Open Letter on “confidential” dealings in Facebook case

24 May 2020
open letter by noyb

Within hours of the new GDPR being applicable on 25 May 2018, the European non-profit organisation filed three complaints against the Facebook Group (including WhatsApp and Instagram). Since then, the Irish Data Protection Commission (DPC) has declared the contents of the extremely slow procedure “confidential” and asked not to discuss them in public.

Despite this alleged (and legally non-binding) confidentiality, published an Open Letter (PDF) today that exposes how the GDPR has (not) been enforced two years after it became applicable. Even under the Kafkaesque procedure described in the letter and below, the Facebook Group may still have to face a fine of up to € 2.5 Billion down the road, if the DPC follows its internal investigator report.

Secret meetings on “consent bypass” between DPC and Facebook. The open letter exposes for the first time that the Irish DPC and the Facebook Group (including WhatsApp and Instagram) had ten secret meetings before the GDPR became applicable in 2018. In these meetings, Facebook claims to have had “detailed direct engagement with the Commission prior to the implementation” of an apparent “consent bypass” (details below) to circumvent the GDPR’s strict consent rules. Despite the fact that Facebook relied on these meetings in its submissions and highlighted that the documents were ‘subject to consideration’ by the DPC, the authority refuses access to any records of these secret meetings, including a White Paper submitted by Facebook.

Max Schrems, chairman of “It sounds a lot like those secret ‘tax rulings’ where tax authorities secretly agree with large tech companies on how to bypass the tax laws – just that they now do this with the GDPR too.”

Facebook’s illegal “consent bypass”. In the procedures that were triggered by three complaints filed by two years ago (within the first hours of the GDPR becoming applicable), the Facebook Group openly acknowledges that it simply switched from highly regulated “consent” to an alleged “data use contract”. This contract allegedly obliges Facebook to track, target and conduct research on its users. According to Facebook, this switch happened at the stroke of midnight when the GDPR became applicable.  Such a (mutual) reframing of an agreement (in this case from consent to contract) to bypass the law is called simulatio and is invalid.

Max Schrems: “It is nothing but lipstick on a pig. Since Roman times, the law prohibits ‘renaming’ something just to bypass the law. What Facebook tried to do is not smart, but laughable. The only thing that is really concerning is that the Irish DPC apparently engaged with Facebook when they were designing this scam and is now supposed to independently review it.”

In a study conducted by the Gallup Institute on the “consent bypass”, 64% of 1.000 users believe they gave consent, despite Facebook’s claims to the opposite. Depending on the question, only 1.6-2.5% thought they actually entered into a “data use contract” that includes a duty of Facebook to use their data for advertisement or research. The rest thought it is mere information, a contract without such duties or could not see any meaning in the page.

Max Schrems: “Basically none of the 1,000 users we have asked thinks they have signed such an alleged ‘data use contract’ with Facebook.”

DPC limits legal analysis of the “data use contract” to the Oxford English Dictionary. One reason the DPC could not find any problem with the alleged “data processing contract” that Facebook relies upon is that the DPC simply decided that the analysis of such a contract is outside its powers (“ultra vires”). Instead of analysing the contract under the applicable law, the DPC literally cited the definition of a “contract” from the Oxford English Dictionary in its reports.

Schrems: “In law school, you learn to read law books for legal questions, not a dictionary. It seems this was a winning technique for centuries. It is obvious that the DPC is trying to not review Facebook’s alleged ‘data use contract’.

Overview over procedures two yeary after filing

DPC celebrates finishing 1 of 6 steps in two years? In a public statement late last Friday, the DPC surprisingly named the three procedures triggered by as examples of great progress in the DPC’s work. This is despite the fact that the DPC took two years to complete 1 out of 6 steps of its procedure on WhatsApp and Instagram, and 2 out of 6 steps on Facebook (see overview table). Given that the DPC reported 7,125 complaints in 2019 alone and zero GDPR fines against any private actor, this is hardly an achievement.

Max Schrems: “It is a slap in the face of about 10,000 complainants if the DPC highlights the first of six steps in two cases after two years as an achievement.”

Even plagiarising own report took DPC 10 months. The pride that the DPC took in delivering two draft reports (step 1 of 6) on WhatsApp and Instagram last week seemed even more grotesque when realized that these reports overlap 76 to 82% with the 2019 Facebook report (screenshot).

Max Schrems: “We ran the draft reports on Instagram and WhatsApp that the DPC proudly highlighted last week through a software to identify plagiarism and had a good laugh: 76% and 82%, respectively, were identical to a draft report from last year on Facebook. It seems that even just widely copy and pasting a draft report took them more than 10 months.”

Comparison of Facebook (2019) and Instagram (2020) draft report

DPC report sees a violation of GDPR transparency rules. Fine could reach billions. Even though the DPC resisted reviewing the legality of Facebook’s “consent bypass”, an internal inquiry report nevertheless finds a violation of the GDPR’s transparency requirements in Article 5 GDPR by not adequately informing users of Facebook, WhatsApp, and Instagram about the legal basis for using their data. If the DPC ultimately holds on to this view, it would have to issue an “effective, proportionate and dissuasive” fine of up to 4% of Facebook’s annual revenue (up to € 2.5 billion or US$ 2.83 billion).

Max Schrems: “Basically, the DPC investigation took the position that Facebook can screw users as long as they are more transparent about it. This would nevertheless mean that Facebook, Instagram, and WhatsApp have processed the data of all European users in violation of the GDPR. Even if the DPC only finds this more limited violation, the fine could amount to up to € 2.5 billion.

European Commission and DPAs must take action. In the Open Letter, also calls on the European Commission to take actions against Ireland. With about 10,000 complaints in two years and no fines at all against private actors, it is obvious that Ireland does not effectively implement EU law.

The Open Letter also calls on other European Data Protection Authorities (DPAs) to take steps when colleagues refuse to do their job. While the GDPR unfortunately often lacks clear deadlines, it allows that DPAs request colleagues to take certain actions or to start an “urgency procedure” if another DPA is inactive.

Schrems: “Many DPAs are frustrated with situations like in Ireland, but only calling them out is not enough. They also have to use the tools that the GDPR foresees. We have for example made such applications with the Austrian DPA now.”

To assist this effort, has sent all relevant documents on the pending procedures to the other European DPAs, despite the fact that the Irish DPC has explicitly insisted that may not provide these documents to its colleagues.

Background on is a European data protection non-profit that tries to ensure GDPR enforcement. is funded by more than 3,200 supporting members. The team of 15 people include GDPR lawyers and tech experts from different EU member states. So far, has filed more than 20 GDPR complaints on different matters and against companies such as Amazon, Apple, Google, Facebook, DAZN, SoundCloud, and Netflix.