
Draft GDPR Fine Against Facebook Criticised for Leniency

Michael Behr


The Irish DPC issued a fine against Facebook for concealing how it gathers user data.

A potential $42-million fine against Facebook proposed by Ireland’s GDPR regulator has been attacked by privacy campaigners.

The move has been criticised for being too lenient, but also for setting a precedent that could be used to bypass GDPR.

The fine has been levelled against the social media company over accusations that Facebook violated GDPR by failing to notify customers how it processed their data. The Irish Data Protection Commission (DPC) recommended fining the company between $32m and $42m.

The draft decision on the case was published by privacy advocacy group noyb, which is headed by campaigner Max Schrems. He was responsible for filing the original complaint against Facebook.

The complaint focused on how Facebook uses a data transfer tool known as Standard Contractual Clauses (SCCs), a mechanism that allows for data transfers between the EU and the US. Schrems claims that the transfers of personal data violated GDPR.

However, the proposed fine has been criticised for being too small, especially given Facebook’s billion-dollar earnings. In addition, campaigners said that Facebook is making legal arguments that would see it get out of other fines.

According to noyb, Facebook is trying to use a clause in its user agreement to evade its responsibilities under GDPR. In effect, it claims that its users are entering into a ‘contract’ with Facebook that allows it to serve them targeted ads and track their online activity.

This, noyb warns, means that Facebook could evade its responsibilities under GDPR. The group added that Facebook switched from using ‘consent’ to ‘contract’ at midnight on May 25th, 2018 – the day GDPR came into force.


“It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabelling the agreement on data use as a ‘contract’,” Schrems said.

“If this would be accepted, any company could just write the processing of data into a contract and thereby legitimise any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions.”

They noted that the fine is not based on Facebook’s use of the consent bypass, but on failing to make it clear to its users.

“Basically, the DPC says Facebook can bypass the GDPR, but they must be more transparent about it,” Schrems continued.

“With this approach, Facebook can continue to process data unlawfully, add a line to the privacy policy and just pay a small fine, while the DPC can pretend they took some action.”


Michael Behr

Senior Staff Writer
