Facebook’s leading data protection regulator in the European Union is moving towards making its first decision on a complaint against Facebook. And it looks like it’s a doozy.
Privacy campaign not-for-profit noyb today published a draft decision by the Irish Data Protection Commission (DPC) on a complaint made under the European Union’s General Data Protection Regulation (GDPR).
The DPC’s draft ruling proposes to fine Facebook $36 million – a financial penalty that would take the adtech giant more than two and a half hours to earn in revenue, based on its second quarter earnings (of $29BN).
Yes, we would be happy too…
But of even greater concern for privacy advocates is the DPC’s explicit willingness to allow Facebook to bypass the regulation simply by claiming that users are giving it their data because they are in a contract with it to get, er, targeted advertising…
In summarizing its findings, the DPC writes: “Facebook has no obligation to rely solely on consent for the purposes of legalizing personal data processing where it is offering a user a contract that some users may rate as one primarily related to the processing of personal data. Nor does Facebook claim to rely on consent under the GDPR.”
“I find that the complainant’s case is not made that the GDPR does not permit a reliance by Facebook on 6(1)(b) GDPR in the context of the offering of its Terms of Service,” the DPC also writes, suggesting that it is completely legitimate for Facebook to claim the legal right to process people’s information for ad targeting because it is now suggesting that users have actually signed up for a contract with it to serve them ads.
Yet, at the same time, the DPC’s draft decision does find that Facebook violated GDPR transparency requirements – specifically Articles 5(1)(a), 12(1) and 13(1)(c) – meaning users were unlikely to have understood that they were signing up for a Facebook ads contract when they clicked ‘I agree’ to Facebook’s terms and conditions.
So the tl;dr here is that Facebook’s public-facing marketing – which claims its service “helps you connect and share with the people in your life” – seems to be missing some important details about the advertising contract it is in fact asking you to enter, or something…
Enter your own Facepalm emoji here.
Keep in mind the enforcement gap
The GDPR came into force across the European Union in May 2018 – apparently to try and strengthen long-standing privacy rules in a region that has historically suffered from a lack of enforcement, by adding new provisions such as supersized fines (of up to 4% of global turnover).
However, EU privacy rules have also suffered from a lack of universally vigorous enforcement since the GDPR update. And the penalties that have been issued – including a handful against big tech – are far below that theoretical maximum. Nor has enforcement led to an apparent reassessment of the privacy-hostile business model – yet.
So the reboot didn’t go exactly as privacy advocates had hoped.
The adtech giant has managed to avoid a serious reckoning over its surveillance-based business model, despite the existence of the GDPR, through the use of forum shopping and cynical delay tactics – especially in Europe.
So while there is no shortage of GDPR complaints against adtech, complaints about a lack of regulatory enforcement in this area are equally piling up.
And the complainants are now resorting to legal action as well.
The point is that under the GDPR’s one-stop-shop mechanism, cross-border complaints and investigations, such as those targeted at major tech platforms, are led by a single agency – usually the one where the company has its legal base in the EU.
And in the case of Facebook (and many other tech giants) that is Ireland.
The Irish authority has long been accused of being an impediment to the effective enforcement of the GDPR, with critics pointing to a glacial pace of enforcement, scores of complaints left without any apparent activity and – in instances where grievances are not completely ignored – underwhelming decisions eventually flowing out the other end.
One such series of adtech-related GDPR complaints was filed by Noyb three years ago, immediately after the regulation went into effect – targeting several adtech giants (including Facebook) over what Noyb called “forced consent”. And these complaints certainly ended up on the DPC’s desk.
Noyb’s grievance against Facebook argues that the tech giant doesn’t legally collect consent because it doesn’t offer users a free choice over consenting to their data being processed for advertising.
This is because, under EU law, consent must be freely given, specific (i.e. not bundled) and informed to be valid. So the gist of the complaint is not exactly rocket science.
