New Draft Decision's Potential Impact on GDPR's Strict Consent Rules

The Irish Data Protection Commissioner's new draft decision has received significant attention. The decision relates to the legal basis of processing under the GDPR and it is criticised by many for giving entities a by-pass from GDPR's strict rules. In this article, Wikborg Rein looks into the draft decision and evaluates what it might mean for the application of the GDPR in the future.

A recent draft decision of the Irish Data Protection Commissioner received significant attention both from experts and businesses, as it might bring changes to the operations of many entities across Europe.

The draft decision relates to a complaint that Facebook incorporated its Data Policy into its Terms of Service and, thereby, failed to comply with its obligations relating to consent under the General Data Protection Regulation ("GDPR"). The complainant is represented by the well-known non-profit organization NOYB - European Centre for Digital Rights.

By way of background, Facebook updated its Terms of Service in April 2018 to comply with the obligations arising from the GDPR. To continue to access the Facebook platform, all users were required to accept the updated Terms of Service. Existing users who were not willing to accept the new terms were advised to delete their Facebook account.

Against this background, the complainant claimed that (i) Facebook relied or had to rely on consent as a legal basis to process personal data and (ii) consent was not duly obtained by the users. Facebook, on the other hand, argued that it is not relying on consent as the lawful basis for the processing subject to the complaint.

The Irish Data Protection Commissioner concluded that Facebook has not relied on and is not legally obliged to rely on consent as a legal basis. In this respect, the Irish Data Protection Commissioner deemed targeted advertising as forming a core part of the contract between Facebook and its users. The Irish Data Protection Commissioner 'inter alia' found that Facebook could rely on contractual basis as legal basis for processing of personal data in relation to behavioural advertising.

On the other hand, the Irish Data Protection Commissioner also established that Facebook failed to comply with its transparency and information obligations under the GDPR.

The draft decision received criticism from experts in the field, and Facebook's way of operating was referred as an attempt to bypass the clear rules of the GDPR on consent. Experts have also raised concerns that the decision might lead to companies simply incorporating terms of data processing into contracts and thereby, processing personal data without having to obtain consent from data subjects.

Written by Ekin Ersvaer, Trainee

Read more articles on Data Protection

  • Data Protection, Employment Law, Technology and digitalisation

    2022

    New Guidelines and Recommendations on Data Protection at the Workplace

    The Norwegian Data Protection Authority (Nw.: Datatilsynet) has recently published both updated guidelines on employees' whistleblowing and an interesting study on monitoring and control of employees' digital activities (both available only in Norwegian). Both these new initiatives relate to data protection at the workplace, and are relevant to all businesses.

  • Technology and digitalisation, Intellectual Property, Data Protection

    2022

    1 - A Europe Fit for the Digital Age

    The European Union has recently been active in terms of legislative developments relating to technology and digitalisation. News about Digital Services Act, Digital Markets Act, European Union's new Artificial Intelligence Act, Data Act and Data Governance Act are emerging frequently and there is a new development almost every week.

  • Data Protection, Technology and digitalisation

    2022

    Credit Information Act: new rules for credit assessments and processing of personal data

    This article provides an overview of key issues in the new Credit Information Act which businesses must be aware of to ensure compliance with the new regulations.