A draft decision from Ireland’s Data Protection Commissioner (DPC) endorsing Facebook’s legal basis for processing personal data has been met with criticism by a data protection activist who says the platform is trying to bypass EU privacy laws.
Since the EU’s GDPR entered into force, Facebook took a unique approach by including data processing specifications in its general terms and conditions.
Subsequently, the internet giant interprets the agreement as a contract rather than consent. Critics said this is an illegal loophole that the company uses to bypass the strict requirements GDPR imposes. Notably, that consent must be informed, given freely, specific and can be withdrawn at any time.
The draft decision published by NOYB said that “there is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data.”
The draft text has prompted criticism from Max Schrems, a data protection activist who initiated the complaint against Facebook in 2018 with NOYB, the NGO he founded.
“It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a ‘contract’. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimise any use of customer data without consent,” Schrems said.
For the Austrian activist, the Irish privacy watchdog’s draft decision goes against the guidelines issued by the European Data Protection Board (EDPB). This is the body that gathers all EU data protection authorities, on the processing of personal data to provide digital services.
The DPC has clashed on several occasions with its peers, who have accused it of having a timid approach to GDPR enforcement. As Facebook falls under its jurisdiction, the Irish privacy watchdog has the lead on the case. This does not mean, however, that the other data protection authorities do not have a say.
The draft decision will now be sent to the concerned authorities, which under GDPR’s dispute resolution mechanism will be able to make significant changes to the DPC’s draft decision. That was the case in a recent decision concerning WhatsApp, which saw the final fine being significantly scaled up following insistence from other European regulators.
A source close to the matter told EURACTIV it is certain that other EU authorities will challenge the decision, triggering the dispute resolution mechanism.
Facebook’s primary source of income is targeted advertising, which consists of harvesting and processing vast amounts of data. Therefore, a negative decision on the contractual approach would have disastrous consequences for its business model.
“We don’t speculate or comment on live investigations. We are assisting the IDPC with its inquiries and will await the final decision in due course,” a Facebook spokesperson told EURACTIV.
At the same time, the draft decision points to a lack of clarity in informing users about the legal basis used to process their data.
“The Irish DPC did find that Facebook had failed to provide clear information about its legal basis for processing. These transparency-related findings are very common in GDPR decisions—WhatsApp was found to have committed a similar infringement last month,” said Robert Bateman, research director at GRC World Forums.
Schrems has initiated another proceeding against Facebook, challenging the legality of its data processing practices. In July, the Austrian Supreme Court referred the case to the Court of Justice of the European Union (CJEU), which is yet to give a verdict.
“The CJEU might come to a different conclusion,” Bateman noted.