Facebook’s main data protection regulator in the European Union is set to take its first decision on a complaint against Facebook itself. And it looks like it’s a doozy.
The privacy campaign non-profit Noyb today released a draft Irish Data Protection Commission (DPC) decision on a complaint filed under the EU’s General Data Protection Regulation (GDPR).
The DPC’s draft ruling proposes to impose a $36 million fine on Facebook – a financial penalty that would take the adtech giant just over two and a half hours to earn in revenue, based on its second-quarter revenue ($29 billion).
Yeah, we would like too.
But even more worrying for privacy advocates is the DPC’s apparent willingness to allow Facebook to simply bypass the regulation by claiming that users give it their data because they are in a contract with it to get, uh, targeted advertising.
In a summary of its findings, the DPC writes: “Facebook is under no obligation to seek to rely solely on consent for the purpose of legitimizing the processing of personal data when it offers a contract to a user that certain users might consider to be a contract which mainly concerns the processing of personal data. Facebook has also not claimed to rely on consent under the GDPR.”
“I find that the complainant’s case is not established that the GDPR does not allow Facebook to rely on 6(1)(b) GDPR in the context of its terms of service offer,” the DPC also writes, suggesting that it is totally legitimate for Facebook to claim a legal right to process people’s information for ad targeting, as it now suggests that users have in fact signed a contract with it to serve ads to them.
Simultaneously, however, the DPC’s draft decision does find that Facebook has violated the transparency requirements of the GDPR – in particular Articles 5(1)(a), 12(1) and 13(1)(c) – which means that users are unlikely to have understood that they were signing up for a Facebook advertising contract when they clicked “I agree” on Facebook’s T&Cs.
So the tl;dr here is that Facebook’s public marketing – which claims its service “helps you connect and share with the people in your life” – seems to be missing a few critical details about the ad contract it is actually asking you to enter into, or something.
Insert your own facepalm emoji here.
Pay attention to the enforcement gap
GDPR came into force across the EU in May 2018 – ostensibly to cement and strengthen long-standing privacy rules in the region that historically suffered from lack of enforcement, adding new provisions such as oversized fines (up to 4% of worldwide turnover).
However, EU privacy rules have also suffered from a lack of universally vigorous enforcement since the GDPR update. And the penalties that have been handed down – including a handful against Big Tech – were well below that theoretical maximum. Enforcement has also not led to an obvious retooling of anti-privacy business models – yet.
So the reboot didn’t go exactly the way privacy advocates had hoped.
Despite the existence of the GDPR, the adtech giants have managed to avoid a serious reckoning in Europe over their surveillance-based business models – through the use of forum shopping and cynical delay tactics.
So while there is no dearth of GDPR complaints filed against adtech, complaints about the lack of enforcement in this area are also piling up.
And complainants are now also resorting to legal action.
The problem is that, under the GDPR’s one-stop-shop mechanism, cross-border complaints and investigations, such as those targeting major tech platforms, are led by a single agency – usually the one where the company in question has its legal base in the EU.
And in the case of Facebook (and many other tech giants), it’s Ireland.
The Irish authority has long been accused of being a bottleneck for the effective enforcement of the GDPR, with critics pointing to a glacial pace of enforcement, dozens of complaints simply dropped without any noticeable activity and – in cases where complaints are not totally ignored – disappointing decisions that end up coming out the other side.
One such round of adtech-related GDPR complaints was filed by Noyb immediately after the regulation went into effect three years ago – targeting a number of adtech giants (including Facebook) over what Noyb called “forced consent”. And of course these complaints ended up on the desk of the DPC.
Noyb’s complaint against Facebook argues that the tech giant does not legally collect consent because it does not give users the free choice to consent to the processing of their data for advertising purposes.
Indeed, under EU law, consent must be freely given, specific (i.e. not bundled) and informed to be valid. So the substance of the complaint is not exactly rocket science.
