Ireland’s Data Protection Commission (DPC) has sent a “draft decision” to other European Data Protection Authorities regarding Facebook’s legal trick to bypass the GDPR.

Privacy campaign noyb today published a draft decision by the Irish DPC on a complaint made under the EU’s General Data Protection Regulation (GDPR). 

According to the DPC, Facebook can simply bypass the regulation by choosing to include the agreement on data processing in a “contract”, thus making the GDPR requirements for consent no longer applicable.

“It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a ‘contract’. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions,” explained Max Schrems, founder of noyb. 

In a summary of its findings, the DPC writes: “There is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data. Nor has Facebook purported to rely on consent under the GDPR.”

“I find the Complainant’s case is not made out that the GDPR does not permit the reliance by Facebook on 6(1)(b) GDPR in the context of its offering of Terms of Service,” 

Despite claiming that the “consent bypass” is legal, the DPC still issued a fine of €28m to €36m to Facebook for not being transparent about the legal basis for processing its user data.

The penalty would roughly amount to 0.048% of Facebook’s global revenue, despite the option for penalties of up to 4% in the GDPR.

“Basically the DPC says Facebook can bypass the GDPR, but they must be more transparent about it. With this approach, Facebook can continue to process data unlawfully, add a line to the privacy policy and just pay a small fine, while the DPC can pretend they took some action,” wrote Schrems.