Supervisor wants to fine Facebook 36 million euros due to loophole


The Irish data regulator wants to fine Facebook 36 million euros. That is much lower than most European privacy regulators want. The DPC states that users voluntarily provide data to Facebook and the fine is therefore low.

This is apparent from a draft proposal prepared by the Irish Data Protection Commissioner. That proposal is part of an investigation into Facebook that other European regulators have also joined. The letter was sent to those supervisors. The Irish DPC is the primary regulator in the investigation. Under the GDPR, one supervisor is in charge of cross-country investigations, but others can join. The draft proposal has been published by noyb, the foundation of privacy activist Max Schrems.

The draft proposal contains the conclusion that the DPC intends to draw. The DPC plans to fine Facebook between 28 and 36 million euros. The company would be fined because it is not transparent about the way it collects data from European users. That is a violation of the GDPR.

Lower due to ‘loophole’

The fine is much lower than most regulators hoped and expected. That’s because Facebook is exploiting what critics call a loophole. This has to do with the legal basis that Facebook relies on for data collection. There are six legal bases under the GDPR. One is consent: a user gives clear consent to have his data processed by a company. Most European regulators believe that Facebook needs the basis of ‘consent’ to collect user data. However, Facebook itself invokes a different basis, namely that it is ‘necessary to perform an agreement’. According to Facebook, users “enter into an agreement” with the company when they create an account.

There are differences in the ways in which users have control over their data. That depends on which basis is used. For example, different rules apply to the basis of ‘consent’ than to the basis of an agreement. An agreement also means that Facebook may in principle collect all data that Facebook thinks it needs, and users are less able to withdraw permission, have data removed or request it.

Circumvention of the law

Critics, including Max Schrems, argue that Facebook is thus circumventing the GDPR. “It’s painfully clear that Facebook wants to break clear GDPR rules by viewing data collection as a contract,” he says. “It is neither innovative nor smart to do that. Since Roman times, that argument has not been accepted by courts.”

It is therefore striking that the Irish privacy regulator seems to agree with Facebook’s argument. The other European regulators have already called Facebook’s loophole illegal. They hoped their Irish colleagues would agree. In the draft proposal, however, the DPC says that it is ‘not convinced’ by the arguments of the other regulators.

Still a fine

Despite this, the DPC plans to fine Facebook. The company receives the fine because it ‘is not transparent enough’ about the basis it relies on for data collection. If the DPC had ruled that Facebook’s loophole was illegal, Facebook would have been collecting data from users incorrectly for years. The fine would then be expected to be much higher, but that is not the case now.

The draft proposal first goes to the participating supervisors, who can then give their opinion on it. If they disagree, the matter can be taken to the European Data Protection Board. That is the umbrella organization of European privacy regulators. In extreme cases, the latter can object to the decision of the DPC as soon as it is official.
