Has Facebook Sidestepped GDPR's User Consent Requirements?

The Irish data protection commissioner (DPC) has produced a draft decision stating Facebook need not rely on user consent to process EU user data. Consent is a cornerstone of GDPR, but Facebook has effectively sidestepped the need for GDPR-relevant user consent.

This is achieved by simply adding data processing specifications into its general terms and conditions and effectively changing acceptance into a contract. The argument is that since there is now a contract between Facebook and the user, the usual understanding of consent is neither required from, nor can be revoked by, the user.

At the very moment that GDPR came into force at midnight on May 25, 2018, Facebook changed its terms and conditions statement into a ‘Terms of Service’ statement. By continuing to use Facebook, the user agreed to those terms as a contract. Included within the Terms is the statement:

For all people who have legal capacity to enter into an enforceable contract, we process data as necessary to perform our contracts with you (the Facebook Terms and Instagram Terms, together, 'the Terms'). We describe the contractual services for which this data processing is necessary in the “Our Services” section of the Terms, and in the additional informational resources accessible from the Terms. The core data uses necessary to provide our contractual services are…

Then follows a bullet-point list of what the contract allows, including, “To transfer, transmit, store, or process your data outside the EEA, including to within the United States and other countries.”

In short, the Irish data protection authority is confirming that Facebook is bound by neither GDPR’s definition of user consent, nor ‒ potentially ‒ the European Court’s Schrems II ruling. Schrems II effectively makes the transfer of European PII to the U.S. illegal under the Privacy Shield, and also raises questions on the validity of standard contractual clauses. 

The basis of the Schrems II ruling is that data can only be transferred to a location that provides a degree of privacy protection comparable to that enforced in the EU, and this does not include the U.S. (because of the access to that data provided by FISA Section 702). FISA allows the U.S. government to conduct targeted surveillance of foreign nationals, and to compel holders of data to hand it to the government. This is not considered acceptable by the European Courts for European PII.

GDPR Enforcement

Schrems II is named after Max Schrems, an Austrian-born privacy activist in the EU, and founder of NOYB (none of your business). It was his activity that led the European Court to declare the earlier Safe Harbor agreement (allowing personal data transfer between the EU and U.S.) to be unconstitutional and therefore null and void. The Safe Harbor agreement was replaced by a new agreement called Privacy Shield – but Schrems again challenged this as not safeguarding the requirements of GDPR. The European Court agreed, and its consequent ruling, known as Schrems II, rules against the validity of Privacy Shield.

The new draft decision from the Irish DPC effectively means that Facebook can ignore the GDPR’s user consent requirements, while it weakens the Schrems II ruling. Schrems II is clear, but it is not yet enforced in the EU. 

Facebook uses ‘standard contractual clauses approved by the European Commission’ to legalize its data transfers. Schrems II says contractual clauses may be legal, but raises concerns ‒ and these clauses will be challenged in court. While the delay in enforcing Schrems II is partly down to the various national authorities waiting on the outcome of current court cases, there is little doubt that international politics is also at play. 

If Facebook’s contract can bypass user consent requirements, there is an implication that it might also bypass data transfer requirements. The EU national governments need a way to allow data transfer between the EU and U.S., and government lawyers will be examining the DPC draft decision to see if this is, or is at least partly, something that could indicate a solution.

Schrems is disappointed. He published a copy of the DPC’s draft decision (PDF) on the NOYB website, along with his own blog commentary that describes it as “Facebook's legal trick to bypass the GDPR.” He comments, "It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a 'contract'. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions."

(It is worth noting that the Irish DPC has written to NOYB demanding that the draft decision document be removed from the NOYB website: “In the circumstances, we require you to remove the draft decision from your website forthwith, and to desist from any further or other publication or disclosure of same whilst the CSAs co-decision-making process remains ongoing.” (PDF). At the time of writing, NOYB is resisting this demand.)

The problem is that the Irish regulator has delivered a verdict based on its reading of the letter of the law. It is almost unanimously considered to be contrary to the spirit of the law. However, Schrems believes that he still has the law on his side, describing Facebook’s process as akin to lipstick on a pig.

"It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law,” he says. “Since Roman times, the Courts have not accepted such 'relabeling' of agreements. You can't bypass drug laws by simply writing 'white powder' on a bill, when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick."

He is particularly scathing about the Irish regulator, saying that other European authorities have issued guidelines that such a ‘bypass’ of the GDPR is illegal and must be treated as consent. The Irish regulator was not persuaded by these guidelines – and Schrems suggests that Ireland is simply conforming to a secret agreement it reached with Facebook prior to GDPR becoming effective.

"The DPC developed the 'GDPR bypass' with Facebook, that it is now greenlighting as a regulator. Instead of a regulator, it acts as a ‘big tech’ advisor,” he said.

Schrems hopes that this draft decision by the DPC will ultimately be overturned by the European Data Protection Board (EDPB). "Our hope lies with the other European authorities,” he said. “If they do not take action, companies can simply move consent into terms and thereby bypass the GDPR for good." 

But the fact remains that there is now a political dilemma. This decision may potentially solve the problem of the Schrems II ruling, but flies in the face of the user consent cornerstone of GDPR. The former is likely to be welcomed, while the latter will likely prove unacceptable.

Adding what might be considered insult to injury, the DPC noted that while Facebook’s action might be legal, it acted illegally in not making the process sufficiently clear to Facebook’s users. It has slapped Facebook’s wrist by proposing a GDPR fine for lack of transparency of between €28 million and €36 million. This is roughly equivalent to 0.048% of Facebook’s global revenue.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.