First major GDPR decisions looming on Twitter and Facebook

The lead data regulator for much of big tech in Europe is moving inexorably towards issuing its first major cross-border GDPR decision — saying today it’s submitted a draft decision related to Twitter’s business to its fellow EU watchdogs for review.

“The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR,” said the Irish Data Protection Commission (DPC) in a statement.

Europe’s General Data Protection Regulation came into application two years ago, as an update to the European Union’s long-standing data protection framework which bakes in supersized fines for compliance violations. More interestingly, regulators have the power to order that violating data processing cease. While, in many EU countries, third parties such as consumer rights groups can file complaints on behalf of individuals.

Since GDPR begun being applied, there have been thousands of complaints filed across the bloc, targeting companies large and small — alongside a rising clamour around a lack of enforcement in major cross-border cases pertaining to big tech.

So the timing of the DPC’s announcement on reaching a draft decision in its Twitter probe is likely no accident. (GDPR’s actual anniversary of application is May 25.)

The draft decision relates to an inquiry the regulator instigated itself, in November 2018, after the social network had reported a data breach — as data controllers are required to do promptly under GDPR, risking penalties should they fail to do so.

Other interested EU watchdogs (all of them in this case) will now have one month to consider the decision — and lodge “reasoned and relevant objections” should they disagree with the DPC’s reasoning, per the GDPR’s one-stop-shop mechanism which enables EU regulators to liaise on cross-border inquiries.

In instances where there is disagreement between DPAs on a decision the regulation contains a dispute resolution mechanism (Article 65) — which loops in the European Data Protection Board (EDPB) to make a final decision on a majority basis.

On the Twitter decision, the DPC told us it’s hopeful this can be finalized in July.

Commissioner Helen Dixon has previously said the first cross border decisions would be coming “early” in 2020. However the complexity of working through new processes — such as the one-stop-shop — appear to have taken EU regulators longer than hoped.

The DPC is also dealing with a massive case load at this point, with more than 20 cross border investigations related to complaints and/or inquiries still pending decisions — with active probes into the data processing habits of a large number of tech giants; including Apple, Facebook, Google, Instagram, LinkedIn, Tinder, Verizon (TechCrunch’s parent company) and WhatsApp — in addition to its domestic caseload (operating with a budget that’s considerably less than it requested from the Irish government).

The scope of some of these major cross-border inquiries may also have bogged Ireland’s regulator down.

But — two years in — there are signs of momentum picking up, with the DPC’s deputy commissioner, Graham Doyle, pointing today to developments on four additional investigations from the cross-border pile — all of which concern Facebook owned platforms.

The furthest along of these is a probe into the level of transparency the tech giant provides about how user data is shared between its WhatsApp and Facebook services.

“We have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their submissions which will be taken in to account by the DPC before preparing a draft decision in that matter also for Article 60 purposes,” said Doyle in a statement on that. “The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.”

The other three cases the DPC said it’s making progress on relate to GDPR consent complaints filed back in May 2018 by the EU privacy rights not-for-profit, noyb.

noyb argues that Facebook uses a strategy of “forced consent” to continue processing individuals’ personal data — when the standard required by EU law is for users to be given a free choice unless consent is strictly necessary for provision of the service. (And noyb argues that microtargeted ads are not core to the provision of a social networking service; contextual ads could instead be served, for example.)

Back in January 2019, Google was fined $57M by France’s data watchdog, CNIL, over a similar complaint.

Per its statement today, the DPC said it has now completed the investigation phase of this complaint-based inquiry which it said is focused on “Facebook Ireland’s obligations to establish a lawful basis for personal data processing”.

“This inquiry is now in the decision-making phase at the DPC,” it added.

In further related developments it said it’s sent draft inquiry reports to the complainants and companies concerned for the same set of complaints for (Facebook owned) Instagram and WhatsApp.

Doyle declined to give any firm timeline for when any of these additional inquiries might yield final decisions. But a summer date would, presumably, be the very earliest timeframe possible.

The regulator’s hope looks to be that once the first cross-border decision has made it through the GDPR’s one-stop-shop mechanism — and yielded something all DPAs can sign up to — it will grease the tracks for the next tranche of decisions.

