THE DATA PROTECTION Commission (DPC) has recommended that Facebook Ireland be fined up to €36 million over breaches of its transparency obligations under the European General Data Protection Regulation (GDPR), according to a draft decision.
The DPC — the lead regulator for Facebook in the European Union because the company is headquartered in Dublin — must now share the draft with other EU data regulators before a final decision can be reached.
In the text of the draft decision, Data Protection Commissioner Helen Dixon said she was proposing the fine because “the infringements are serious in nature” and that “the lack of transparency goes to the heart of data subject rights and risks undermining their effectiveness by not providing transparent information”.
She added that the GDPR breaches affected over 50% of the population of the European Economic Area, “a very large figure”.
The draft decision was published by Austrian privacy campaigner Max Schrems on his blog earlier today.
A spokesperson for the DPC told The Journal the Commission has sent its draft decision to other EU supervisory authorities. They now have one month to lodge any reasoned or relevant objections.
The spokesperson would not comment any further.
“We don’t speculate or comment on live investigations,” a spokesperson for Facebook told The Journal. ”We are assisting the DPC with its inquiries and will await the final decision in due course.”
The decision comes on foot of one of several complaints lodged by Max Schrems with the DPC about the social media giant’s data procedures.
In the original 2018 complaint, it was alleged that Facebook relied on “forced consent” to process personal data, specifically in relation to its terms of services. It was alleged at the time that users were given a choice between consenting to the terms of service or deleting their Facebook account.
Ultimately, the DPC found that the company was not obliged to rely on the user’s consent to process their data.
However, Facebook failed to provide the user with enough information regarding the legal basis used to justify processing their data after they had accepted its terms of services.
The company also failed to set out the information in a concise, transparent, intelligible and easily accessible form, as is required under GDPR.
On the back of those findings, the DPC recommended that Facebook be fined between €28 million and €36 million.
The Commission also ordered the company to bring its terms of service into compliance with GDPR within three months, which it did.
Last month, the DPC fined Facebook-owned WhatsApp Ireland €225 million over similar breaches of its transparency obligations under GDPR, which the company has since challenged in the High Court.
It was the largest fine ever imposed by the DPC and the second-largest penalty handed out under GDPR since the regulations were introduced in 2018.
To embed this post, copy the code below on your site
have your say