Still, a decision on Noyb’s complaint took years to emerge from the DPC’s office – and even now, in watered-down draft form, it looks utterly disappointing.
Per Noyb, the Irish DPC has decided to accept what the campaign group calls Facebook’s “trick” to circumvent the GDPR – in which the company claims it stopped relying on user consent as a legal basis for processing personal data for ad targeting, switching to a claim that users are in fact in a contract with it to get advertisements injected into their eyeballs, at the same time the GDPR went into effect.
“It is painfully obvious that Facebook is simply trying to sidestep clear GDPR rules by re-qualifying the agreement on the use of data as a ‘contract’,” Noyb founder and chairman Max Schrems said in a statement that warns that allowing such a basic wheeze to stand would undermine the entire regulation. Talk about a smart plan!
“If this were accepted, any business could simply write data processing into a contract and thus legitimize any use of customer data without consent. This is absolutely contrary to the intent of the GDPR, which explicitly prohibits masking consent agreements in terms and conditions.”
“It is neither innovative nor smart to pretend that a deal is something that it is not to circumvent the law,” he adds. “Since Roman times, courts have not accepted such ‘relabelling’ of agreements. You can’t get around drug laws by just writing ‘white powder’ on an invoice, when you are clearly selling cocaine. Only the Irish DPC seems to fall for this trick.”
Ireland has so far issued only two GDPR decisions in complaints against Big Tech: last year in a Twitter security breach case (a $550,000 fine); and earlier this year in an investigation into the transparency of the terms and conditions of WhatsApp (owned by Facebook) (a $267 million fine).
Under the GDPR, a decision on this type of cross-border complaint must go through a collective review process, in which other DPAs have the opportunity to object. It’s a check and balance against one agency becoming too comfortable with business and failing to enforce the law.
And in the two aforementioned cases, objections were raised to the DPC’s plans, which ended up increasing the penalties.
It is therefore very likely that Ireland’s decision on Facebook will run into numerous objections which will result in a more severe sanction for Facebook.
Noyb also highlights guidelines issued by the European Data Protection Board (EDPB) – which it says make it clear that circumvention of the GDPR is not legal and should be treated as consent. But it quotes the Irish DPC as saying that it is “just not convinced” by the point of view of its European colleagues, and suggests that the EDPB will therefore have to intervene again.
“Our hope lies with other European authorities. If they don’t take action, companies can simply translate consent into terms and thus bypass GDPR permanently,” said Schrems.
Noyb has plenty more barbs for the DPC – accusing the Irish authority of having held “secret meetings” with Facebook over its “consent circumvention” (not for the first time), and of withholding documents it requested – and continuing to denounce the regulator for acting as a “‘Big Tech’ adviser” (not, you know, a law enforcer).
“We have cases before many authorities, but the DPC is not even remotely managing a fair procedure,” adds Schrems. “Documents are withheld, hearings are denied and arguments presented and facts are simply not reflected in the decision. The [Facebook] decision itself is long, but most sections simply end with a ‘view’ of the DPC, not an objective assessment of the law.”
We reached out to the DPC to comment on noyb’s claims – but a spokesperson declined, citing an “ongoing process”.
One thing is in no doubt at this point, more than three years after the flagship reboot of data protection in Europe: there will be even more delay in any GDPR enforcement against Facebook.
The GDPR one-stop-shop mechanism – review plus the ability for other DPAs to file objections – has already added several months to the two previous Big Tech DPC decisions. Thus, the DPC issuing another weak draft ruling on a late investigation appears to be becoming a standard procedural lever to slow the pace of GDPR enforcement in the EU.
This will only increase the pressure on EU lawmakers to agree on alternative enforcement structures for the bloc’s growing suite of digital regulations.
Meanwhile, as DPAs battle to try to hit Facebook with a penalty Mark Zuckerberg can’t just laugh off, Facebook continues its lucrative data mining business as usual – while EU citizens wonder: where are my rights?