EU officials are gearing up to fight over how much leeway companies should have to process personal data after a move targeting Irish privacy regulator Facebook sparked rejection from activists.
Irish Data Protection Commission (DPC) said last week it plans to fine Facebook between 28 and 36 million euros for an alleged lack of transparency about what it does with user data.
But for privacy activists and officials of other EU watchdogs, Ireland’s move gives Facebook too much leeway to collect user data without first obtaining their consent. explicit.
The argument over the limits of Europe’s flagship data protection law, the GDPR, is expected to intensify in the coming weeks as data protection watchdogs in 27 EU countries are urged to weigh in on Ireland’s draft decision on Facebook before a final decision is made.
If Ireland’s decision is upheld, it “would mean the end of data protection as we know it,” said an official at a national privacy regulator who asked not to be named in order to discuss confidential deliberations between regulators.
This criticism echoes Austrian privacy activist Max Schrems, who filed the initial complaint against Facebook and said Ireland’s move amounted to a “GDPR circumvention” because it allowed businesses to collect data without consent.
“It is painfully obvious that Facebook is simply trying to get around clear GDPR rules by re-qualifying the ‘contract’ data use agreement,” he said.
Contract or consent?
At the heart of the discussion is Facebook’s claim that it collects personal data as part of a contract with users, who know that the platform needs personal data to run its business model based on it. advertising and provide them with the Facebook service.
By invoking this “performance of a contract” clause in the GDPR, Facebook circumvents the need to obtain explicit consent from users to collect their data – which may otherwise take the form of a “yes” or “no” option for transmit personal data. .
In its draft ruling, the DPC did not dispute Facebook’s argument, but instead said it did not have the authority to rule on whether the contract with users was fair. A decision on this point would be best rendered by a consumer or competition authority, the regulator said.
The head of another data protection agency rejected this argument. “The idea of people signing up to Facebook to receive personalized advertising is pretty absurd. It’s not so much part of the offer as something that is unilaterally forced on users against the wishes of the majority of people. There is nothing to indicate that the legislator wanted to legitimize this, ”said the official.
The Dublin regulator was on the verge of clashing with its peers on its interpretation of the legal basis and in particular on the point of what is “necessary” to fulfill a contract, the person added.
Yet the DPC is not the first European watchdog to endorse Facebook’s central argument about collecting data under contract with users.
In December, an Austrian court backed Facebook’s argument that it had to process data to earn money from advertising in order to fulfill its contract with users to provide them with a “personalized communication platform for free. “- even though the Supreme Court of Austria remanded this case. before the highest appellate court in the EU, highlighting the difficulty of the issues in dispute.
A Dublin-based expert argued that there is a limit to what the regulator can say about Facebook’s terms of service.
“Just as one would like the DPC to be able to make decisions on all aspects of a case, questions inevitably arise that need to be referred to another forum or tribunal,” said Daragh O’Brien, expert in privacy in Castlebridge, a tip.
The spat reflects ongoing disagreements over how far the GDPR should go in regulating data, at a time when US lawmakers are debating whether to adopt federal privacy rules.
For example, the German competition authority attempted to use data protection law to hamper Facebook’s data practices. But that decision has been the subject of a difficult legal setback and now falls under the EU’s highest court, with questions focusing on whether the authority has strayed beyond its purview. powers by invoking the GDPR to enforce competition rules.
Other EU privacy regulators now have one month to comment on Ireland’s decision.
If one relies on other recent cross-border cases, they could demand a much higher fine than the higher sum of 36 million euros proposed by Facebook.
The September fine of 225 million euros for WhatsApp, for example, began as a fine of 50 million euros. Likewise, Luxembourg’s proposal to impose a fine of around 357 million euros on Amazon ultimately led to a record fine of 746 million euros after contributions from other EU regulators.
You want more analyzes of POLITICS? POLITICS Pro is our premium intelligence service for professionals. From financial services to commerce, technology, cybersecurity and more, Pro delivers the real-time insights, in-depth insights and the scoops you need to stay ahead of the curve. E-mail [email protected] to request a free trial.