Facebook’s lead data protection regulator in the European Union is inching toward making its first decision on a complaint against Facebook itself. And it looks like it’s a doozy.
Privacy campaign not-for-profit noyb today published a draft decision by the Irish Data Protection Commission (DPC) on a complaint made under the EU’s General Data Protection Regulation (GDPR).
The DPC’s draft decision proposes to fine Facebook $36 million — a financial penalty that would take the adtech giant just over two and a half hours to earn in revenue, based on its second quarter earnings (of $29 billion).
Yeah, we lol’d too.
But even more worrying for privacy advocates is the apparent willingness of the DPC to allow Facebook to simply bypass the regulation by claiming users are giving it their data because they’re in a contract with it to get, er, targeted ads.
In a summary of its findings, the DPC writes: “There is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data. Nor has Facebook purported to rely on consent under the GDPR.”
“I find the Complainant’s case is not made out that the GDPR does not permit the reliance by Facebook on 6(1)(b) GDPR in the context of its offering of Terms of Service,” the DPC also writes, suggesting it’s totally bona fide for Facebook to claim a legal right to process people’s information for ad targeting because it’s now suggesting users actually signed up for a contract with it to deliver them ads.
Yet — simultaneously — the DPC’s draft decision does find that Facebook infringed GDPR transparency requirements — specifically: Articles 5(1)(a), 12(1) and 13(1)(c) — meaning that users were unlikely to have understood they were signing up for a Facebook ad contract when they clicked “I agree” on Facebook’s T&Cs.
So the tl;dr here is that Facebook’s public-facing marketing — which claims its service “helps you connect and share with the people in your life” — appears to be missing a few critical details about the advertising contract it’s actually asking you to enter into, or something.
Insert your own facepalm emoji right here.
Mind the enforcement gap
The GDPR came into application across the EU back in May 2018 — ostensibly to cement and strengthen long-standing privacy rules in the region which had historically suffered from a lack of enforcement, by adding new provisions such as supersized fines (of up to 4% of global turnover).
However EU privacy rules have also suffered from a lack of universally vigorous enforcement since the GDPR update. And those penalties that have been issued — including a handful against Big Tech — have been far lower than that theoretical maximum. Nor has enforcement led to an obvious retooling of privacy hostile business models — yet.
So the reboot hasn’t exactly gone as privacy advocates hoped.
Adtech giants especially have managed to avoid a serious reckoning in Europe over their surveillance-based business models despite the existence of the GDPR — through the use of forum shopping and cynical delay tactics.
So while there is no shortage of GDPR complaints being filed against adtech, complaints over the lack of regulatory enforcement in this area are equally stacking up.
And complainants are now also resorting to legal action.
The issue is, under GDPR’s one-stop-shop mechanism, cross-border complaints and investigations, such as those targeted at major tech platforms, are led by a single agency — typically where the company in question has its legal base in the EU.
And in Facebook’s case (and many other tech giants’) that’s Ireland.
The Irish authority has long been accused of being a bottleneck to effective enforcement of the GDPR, with critics pointing to a glacial pace of enforcement, scores of complaints simply dropped without any discernible activity and — in instances where the complaints aren’t totally ignored — underwhelming decisions eventually popping out the other end.
One such series of adtech-related GDPR complaints were filed by noyb immediately the regulation came into application three years ago — targeting a number of adtech giants (including Facebook) over what noyb called “forced consent.” And these complaints of course ended up on the DPC’s desk.
noyb’s complaint against Facebook argues that the tech giant does not collect consent legally because it does not offer users a free choice to consent to their data being processed for advertising.
This is because under EU law consent must be freely given, specific (i.e., not bundled) and informed in order to be valid. So the substance of the complaint is not exactly as complicated as rocket science.
Yet a decision on noyb’s complaint has taken years to emerge from the DPC’s desk — and even now, in dilute draft form, it looks entirely underwhelming.
Per noyb, the Irish DPC has decided to accept what the campaign group dubs Facebook’s “trick” to bypass the GDPR — in which the company claims it switched away from relying on consent from users as a legal basis for processing people’s data for ad targeting to claiming users are actually in a contract with it to get ads injected into their eyeballs the very moment the GDPR came into force.
“It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a ‘contract,'” said noyb founder and chair, Max Schrems, in a statement which goes on to warn that were such a basic wheeze allowed to stand it would undermine the whole regulation. Talk about a cunning plan!
“If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions.”
“It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law,” he adds. “Since Roman times, the Courts have not accepted such ‘relabeling’ of agreements. You can’t bypass drug laws by simply writing ‘white powder’ on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick.”
Ireland has only issued two GDPR decisions in complaints against Big Tech thus far: Last year in a case against a Twitter security breach ($550,000 fine); and earlier this year in an investigation into the transparency of (Facebook-owned) WhatsApp T&Cs ($267 million fine).
Under the GDPR, a decision on these type of cross-border GDPR complaints must go through a collective review process — where other DPAs get a chance to object. It’s a check and balance on one agency getting too cosy with business and failing to enforce the law.
And in both the aforementioned cases objections were raised on the DPC drafts that ended up increasing the penalties.
So it is highly likely that Ireland’s Facebook decision will face plenty of objections that end in a tougher penalty for Facebook.
noyb also points to guidelines put out by the European Data Protection Board (EDPB) — which it says make it clear that bypassing the GDPR isn’t legal and must be treated as consent. But it quotes the Irish DPC saying it is “simply not persuaded” by the view of its European Colleagues and suggests the EDPB will therefore have to step in yet again.
“Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good,” says Schrems.
noyb has plenty more barbs for the DPC — accusing the Irish authority of holding “secret meetings” with Facebook on its “consent bypass” (not for the first time); and of withholding documents it requested — going on to denounce the regulator as acting like a “‘Big Tech’ adviser” (not, y’know, a law enforcer).
“We have cases before many authorities, but the DPC is not even remotely running a fair procedure,” adds Schrems. “Documents are withheld, hearings are denied and submitted arguments and facts are simply not reflected in the decision. The [Facebook] decision itself is lengthy, but most sections just end with a ‘view’ of the DPC, not an objective assessment of the law.”
We reached out to the DPC for comment on noyb’s assertions — but a spokesperson declined, citing an “ongoing process.”
One thing is beyond doubt at this point, over three years into Europe’s flagship data protection reboot: There will be even more delay in any GDPR enforcement against Facebook.
The GDPR’s one-stop-shop mechanism — of review plus the chance for other DPAs to file objections — already added multiple months to the two earlier DPC Big Tech decisions. So the DPC issuing another weak draft decision on a late-running investigation looks like it’s becoming a standard procedural lever to decelerate the pace of GDPR enforcement across the EU.
This will only increase pressure for EU lawmakers to agree alternative enforcement structures for the bloc’s growing suite of digital regulations.
In the meanwhile, as DPAs fight it out to try to hit Facebook with a penalty Mark Zuckerberg can’t just laugh off, Facebook gets to continue its lucrative data-mining business as usual — while EU citizens are left asking where are my rights?