The Irish Data Protection Commission has been accused of aiding and abetting Facebook to develop a “GDPR bypass”, allowing the company to swerve the strict rules on consent – that cover advertising and online tracking – by insisting users’ agreement on data processing is a contract.
According to privacy organisation NOYB, spearheaded by Austrian lawyer and Facebook nemesis Max Schrems, this deal – thrashed out in what the organisation claims were secret meetings with Facebook – dates back to spring 2018, just before GDPR came into force.
In a blogpost, NOYB states: “By interpreting the agreement between user and Facebook as a contract in Article 6(1b) of GDPR instead of consent in Article 6(1a), Facebook can use all the data it has for all the products it provides, including advertisement, online tracking and alike, without asking users for freely given consent that they could withdraw at any time.”
NOYB reveals the switch from “consent” to “contract” happened at midnight on May 25 2018 – exactly when GDPR came into effect.
Schrems said: “It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a contract. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimise any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions.
“It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law. Since Roman times, the courts have not accepted such ‘relabeling’ of agreements. You can’t bypass drug laws by simply writing ‘white powder’ on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick.
“The DPC developed the ‘GDPR bypass’ with Facebook, that it is now greenlighting as a regulator. Instead of a regulator, it acts as a ‘big tech’ advisor.”
The claims coincide with the Irish DPC publishing a draft decision to fine Facebook between €28m (£23.7m) and $36m (£30.5m) because it believes the company should have been more transparent on this bypass. The draft has been sent to the other European data protection authorities for approval.
Even at the top end of $36m, the financial penalty would take Facebook just over two and a half hours to earn in revenue, based on its second quarter earnings.
On a European level, NOYB says the data protection authorities have issued guidelines that such a bypass of GDPR is illegal and must be treated as consent. However, the Irish DPC has said it is “simply not persuaded” by the view of its European counterparts.
Schrems concluded: “Basically the DPC says Facebook can bypass GDPR, but they must be more transparent about it. With this approach, Facebook can continue to process data unlawfully, add a line to the privacy policy and just pay a small fine, while the DPC can pretend they took some action.
“Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good.”
Such a move is not without precedent; in September, the Irish DPC was forced to increase a proposed €50m (£44m) fine for WhatsApp by 350% to €225m (£219m) after bowing to pressure from other European regulators.