A Contextual Analysis of the Data Protection Commission’s Decision Against Facebook Ir. Ltd
In this article I will synopsise the recent decision of the DPC against Facebook Ireland regarding infringements of GDPR in the matter of data processing.[1] I will analyse the DPC’s decision alongside explanations of the relevant GDPR articles for coherency. Finally, I will address the legal implications of the DPC’s finding that Facebook may bypass consent regarding data processing by agreement of contract.
The DPC began their inquiry into Facebook Ireland in August 2018, to assess whether Facebook had complied with EU obligations under recent GDPR regulation 2016/679.[2] This regulation concerns data protection and privacy within the EU and EEA and is a pillar of EU privacy and human rights law.
The inquiry focused on the specific contract between a user of Facebook (i.e., the data subject) and Facebook Ir. Ltd (the data controller in this instance), upon acceptance of the social network’s “Terms of Service”. Directive 95/46/EC (see also Art.94),[3] GDPR contains a fundamental requirement for data controllers to have a legal basis for the processing of personal data. These legal bases include the consent of the data subject, necessity for the purposes of the performance of a contract with the data subject and processing necessary for the purposes of legitimate interests of the data holder.
Essentially, under GDPR, data controllers are required to provide data subjects with detailed information whenever personal data is obtained - this information must be specific with regards to the purposes of the data processing and the legal basis for said processing. Transparency and communication with data subjects are pivotal to GDPR.
In the case at hand, the complainant, Ms. L.B, brought her case to the Austrian Data Protection Authority. She alleged that Facebook sought ‘forced consent’ by offering users a ‘binary choice’ of acceptance of the updated terms of service regarding data protection, or the option of deleting their Facebook account. She further alleged that it remains unclear as to which specific legal basis is being relied upon by Facebook for the processing of the personal data. This uncertainty is due to the fact that Facebook never specified which legal basis they are relying upon under Directive 95/46/EC, instead, merely listing the six legal bases for data processing under Article 6 GDPR in their privacy policy.[4] Article 6 pertains to the lawfulness of data processing, with 6.1 outlining the relevant legal bases.
In the interest of brevity, I will follow the structure used by Helen Dixon, Commissioner of the DPC in the draft decision. It is her view that the central issue is whether the processing of personal data was lawful and whether the information provided reaches the required transparency level. The issues considered by the draft decision are as follows:
Issue 1 – Whether a user clicking the ‘accept’ button, in the context of the updated terms of service creates consent under GDPR;
Issue 2 – Whether Article 6.1(b), processing as a necessity for performance of contract, may be relied upon as a legal basis for data processing;
Issue 3 – Whether Facebook provided the relevant information regarding processing under Article 6.1(b) and whether the information was sufficiently transparent.
Issue 1
The question to be considered here is whether a reasonable user would believe that they were consenting to the processing of personal data under Article 6, as opposed to signing up to a contract with Facebook. Facebook have argued that the act of clicking the ‘accept’ button should not be considered consent. Article 4.11 GDPR offers a definition of consent and specifically states that it may be given either by statement or ‘clear affirmative action’.[5]
It is the complainant’s contention that certain circumstances exist wherein consent as a legal basis is the only accurate ground for data processing and therefore is always relevant, even if the data controller does not meet the definition of consent under Article 4.11. Facebook rebutted this claim, stating that an agreement to enter into a contract is entirely separate from consent to data processing. Whilst it is true that not all data processing must abide by the requirements set by Article 4.11, and that consent is only one of six legal bases that a data controller may rely on, in this particular set of facts there is ample grey area for misinterpretation, as Facebook have not specified which legal basis they were relying upon. According to Dixon’s analysis, it would seem that Facebook have recently shifted from a reliance on consent to another legal basis – reliance on necessity for the performance of a contract.
