noyb's Second "Advent Reading": How the Irish DPC tried to lobby Facebook's "GDPR bypass" into European Guidelines.
This week, noyb published two rounds of documents as part of their "Advent Readings" from DPC and Facebook documents: A letter from Facebook to the Irish DPC confirms that the DPC had ten meetings with Facebook where they discussed and agreed on Facebook's GDPR bypass. The second round of documents shows that the DPC tried to push this bypass for "Social Media" into Guidelines of the European Data Protection Board (EDPB) but was met with harsh criticism from other European Data Protection Authorities (DPAs), going all the way with comments like "We think that this interpretation undermines the system and spirit of the GDPR“ or "This reduces the GDPR to a pro-forma instrument." The DPC's attempt to include the GDPR bypass into the guidelines took place, while it was tasked with being an indepent decision maker in a pending case on Facebook's "GDPR bypass".
Ten Meetings between Facebook and the DPC. As previously reported, Facebook had ten meetings with the DPC on how to approach the GDPR. In these meetings the multinational and the Irish regulator have agreed on a "GDPR bypass", by simply moving the consent clause into the terms and conditions of Facebook, claiming that this would bypass the GDPR's consent rules under Article 6(1)(a) of the GDPR, but make Article 6(1)(b) applicable instead.
The Proposed EDPB Guidelines. The newly discovered documents go even further: In 2018, the Irish DPC stated an initiative on EU level and started a new project in the EDPB's "Key Provisions Subgroup" on Article 6(1)(b) GDPR - exactly the provision it has previously agreed with Facebook to use as a GDPR bypass. The DPC was leading the group that had its first meeting in April 2018 - other European authorities were joining the group. The exact participants are not clear from the documents. In October 2018 the Irish DPC then sent a letter outlining a "strict" and, what the DPC called, a "freedom to contract" approach. The "freedom of contract" approach was an euphemism for an approach where controllers could write anything into their terms and thereby bypass the GDPR. The DPC proposed draft guidelines that were aimed at moving towards the "bypass" approach. This basically allowed companies to just put a clause into their terms and conditions to make the harvesting of data "necessary" for a contract and thereby bypass the consent requirement under the GDPR.
The Reaction by other DPAs. The reactions by other DPAs were extremely negative. Some examples include (A70): "This seems to accept monetisation of personal data and circumventing the other legal bases (see comments made above). We think that this interpretation undermines the system and spirit of the GDPR." or (A90): "Disagree. This reduces the GDPR to a proforma instrument." or (A103): "Contrary to everything we believe in (sorry, but it’s true), as well as previous A29WP guidance."
Here you can watch a video with many of these comments read out by noyb staff and current or former noyb trainees:
Role of "Social Media" in the Guidelines. The guidelines are general guidelines for any industry sector, however the DPC proposal is repeatedly focusing on "social networks" and "social media", so exactly the industry sector where Facebook has a de facto monopoly. Other DPAs notices this in their comments (A96): "Furthermore, all the examples seem to relate to social networks." or (A105) “We suggest removing this example, as this refers again to social media." Other comments explicitly attacked the DPC's suggestion that "social media" could just use all data for advertisement under a contract (A103): "Is it possible to provide social media accounts without tracking and profiling? Yes, in fact it is. Therefore, tracking or profiling is not necessary for the performance of that contract."
Conflict with pending Case? It is especially interesting that the DPC has made these proposals, when a complaint by noyb on Facebook's consent bypass was already before the regulator. Instead of taking a neutral position, DPC has even tried to lobby for Facebook's GDPR bypass on the European level.
The End Result. The subgroup has finished the project and published them as EDPB Guidelines 2/2019. All references to social networks and the option to bypass consent via an alleged "contract" were removed, against the DPC's position. The DPC seems to have proposed to delay the publication of the guidelines that go contrary to their agreement with Facebook, but was not successful with delaying the (now highly unfavourable) guidelines either. According to POLITICO, the DPC was the only DPA voting against the final guidelines.
Max Schrems, chairperson of noyb.eu: "The documents show a clear plan: First the Irish regulator agreed on a GDPR bypass with Facebook. Then it tries to squeeze this bypass into European guidelines. The DPC clearly does not act in the interest of data protection, but in the interest of US multinationals. Usually it is Facebook lobbyists that try to influence guidelines in the interest of their industry sector, here the regulator has turned into a lobbyist."
Legal Status of Documents. The EDPB documents were provided by the EDPB under the EU freedom of information rules. The letter by Facebook was provided under § 17 of the Austrian Administrative Act (AVG) and was therefore not deemed confidential - despite being stamped "strictly confidential" and Facebook's demand that the DPC may not share the documents.
All Documents: Below you can find all documents we published for this advent reading. We highly recommend to also read our overview first, as the draft document is slightly confusing when read the first time. Comment A89R88 is especially relevant, as it was not blackened and says "The Irish DPC is concerned that...", showing that the DPC is the author of these reactions. We have confirmed this via additional sources and digital fragments in the documents. The DPC did not react when asked for a comment, but also did not deny authorship.
Note: For the EDPB documents, it should be noted that the names of individual DPAs were removed. However, comments usually have a number starting with "A" (like "A88") reactions by the Irish DPC to these comments, usually have an "R" in the number, which indicates which comment this is a reaction to the comment after that number ("A89R88" is therefore comment 89, but also a reaction to A88"). On pages with too many comments, the comments can be found on the final pages of the document, under the relevant number starting with "A".