Fb Ought to Make clear Phrases of Service, Irish Privateness Regulator Says
A draft decision from the Irish data protection authority would require Facebook Inc.
However, changing the way it informs users about its data processing ignores complaints that the social media giant needs to get direct consent for its activities.
Should the decision be finally made, Facebook could also face a fine of between 28 and 36 million euros (equivalent to 32.4 to 41.7 million US dollars) for a lack of transparency towards users. The case goes back to a complaint from the Austrian data protection attorney Max Schrems in 2018, whose non-profit organization NOYB published the draft decision on Wednesday. The Irish Data Protection Commission has not published the decision.
A spokesman for the Irish regulator declined to comment because the investigation was still open and said the office passed the document on to regulators in the other 26 countries in the European Union last week. These regulators have a month to respond and raise objections. The Irish Data Protection Commission will then make a final decision and other European regulators may still object at this point.
A Facebook spokesman did not respond to a request for comment.
Subscribe to Newsletter
WSJ Pro cybersecurity
Cybersecurity news, analytics, and insights from the WSJ’s global team of reporters and editors.
The 2018 complaint, filed under the European Union’s General Data Protection Regulation, argued that Facebook did not seek user consent for its data practices, such as as a contract. Privacy advocates argue that companies must not hide important information about how data is handled in documents that many consumers do not read carefully.
The GDPR requires companies to demonstrate that they are legally entitled to process data, either by obtaining consent from individuals or by meeting other criteria, e.g. The European Data Protection Board, the umbrella group of EU data protection authorities, said in 2019 that companies generally cannot rely on contracts to process personal data for targeted advertisements.
“The question is how far you can expand that, how many more things can be added to a contract that the average user does not consider to be part of the social network,” said Schrems in an interview.
Helen Dixon is the Data Protection Officer for Ireland
Sean and Yvette for The Washington Post / Getty Images
The Irish regulator disagreed with Mr Schrems’ argument that Facebook does not need user data to perform its contract. “The counter-argument is that such advertising, which is the core of Facebook’s business model and the core of the agreement reached by Facebook users and Facebook, is necessary to fulfill the specific contract between Facebook and the complainant,” wrote the regulator.
Need is “a high hurdle in European law,” said Frederik Borgesius, professor of information and communication technology and private law at Radboud University in the Netherlands. The use of a contract as the basis for the processing of personal data for targeted advertisements is “implausible” within the meaning of the GDPR, he said.
The Irish regulator proposed asking Facebook to make its terms more transparent within three months. The company said it would take more time to make these changes, according to the draft decision.
Last year, European regulators disagreed with their Irish counterpart’s findings on two other high profile cases involving Facebook’s WhatsApp chat service in September and social networking site Twitter Inc. in December 2020, dispute settlement procedures to resolve the disagreements to end and extend the cases for several months.
Under the GDPR data protection laws passed in 2018, the Irish regulator is responsible for overseeing the data practices of many large multinational companies on behalf of all residents of the 27-country union as their EU headquarters are in Ireland. This process has upset other European regulators who have pushed for higher fines in the WhatsApp and Twitter cases.
Regulators from other European countries are also likely to oppose elements of Facebook’s decision as it is about a large company and the fundamental question of how people consent to their data being processed, said David Martin Ruiz, senior legal officer at the European Consumer Organization, a Brussels-based consumer rights group.
“It would be very problematic and dangerous to deprive people of the opportunity to give their consent, for example to be followed and profiled for targeted advertising,” said Martin Ruiz.
The Irish regulator’s decision, when complete, could encourage other companies to hide details about their data practices rather than seeking consumer consent, said Estelle Massé, global data protection director for Access Now data protection group. “There is a real risk of ditching Facebook and possibly other companies that might say, ‘Well, if I just have to say that in my Terms of Service, it’s fine,'” she said.
Write to Catherine Stupp at [email protected]
Copyright © 2021 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8