The Irish Data Protection Commission (DPC) has set out plans to fine Facebook between €28 million and €36 million (U.S. $32 million and $42 million) for violations of the EU’s General Data Protection Regulation (GDPR).
The draft decision was shared Wednesday by privacy campaigner Max Schrems, who has filed multiple complaints against Facebook over its alleged abuses of data collection and data sharing. Schrems has been a harsh critic of the Irish DPC’s suitability as a regulator capable of holding the Big Tech firms it governs to account.
The proposed penalty is the first from 10 investigations the Irish DPC has launched into Facebook (excluding three others into Instagram and one into WhatsApp, which are also owned by the company).
A fine in the proposed range would amount to roughly 0.05 percent of Facebook’s 2020 global revenue of $84.2 billion, far below the possible 4 percent of turnover permitted under the GDPR. In its draft ruling, the Irish DPC said Facebook’s revenues were factored into the figure.
“For a company the size of Facebook, a €36 million fine—although not trivial—is unlikely to have a sufficient deterrent effect,” says Will Richmond-Coggan, a data protection and disputes specialist at law firm Freeths. “It is more likely simply to be seen as a cost of doing business.”
“Facebook will recover the amount of the fine within a couple of hours of trading, so it really has no dissuasive effect at all,” says Alan Calder, CEO of technology compliance specialists GRC International Group. “Most of the large U.S. technology organizations have chosen Ireland because they believe the Irish DPC is very soft-hearted—and it is.”
At the heart of the complaint is that Facebook has relied on “forced consent” to ensure it is GDPR compliant. When users sign up to its terms and conditions (T&Cs), they automatically consent to everything else. As such, personal data can be used to target ads at users if they choose to stay with the service.
However, the Irish DPC found there was “no obligation on Facebook to seek to rely solely on consent for the purposes of legitimizing personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data.” Nor did it find Facebook had purported to rely on consent under the GDPR.
Controversially, the Irish DPC ruled that Article 6(1)(b) of the GDPR, which concerns lawfulness of processing, does not prevent Facebook from claiming a legal right to process people’s information for ad targeting because users have signed a contract technically enabling the firm to do so.
The Irish DPC also sided with Facebook that there is “no evidence” of any intentional breach of the rules while accepting its approach to transparency and the GDPR “represents a genuinely held belief on Facebook’s part” the company’s policies were in compliance. The regulator noted Facebook made no effort to mitigate damage to data subjects, given its position was that no damage took place.
The Irish DPC did find Facebook infringed GDPR transparency requirements under Articles 5(1)(a), 12(1), and 13(1)(c) by failing to provide users with the necessary information regarding its legal basis for processing once they had accepted Facebook’s terms of service, meaning users were unlikely to have understood they were signing up for an ad contract when they clicked “I agree” on the platform’s T&Cs.
Alongside the proposed fine, the Irish DPC said Facebook should update its T&Cs within three months of a final decision.
The draft decision has been shared with the rest of the EU’s national data protection authorities (DPAs), who can raise objections.
History suggests several DPAs will bitterly disagree with what they will likely regard as an unduly lenient penalty, forcing Ireland to pass the case back to the European Data Protection Board, the EU’s GDPR supervisor, to work out a verdict that will pacify the necessary two-thirds majority. Similar deliberations took place ahead of the Irish DPC’s WhatsApp fine in September and Twitter decision last year.
In a statement on his website, Schrems said: “Our hope lies with the other European authorities. If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good.”
In an emailed statement, Facebook said: “We don’t speculate or comment on live investigations. We are assisting the Irish DPC with its inquiries and will await the final decision in due course.”
The Irish DPC was approached for comment but did not respond.