Irish Regulator Accused of Lobbying for Weakening GDPR to Benefit Facebook

Irish regulator, the DPC, is accused of pushing to weaken Europe’s GDPR laws for Facebook.

Europe’s General Data Protection Regulation (GDPR) has effectively become a gold standard for the world. While some accused the law of being overly burdensome at the outset, concerns that the law went too far have since quickly evaporated. These days, the concern is whether the law goes far enough and whether or not it can be effectively enforced. The latter point of contention became apparent after the law itself wound up being a victim of its own success. After 2 years, the enforcement side of things found itself dealing with 160,000 complaints.

It’s not as though enforcement isn’t trying. In fact, earlier this year, regulators fined Amazon €746 million – a fine that wound up being the largest fine ever handed out under the GDPR.

Let’s face it, though, questions over whether enforcement can keep up with the demand and whether the fines are high enough are actually pretty good problems to have. In other parts of the world, similar laws simply don’t exist. In the US, for instance, there is a much more patchwork set of laws at best. Sometimes, regulators manage to roll out fines such as the one the FTC slapped on Facebook (a $5 billion fine over the Cambridge Analytica scandal to be precise). Still, such fines aren’t exactly common as there isn’t much on the federal level to standardize privacy requirements. To put it simply, the privacy situation in the US is a huge mess.

The situation in Canada is, of course, much worse. While Canada had no problem thumping its chest in the 90’s and 2000’s over the fact that it has privacy commissioners, the situation is very far removed from perfect. While the existence of privacy commissioners at both the provincial and federal level certainly offers a good level of governmental infrastructure, the problems have only become apparent in the last decade. While privacy commissioners have the power to conduct investigations into companies, the most that can ever come out of them are strongly worded letters. Commissioners have no power to levy fines or other sanctions against companies; they can only wag their fingers and tell companies that they’ve done bad.

In fact, the most redress anyone has is to file a lawsuit against the companies in question. Proving that it was a breach, hack, or leak on their end is a high bar to climb over. What’s more, victims have to show that they have been negatively impacted, proving damages in court. In short, the onus to investigate and prove falls on the victims – and that’s assuming they can even afford lawyers to target these companies in the first place. The state of privacy laws in Canada has been a long-running joke for about half a decade now, and we are still waiting for lawmakers to get off their collective rear ends and do something about it.

While all this certainly shows that Europeans have it really good as far as privacy is concerned, it isn’t as though the situation is perfect. In fact, if you ever want to bring up how there might be flaws in the system, a particularly easy target can be found in the Irish DPC. For years now, Irish regulators have been accused of being slow to roll out fines for obvious instances of GDPR violations. And when fines are levied against companies, critics have said that some of these fines are exceedingly lenient.

An example of this came back in October, when the Irish DPC proposed fining Facebook somewhere between €28 million and €36 million. At the time, critics argued that the fine was far too light. From Compliance Week:

A fine in the proposed range would amount to roughly 0.05 percent of Facebook’s 2020 global revenue of $84.2 billion, far below the possible 4 percent of turnover permitted under the GDPR. In its draft ruling, the Irish DPC said Facebook’s revenues were factored into the figure.

“For a company the size of Facebook, a €36 million fine—although not trivial—is unlikely to have a sufficient deterrent effect,” says Will Richmond-Coggan, a data protection and disputes specialist at law firm Freeths. “It is more likely simply to be seen as a cost of doing business.”

“Facebook will recover the amount of the fine within a couple of hours of trading, so it really has no dissuasive effect at all,” says Alan Calder, CEO of technology compliance specialists GRC International Group. “Most of the large U.S. technology organizations have chosen Ireland because they believe the Irish DPC is very soft-hearted—and it is.”

At the heart of the complaint is that Facebook has relied on “forced consent” to ensure it is GDPR compliant. When users sign up to its terms and conditions (T&Cs), they automatically consent to everything else. As such, personal data can be used to target ads at users if they choose to stay with the service.

