Ireland’s Data Protection Commission (DPC) has been investigating Facebook since shortly after the European Union’s General Data Protection Regulation (GDPR) went into effect in 2018. During that time, the agency has developed a reputation for very long investigations that ultimately settle on relatively small fine amounts. That reputation stands to be burnished with its first draft decision against Facebook. The proposed fruits of the Irish DPC’s three-year investigation into the social media giant’s consent and transparency violations are GDPR fines that would amount to a maximum of about $36 million to $42 million, or what the company makes roughly every two hours.
Stemming from a complaint made by privacy group noyb, the Irish DPC began investigating Facebook in August 2018. The complaint called into question the adequacy of Facebook’s terms of service. When Facebook updated its terms in May 2018 to bring the platform into compliance with the GDPR, it furnished users with the choice of accepting the terms or closing their account. The complaint alleged that this was a form of “forced consent” outside the bounds of what the GDPR allows, and that Facebook users were not provided with adequate information about the platform’s data collection or their options.
The Irish DPC’s decision in this matter is not final; it is the beginning of a process in which the other EU data protection authorities will have input. Those authorities have at times been as frustrated with the Irish DPC as privacy advocates have been, because Ireland consistently proposes GDPR fine amounts far lower than its counterparts would like to assess. If there is enough dispute, the case can go before the European Data Protection Board (EDPB), which creates the possibility of the Irish DPC being overruled.
The relatively small GDPR fine stems in part from the Irish DPC’s agreement with Facebook’s fundamental argument, which hinges on the legal classification of the terms rather than on how users understand them. Facebook says that its terms of service form a “contract” in the eyes of the law (a separate legal basis for processing under the GDPR) rather than a document provided as part of the GDPR’s user consent process. As noyb points out, Facebook changed this particular piece of language in its terms in May 2018, just ahead of the start of GDPR enforcement.
noyb argues that this is a clear attempt to bypass the GDPR on a technicality. To this end, it commissioned a study of Facebook users. After reviewing the terms of service, only 1.6% of respondents agreed that they were engaging in a contract with Facebook. 64% said that it should be considered a consent agreement, and the remaining 34% were not sure what the legal status was.
Other EU data authorities have issued specific guidelines that warn against attempting to use this legal loophole to step around GDPR consent requirements. The Irish DPC has rejected this view, and noyb accuses it of engaging in “secret meetings” with Facebook in early 2018 to strike a deal allowing the terms to stand.
Ireland’s history of GDPR fines raises questions
The Irish DPC’s first GDPR fine of substance was issued last month, a $267 million penalty to Facebook-owned WhatsApp. The Irish DPC did not initially seek that amount; its first proposal was for only about 1/4 that amount, and it took a ruling by the EDPB to increase it after other data authorities objected.
This current Facebook ruling may well be headed down the same path, and that path may prove to be the only way to get the Irish DPC to levy substantial GDPR fines. Aside from the WhatsApp fine, Ireland has issued only eight GDPR fines to date, and seven of those went to businesses local to the country rather than to the foreign tech companies that use Dublin as their EU headquarters. The only other fine to a Big Tech firm was issued to Twitter in late 2020, and that €450,000 penalty was also widely criticized as too small.
Aside from the penalty amounts, there is concern about this ruling setting a precedent. If Facebook is allowed simply to couch its user consent and data processing terms in the language of a contract and thereby escape the GDPR’s consent rules, why would every other company not do the same? Companies answering to other lead authorities might run into difficulty, but the lion’s share of major tech companies are headquartered in Dublin because of its favorable perks, which puts them under the Irish DPC.
In the interim, Facebook can continue to operate (and process user data) in the EU as it always has. The process of hashing things out amongst the other data authorities and the EDPB could take months or even years, based on prior examples.
Cillian Kieran, CEO of Ethyca, notes that this situation is another indication that GDPR fines and processes are in need of re-evaluation to ensure that meaningful enforcement actually occurs: “The decision includes a fine that is one-hundredth of the possible fine under GDPR. Article 83 of GDPR requires fines to be effective, proportionate and dissuasive. How can the fine in the draft decision, an amount which Facebook recovers in revenue within less than 5 hours on average, possibly be dissuasive? … Maybe if the Irish DPC did not form a bottleneck on dozens of GDPR investigations, we would be getting these vital interpretations on consent and other legal bases sooner than three and a half years after GDPR takes effect … Our policies and systems are in dire need of consistency; we need consistent legal definitions and applications of legal bases for processing, and they need to be designed into the technical systems themselves. I agree with Schrems that this decision is disappointing and inadequate, both in the fine and in the interpretation of contracts versus consent.”