New Draft Decision's Potential Impact on GDPR's Strict Consent Rules

The Irish Data Protection Commissioner's new draft decision has received significant attention. The decision relates to the legal basis of processing under the GDPR and it is criticised by many for giving entities a by-pass from GDPR's strict rules. In this article, Wikborg Rein looks into the draft decision and evaluates what it might mean for the application of the GDPR in the future.

A recent draft decision of the Irish Data Protection Commissioner received significant attention both from experts and businesses, as it might bring changes to the operations of many entities across Europe.

The draft decision relates to a complaint that Facebook incorporated its Data Policy into its Terms of Service and, thereby, failed to comply with its obligations relating to consent under the General Data Protection Regulation ("GDPR"). The complainant is represented by the well-known non-profit organization NOYB - European Centre for Digital Rights.

By way of background, Facebook updated its Terms of Service in April 2018 to comply with the obligations arising from the GDPR. To continue to access the Facebook platform, all users were required to accept the updated Terms of Service. Existing users who were not willing to accept the new terms were advised to delete their Facebook account.

Against this background, the complainant claimed that (i) Facebook relied or had to rely on consent as a legal basis to process personal data and (ii) consent was not duly obtained by the users. Facebook, on the other hand, argued that it is not relying on consent as the lawful basis for the processing subject to the complaint.

The Irish Data Protection Commissioner concluded that Facebook has not relied on and is not legally obliged to rely on consent as a legal basis. In this respect, the Irish Data Protection Commissioner deemed targeted advertising as forming a core part of the contract between Facebook and its users. The Irish Data Protection Commissioner 'inter alia' found that Facebook could rely on contractual basis as legal basis for processing of personal data in relation to behavioural advertising.

On the other hand, the Irish Data Protection Commissioner also established that Facebook failed to comply with its transparency and information obligations under the GDPR.

The draft decision received criticism from experts in the field, and Facebook's way of operating was referred as an attempt to bypass the clear rules of the GDPR on consent. Experts have also raised concerns that the decision might lead to companies simply incorporating terms of data processing into contracts and thereby, processing personal data without having to obtain consent from data subjects.

Written by Ekin Ersvaer, Trainee

Read more articles on Data Protection

  • Data Protection, Technology and digitalisation

    2021

    New Draft Decision's Potential Impact on GDPR's Strict Consent Rules

    The Irish Data Protection Commissioner's new draft decision has received significant attention. The decision relates to the legal basis of processing under the GDPR and it is criticised by many for giving entities a by-pass from GDPR's strict rules. In this article, Wikborg Rein looks into the draft decision and evaluates what it might mean for the application of the GDPR in the future.

  • Data Protection, Technology and digitalisation

    2021

    Facebook to Delete Personal Data of More Than One Billion Users

    Last week, Facebook announced their decision to stop using the face recognition technology. Facebook's decision comes against the backdrop of intensifying concerns around data privacy and Facebook's practices, and it is expected to affect more than one billion users. Wikborg Rein reviews the details of Facebook's decision and its potential consequences in this brief article.

  • Data Protection, China, Technology and digitalisation

    2021

    New Chinese privacy law – PIPL

    4 factors you need to be aware of when doing business in China.