Looks Like Facebook Found a Way to Bypass Europe’s Privacy Rules

Want the best of VICE News straight to your inbox? Sign up here.

When Europe introduced its General Data Protection Regulation (GDPR) privacy laws in 2018, they were held up across the globe as the gold standard for protecting consumers’ data, and a way to finally bring tech companies like Facebook to heel.

But a draft ruling by Ireland’s Data Protection Commission (DPC), published on Wednesday, paves the way for Facebook to completely bypass the GDPR regulations and continue to collect and use its users’ data without their explicit consent.

The draft decision, which has been sent to the data regulators in all other EU countries for comment, says the commission agrees with Facebook’s argument that it doesn’t need to ask users for specific consent to target them with ads, because they’ve already signed a contract with the company when they agreed to Facebook’s lengthy and convoluted terms and conditions.

The decision, if ratified, could upend the protections provided by GDPR.

“Basically the DPC says Facebook can bypass the GDPR, but they must be more transparent about it,” Max Schrems, a privacy activist who initially filed a complaint against Facebook in 2018, said in a statement on Wednesday. “With this approach, Facebook can continue to process data unlawfully, add a line to the privacy policy and just pay a small fine, while the DPC can pretend they took some action.”

The small fine Schrems refers to is a suggested one of up to $36 million that the Irish regulator wants to impose for Facebook’s lack of transparency in how the company informed users about the change in its policy regarding user data.

Based on Facebook’s own second-quarter earnings, it would take the company less than three hours’ revenue to pay that fine.

The draft decision is in response to a case Schrems and his “noyb” activist group brought against Facebook on May 25, 2018—the same day that GDPR went into effect. (The group’s official name is the European Center for Digital Rights, but it’s known simply as “noyb,” which stands for “none of your business.”)

At midnight on that day, Facebook incorporated an agreement on data processing into its terms of service, making the GDPR requirements for “consent” not apply anymore. 

Under GDPR, EU citizens are meant to have a wide range of protections, one of which is that any company collecting people’s data is required to explicitly obtain their consent. There are also strict rules about how data can be collected, stored, and used, such as in online ad targeting. GDPR also gives people in the EU the ability to withdraw their consent at any time.

“It is neither innovative nor smart to claim that an agreement is something that it is not to bypass the law,” Schrems said. “Since Roman times, the Courts have not accepted such ‘relabeling’ of agreements. You can't bypass drug laws by simply writing ‘white powder’ on a [receipt] when you clearly sell cocaine. Only the Irish DPC seems to fall for this trick.”

Among privacy advocates and legal experts, the reaction to the published draft decision echoed Schrems’ comments. “DPC Ireland is a joke,” Peter Hense, a litigation lawyer specializing in data, tech, competition, and AI tweeted.

Jason Kint, CEO of Digital Content Next, a nonprofit trade association for the digital content industry, said that if the decision is ratified, it will result in “Facebook getting consent for surveillance capitalism by listing it in its user terms.” He added that it was “conclusive evidence that the Ireland DPC works for Facebook rather than the public.”

GDPR came about as a direct result of the revelations made by former CIA contractor Edward Snowden. European lawmakers resisted unprecedented levels of lobbying from Big Tech eager to water down the regulations, and produced a piece of legislation that gave people in the EU control over how their data was collected, stored, and used.

But the draft decision by the Irish regulators threatens to tear that all down.

“If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent,” Schrems said. “This is absolutely against the intentions of the GDPR, that explicitly prohibits [hiding] consent agreements in terms and conditions.”

The responsibility for making this decision falls to the Irish regulator because, under GDPR rules, the national regulator in the country where a company has its EU headquarters takes the lead in these cases.

Because Ireland is home to a massive number of the world’s biggest tech companies—due in part to Ireland’s low corporate tax rate—the Irish DPC has become a bottleneck for complaints in the region.

According to the Irish Council for Civil Liberties (ICCL), the Irish regulator is currently responsible for 164 cross-border GDPR cases. Of those cases, the commissioner has produced draft decisions in only five cases over the three years since the GDPR came into effect.

“Some 98 percent of the cross-border cases for which Ireland is responsible remain unresolved. No GDPR enforcer in any other EU member state can intervene because Ireland is the lead authority. Ireland is the bottleneck of GDPR enforcement against Google, Facebook, and big tech for all of Europe,” wrote Johnny Ryan, a senior fellow at the ICCL last month.

But it’s not just the volume of cases the DPC is dealing with that has raised concerns. Schrems says that the regulator has withheld documents, ignored submissions from Facebook users, and refused an oral hearing in this case.

He also accuses the commissioner of working with Facebook to facilitate this “bypass.”

“The DPC developed the 'GDPR bypass' with Facebook, that it is now greenlighting as a regulator. Instead of a regulator, it acts as a ‘big tech’ advisor,” Schrems wrote.

Facebook and the Irish Data Protection Commissioner declined to comment, citing the fact the case is ongoing.