Indeed, the reaction to the fine was a collective facepalm. Some jokingly commented that Facebook simply has to rummage around the couch cushions to pay off the fine. Others said that the fine is not only a joke, but makes a mockery of what the GDPR is supposed to be about. What’s more, it almost looks as though Facebook got off with the lightest of raps on the wrist for its violations.

Of course, a big problem is the fact that when it comes to “big tech” companies, Irish regulators are the ones tasked with enforcing the GDPR. This has to do with many of these companies’ European headquarters being located there. So, it paints this image of how, if “Big Tech” wants to avoid the strictest of fines, it should locate in Ireland because the law isn’t really adequately enforced there.

Now, we are learning that the situation in Ireland is actually much worse than that. According to complaints, the Irish DPC is also accused of attempting to water down GDPR laws on behalf of Facebook. From Politico Europe:

According to the documents obtained by noyb.eu under freedom of information law, the Irish DPC — which regulates the lion’s share of U.S. tech companies under the EU’s General Data Protection Regulation — explicitly pushed for social networks to be able to monitor users’ behavior to target them with ads via a contract, rather than by having to obtain their consent.

However, the DPC’s attempts to include “performance of a contract” as a legal basis into the EU privacy guidelines was rejected by other European regulators, the documents show.

“This reduces the GDPR to a pro forma instrument. As long as you remember to include all kinds of requirements and provisions in a contract … controllers can do as they like and there is no need for consent or a balancing of interests … Is it possible to provide social media accounts without tracking and profiling? Yes, in fact it is,” said one European regulator, who is not named in the document.

Another EU privacy watchdog labelled the DPC’s attempts to legalize companies’ use of contracts to process data for ads, “contrary to everything we believe in.”

A third commented: “This seems to accept monetisation of personal data and circumventing the other legal bases … We think that this interpretation undermines the system and spirit of the GDPR.”

The Irish DPC eventually failed to get its proposals into the final guidelines, which include strict requirements for what data is necessary to fulfill a contract with users. The final guidelines do not say that social networks can use the contract legal basis to serve personalized advertising.

The EU’s network of privacy regulators “has made pretty clear that there is no legitimation circumventing the legal requirements of an informed consent by arguing processing is necessary for the performance of a contract to which the data subject is party,” Johannes Caspar, who led Hamburg’s privacy regulator at the time of the discussions, told POLITICO.

For longtime readers, the name Max Schrems might sound familiar. He is the founder of an organization known as NOYB (None of Your Business). In 2020, we reported on a European court challenge to the so-called SHIELD laws. Those laws essentially say that other first world countries can simply be trusted to guard people’s personal information. This was seen as a loophole allowing companies to circumvent GDPR laws by simply being located in a “trusted” country which doesn’t have much in the way of equivalent laws. The legal challenge was made and Schrems ultimately won. The court ruled that companies must vet people’s personal information.

The Irish DPC responded to the complaints and said that the accusations are completely baseless. From SiliconRepublic:

Ireland’s Data Protection Commission (DPC) has rejected the recent accusations that it lobbied in the interests of Facebook, stating the claims are “utterly untrue”.

A statement released yesterday (7 December) by the DPC said the allegations are not concerned with any issues of substance, “but with the advancement of a theory, central to which is an allegation that, acting in bad faith, the DPC sought to subvert the procedures of the EDPB”.

The DPC said the allegations are untrue and reveal “a lack of any kind of basic understanding” on the workings of the EDPB.

According to NOYB, the situation then became much more dramatic. In one posting, they published documents they had obtained to prove that their accusations are accurate. They commented on this back in October:

Agreement to use data is not “consent”? Facebook’s legal argument is rather simple: By interpreting the agreement between user and Facebook as a “contract” (Article 6(1)(b) GDPR) instead of “consent” (Article 6(1)(a) GDPR), the strict rules on consent under the GDPR would not apply to Facebook – meaning that Facebook can use all data it has for all products it provides, including advertisement, online tracking and the like, without asking users for freely given consent that they could withdraw at any time. Facebook’s switch from “consent” to “contract” happened on 25.5.2018 at midnight – exactly when the GDPR came into effect in the EU.

