The General Data Protection Regulation (GDPR) is the EU’s crowning glory in terms of privacy legislation. At least it was until the Vienna Superior Court ruled this week on a case between Max Schrems from NOYB and Facebook. In that ruling, the court decided that a “contract” allows Facebook to grant itself consent irrespective of what the user thinks.
According to Schrems: “The Austrian Court allows Facebook to bypass the new GDPR requirements. Facebook just copied the ‘consent’ into another document in the night the GDPR came into force and argues this would be a contract, not consent. This would have the consequence, that Europeans would be stripped of their new protections. Facebook is clearly abusing the law and this cannot be tolerated.”
The case is being appealed to the Vienna Supreme Court. From there, it is likely to head to the European Court of Justice (CJEU). The latter will come under pressure to close this loophole in GDPR or, at the very least, provide additional protections for users. However, given the likely Austrian Supreme Court’s judgment, there could be little room for them to act.
How can Facebook bypass GDPR?
The devil, as is often said, is in the detail. There is a machine-translated version of the court judgement that is worth reading. In terms of consent, this starts with section 3.1.3 at the bottom of page 24. It states: “The plaintiff [Schrems] essentially argues that he did not validly consent to the defendant’s [Facebook] measures covered by these claims. The defendant could also not successfully invoke other grounds of justification.”
It turns out to be quite the contrary. The court decided that: “Data processing is lawful, inter alia, if it is necessary for the performance of a contract to which the data subject is a party, in accordance with Art 6(1)(b) DSGVO.”
The court pointed to Facebook’s Terms of Service (ToS): They state: “We don’t charge you to use Facebook or the other products and services covered by these Terms. Instead, businesses and organisations pay us to show you ads for their products and services. By using our Products, you agree that we can show you ads that we think will be relevant to you and your interests. We use your personal data to help determine which ads to show you.”
By continuing to use Facebook, the court ruled that Schrems has agreed to these ToS. As Facebook provides a personalised platform for free, the court ruled: “The processing of personal user data is a supporting pillar of the contract concluded between the parties to the dispute. This is because only this data utilisation enables tailor-made advertising, which substantially shapes the “personalised experience” owed by the defendant and at the same time provides the defendant with the income necessary to maintain the platform and to make a profit. This data processing is therefore necessary for the performance of the contract.”
The ruling has far-reaching consequences. It means that a company can use its End User Licence Agreement (EULA) and Terms of Service to circumvent the GDPR. Given that few people bother to read either, usually because of their complexity, most will not realise how much they are giving up.
The court looked at how the Terms of Service were worded. It ruled: “Achievement of revenue through personalised advertising, made possible by the personal data of Facebook users is explained in the terms and conditions in a way that is easily understandable for any reader who is even moderately attentive.”
But what is attentive? Schrems team presented the results of a survey of 1,000 Facebook users. Just 1.6% acknowledged that they had entered into a contract with Facebook that allows it to use their data as it chooses. The majority thought that they still had to grant consent. The challenge here for Schrems is that he should have known better, and the court agrees. Given his longstanding battle with Facebook, it is unreasonable to think he didn’t read the ToS.
Facebook only shows you data it thinks you can understand
There is, of course, an existing remedy. Schrems could choose not to use Facebook. At that point, it would have to remove all of his data from their systems. And that brings us to another interesting part of this ruling.
Section 3.2.1 found that Facebook did not provide all the data it held on Schrems despite a request to do so. Facebook claims that it provides what it thinks a user can understand. According to the court, Facebook: “violated its duty to provide information, which is rooted in Article 15(1) of the GDPR.”
Among the data that Facebook currently withholds is what it receives from third parties about a user. This is data that comes under the Activities Outside Facebook category. It is gathered by third-parties, the Facebook pixel inserted into websites and apps that provide data to Facebook. There is no requirement for an individual to have a Facebook account for it to gather that data.
