with their EU base in Ireland. Supervisory authorities in other EU member states may interpret such a move quite differently. "Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good," said Schrems.