Schrems: “It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a ‘contract’. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions”

Illegal since Roman times. Since Roman times, the law says that agreements have to be treated as what they actually are (objective assessment), not as what the parties claim it to be (formal assessment).

Schrems: “It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law. Since Roman times, the Courts have not accepted such ‘relabeling’ of agreements. You can’t bypass drug laws by simply writing ‘white powder’ on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick.”

Shortly after, the Irish DPC apparently sent a takedown demand, ordering the site to desist from publishing such materials in the future. NOYB refused to comply:

Yesterday night, the Irish Data Protection Commission (DPC) sent an extraordinary letter (PDF) to noyb, saying it would “require [noyb] to remove the draft decision from your website forthwith, and to desist from any further or other publication or disclosure of same”. noyb refused to self-censor and limit the public’s access to problematic decisions. Alternatively, noyb invited the DPC to bring legal proceedings before the relevant Court in Austria, instead of sending letters that are intended to intimidate complainants.

Problematic relationship with transparency and criticism. The DPC has a long-standing policy to limit public engagement and transparency. It regularly relies on a broad exemption from the Irish Freedom of Information Act, demands ‘non disclosure’ agreements from parties in procedures, demanded that the European Parliament even change its procedures when hearing Helen Dixon to limit criticism, and runs a tight public relations department that limits interviews with critical journalists.

Schrems: “This letter is part of a general approach by the DPC to stifle criticism. The DPC is regularly demanding various ‘non disclosure’ agreements from complainants and even asks journalists to get questions pre-approved. Overall the DPC wants to control every element in the public domain, which is unheard of in a democratic society.”

noyb’s position is clear. noyb’s role under Article 80 GDPR is to engage with authorities and follow the development of the GDPR. This may include the publication of decisions that are of relevance to the public, if permitted by law. In fact, many European DPAs actively publish decisions themselves in an effort to be transparent and inform the public.

Schrems: “We have a very positive relationship with the authorities, also when there are different views. It is normal in a democratic society that civil society actors question the decisions of authorities at times. The DPC is the only public body that I ever came across that cannot accept such criticism and undertakes extreme efforts to silence the public debate.”

Some time after that, the Irish DPC was accused of removing NOYB from a GDPR procedure. In response, NOYB filed a criminal report:

The Irish Data Protection Commission (DPC) has taken the unheard-of move, to demand noyb to draft and sign a “non-disclosure agreement” (NDA) within one working day. In absence of such an NDA for the benefit of the DPC and Facebook, the DPC would not comply with the duty to hear the complainant anymore. Schrems: “The DPC engaged in procedural blackmail. Only if we shut up, the DPC would ‘grant’ us our legal right to be heard. We have reported the incident to the Austrian Office for the Prosecution of Corruption. This is a regulator clearly asking for a ‘quid pro quo’ to do its job, which likely constitutes bribery in Austria.”

Facebook would especially benefit from the NDA, as new documents indicate that EU regulators may find Facebook’s “GDPR bypass” illegal — possibly declaring Facebook’s use of personal data since 2018 unlawful, with major implications for Facebook’s business model in Europe.

Report with Public Prosecutor filed. noyb has filed a criminal report (“Sachverhaltsdarstellung”) with the Austrian Office for the Prosecution of Corruption (WKStA). As the target of the potential criminal act is based in Austria, it seems that the Austrian criminal act applies. The criminal report concerns the relevant DPC staff. The WKStA has to review if there is ground to start an investigation. The presumption of innocence applies.

Schrems: “Generally we have very good and professional relationships with authorities. We have not taken this step lightly, but the conduct of the DPC has finally crossed all red lines. They basically deny us all our rights to a fair procedure unless we agree to shut up. Austrian corruption laws are far reaching: when an official requests the slightest benefit to conduct a legal duty, the corruption provisions may be triggered. Legally there is no difference between demanding an unlawful agreement or a bottle of wine.”

Suffice it to say, things have gotten ugly in this story. Still, the battle over privacy in Europe is far from over, even with the passage of the GDPR back in 2018. It’ll be interesting to see where things go from here.

Drew Wilson on Twitter: @icecube85 and Facebook.
