Regulators in Ireland have proposed up to $42 million in fines for Facebook after the company was accused of violating the GDPR through deceptive data collection policies.
Privacy expert Max Schrems and his advocacy group nyob — which submitted the original complaint against Facebook — published a draft decision from the Irish Data Protection Commission (DPC) about the issue that was sent to the other European Data Protection Authorities.
The decision suggests a fine of between $32 million and $42 million for Facebook’s violations of the GDPR, which include a failure to notify its customers about how it uses their data.
Schrems and other privacy experts slammed the proposed fine for its relatively minuscule size and for the legal arguments Facebook is making to get out of more strict fines.
Nyob said Facebook’s argument is effectively that it is exempt from most GDPR rules because of a minor change in its agreement with users.
“Facebook’s legal argument is rather simple: By interpreting the agreement between user and Facebook as a ‘contract’ (Article 6(1)(b) GDPR) instead of ‘consent’ (Article 6(1)(a) GDPR) the strict rules on consent under the GDPR would not apply to Facebook — meaning that Facebook can use all data it has for all products it provides, including advertisement, online tracking and alike, without asking users for freely given consent that they could withdraw at any time,” nyob explained in a blog post.
“Facebook’s switch from ‘consent’ to ‘contract’ happened on 25.5.2018 at midnight — exactly when the GDPR came into effect in the EU.”
Schrems said it is painfully obvious that Facebook is trying to bypass the rules of the GDPR by relabeling the agreement on data use as a ‘contract’. If this is accepted by regulators, any company could simply write the processing of data into a contract and thereby legitimize any use of customer data without consent, Schrems explained.
“This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions,” Schrems said.
Nyob noted that studies have shown users do not see the website’s terms of service as a contract. A Gallup Institute survey said just 1.6% of respondents saw the agreement they make with Facebook when they sign up for the site as a “contract.” More than 63% said they see the agreement as consent.
Schrems and nyob also made charged claims in the blog post, writing that representatives from Facebook and the DPC met in 2018 and created a way for Facebook to get around certain GDPR regulations.
He went on to explain that regulators were fining Facebook for “not being transparent” about how it processes data but still expressed support for the company’s “consent bypass.”
Both Facebook and the DPC did not respond to requests for comment.
“The DPC developed the ‘GDPR bypass’ with Facebook that it is now greenlighting as a regulator. Instead of a regulator, it acts as a ‘big tech’ advisor,” Schrems said.
“Basically the DPC says Facebook can bypass the GDPR, but they must be more transparent about it. With this approach, Facebook can continue to process data unlawfully, add a line to the privacy policy and just pay a small fine, while the DPC can pretend they took some action.”
Schrems also took issue with how the DPC analyzed nyob’s complaint, criticizing the regulators for omitting key parts of their submission and refusing oral hearings.
The draft was sent to other data protection authorities across Europe and will now be reviewed. Regulators from other countries can submit complaints, which will then be handled by the European Data Protection Board. The board can overrule decisions made by Irish regulators.
WhatsApp was slapped with a 225 million euro fine last month after a GDPR investigation found that the platform was not transparent about how it shared data with its parent company, Facebook. In that case, Irish regulators faced similar backlash for the initial 50 million euro fine. The European Data Protection Board overruled the DPC and increased it significantly.
“Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good,” Schrems said.
Privacy expert Cillian Kieran told ZDNet the fine mentioned in the draft is just one-hundredth of the possible fine under GDPR.
Kieran also took issue with how the DPC represented Facebook’s position and the core tenets of their argument. He said that there needs to be consistent legal definitions designed into the technical systems themselves.
“How can the fine in the draft decision, an amount which Facebook recovers in revenue within less than 5 hours on average, possibly be dissuasive? Much of the decision goes into countering allegations that Facebook violated consent requirements. The decision argues that consent is not necessary in this situation, nullifying any issues of consent. This points to a serious disparity in how authorities, advocates, and end-users like the complainant view the principles of processing under GDPR,” Kieran said.
“Maybe if the Irish DPC did not form a bottleneck on dozens of GDPR investigations, we would be getting these vital interpretations on consent and other legal bases sooner than three and a half years after GDPR takes effect. I agree with Schrems that this decision is disappointing and inadequate, both in the fine and in the interpretation of contracts versus consent.”