Irish DPC agrees with Facebook’s approach on legal basis for data processing

According to Euractiv, a draft decision from Ireland’s Data Protection Commissioner (DPC) endorsing Facebook’s legal basis for processing personal data has been met with criticism. This legal case was primarily aimed at challenging Facebook’s unique approach to data protection, which consists in including data processing specifications in its general terms and conditions. The Austrian activist Max Schrems, the complainant in the case, said Facebook “simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a ‘contract,'” potentially allowing other companies to “just write the processing of data into a contract and thereby legitimize any use of customer data without consent.”In the draft decision released by the civil society organisation noyb, the DPC found that “there is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user which some users might assess as one that primarily concerns the processing of personal data.” In addition, the draft decision also proposes a fine of 36 million euros against the company for violating other transparency requirements of the GDPR.