The draft decision makes the distinction between agreeing to a contract, which may involve the processing of personal data, and providing one’s consent to personal data processing under GDPR. As noted by the European Data Protection Board, these are two contrasting concepts, with their own respective requirements and legal consequences. The draft decision further highlights that the six legal bases of data processing all hold the same weight, in that none are given preferential specification under GDPR. It is relevant to consider Art 29 Working Party,[6] which clearly states that one basis has ‘normative priority’ over the rest – the DPC is not bound by this article, but it has persuasive power, nonetheless.
The DPC concluded its analysis of Issue 1, stating that Facebook hadn’t sought to rely upon consent for the processing of personal data, nor did they purport to do so. Further, they were not legally obliged to rely upon consent. Facebook, of its own volition, admits that this falls short of the GDPR definition of consent regarding the processing of personal data under their Terms of Service.
Issue 2
This issue concerns whether in theory, Facebook can rely upon Article 6.1(b) GDPR for data processing under a contract, with reference to behavioural advertising. As stated earlier, Article 6.1 pertains to lawful processing of data – subsection B concerns processing in the context of contractual necessity. Article 29 of Opinion 06/2014 provides some guidance for circumstances in which the legal basis in question is contractual necessity. Essentially, the article states that this legal basis must be interpreted strictly, and not used as a ‘catch all’ excuse for any data processing carried out within the contract. In particular, the complainant takes issue with Facebook’s use of personalised advertisements, alleging that this should not fall under contractual necessity. This argument is premised on the idea that one should be able to identify the ‘core function’ of a contract when viewing it as a whole, with both parties’ intentions.
The complainant seeks to draw a distinction between ‘implicit consent’, such as an agreement which is obvious in a contract of services, and ‘compulsory consent’ which is dependent upon acceptance of the contract. Thus, the DPC’s assessment concerns the data processing performed by Facebook following the acceptance of the contract, and whether it is necessary to the contract’s core functions.
The complainant’s argument follows a narrow interpretation of Article 6.1(b) which is purpose-based. Facebook alternatively argue that a broader interpretation of the article should be applied, one which follows that data processing required to deliver a contract shall be lawful, irrespective of whether the processing is crucial or even the most minimal, to deliver the service.
The case at hand poses a certain difficulty when attempting to assess the contractual necessity in a vacuum, given that there is a lack of harmonisation of contract law at an EU level. Moreover, the DPC lacks the authority to determine the general validity of the contract. Instead, they are restricted to interpreting and applying the relevant GDPR only.
The DPC referenced the 2008 German case of Heinz Huber,[7] which states that mere processing at a level higher than the absolute minimal shall satisfy the necessity test if the processing is carrying out a lawful objective of the contract in an efficient manner. The DPC found that Facebook is not precluded from relying upon Article 6.1(b) as a basis for data processing and included the legitimising of behavioural advertising. Therefore, in theory, Facebook may rely upon Article 6.1(b) for the purposes of legitimising its Terms of Service.
Issue 3
The 3rd issue is whether Facebook provided the requisite information on the legal basis for data processing under Article 6.1(b) and with the required transparency.
Article 5 GDPR concerns the lawful processing of personal data and places particular importance on fairness and transparency.[8] There are a number of provisions and articles within GDPR which provide guidelines on the transparency of information and underline its importance, such as Recital 58 which emphasises that information communicated to the data subject should be clear and concise, easily accessible and in plain language.[9]
The complainant argues that the format of Facebook’s Terms of Service, the data policy, which is accessible via hyperlink, in combination with the method of acceptance into the contract (the ‘accept’ button), taken altogether encouraged a belief that the data processing was on foot of the legal basis of consent. This is contrary to Article 13.1(c) which requires that the information provided specifies the legal basis for the processing and shall explain the processing which will occur under said legal basis.[10] Transparency is an overarching principle of GDPR and is directly connected to the principle of accountability.
