noyb publishes the draft decision by the DPC in the case against Facebook

The Irish Data Protection Commission (DPC) has sent a draft decision to EDRi's member noyb - European Center for Digital Rights and informed noyb that the draft decision would be shared with the other European Data Protection Authorities for consultation. The case concerns Facebook's reliance on contracts for serving advertising to its users - the legal trick Facebook applied in May 2018 to bypass the GDPR.

By NOYB (guest author) · October 20, 2021

The Irish Data Protection Commission (DPC) has sent a draft decision to EDRi’s member noyb – European Center for Digital Rights and informed noyb that the draft decision would be shared with the other European Data Protection Authorities for consultation. The case concerns Facebook’s reliance on contracts for serving advertising to its users – the legal trick Facebook applied in May 2018 to bypass the GDPR.

The draft decision concerns one of the complaints which noyb submitted to the DPC in May 2018 – right after the GDPR became applicable. In the course of the proceedings, it turned out that Facebook simply chose on 25 May 2018 to include the agreement on data processing in a “contract” instead of a “consent”. This switch deprived Facebook users of the many protections that the GDPR offers for “consent” as a legal basis for processing. 

Facebook seems to interpret the agreement between a user and Facebook as a “contract” (Article 6(1)(b) GDPR) instead of “consent” (Article 6(1)(a) GDPR) which means that the strict rules on consent under the GDPR would not apply to Facebook. This “bypass” enables Facebook to use all data it has for all products it provides, including advertisement, online tracking and alike, without asking users for freely given, informed, specific, and unambiguous consent. Under the GDPR, users also have a right to withdraw consent at any time. In the case of a contract, the users lose such privileges. 

Despite claiming that the “consent bypass” is legal, the DPC still issued a fine to Facebook (a penalty of € 28 to € 36 Mio) for not being fully transparent about the legal basis for processing its user data. In summary, the DPC is therefore not planning to take action on the violation raised by the complaint, but instead just proposed that Facebook makes the bypass clearer. The penalty would amount to roughly 0.048% of Facebook’s global revenue, despite the option for penalties of up to 4% in the GDPR.

The Draft Decision was now sent to the other European Data Protection Authorities (DPAs), who can raise objections to the proposed solution by the Irish DPC. It is very likely that this case will then reach the European Data Protection Board (EDPB) where the DPAs can overrule the Irish DPC, just like in a recent case on WhatsApp.