Facebook allowed by Irish watchdog to flout GDPR's consent requirements, Schrems complains

Facebook should be fined between 28 million euros and 36 million euros and have to make its terms of service more transparent after violating EU data protection rules, according to a draft decision by the Irish privacy watchdog that was made public today by privacy activist Max Schrems.

The draft decision, which hasn’t been confirmed independently by the Irish Data Protection Commission, was made in a complaint brought by Schrems about how the social media company processes personal data in relation to behavioral advertising.

In a statement released alongside the draft decision, Schrems has accused the Irish DPC of allowing Facebook to “bypass” a requirement under the General Data Protection Regulation to request consent from users for their personal data for behavioral data.

In a separate video statement, Schrems also said he planned to contest the finding that Facebook only violated “transparency” requirements.

"Basically the DPC says Facebook can bypass the GDPR, but they must be more transparent about it," Schrems said. "With this approach, Facebook can continue to process data unlawfully, add a line to the privacy policy and just pay a small fine, while the DPC can pretend they took some action."

The draft decision, dated Oct. 6, follows a complaint filed by Schrems’ activist group Noyb in May 2018, shortly after the GDPR took effect, that Facebook was breaking the law by including its data policy in its revised terms and conditions.

The group said that Facebook relied on “forced consent” to process personal data on the basis that “the controller required the data subject to agree to the entire privacy policy and the new terms” and did not give users a genuine choice to decline the updated terms.

The Irish DPC argued that Facebook shifted the legal basis for processing from “consent” to “contract,” siding with the US tech giant on the extent of data processing permitted under the contract and rejecting Schrems’ argument that it should be as narrow as possible.

The draft decision did find that Facebook has violated GDPR requirements to be transparent about its data processing. “Users have not been provided with the information in relation to processing” under GDPR rules “that they are entitled to receive,” the commissioner, Helen Dixon, said. “This represents, in my view, quite a significant information deficit and one which, by any assessment of matters, can equate to a significant inability to exercise control over personal data.”

Schrems argued that this finding didn't address the core issue in his complaint and that the fine should be higher.

"It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a 'contract'," he said. "If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions."

The draft decision has been sent to the European Data Protection Board, the umbrella group of data protection authorities in the 27-nation EU. The authorities can contest the level of the fine and the Irish DPC’s conclusions.

That’s what happened recently when the Irish authority originally proposed a fine of between 30 million euros and 50 million euros for a GDPR violation by Facebook’s messaging service, WhatsApp. Numerous fellow watchdogs on the EDPB insisted on raising the fine, which ended up as 225 million euros, the second highest yet issued under the GDPR. Facebook has appealed that decision.

In the latest case, Facebook has also disputed the complaint and said it shouldn’t be fined. The company declined to comment on the draft decision today. "We don't speculate or comment on live investigations. We are assisting the [Irish] DPC with its inquiries and will await the final decision in due course," a spokesman said.

Facebook’s Irish subsidiary has set aside more than 300 million euros for possible data-protection fines, primarily from the Irish regulator, the company's accounts show.

The Irish DPC wasn't immediately available for comment.