Triggers argument

Ireland’s Facebook decision triggers argument over limits of GDPR

Ireland largely upheld Facebook’s argument that it doesn’t need consent to collect data.

BY VINCENT MANANCOURT

EU officials are gearing up for a fight over how much leeway companies should have to process personal data after a decision targeting Facebook from Ireland’s privacy regulator prompted pushback from campaigners.

Ireland's Data Protection Commission (DPC) said last week it plans to fine Facebook between €28 million and €36 million over an alleged lack of transparency over what it does with users' data.

But for privacy campaigners and officials at other EU watchdogs, Ireland's decision gives Facebook too much leeway to collect data on users without first obtaining their explicit consent to do so.

The argument over the limits of Europe's flagship data protection law, the GDPR, is expected to heat up in coming weeks as data protection watchdogs from 27 EU countries are invited to weigh in Ireland's draft Facebook decision before a final decision is made.

If Ireland's decision is upheld, that would "entail the end of data protection as we know it," said an official at a national privacy regulator who asked not to be named in order to discuss confidential deliberations between regulators.

That criticism echoed Austrian privacy campaigner Max Schrems, who filed the original complaint against Facebook and said that Ireland's decision amounted to a "GDPR bypass" because it allowed companies to gather data without consent.

"It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a 'contract,'" he said.

Contract or consent?

At the heart of the spat is Facebook's claim that it collects personal data as part of a contract with users, who know that the platform requires personal data in order to run its advertising-based business model and provide them with the Facebook service.

By invoking this "performance of a contract" clause in the GDPR, Facebook circumvents the need to obtain explicit consent from users to collect their data — which may otherwise take the form of a "yes" or "no" option to hand over personal data.

In its draft decision the DPC did not dispute Facebook's argument, but instead said it lacked the authority to rule on the question of whether the contract with users was fair. A ruling on that point would best be made by a consumer or competition authority, the regulator said.

The official at another data protection agency rejected that argument. "The whole idea that people sign up to Facebook to receive personalized advertising is pretty absurd. Not so much part of the offering as something that is unilaterally imposed on users against the wishes of the majority of them. There is no indication that the legislator wanted to legitimize this," the official said.

The Dublin regulator was set to collide with peers over its interpretation of the legal basis and particularly the point of what is "necessary" to fulfill a contract, the person added.

Yet the DPC is not the first European watchdog to approve Facebook's central argument about collecting data as part of a contract with users.

In December, an Austrian court backed Facebook’s argument that it needed to process data to earn money through advertising in order to fulfill its contract with users to provide them with a “personalized communication platform” free of charge — even though Austria’s Supreme Court referred that case to the EU’s top court on appeal, highlighting the difficulty of the issues at hand.

A Dublin-based expert backed up the argument that there is a limit to what the regulator can say about Facebook's terms of service.

“Much as one would like the DPC to be able to make determinations on all aspects of a matter, inevitably questions arise which need to be referred to another forum or to another court,” said Daragh O’Brien, a privacy expert at Castlebridge, a consultancy. 

The spat reflects ongoing disagreements over just how far the GDPR should go toward regulating data, at a time when lawmakers in the United States are debating whether to enact federal privacy rules.

For example, Germany competition authority tried to use data protection law to hobble Facebook’s data practices. But the move faced tough legal pushback and now sits with the EU’s top court, with questions focusing on whether the authority has strayed beyond its remit by invoking the GDPR to enforce competition rules.

Other EU privacy regulators now have a month in which to weigh in on Ireland's decision.

If other recent cross-border cases are anything to go by, they could push for a much higher fine than the the €36 million upper-range sum proposed by Facebook.

September’s €225 million fine for WhatsApp, for instance, started off as a €50 million penalty. Similarly, Luxembourg’s proposal to fine Amazon around €357 million eventually lead to a record €746 million penalty after input from other EU regulators.