The Irish Data Protection Commissioner (“DPC”) has submitted a draft decision on Facebook Ireland Limited’s (“Facebook”) data protection compliance to other European regulators under the cooperation mechanism of the EU General Data Protection Regulation (“GDPR”) (the “Draft Decision”). The DPC proposes a fine between €28 and €36 million (i.e., up to $42 million) for infringements of the transparency obligations under the GDPR, specifically with respect to the legal basis upon which Facebook relied. In addition, the Draft Decision proposes imposing an order on Facebook to bring its terms of service and Data Policy into compliance within three months. However, the DPC indicates in its Draft Decision that Facebook is permitted to rely on contractual necessity as a legal basis for its personalized advertising, taking the view that this constitutes a core element of Facebook’s service.

On August 20, 2018, the DPC commenced an inquiry into Facebook’s compliance, following a complaint by an individual acting through None of Your Business (“NOYB”), the privacy activist group run by Max Schrems. The complaint stemmed from the fact that, in order to create a Facebook account, users are required to accept certain terms and conditions (the “Terms”), with acceptance of these terms constituting formation of a contract between Facebook and its users. During the process of updating its data processing practices for the purposes of GDPR compliance, Facebook requested acceptance of its updated Terms and also provided individuals with the opportunity to consent or not consent to a number of specific additional data processing activities. Although acceptance of the updated Terms was a pre-requisite for continued use of Facebook’s platform (users who did not agree were denied service), consent to the additional processing activities was not.

The complaint was made on the basis that Facebook had “forced” consent to the updated Terms, which incorporated Facebook’s Data Policy, and users suffered a detriment if they did not agree to those terms and the Data Policy together. The complainant also argued that Facebook had not made clear the legal basis relied on for each of its processing operations, as required under Article 13 of the GDPR.

The DPC identified three specific issues to be examined:

  1. whether acceptance of the Terms could and should be construed as consent to processing;
  2. whether contractual necessity, rather than consent, could be relied on as Facebook’s legal basis for processing, in particular with respect to activities such as behavioral advertising; and
  3. whether Facebook had failed to provide necessary information about its legal basis for processing.

On the first question, the DPC determined that Facebook was not required to rely on, nor had it indicated that it relied on, consent for the processing associated with its Terms. The DPC commented that in many cases involving a contract between a consumer and an organization, the appropriate legal basis is contractual necessity under Article 6(1)(b) of the GDPR, and this was not undermined by the fact that the consumer is required to consent to certain contractual terms.

On the second question, the DPC found that Facebook could, in principle, rely on the legal basis of contractual necessity for the processing required to deliver behavioral advertising insofar as this formed a core part of the service Facebook offered to users and users accepted under the contract between the parties. While the complainant argued that behavioral advertising is not necessary for the delivery of a social platform – a contention with which the DPC agreed – the DPC stated that the focus when assessing this legal basis should be on the specific contract in question and the nature of the services being offered to the user. The DPC determined that the Facebook service is promoted as one that provides personalized advertising, and therefore users would be aware of it being part of the nature of the service offered, in part because of public discourse on the matter.

The DPC stated with respect to personalized advertising, “It is, in fact, the core element of the commercial transaction as between Facebook and Facebook users. It follows that this is a commercially essential element of the contract. As this information is both clearly set out and publicly available, it is difficult to argue that this is not part of the mutual expectations of a prospective user and of Facebook. Finally, it is clear that the service is advertised (and widely understood) as one funded by personalized advertising, and so any reasonable user would expect and understand that this was the bargain being struck, even if they might prefer that the market would offer them better alternative choices.”

On the third question, the DPC found that Facebook had infringed Articles 5(1)(a), 12(1) and 13(1)(c) of the GDPR by failing to adequately communicate that it was relying on contractual necessity as the legal basis for its processing. The DPC commented that the information provided by Facebook lacked clarity and required users to seek out additional information via hyperlinks. In particular, the DPC found that, “There is no single composite text or layered route available to the user such as would allow them to quickly and easily understand the full extent of processing operations that will take place as regards their personal data arising from their acceptance of the Terms of Service. Each additional layer presents the user with similar information to that already provided as well as some new information which is not easy to identify, as the language used is similar to the information that has been provided before. The user should not have to work so hard to access the prescribed information; nor should there be ambiguity as to whether all sources of information have been exhausted.”

Now that the DPC has submitted its Draft Decision to the other concerned supervisory authorities, these regulators will have the opportunity to raise objections to the DPC’s proposals.

Read the DPC’s Draft Decision.