Regulators in Ireland have proposed[1] up to $42 million in fines for Facebook after the company was accused of violating the GDPR through deceptive data collection policies.
Privacy expert Max Schrems and his advocacy group nyob -- which submitted the original complaint[2] against Facebook -- published a draft decision from the Irish Data Protection Commission (DPC) about the issue that was sent to the other European Data Protection Authorities.
The decision suggests a fine of between $32 million and $42 million for Facebook's violations of the GDPR, which include a failure to notify its customers about how it uses their data.
Schrems and other privacy experts slammed the proposed fine for its relatively minuscule size and for the legal arguments Facebook is making to get out of more strict fines.
Nyob said Facebook's argument is effectively that it is exempt from most GDPR rules because of a minor change in its agreement with users.
"Facebook's legal argument is rather simple: By interpreting the agreement between user and Facebook as a 'contract' (Article 6(1)(b) GDPR) instead of 'consent' (Article 6(1)(a) GDPR) the strict rules on consent under the GDPR would not apply to Facebook -- meaning that Facebook can use all data it has for all products it provides, including advertisement, online tracking and alike, without asking users for freely given consent that they could withdraw at any time," nyob explained in a blog post[3].
"Facebook's switch from 'consent' to 'contract' happened on 25.5.2018 at midnight -- exactly when the GDPR came into effect in the EU."
Schrems said it is painfully obvious that Facebook is trying to bypass the rules of the GDPR by relabeling the agreement on data use as a 'contract'. If this is accepted by regulators, any company