Facebook alleged that it would not be possible to provide clear linkage between the specific categories of data, the purposes of the relevant processing operations and the legal basis upon which these operations were taking place in a concise manner, and thus would hinder the principles of GDPR by making the information inaccessible to the data subject. Dixon did not accept this argument, stating that on the contrary, Facebook offers a surplus of information in this area which could be diluted and condensed down, given the example of the use of informative tables, which would provide clear links between the data processing and the relevant legal basis, and combat information fatigue. Dixon further argues that many of the terms used by Facebook across the relevant legal documents are repetitive and generalised and are lacking in transparency or any profound explanation for the data subject. Following this analysis, the DPC found that Facebook did infringe upon Articles 5.1(a), 12.1,[11] and 13.1(c); however, the Commission highlighted that an infringement of Article 5.1 does not automatically trigger an infringement of the later articles. In this instance, Facebook did in fact infringe upon all the articles previously stated.
The End Results
Article 58.2 outlines the corrective powers of the supervisory authorities under GDPR.[12] Under this article the DPC recommended the imposition of corrective measures against Facebook to bring their data processing operations into compliance with the relevant GDPR articles. The DPC considered the massive scale of Facebook’s network, including the financial, technological and manpower resources at their disposal, when they confirmed the 3-month deadline for the finalisation of these corrective measures.
Article 58.2 grants the DPC power to impose fines in addition to corrective measures, which must be effective, dissuasive, and proportionate to the infringement. The DPC found that the committed infringements were negligent in character and acknowledged that although Facebook had cooperated completely with the DPC during the investigation, they are legally required to do so. Therefore, their cooperation did little to dissuade the incurring fine. The DPC also considered the number of data subjects impacted by the infringement when assessing the appropriate fine, referring to Eurostat, which stated that 50% of the EEA appeared to have been affected.[13]
After analysis of the relevant criteria, the DPC made the decision to administer a fine of no less than €28 million and not more than €36 million. It is worth noting that the DPC has the power to issue fines up to 4% of revenue; the current fine only amounts to approximately 0.048% of Facebook Inc.’s reported revenue at the end of 2020.[14]
While still in the early stages, the knock-on effects of this case could result in restrictions or potential bans on EU to US data transfers and a structural change within contract law at a European level. By conceding that individual data processing may be carried out on foot of contractual necessity, the DPC have allowed Facebook to bypass consent by means of contractual agreement, which is an unfamiliar concept under GDPR as we know it. Furthermore, it is worth noting the complainant’s dissatisfaction with the DPC’s investigation – she alleged that Facebook had ‘cut a deal’ with the DPC, describing the Commission’s conclusions as “a cheap trick” and “(at best) too lazy”. The Commission claimed these comments lacked foundation.
It is likely this case will follow the same route as the recent ground-breaking decisions involving the DPC and WhatsApp Ireland and will be referred on to the European Data Protection Board.[15]
[1] Data Protection Commission [6 October 2021] Case Reference: IN-18-5-5
[2] Council Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data [2016] OJ L 119, 4.5.2016
[3] Directive 95/46 [EC] OJ L 281
[4] Article 6 GDPR on Lawfulness of Processing
[5] Article 4 GDPR Definitions
[6] Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, as last revised and adopted on 11 April 2018
[7] Case C‑524/06, Heinz Huber v Bundesrepublik Deutschland, 18 December 2008
[8] Article 5 GDPR Principles Relating to Processing of Personal Data
[9] Recital 58 GDPR The principle of transparency
[10] Article 13 GDPR Information to be provided where personal data are collected from the data subject
[11] Article 12 GDPR Transparent information, communication and modalities for the exercise of the rights of the data subject
[12] Article 58.2 GDPR Powers
[13] https://ec.europa.eu/eurostat/tgm/table.do?tab=table&init=1&language=en&pcode=tps00001&plugin=1
[14] Data Protection Commission [6 October 2021] Case Reference: IN-18-5-5 [10.41]
[15] Laoise Kelly, ‘GDPR - WhatsApp Faces Record Fine’ (2021) NUIG Law Review https://www.lawreview.nuigalway.ie/commercial-awareness/gdpr-whatsapp-faces-record-fine accessed 25 January 2022