A financial penalty for GDPR violations totalling €28-€36 million ($32-$42 million) is not by any means insignificant, unless that penalty is for a company such as Facebook, in which case it barely counts as a slap on the wrist. Facebook has a net annual turnover of $85.9 billion, of which $29.14 billion is profit.
That is the fine proposed by the Irish Data Protection Commission (DPC) to resolve violations of the EU General Data Protection Regulation by Facebook. The Irish DPC launched an investigation into the social media giant after a complaint was filed by Max Schrems and his privacy advocacy group NOYB. The complaint alleges Facebook has been processing the personal data of its users without consent and has been engaging in deceptive data collection practices.
Such a change would be unlikely to get past EU data protection authorities, who are charged with ensuring compliance, but the Irish DPC has accepted the legal maneuver. In its draft decision, the Irish DPC has accepted Facebook’s argument. Many Data Protection Authorities throughout the EU disagree and view the consent bypass as illegal, but the Irish DPC said it was “simply not persuaded” by their interpretation of the GDPR.
“There is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data. Nor has Facebook purported to rely on consent under the GDPR,” explained the Irish DPC in its draft decision.
While there appears to be no GDPR violation in the eyes of the Irish DPC, a financial penalty has been proposed. The Irish DPC maintains Facebook should have been more transparent about the change from consent to contract, and that it was not made sufficiently clear to users of the platform that the contract bypassed the requirements of the GDPR. The lack of transparency was determined to be in violation of Articles 5(1)(a), 12(1) and 13(1)(c) of the GDPR. Given the importance of the right to information about data processing activities, the Irish DPC said it “represents a significant level of non-compliance.” The total fines proposed to resolve those violations amount to €28-€36 million, which is 0.048% of Facebook’s global revenue. The maximum financial penalty is 4% of global annual revenue.
“It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law. Since Roman times, the Courts have not accepted such ‘relabeling’ of agreements. You can’t bypass drug laws by simply writing ‘white powder’ on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick,” said Schrems.
Schrems also suggested the Irish DPC developed the GDPR bypass with Facebook prior to the GDPR taking effect. Schrems says there were 10 secret meetings between the Irish DPC and Facebook in the spring of 2018 prior to the GDPR taking effect. The draft decision refers to a “specific analysis” that the DPC provided to Facebook, but the DPC has refused to disclose the content of that analysis.
“The DPC developed the ‘GDPR bypass’ with Facebook, that it is now greenlighting as a regulator. Instead of a regulator, it acts as a ‘big tech’ advisor,” said Schrems. “Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good.”