EU: NOYB publishes Irish DPC draft decision to fine Facebook €28-36M, calls for stronger sanctions against 'consent bypass'
None of your business ('NOYB') published, on 13 October 2021, the Irish Data Protection Commission's ('DPC') draft decision proposing a fine of between €28 million and €36 million against Facebook Inc. in relation to transparency failures regarding the processing of user data under the contractual legal basis provided under Article 6(1)(b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the draft decision responds to contentions that Facebook should not be allowed rely on Article 6(1)(b) to process user data based on its terms of service, and that Facebook should be legally obligated to rely on the consent legal basis under Article 6(1)(a) of the GDPR. Furthermore, the draft decision rejects these contentions, arguing that the GDPR does not set out any form of hierarchy of lawful bases that can be used for processing personal data, whether by reference to the categories of personal data or otherwise.
However, the draft decision finds that Facebook had nonetheless failed to provide necessary information regarding its legal basis for processing pursuant to acceptance of the terms of service, noting that the information that has been provided by Facebook is disjointed, and requires users to move in and out of various sections of the data policy and terms of service. The draft decision therefore concludes that Facebook had infringed Articles 5(1)(a), 12(1) and 13(1)(c) of the GDPR.
In response to the draft decision, Max Schrems of NOYB posited, "Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a 'contract'. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions."
NOYB further outlined that the draft decision has been sent to other European data protection authorities and may reach the European Data Protection Board ('EDPB'), at which point such authorities may overrule the DPC, as was the case in the recent decision against WhatsApp.