The Irish Data Protection Commission lobbied to allow social networks to bypass user consent requirements within EU privacy rules, documents obtained by Max Schrems’ privacy campaign group show.
According to the documents obtained by noyb.eu under freedom of information law, the Irish DPC — which regulates the lion’s share of U.S. tech companies under the EU’s General Data Protection Regulation — explicitly pushed for social networks to be able to monitor users’ behavior to target them with ads via a contract, rather than by having to obtain their consent.
However, the DPC’s attempts to include “performance of a contract” as a legal basis in the EU privacy guidelines were rejected by other European regulators, the documents show.
“This reduces the GDPR to a pro forma instrument. As long as you remember to include all kinds of requirements and provisions in a contract … controllers can do as they like and there is no need for consent or a balancing of interests … Is it possible to provide social media accounts without tracking and profiling? Yes, in fact it is,” said one European regulator, who is not named in the document.
Another EU privacy watchdog labelled the DPC’s attempts to legalize companies’ use of contracts to process data for ads, “contrary to everything we believe in.”
A third commented: “This seems to accept monetisation of personal data and circumventing the other legal bases … We think that this interpretation undermines the system and spirit of the GDPR.”
The Irish DPC eventually failed to get its proposals into the final guidelines, which include strict requirements for what data is necessary to fulfill a contract with users. The final guidelines do not say that social networks can use the contract legal basis to serve personalized advertising.
The EU’s network of privacy regulators “has made pretty clear that there is no legitimation circumventing the legal requirements of an informed consent by arguing processing is necessary for the performance of a contract to which the data subject is party,” Johannes Caspar, who led Hamburg’s privacy regulator at the time of the discussions, told POLITICO.
Three data regulator officials confirmed to POLITICO that Ireland’s view in the discussion on the guidelines was not shared by the majority of other regulators.
According to figures provided by the European Data Protection Board (EDPB), only one regulator voted against the final guidelines. The lone dissenting regulator was Ireland, according to one official. Another two said it was likely to be Ireland based on their recollection of the discussions.
The evidence of Ireland’s lobbying comes after the Dublin-based regulator proposed fining Facebook up to €36 million for transparency failures following its investigation into a complaint filed by Schrems in May 2018 accusing the social network of relying on “forced consent” to process data.
According to the draft decision, the Irish regulator said Facebook could in principle use the performance of a contract legal basis to provide users with a personalized ad-funded platform.
But, it added, assessing whether the contract was fair was beyond its legal remit.
At the time, one data regulator official said that Ireland’s ruling would entail “the end of data protection as we know it” and that the idea that people sign up to Facebook to receive personalized advertising is “absurd.”
“Not so much part of the offering as something that is unilaterally imposed on users against the wishes of the majority of them. There is no indication that the legislator wanted to legitimize this,” they said.
The revelations that the Irish regulator lobbied for a looser interpretation of EU privacy rules after receiving a complaint against Facebook will raise fresh questions around the relationship between the watchdog and the social media firm.
“The documents show a clear plan: First the Irish regulator agreed on a GDPR bypass with Facebook. Then it tries to squeeze this bypass into European guidelines, in the interest of a U.S. multinational. The DPC clearly did not act in the interest of data protection, but in the interest of U.S. multinationals. Usually it is Facebook lobbyists that try to influence guidelines, here the Irish regulator has turned into a lobbyist,” said Schrems in a statement.
Facebook switched from relying on user consent to handle data to the contract legal basis just before the GDPR went into force in May 2018. The company has previously said that it made this update to its terms following 10 meetings with the Irish DPC.
A spokesperson for the Irish DPC said “there is absolutely nothing unusual” about to and fro between regulators when developing guidelines.
“To suggest that there is any issue with how this process worked then, or now, demonstrates a lacking of basic understanding of the workings of the EDPB, and how, through an iterative process, divergent views relating to complex issues of principle are typically reconciled through dialogue, and through respectful and mature engagement,” the spokesperson said. “Such was the case in relation to the development of the EDPB’s guidelines [on performance of a contract].”
They also noted that the Court of Justice of the European Union is separately reviewing a case where an Austrian court also ruled that Facebook was entitled to use the “performance of a contract” legal basis.
The outcome of both these cases “will also necessarily impact on the EDPB’s guidelines on the same topic,” the spokesperson said.
Facebook did not reply to a request for comment.
This article has been updated with a response from a spokesperson for the Irish DPC.
This article is part of POLITICO Pro’s premium coverage of Cybersecurity and Data Protection.