Skip to main content

Irish Data Protection Commission’s Facebook decision – more unwanted scrutiny from its critics?

29 October 2021

In an Irish Data Protection Commission (DPC) draft decision, which has been published by Max Schrems’ on his None of your Business website, the DPC has proposed to fine Facebook up to €36 million over the social media giant’s lack of transparency and clarity in informing their users about the legal basis used to process their data. It found that “the lack of transparency goes to the heart of data subject rights and risks undermining their effectiveness by not providing transparent information”.

Facebook had updated its Terms of Service and Privacy Policy for the purposes of GDPR compliance. Some processing activity was included within the Terms of Service, while some other processing required individual consent. The decision on the lack of transparency centred around how this was relayed to users.

In the same Draft Decision, and perhaps more controversially, the Data Protection Commissioner, Helen Dixon (the Commissioner) did not uphold the complainant’s argument that the GDPR does not permit the reliance by Facebook on Article 6(1)(b) GDPR in the context of its Terms of Service. The Commissioner said “there is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data. Nor has Facebook purported to rely on consent under the GDPR”. The Commissioner therefore accepted that Facebook’s contract approach in processing data is permissible in this instance, given the nature of the service and the knowledge of those signing up that it includes such processing.

“Setting a new precedent for consent bypass”

Unsurprisingly Max Schrems has been quick out of the blocks to criticise the decision – and the Commissioner’s view on Article 6(1)(b) in particular. He stated: “it is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabelling the agreement on data use as a ‘contract’. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimise any use of customer data without consent”. He also added that in his view the Draft Decision means that “basically, the DPC says Facebook can bypass the GDPR, but they must be more transparent about it”.

He was also critical of the Commissioner’s analysis of the European Data Protection Board’s (EDPB), guidelines which make it clear that bypassing the GDPR is not legal. The Commissioner appeared to disagree with the application of those guidelines in this instance, finding there was “simply no persuasive authority in law” where “any particular lawful basis in the GDPR can be ‘mandatory’, ‘default’, a ‘lex specialis’, or of more or less significance than any other legal basis”. Let’s see if the EDPB has anything to say about that!.

The Draft Decision has now been submitted to the other concerned Supervisory Authorities (CSAs) for their review and comment as required by the GDPR. This may well, in a repeat of the WhatsApp decision, lead to the DPC being challenged yet again on the amount of the fine. But expect the Commissioner’s rationale and conclusion on the case put by the complainant in respect of Article 6(1)(b) to be closely scrutinised also.

Watch this space to see if the EDPB will invoke its powers under Article 65(1)(a) GDPR, or whether the DPC and CSAs will come to a collective decision regarding Facebook.

It’s been a torrid time for the DPC. We reported recently on the ICCL Report [Link] which described the organisation as not fit for purpose. In the last week the Minister for Justice has proposed adding three new commissioners, and the Commissioner herself has put forward her own proposals to the Justice Department.

Whether either solution will be enough to silence the DPC critics remains doubtful.

Related items

Related services

Back To Top