The Irish Data Protection Commissioner (“DPC”) has submitted a draft decision on Facebook Ireland Limited’s (“Facebook”) data protection compliance to other European regulators under the cooperation mechanism of the EU General Data Protection Regulation (“GDPR”) (the “Draft Decision”). The DPC proposes a fine between €28 and €36 million (i.e., up to $42 million) for infringements of the transparency obligations under the GDPR, specifically with respect to the legal basis upon which Facebook relied. In addition, the Draft Decision proposes imposing an order on Facebook to bring its terms of service and Data Policy into compliance within three months. However, the DPC indicates in its Draft Decision that Facebook is permitted to rely on contractual necessity as a legal basis for its personalized advertising, taking the view that this constitutes a core element of Facebook’s service.
On August 20, 2018, the DPC commenced an inquiry into Facebook’s compliance, following a complaint by an individual acting through None of Your Business (“NOYB”), the privacy activist group run by Max Schrems. The complaint stemmed from the fact that, in order to create a Facebook account, users are required to accept certain terms and conditions (the “Terms”), with acceptance of these terms constituting formation of a contract between Facebook and its users. During the process of updating its data processing practices for the purposes of GDPR compliance, Facebook requested acceptance of its updated Terms and also provided individuals with the opportunity to consent or not consent to a number of specific additional data processing activities. Although acceptance of the updated Terms was a pre-requisite for continued use of Facebook’s platform (users who did not agree were denied service), consent to the additional processing activities was not.
The complaint was made on the basis that Facebook had “forced” consent to the updated Terms, which incorporated Facebook’s Data Policy, and users suffered a detriment if they did not agree to those terms and the Data Policy together. The complainant also argued that Facebook had not made clear the legal basis relied on for each of its processing operations, as required under Article 13 of the GDPR.
The DPC identified three specific issues to be examined:
- whether acceptance of the Terms could and should be construed as consent to processing;
- whether contractual necessity, rather than consent, could be relied on as Facebook’s legal basis for processing, in particular with respect to activities such as behavioral advertising; and
- whether Facebook had failed to provide necessary information about its legal basis for processing.
On the first question, the DPC determined that Facebook was not required to rely on, nor had it indicated that it relied on, consent for the processing associated with its Terms. The DPC commented that in many cases involving a contract between a consumer and an organization, the appropriate legal basis is contractual necessity under Article 6(1)(b) of the GDPR, and this was not undermined by the fact that the consumer is required to consent to certain contractual terms.
On the second question, the DPC found that Facebook could, in principle, rely on the legal basis of contractual necessity for the processing required to deliver behavioral advertising insofar as this formed a core part of the service Facebook offered to users and users accepted under the contract between the parties. While the complainant argued that behavioral advertising is not necessary for the delivery of a social platform – a contention with which the DPC agreed – the DPC stated that the focus when assessing this legal basis should be on the specific contract in question and the nature of the services being offered to the user. The DPC determined that the Facebook service is promoted as one that provides personalized advertising, and therefore users would be aware of it being part of the nature of the service offered, in part because of public discourse on the matter.
The DPC stated with respect to personalized advertising, “It is, in fact, the core element of the commercial transaction as between Facebook and Facebook users. It follows that this is a commercially essential element of the contract. As this information is both clearly set out and publicly available, it is difficult to argue that this is not part of the mutual expectations of a prospective user and of Facebook. Finally, it is clear that the service is advertised (and widely understood) as one funded by personalized advertising, and so any reasonable user would expect and understand that this was the bargain being struck, even if they might prefer that the market would offer them better alternative choices.”
On the third question, the DPC found that Facebook had infringed Articles 5(1)(a), 12(1) and 13(1)(c) of the GDPR by failing to adequately communicate that it was relying on contractual necessity as the legal basis for its processing. The DPC commented that the information provided by Facebook lacked clarity and required users to seek out additional information via hyperlinks. In particular, the DPC found that, “There is no single composite text or layered route available to the user such as would allow them to quickly and easily understand the full extent of processing operations that will take place as regards their personal data arising from their acceptance of the Terms of Service. Each additional layer presents the user with similar information to that already provided as well as some new information which is not easy to identify, as the language used is similar to the information that has been provided before. The user should not have to work so hard to access the prescribed information; nor should there be ambiguity as to whether all sources of information have been exhausted.”
Now that the DPC has submitted its Draft Decision to the other concerned supervisory authorities, these regulators will have the opportunity to raise objections to the DPC’s proposals.
Read the DPC’s Draft Decision.