That said, not all inquiries and decisions are equal clearly. And what exactly the DPC decides in such high profile probes will be key to whether or not there’s disagreement from other data protection agencies. Different EU DPAs can take a harder or softer line on applying the bloc’s rules, with some considerably more ‘business friendly‘ than others. Albeit, the GDPR was intended to try to shrink differences of application.

If there is disagreement among regulators on major cross border cases, such as the Facebook ones, the GDPR’s one-stop-shop mechanism will require more time to work through to find consensus. So critics of the regulation are likely to have plenty of attack area still.

Some of the inquiries the DPC is leading are also likely to set standards which could have major implications for many platforms and digital businesses so there will be vested interests seeking to influence outcomes on all sides. But with GDPR hitting its second birthday — and still hardly any decision-shaped lumps taken out of big tech — the regional pressure for enforcements to get flowing is massive.

Given the blistering pace of tech developments — and the market muscle of big tech being applied to steamroller individual rights — EU regulators have to be able to close the gap between investigation and enforcement or watch their flagship framework derided as a paper tiger…

Update: noyb has since issued an open letter calling for the European Commission to take action against the DPC for failing to enforce the regulation — accusing the regulator of engaging with Facebook on a so-called “consent bypass” in which it claims Facebook told it it has switched from “consent” to an “alleged data use contract” with users as its legal basis.

“This contract allegedly obliges Facebook to track, target and conduct research on its users,” noyb writes in the letter. “According to Facebook, this switch happened at the stroke of midnight when the GDPR became applicable.  Such a (mutual) reframing of an agreement (in this case from consent to contract) to bypass the law is called simulatio and is invalid.”

“It is nothing but lipstick on a pig,” Schrems continues in the statement. “Since Roman times, the law prohibits ‘renaming’ something just to bypass the law. What Facebook tried to do is not smart, but laughable. The only thing that is really concerning is that the Irish DPC apparently engaged with Facebook when they were designing this scam and is now supposed to independently review it.”

“It is a slap in the face of about 10,000 complainants if the DPC highlights the first of six steps in two cases after two years as an achievement,” added Schrems.

We’ve reached out to the DPC for comment on that. Update II: The DPC denied holding any “secret meetings” with Facebook, saying: “We regularly engage and meet with companies from all sectors as part of our regulatory enforcement and supervision functions, in accordance with Article 57 of the GDPR, in the same way that many of our EU colleague Data Protection Authorities do.”

“The DPC currently has 23 ‘big tech’ inquiries open and last Friday we announced significant developments in a number of these inquiries, including three that were initiated on foot of complaints received from noyb,” it added. “One of these complaint-based inquiries, which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing, has now moved to the decision-making phase at the DPC. In the other two, concerning the Instagram and WhatsApp platforms respectively, we have sent draft inquiry reports to the complainants and companies concerned. We cannot comment any further on these inquiries at this point as they are very much ongoing.”

Schrems II

Summer is also shaping up to be an interesting time for privacy watchers for another reason, with a landmark decision due from Europe’s top court on July 16 on the so called ‘Schrems II’ case (named for the Austrian lawyer, privacy rights campaigner and noyb founder, Max Schrems, who lodged the original complaint) — which relates to the legality of Standard Contractual Clauses (SCC) as a mechanism for personal data transfers out of the EU.

The DPC’s statement today makes a point of flagging this looming decision, with the regulator writing: “The case concerns proceedings initiated and pursued in the Irish High Court by the DPC which raised a number of significant questions about the regulation of international data transfers under EU data protection law. The judgement from the CJEU on foot of the reference made arising from these proceedings is anticipated to bring much needed clarity to aspects of the law and to represent a milestone in the law on international transfers.”

A legal opinion issued at the end of last year by an influential advisor to the court emphasized that EU data protection authorities have an obligation to step in and suspend data transfers by SCC if they are being used to send citizens’ data to a place where their information cannot be adequately protected.

Should the court hold to that view, all EU DPAs will have an obligation to consider the legality of SCC transfers to the US “on a case-by-case basis”, per Doyle.

“It will be in every single case you’d have to go and look at the set of circumstances in every single case to make a judgement whether to instruct them to cease doing it. There won’t be just a one size fits all,” he told TechCrunch. “It’s an extremely significant ruling.”

(If you’re curious about ‘Schrems I’, read this from 2015.)