Ireland's GDPR Decision Against Facebook Called a 'Joke'

October 13, 2021
Facebook Faces Potential €36 Million GDPR Fine

The primary data protection regulator for Facebook within the European Union, the Irish Data Protection Commission (DPC), is nearing a decision regarding a complaint filed against the social media platform.

The complaint, submitted by the privacy advocacy group noyb, centers around Facebook’s adherence to the EU’s General Data Protection Regulation (GDPR).

Draft Decision Details

A draft decision released by the DPC proposes a fine of $36 million for Facebook. This penalty represents just over two and a half hours of revenue for the company, based on its second-quarter earnings of $29 billion.

However, the prospect that Facebook will be allowed to circumvent regulations is raising significant concerns among privacy advocates.

The DPC appears willing to accept Facebook’s argument that user data collection is justified by a contractual agreement – specifically, the provision of targeted advertising.

Contractual Basis for Data Processing

According to the DPC’s summary, “There is no obligation on Facebook to solely rely on consent for data processing when offering a contract to a user, particularly if that contract is perceived as primarily concerning personal data handling.”

The DPC further states that Facebook has not claimed to rely on consent under the GDPR, suggesting it is legitimate for the company to assert a legal right to process information for ad targeting.

This is based on the premise that users have effectively signed a contract agreeing to receive targeted advertisements.

Transparency Concerns Remain

Despite this potential allowance, the DPC’s draft decision also identifies infringements of GDPR transparency requirements.

Specifically, Articles 5(1)(a), 12(1), and 13(1)(c) were found to be violated, indicating that users likely did not fully comprehend they were entering into an advertising contract when agreeing to Facebook’s terms and conditions.

Implications of the Ruling

Essentially, Facebook’s public messaging – which emphasizes connecting with friends and family – may be omitting crucial details about the underlying advertising contract users are implicitly agreeing to.

This discrepancy raises questions about the true nature of the agreement between Facebook and its users regarding data processing and targeted advertising.

The ruling highlights the complexities of applying GDPR to large technology companies and the challenges of ensuring user understanding of data processing practices.

Addressing the Gap in GDPR Enforcement

The General Data Protection Regulation (GDPR) was implemented throughout the European Union in May 2018, with the intention of reinforcing existing privacy regulations. A key aim was to address a historical lack of robust enforcement, introducing significantly increased fines – potentially reaching up to 4% of a company’s global turnover.

Despite this update, consistent and vigorous enforcement of EU privacy rules has remained elusive. Penalties levied thus far, even against major technology companies, have generally fallen short of the maximum theoretical amounts. A substantial shift in privacy-compromising business practices has yet to materialize.

Consequently, the anticipated impact of the GDPR has not fully aligned with the expectations of privacy advocates.

Adtech companies, in particular, have largely avoided significant accountability in Europe regarding their surveillance-driven business models, despite the GDPR’s existence. This has been achieved through strategic legal maneuvering and deliberate stalling tactics.

While numerous GDPR complaints are filed against adtech firms, a corresponding increase in complaints concerning the absence of effective regulatory enforcement is also evident.

Furthermore, complainants are increasingly turning to legal challenges to seek redress.

The GDPR’s one-stop-shop mechanism presents a challenge, as cross-border complaints and investigations – especially those targeting large tech platforms – are typically led by a single regulatory agency. This agency is usually located in the country where the company has its primary EU legal establishment.

In the case of Facebook, and many other technology giants, this designated agency is Ireland.

The Irish Data Protection Commission (DPC) has frequently been criticized for acting as a bottleneck in GDPR enforcement. Concerns center on a slow pace of investigations, numerous complaints being dismissed without substantial review, and, when complaints are addressed, decisions that are often considered insufficient.

A series of adtech-related GDPR complaints were submitted by noyb (European Center for Digital Rights) immediately following the regulation’s implementation three years ago. These complaints targeted several adtech companies, including Facebook, alleging “forced consent.” These complaints were subsequently directed to the DPC.

noyb’s complaint against Facebook contends that the company’s consent collection practices are unlawful because users are not presented with a genuinely free choice regarding the processing of their data for advertising purposes.

