DPC seeking penalty of up to €36m against Facebook

The Data Protection Commission (DPC) has suggested a penalty of between €28 million and €36 million for Facebook in a draft decision made against the company.

Austrian privacy and data rights campaigner Max Schrems’s NYOB organisation, which filed the original complaint against the technology giant, has published the commission’s draft decision online.

The commission, which is headed by Helen Dixon, confirmed it sent out the decision to fellow European data protection agencies and that they have a month to respond to its findings.

The commission has been investigating claims by NYOB that Facebook has “bypassed the GDPR” by changing terms and conditions for users so that it no longer needs consent to process personal data. It is alleged it has done this by relabelling agreements on data use as a “contract”.

Other European data protection authorities have issued guidelines stating that such a bypass of the general data protection regulation (GDPR) is illegal and must be treated as consent. However, the Irish DPC has said it is not persuaded by such views.

Penalty
A penalty of the level outlined in the documents published by NYOB, if levied against the company, would amount to roughly 0.048 per cent of Facebook’s global revenue. The GDPR allows for penalties of up to 4 per cent.

The DPC is Facebook’s lead regulator in the European Union and is therefore charged with investigating suspected breaches of GDPR rules. The draft decision has been sent on to other data protection authorities, which can raise objections to the proposed solution. If this happens, the case will then reach the European Data Protection Board (EDPB) where the Irish DPC’s suggested proposal can be overruled, as it was in a recent case involving WhatsApp.