The Irish Data Protection Commission (DPC) has recently published a draft decision on its investigation of a complaint about Facebook’s data processing practices and found “a significant level of non-compliance” with Articles 5(1)(a), 12(1), and 13(1)(c).
For a company as large as Facebook, the potential financial penalties for GDPR violations are colossal. The maximum fine for the most serious GDPR violations is €20 million or 4% of global annual turnover for the previous fiscal year, whichever is higher. Facebook reported global annual turnover of around $85.6 billion in 2020, so a penalty at the cap could have reached roughly $3.4 billion.
However, despite the seriousness of the violations, the DPC proposed a fine in the range of €28 million to €36 million ($32 million to $42 million), which is around 0.048% of Facebook's global annual turnover. The fine is substantial in absolute terms, but it is pocket change for Facebook, equivalent to around half a day's profit for the social media giant.
The complaint investigated by the DPC concerned consent. The EU General Data Protection Regulation took effect on May 25, 2018, and gave EU residents rights over their personal data and how that information can be used. Consent, set out in Article 6(1)(a), is one of the six lawful bases listed in Article 6(1) of the GDPR, at least one of which must apply before personal data can be lawfully processed. Facebook's position is that it processes user data under a different basis, performance of a contract (Article 6(1)(b)), rather than consent.
“There is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data. Nor has Facebook purported to rely on consent under the GDPR,” said the DPC in its draft decision.
The DPC has been heavily criticized over the draft decision, including by data protection authorities in other EU member states, which regard Facebook's shift from consent to contract as an unlawful bypass of the GDPR. The DPC considered their views but said it was “simply not persuaded” by their arguments. The proposed financial penalty addresses only the violations of Articles 5(1)(a), 12(1), and 13(1)(c), which concern transparency about data processing activities, not the choice of lawful basis itself.
“It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law. Since Roman times, the Courts have not accepted such ‘relabeling’ of agreements. You can’t bypass drug laws by simply writing ‘white powder’ on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick,” said Max Schrems, the privacy lawyer behind the complaint.
Schrems also alleges that the DPC's position was shaped by talks between the DPC and Facebook prior to the GDPR compliance deadline. According to Schrems, the DPC offered Facebook advice in 10 private meetings ahead of that deadline. The draft decision itself refers to a “specific analysis” the DPC provided to Facebook, the content of which has not been released. “The DPC developed the ‘GDPR bypass’ with Facebook, that it is now greenlighting as a regulator. Instead of a regulator, it acts as a ‘big tech’ advisor,” said Schrems.
If a business were to follow Facebook's lead and move its data processing out of consent and into its contract terms, the draft decision suggests it could avoid a penalty for lack of consent, provided it was fully transparent with its users about the change. That reading, however, only clearly holds for companies whose lead supervisory authority is the Irish DPC. Authorities in other EU member states may interpret the same move quite differently. “Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good,” said Schrems.