EU law stipulates that consent must be freely given, specific, and informed to be considered valid. The core issue of the complaint is therefore relatively straightforward.

However, a decision on noyb’s complaint has been delayed for years, and the emerging draft decision appears to be considerably weaker than anticipated.

According to noyb, the Irish DPC intends to accept what the organization describes as Facebook’s “trick” to circumvent the GDPR. The company asserts that, the moment the GDPR took effect, it transitioned from relying on user consent as a legal basis for processing data for ad targeting to claiming that users implicitly agree to receive advertisements as part of a contractual agreement.

“It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a ‘contract,’” stated Max Schrems, founder and chair of noyb, in a press release. He further warned that allowing such a tactic would fundamentally undermine the regulation.

“If this were accepted, any company could simply incorporate data processing into a contract, thereby legitimizing any use of customer data without consent. This is absolutely contrary to the GDPR’s intentions, which explicitly prohibit hiding consent agreements within terms and conditions.”

“It is neither innovative nor intelligent to claim that an agreement is something it is not to avoid the law,” he added. “Courts have historically rejected such ‘relabeling’ of agreements. You cannot evade drug laws by labeling ‘white powder’ on a bill when you are clearly selling cocaine. Only the Irish DPC appears susceptible to this tactic.”

To date, Ireland has issued only two GDPR decisions against Big Tech: a $550,000 fine against Twitter for a security breach last year, and a $267 million fine against (Facebook-owned) WhatsApp earlier this year regarding the transparency of its Terms & Conditions.

Under the GDPR, decisions on cross-border complaints must undergo a collective review process, allowing other Data Protection Authorities (DPAs) to raise objections. This serves as a safeguard against a single agency becoming overly lenient with businesses and failing to enforce the law.

In both previously mentioned cases, objections were raised during the review process, ultimately leading to increased penalties.

It is therefore probable that Ireland’s decision regarding Facebook will also face objections, potentially resulting in a more substantial penalty for the company.

noyb also references guidelines issued by the European Data Protection Board (EDPB), which it claims clearly state that circumventing the GDPR in this way is unlawful and that such processing should be treated as requiring consent. However, the Irish DPC has stated it is “simply not persuaded” by the views of its European counterparts, suggesting the EDPB may need to intervene again.

“Our hope rests with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR permanently,” says Schrems.

noyb further criticizes the DPC, alleging “secret meetings” with Facebook regarding its “consent bypass” strategy (a recurring concern) and accusing the regulator of withholding requested documents. The organization denounces the DPC as acting like a “‘Big Tech’ advisor” rather than a law enforcer.

“We have cases before many authorities, but the DPC is not even remotely running a fair procedure,” adds Schrems. “Documents are withheld, hearings are denied, and submitted arguments and facts are simply not reflected in the decision. The [Facebook] decision itself is lengthy, but most sections just end with a ‘view’ of the DPC, not an objective assessment of the law.”

The DPC was contacted for comment on noyb’s claims but declined to respond, citing an “ongoing process.”

More than three years after the launch of Europe’s flagship data protection regulation, one thing is certain: further delays in GDPR enforcement against Facebook are inevitable.

The GDPR’s one-stop-shop mechanism, including the review process and the opportunity for other DPAs to object, has already added months to the two previous DPC Big Tech decisions. The DPC’s tendency to issue weak draft decisions on protracted investigations appears to be becoming a standard tactic to slow down GDPR enforcement across the EU.

This will likely intensify pressure on EU lawmakers to adopt alternative enforcement structures for the bloc’s expanding portfolio of digital regulations.

Meanwhile, as DPAs continue to strive for a penalty against Facebook that Mark Zuckerberg cannot easily dismiss, Facebook is able to continue its profitable data-mining operations. EU citizens are left questioning the status of their data rights.