Front of the Irish social seat of Facebook showing user consent lobby to Irish DPC

Privacy Group Accuses Facebook of Trying to Lobby Irish DPC’s “Contractual” Interpretation of User Consent Into EU-Wide Guidelines

The privacy advocacy group noyb has engaged in many legal battles with Facebook in recent years; one current tilt has been over Facebook’s definition of user consent agreements as “contracts” as a means of stepping around General Data Protection Regulation (GDPR) requirements, a view the Irish DPC supported in a preliminary decision.

noyb has leaked documents that show Facebook approached the Guidelines of the European Data Protection Board (EDPB) with this idea after numerous receptive meetings with the Irish DPC, attempting to give their “user contract” view a legal foothold in all EU nations. Though this idea appears to have been run off by other EU data protection authorities, noyb alleges misconduct by the Irish DPC as it was brought during the period in which the regulator was tasked with making an independent decision about the legality of Facebook’s interpretation of user consent agreements.

noyb and Irish DPC continue public battle over Facebook’s data collection practices

This complicated tale centers on a set of GDPR complaints brought by noyb against Facebook over the last few years, each for different issues. Some have been settled, some have not. The Irish DPC has been a central figure in nearly all of them, given that Facebook (along with many other international tech giants) has its European headquarters in Dublin.

This particular complaint dates back to 2018, and accuses Facebook of attempting to dodge the then-new GDPR requirements by changing the legal definition of its user consent agreements. Framing the usual boilerplate privacy notification and agreement to use of cookies as a “contract” allowed Facebook much more leeway in what they could do and the scope of tracking they could engage in without notification or user consent.

After quite a slow review of the case, the Irish DPC came to a preliminary draft decision that indicated it was going to come down on Facebook’s side of the user consent issue. The public was not meant to know of this yet, but in its displeasure with the direction of the case noyb leaked the decision via its website (setting off a fresh round of legal disputes between all involved parties).

After some back-and-forth and legal threats on both ends, noyb vowed to continue releasing relevant documents to the public. This reveal of the meetings between the Facebook and the Irish DPC on the user consent issue, and later Facebook’s petitioning of the EDPB for the same purpose, appears to be the latest chapter in this saga.

Facebook’s user consent case welcomed by Irish DPC, but roundly rejected by other EU regulators

The first of these documents is a letter from Facebook Ireland to the Irish DPC, dated September 2018. The letter indicates that the two entities had met 10 times prior, during which time noyb contends that the details of Facebook’s user consent bypass mechanism were being hammered out.

The second set of documents indicates that Facebook went before the EDPB with the user consent terms it hammered out with the Irish DPC, and proposed that they be made standard throughout Europe. This idea was swatted down by a number of the other national data protection authorities (DPAs), who in some cases expressed concerns that Facebook was openly attempting to undermine the “system and spirit” of the GDPR and “circumvent legal bases.”

This effort was apparently endorsed by the Irish DPC, however, which in October 2018 sent out a letter to its contemporaries proposing a “freedom to contract” interpretation of the privacy rules that would essentially let Facebook (or anyone else in the social media space) insert language into their privacy terms to shield them from GDPR requirements.

With this, noyb is openly contending what has been a matter of quiet speculation for some time now: the Irish DPC actively works to protect multinationals that base their EU operations in Dublin out of its own economic interest, looking to help them circumvent GDPR rules wherever possible and handling investigations in a way that is favorable to them (proceeding very slowly, ultimately proposing “slap on the wrist” fine amounts).

These documents may cause renewed legal challenges for noyb, which was told by the Irish DPC to sign a confidentiality agreement in order to continue having its complaints heard after it leaked the initial draft decision. noyb contends that leak was legal under the Austrian law it is subject to, and it cites similar law that it says voids Facebook’s claims that the documents are required to be kept confidential.

The Irish DPC verified that the documents involving discussion of the user consent issue were legitimate, but said they contain “nothing unusual.” Nevertheless, the regulator’s handling of cases involving big tech firms and their data collection is drawing greater amounts of scrutiny: last week, the European Commission vice president said that GDPR power-sharing mechanisms may need to be revamped if the Irish DPC continues to be “ineffective” in handling cases within its borders.