A new report by the Irish Data Protection Commissioner suggests that Facebook should clarify its terms of service and how it handles personal data. The report comes on the heels of a European Union investigation into how Facebook handles user data, which found that the company’s practices were “incompatible” with EU law.
A draft decision from Ireland’s privacy regulator would force Facebook Inc. to alter how it notifies users about its data processing, but it would ignore concerns that the social media giant should seek direct permission for its operations.
If the judgment is upheld, Facebook may be fined between €28 million and €36 million (about $32.4 million and $41.7 million) for failing to be open with its users. The issue originates from a complaint made by Austrian privacy lawyer Max Schrems in 2018, and the draft judgment was released on Wednesday by his nonprofit group NOYB. The judgment of the Irish Data Protection Commission has not been made public.
Because the inquiry is still ongoing, an Irish regulator spokesperson refused to comment, but said the paper was shared with authorities from the other 26 European Union nations last week. These regulators have one month to react and may object if they want. The Irish Data Protection Commission will then make a final judgment, at which point other European watchdogs may still protest.
A representative for Facebook did not reply to a request for comment.
The complaint, filed under the General Data Protection Regulation of the European Union in 2018, claimed that Facebook did not obtain consent from users for data practices such as using personal information to show targeted ads, instead forcing them to accept the platform’s terms and conditions as a contract. Companies should not be allowed to conceal critical information about how they manage data in documents that many customers do not read attentively, according to privacy experts.
The GDPR requires businesses to demonstrate that they are legally permitted to handle data by getting permission from people or meeting other requirements, such as utilizing the data to fulfill a contract. Companies can’t depend on contracts to handle personal data for targeted advertising, according to the European Data Protection Board, an umbrella body of EU privacy authorities.
Mr. Schrems said, “The issue is how far can you extend it, how much can you add more elements to a contract that the typical user doesn’t believe is part of the social network.”
Helen Dixon is Ireland’s data protection commissioner.
Mr. Schrems’ claim that Facebook didn’t require user data to complete its contract was rejected by the Irish regulator. “The counter-argument is that such advertising is essential to fulfill the particular contract between Facebook and the Complainant since it is at the heart of Facebook’s business model and the essence of the bargain made between Facebook users and Facebook,” the regulator said.
According to Frederik Borgesius, a professor of information and communications technology and private law at Radboud University in the Netherlands, necessity is “a high barrier under European law.” According to him, using a contract to handle personal data for targeted advertising is “implausible” under the GDPR.
The Irish regulator recommended forcing Facebook to make its rules clearer within three months. According to the draft judgment, the business said that it would need additional time to implement such modifications.
In two previous high-profile cases, involving Facebook’s messaging service WhatsApp in September and social-networking site Twitter Inc. in December 2020, European authorities disagreed with conclusions from their Irish counterparts. The Irish office used a dispute-resolution procedure in both cases to resolve the issues, which delayed the cases by many months.
Because many major multinationals’ EU corporate headquarters are in Ireland, the Irish regulator is responsible for monitoring their data practices on behalf of all citizens of the 27-country union under the GDPR privacy rules passed in 2018. Other European authorities were irritated by the procedure, and advocated for heavier penalties in the WhatsApp and Twitter cases.
Because it is about a large company and the fundamental issue of how people give consent to have their information processed, regulators from other European countries are likely to object to parts of the Facebook decision, said David Martin Ruiz, senior legal officer at the European Consumer Organisation, a Brussels-based consumer rights group.
“Taking away people’s ability to provide permission for things like being monitored and profiled for targeted advertising would be very troublesome and dangerous,” Mr. Martin Ruiz said.
If the Irish regulator’s judgment is confirmed, Estelle Massé, global data protection head at privacy advocacy organization Access Now, believes it will encourage other businesses to conceal information about their data methods rather than seeking customers’ permission. “There’s a real risk of letting Facebook off the hook, as well as other businesses that may say, ‘Well, if I only have to state this in my terms of service, it’s fine,’” she added.
Catherine Stupp can be reached at [email protected]
Copyright 2021 Dow Jones & Company, Inc. All Rights Reserved.