New Draft Decision's Potential Impact on GDPR's Strict Consent Rules
The Irish Data Protection Commissioner's new draft decision has received significant attention. The decision relates to the legal basis of processing under the GDPR and it is criticised by many for giving entities a by-pass from GDPR's strict rules. In this article, Wikborg Rein looks into the draft decision and evaluates what it might mean for the application of the GDPR in the future.
Arecent draft decision of the Irish Data Protection Commissioner received significant attention both from experts and businesses, as it might bring changes to the operations of many entities across Europe.
The draft decision relates to a complaint that Facebook incorporated its Data Policy into its Terms of Service and, thereby, failed to comply with its obligations relating to consent under the General Data Protection Regulation ("GDPR"). The complainant is represented by the well-known non-profit organization NOYB - European Centre for Digital Rights.
By way of background, Facebook updated its Terms of Service in April 2018 to comply with the obligations arising from the GDPR. To continue to access the Facebook platform, all users were required to accept the updated Terms of Service. Existing users who were not willing to accept the new terms were advised to delete their Facebook account.
Against this background, the complainant claimed that (i) Facebook relied or had to rely on consent as a legal basis to process personal data and (ii) consent was not duly obtained by the users. Facebook, on the other hand, argued that it is not relying on consent as the lawful basis for the processing subject to the complaint.
The Irish Data Protection Commissioner concluded that Facebook has not relied on and is not legally obliged to rely on consent as a legal basis. In this respect, the Irish Data Protection Commissioner deemed targeted advertising as forming a core part of the contract between Facebook and its users. The Irish Data Protection Commissioner 'inter alia' found that Facebook could rely on contractual basis as legal basis for processing of personal data in relation to behavioural advertising.
On the other hand, the Irish Data Protection Commissioner also established that Facebook failed to comply with its transparency and information obligations under the GDPR.
The draft decision received criticism from experts in the field, and Facebook's way of operating was referred as an attempt to bypass the clear rules of the GDPR on consent. Experts have also raised concerns that the decision might lead to companies simply incorporating terms of data processing into contracts and thereby, processing personal data without having to obtain consent from data subjects.