Irish DPC greenlights Facebook's "GDPR bypass". Schrems: “Decision undermines key element of GDPR.”
The Irish Data Protection Commission (DPC) has sent a "draft decision" (PDF) to the other European Data Protection Authorities on Facebook's legal trick to bypass the GDPR. noyb has published the relevant documents today.
In the DPC’s view, Facebook can simply choose to include the agreement on data processing in a "contract", so that the GDPR requirements for "consent" no longer apply. However, the authority suggests a penalty of €28 to €36 million, as Facebook ought to have been more transparent about this bypass.
- noyb's Complaint of 25 May 2018 (PDF)
- noyb's submissions of 9 September 2019 (PDF)
- noyb's submissions of 11 June 2020 (PDF)
- Draft Decision of the Irish DPC (PDF)
- Schedule to the Draft Decision (PDF)
Agreement to use data is not "consent"? Facebook's legal argument is rather simple: By interpreting the agreement between user and Facebook as a "contract" (Article 6(1)(b) GDPR) instead of "consent" (Article 6(1)(a) GDPR), the strict rules on consent under the GDPR would not apply to Facebook - meaning that Facebook can use all data it has for all products it provides, including advertisement, online tracking and the like, without asking users for freely given consent that they could withdraw at any time. Facebook’s switch from "consent" to "contract" happened on 25.5.2018 at midnight - exactly when the GDPR came into effect in the EU.
Schrems: "It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a 'contract'. If this were accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. This is absolutely against the intentions of the GDPR, which explicitly prohibits hiding consent agreements in terms and conditions."
Illegal since Roman times. Since Roman times, the law says that agreements have to be treated as what they actually are (objective assessment), not as what the parties claim them to be (formal assessment).
Schrems: "It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law. Since Roman times, the Courts have not accepted such 'relabeling' of agreements. You can't bypass drug laws by simply writing 'white powder' on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick."
64% of Facebook users see "consent", but DPC sides with Facebook. To assess the real meaning of the agreement, noyb commissioned the Gallup Institute to carry out an objective study: Of 1,000 Facebook users, only 1.6% saw a contract over advertisement (as claimed by Facebook), while 64% assumed the agreement was "consent". The rest were not sure about the legal meaning of the agreement.
DPC was "simply not persuaded" by European Colleagues. On a European level, the Data Protection Authorities (DPAs) have issued guidelines stating that such a "bypass" of the GDPR is illegal and must be treated as consent. However, the Irish DPC said it is "simply not persuaded" by the view of its European Colleagues.
Ten secret meetings with Facebook on "consent bypass". The surprising ruling is likely based on a deal between Facebook and the DPC from spring 2018, just before the GDPR became applicable. While the DPC argues this would have been a separate procedure, the Draft Decision refers to (undisclosed) "specific analysis" that the DPC provided to Facebook. Facebook equally relied on such a deal before a court in Austria. Despite multiple requests to get access to these files, the DPC refuses to disclose any details of its dealings with Facebook and calls the criticism "unsubstantiated".
Schrems: "The DPC developed the 'GDPR bypass' with Facebook, which it is now greenlighting as a regulator. Instead of a regulator, it acts as a ‘big tech’ advisor."
€28 to €36 million fine for not telling users they get screwed out of GDPR rights. Despite claiming that the “consent bypass” is legal, the DPC still issued a fine to Facebook for not being fully transparent about the legal basis for processing its user data. In summary, the DPC is therefore not planning to take action on the violation raised by the complaint, but instead just proposed that Facebook make the bypass clearer. The penalty would amount to roughly 0.048% of Facebook’s global revenue, despite the option for penalties of up to 4% in the GDPR.
Schrems: "Basically the DPC says Facebook can bypass the GDPR, but they must be more transparent about it. With this approach, Facebook can continue to process data unlawfully, add a line to the privacy policy and just pay a small fine, while the DPC can pretend they took some action."
Schrems: "Russian Procedure". The procedure itself also raises major concerns. The DPC continuously denies access to crucial documents. While the DPC produced a massive 96-page draft decision, it largely "reframed" the users’ written submissions or simply ignored key parts of them. In an attempt to clarify the position of the complainant directly, noyb applied for an oral hearing - which was equally denied by the DPC.
Schrems: "We have cases before many authorities, but the DPC is not even remotely running a fair procedure. Documents are withheld, hearings are denied and submitted arguments and facts are simply not reflected in the decision. The decision itself is lengthy, but most sections just end with a 'view' of the DPC, not an objective assessment of the law."
Case likely to reach EDPB. The Draft Decision has now been sent to the other European Data Protection Authorities (DPAs), who can raise objections to the solution proposed by the Irish DPC. It is very likely that this case will then reach the European Data Protection Board (EDPB), where the DPAs can overrule the Irish DPC, just like in a recent case on WhatsApp.
Schrems: "Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good."