Yet the decision on Noyb’s complaint took years to emerge from the DPC’s desk – and even now, as a thin draft, it looks downright underwhelming.
Per Noyb, the Irish DPC has decided to accept what the campaign group calls Facebook’s “trick” to bypass the GDPR – in which the company claims it did away with relying on consent from users as the legal basis for processing people’s data for ad targeting, instead claiming users are in fact in a contract with it to have ads injected into their eyes, as soon as the GDPR was implemented.
“It is abundantly clear that Facebook seeks to circumvent the GDPR’s explicit rules on data use by re-labeling the agreement on data use as an ‘agreement’,” said Max Schrems, Noyb’s founder and president, in a statement. Allowing such a basic wheeze to stand would undermine the whole regulation. Talk about a clever plan!
“If this will be accepted, any company may contract the processing of the data and thereby legalize any use of customer data without consent. This is absolutely against the intentions of the GDPR, which expressly prohibits concealment of consent agreements in terms and conditions.”
“It is neither innovative nor smart to claim that a settlement is something the law is not to circumvent,” he says. “Since Roman times, courts have not accepted such ‘re-labeling’ of agreements. When you explicitly sell cocaine, you cannot circumvent drug laws by simply writing ‘white powder’ on the bill. Looks like only Irish DPCs fall for this trick.”
Ireland has so far issued only two GDPR rulings in complaints against Big Tech: last year, in a case concerning a Twitter security breach ($550k fine); and earlier this year, in an investigation into the transparency of (Facebook-owned) WhatsApp’s T&Cs ($267M fine).
Under the GDPR, decisions on such cross-border GDPR complaints must go through a collective review process – where other DPAs have a chance to object. This is a check and balance against one agency getting too comfortable with business and failing to enforce the law.
And in both of the above cases, objections were raised to the DPC’s drafts, leading to increased penalties.
It is therefore highly likely that Ireland’s Facebook decision will face a lot of objections and end up as a harder penalty for Facebook.
Noyb also points to guidelines published by the European Data Protection Board (EDPB) – which it says make clear that such a bypass of the GDPR is not legal and should be treated as consent. But it quotes the Irish DPC as saying it is “simply not willing” to go along with the view of its European allies, and suggests the EDPB will have to step in again.
“Our hope lies with other European authorities. If they do not act, companies can simply transfer consent to the terms and thus bypass the GDPR for good,” Schrems says.
Noyb has plenty more barbs for the DPC too – accusing the Irish authority of holding “secret meetings” with Facebook to “bypass consent” (not for the first time), and of withholding the documents it requested – and goes on to condemn the regulator for acting as a “‘Big Tech’ advisor” (rather than, you know, a law enforcer).
“We have cases before many officers, but the DPC is not running the due process even remotely,” Schrems says. “Documents are withheld, hearings are refused and arguments are presented and facts are simply not reflected in the judgment. The [Facebook] decision itself is lengthy, but most of the clauses end only with the ‘view’ of the DPC and not with an objective assessment of the law.”
We reached out to the DPC for comment on Noyb’s claim – but a spokesperson declined, citing an “ongoing process.”
One thing is beyond doubt at this point, more than three years into Europe’s major data protection reboot: there will be further delay in any GDPR enforcement against Facebook.
The GDPR’s one-stop-shop mechanism – with its review and the chance for other DPAs to file objections – has already added several months to the two earlier DPC ‘Big Tech’ decisions. So the DPC’s recent issuing of another weak draft decision on an ongoing investigation appears to be becoming a standard procedural lever to slow the pace of GDPR enforcement in the EU.
This will only increase the pressure on EU lawmakers to agree to alternative enforcement structures for the bloc’s growing suite of digital rules.
Meanwhile, as DPAs fight to try to hit Facebook with a penalty Mark Zuckerberg can’t laugh off, Facebook gets to continue its lucrative data-mining business as usual – while EU citizens are left asking: where are my rights?