We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Shutterstock/Laura Hutton
Max Schrems

Facebook should be fined up to €36 million over 'serious' GDPR breaches, says Data Commissioner

The decision comes on foot of a complaint made by Austrian privacy campaigner Max Schrems.

THE DATA PROTECTION Commission (DPC) has recommended that Facebook Ireland be fined up to €36 million over breaches of its transparency obligations under the European General Data Protection Regulation (GDPR), according to a draft decision.

The DPC — the lead regulator for Facebook in the European Union because the company is headquartered in Dublin — must now share the draft with other EU data regulators before a final decision can be reached.

In the text of the draft decision, Data Protection Commissioner Helen Dixon said she was proposing the fine because “the infringements are serious in nature” and that “the lack of transparency goes to the heart of data subject rights and risks undermining their effectiveness by not providing transparent information”.

She added that the GDPR breaches affected over 50% of the population of the European Economic Area, “a very large figure”. 

The draft decision was published by Austrian privacy campaigner Max Schrems on his blog earlier today.

A spokesperson for the DPC told The Journal the Commission has sent its draft decision to other EU supervisory authorities. They now have one month to lodge any reasoned or relevant objections. 

The spokesperson would not comment any further.

“We don’t speculate or comment on live investigations,” a spokesperson for Facebook told The Journal. ”We are assisting the DPC with its inquiries and will await the final decision in due course.”

The decision comes on foot of one of several complaints lodged by Max Schrems with the DPC about the social media giant’s data procedures.

In the original 2018 complaint, it was alleged that Facebook relied on “forced consent” to process personal data, specifically in relation to its terms of services. It was alleged at the time that users were given a choice between consenting to the terms of service or deleting their Facebook account.

Ultimately, the DPC found that the company was not obliged to rely on the user’s consent to process their data.

However, Facebook failed to provide the user with enough information regarding the legal basis used to justify processing their data after they had accepted its terms of services.

The company also failed to set out the information in a concise, transparent, intelligible and easily accessible form, as is required under GDPR.

On the back of those findings, the DPC recommended that Facebook be fined between €28 million and €36 million.

The Commission also ordered the company to bring its terms of service into compliance with GDPR within three months, which it did. 

Last month, the DPC fined Facebook-owned WhatsApp Ireland €225 million over similar breaches of its transparency obligations under GDPR, which the company has since challenged in the High Court.

It was the largest fine ever imposed by the DPC and the second-largest penalty handed out under GDPR since the regulations were introduced in 2018.

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Your Voice
Readers Comments
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel