A draft ruling from Ireland’s privacy regulator would require
<a href="https://www.wsj.com/market-data/quotes/FB">Facebook</a><span class="company-name-type"> Inc.</span> to change how it informs users about its data processing but disregards complaints that the social-media giant needs to obtain direct consent for its activities.
If the decision is finalized, Facebook would also face a fine of between €28 million and €36 million (equivalent to $32.4 million to $41.7 million) for failing to be transparent with users. The case stems from a 2018 complaint filed by Austrian privacy lawyer Max Schrems, whose nonprofit organization NOYB published the draft decision on Wednesday. The Irish Data Protection Commission hasn’t made the decision public.
A Facebook spokesman didn’t respond to a request for comment.
The 2018 complaint, made under the European Union’s General Data Protection Regulation, argued that Facebook didn’t obtain consent from users about its data practices, such as using personal information to show targeted ads, and instead required them to accept the platform’s terms and conditions as a contract. Privacy advocates argue that companies shouldn’t be able to hide important information about how they handle data in those documents that many consumers don’t carefully read.
The GDPR requires companies to prove they are legally allowed to process data by either obtaining consent from individuals or fulfilling other criteria such as using the data because it is necessary to perform a contract. The European Data Protection Board, the umbrella group of EU privacy regulators, in 2019 said companies generally can’t rely on contracts to process personal data for targeted ads.
“The question is how much can you stretch that, how much can you add more things to a contract that the average user doesn’t think to be part of the social network,” Mr. Schrems said.
The Irish regulator disagreed with Mr. Schrems’s argument that Facebook didn’t need user data to fulfill its contract. “The counter-argument is that such advertising, being the core of Facebook’s business model and the core of the bargain being struck by Facebook users and Facebook, is necessary to perform the specific contract between Facebook and the Complainant,” the regulator wrote.
Necessity is “a high hurdle in European law,” said Frederik Borgesius, a professor of information and communications technology and private law at Radboud University in the Netherlands. Using a contract as the basis to process personal data for targeted ads is “implausible” under the GDPR, he said.
The Irish regulator proposed requiring Facebook to make its terms more transparent within three months. The company said it would need more time to make those changes, according to the draft decision.
Over the past year, European regulators have disagreed with findings from their Irish counterpart in two other high-profile cases involving Facebook’s chat service WhatsApp in September and social-networking site Twitter Inc. in December 2020. In both cases, the Irish office used a dispute-resolution process to end the disagreements, extending the cases by several months.
Under the GDPR privacy laws issued in 2018, the Irish regulator is responsible for overseeing many large multinationals’ data practices on behalf of all residents of the 27-country union because their EU corporate headquarters are in Ireland. That process has rankled other European regulators, which pushed for higher fines in the WhatsApp and Twitter cases.
Regulators from other European countries will likely object to elements of the Facebook decision, too, because it is about a large company and the fundamental issue of how people give consent to have their information processed, said David Martin Ruiz, senior legal officer at the European Consumer Organisation, a Brussels-based consumer rights group.
“It would be very problematic and dangerous to take away the possibility from people to give consent for something like being tracked and profiled for targeted advertising,” Mr. Martin Ruiz said.
The Irish regulator’s decision, if it is finalized, could encourage other companies to hide details about their data practices instead of obtaining consumers’ consent, said Estelle Massé, global data protection lead at privacy advocacy group Access Now. “There’s really the danger of letting Facebook off the hook, and potentially other companies who may say, ‘Well, if I only have to say this in my terms of services, it’s fine,’” she said.
Write to Catherine Stupp at [email protected]
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8