Irish Data Protection Commission Proposes €28-36 Million GDPR Fine for Facebook

A financial penalty for GDPR violations totalling €28-€36 million ($32-$42 million) is by no means insignificant, unless it is levied on a company such as Facebook, for which it barely counts as a slap on the wrist. Facebook has a net annual turnover of $85.9 billion, of which $29.14 billion is profit.

That is the recommended fine proposed by the Irish Data Protection Commission (DPC) to resolve violations of the EU General Data Protection Regulation by Facebook. The Irish DPC launched an investigation into the social media giant when a complaint was filed by Max Schrems and his privacy advocacy group NOYB. The complaint alleges Facebook has been processing the personal data of its users without consent and has been engaging in deceptive data collection practices.

The issue at the heart of the complaint is that at midnight on 25 May 2018, when the GDPR took effect, Facebook made changes to its privacy policy that altered its agreement with users of the platform. Rather than obtaining consent from users to collect, use, and process their data, the agreement was reclassified as a contract.

The change is significant because, by classifying the agreement as a contract, Facebook is able to bypass the strict GDPR rules on obtaining consent before processing personal data, which is one of the most important provisions of the GDPR. It also means that users of Facebook cannot simply exercise their right to withdraw their consent at any time and stop the processing of their personal data. By making that change, Facebook has decided the consent requirement of the GDPR does not apply to it, and that has implications for EU citizens: any business could simply make a wording change to its privacy policy, enter into a contract with consumers rather than obtain their consent, and thus bypass the GDPR.

Such a change would be unlikely to get past the EU data protection authorities charged with ensuring compliance, but in its draft decision the Irish DPC has accepted Facebook’s legal maneuver. Many Data Protection Authorities throughout the EU disagree and view the consent bypass as illegal, but the Irish DPC said it was “simply not persuaded” by their interpretation of the GDPR.

“There is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data. Nor has Facebook purported to rely on consent under the GDPR,” explained the Irish DPC in its draft decision.


While there appears to be no GDPR violation in the eyes of the Irish DPC, a financial penalty has been proposed. The Irish DPC maintains that Facebook should have been more transparent about the change from consent to contract, and that it was not made sufficiently clear to users of the platform that the contract bypassed the consent requirements of the GDPR. The lack of transparency was determined to be in violation of Articles 5(1)(a), 12(1) and 13(1)(c) of the GDPR. Given the importance of the right to information about data processing activities, the Irish DPC said it “represents a significant level of non-compliance.” The total fines proposed to resolve those violations amount to €28-€36 million, which is 0.048% of Facebook’s global revenue. The maximum financial penalty is 4% of global annual revenue.

“It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law. Since Roman times, the Courts have not accepted such ‘relabeling’ of agreements. You can’t bypass drug laws by simply writing ‘white powder’ on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick,” said Schrems.

Schrems also suggested the Irish DPC developed the GDPR bypass with Facebook prior to the GDPR taking effect. Schrems says there were 10 secret meetings between the Irish DPC and Facebook in the spring of 2018 prior to the GDPR taking effect. The draft decision refers to a “specific analysis” that the DPC provided to Facebook, but the DPC has refused to disclose the content of that analysis.

“The DPC developed the ‘GDPR bypass’ with Facebook, that it is now greenlighting as a regulator. Instead of a regulator, it acts as a ‘big tech’ advisor,” said Schrems. “Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good.”