According to the court: “The plaintiff [Schrems] is still entitled to information on his personal data processed by the defendant [Facebook] and on the purposes of processing (paragraph 1(a) of the Regulation), on the recipients or categories of recipients to whom the personal data have been or will be disclosed (paragraph 1(b) of the Regulation) and on the origin of the data if they were not collected from the plaintiff (paragraph 1(g) of the Regulation).”
Is consent always an absolute?
When it comes to data collection and use Clarke replied: “Not every data collection and reuse purpose should be based on consent. If you want someone to deliver your products, you should not have the right to withdraw consent to use minimum data necessary for that purpose. That data use goes into terms and conditions (the contract). This is why the GDPR has multiple lawful bases for data processing, but advertising is an altogether different kettle of fish.
“Some marketing, if we are honest, is a fair trade-off. I like to see context-based ads for my favourite things, but that is a world away from hyper-segmentation of individuals into narrowly labelled combinations of location, behaviour, preference, personality, or physical appearance, then reuse and resale of those profiles for a range of unclear purposes.
“Historically, the imbalance between contract writer and contract signatory has been a necessary cause of close scrutiny. We’ve always watched out for unfair inclusions and exceptions buried in the fine print. That’s a specific element of transparency the GDPR seeks to reproduce, but this judgement seems happy to view “marketing” as an amorphous purpose blob. Something the European Data Protection Board specifically cautions against.”
Services need to deliver clearer and accurate information on data usage
“This apparent over-simplification seems to be at once blasé about the knowledge level, and support for this and defeatist about unexpected data use being a fact of internet life. If Facebook and other adjacent firms can shape their content as well as they advertise, they can redesign their service to feed us clear, contextual and timely information about data being collected and the full details of intended primary, secondary, and on-going processing.
“It is only when those associated details become clear that this can be broken down into useful purposes with fit for purpose lawful bases, as opposed to an amorphous mass of monetisation you are told you have to put up with forever if you want to continue talking to friends.”
How do we balance potential harm with the benefits of data sharing?
“But what are we really talking about? How much data re-use, what kind of data, collected via which mechanisms, involving which third parties, and kept for how long? What potential for harm goes with the specifically applicable combination of those things? Harm that might be caused by data misuse, accidents, data loss incidents, or fully intentional sharing, analysis, and reuse?
How much of that activity and the profit and influence gained by both Facebook and data recipients, is equivalent to the value gained from that service, site, or platform? When will those who intentionally sign up, and those caught up in the tracking dragnet, pay off the debt that apparently incurs? How much data monetisation is worth a year of online interaction with friends? If that equation exists, and monetisation balances out our service usage, is there a point when data reuse and retention ceases?
“Perhaps that imbalance and intentional lack of clarity is why Max didn’t get a full and frank account of all the data that Facebook hold about him, all the data acquired from elsewhere, and all the data shared with 3rd parties everywhere.”
Enterprise Times: What does this mean?
GDPR was meant to ensure that users retained control of how their data was used. Implied consent and automatic opt-ins were meant to be a thing of the past. Users had to explicitly consent to the use of their data and withdraw that consent at any time. For the court to rule that a contract overrides GDPR will surprise many.
Schrems and his team are already preparing an appeal to the Vienna Supreme Court. If it rules in the same way, this will go all the way to the European Court of Justice. Would the CJEU overturn this ruling? It could certainly rule that there is a breach of the spirit of the GDPR. However, procedurally, it would almost certainly have to return the case to lawmakers to create new laws.
Another challenge for lawmakers will be in data disclosure. It has become apparent that Facebook gathers data on individuals even when they have no Facebook account. In this case, there is no contract in place, so Facebook can only hold that data based on GDPR consent. It remains to be seen if this will lead to a challenge that requires Facebook to delete all such data.
The last word goes to Clarke who said: ““Because it has always been this way” (referring to the ad nauseum right to collect, re-use, and share data, in return for access to this and similar platforms), is becoming the very antithesis of transparency, and innovation.
“I’m certain the appeal will make for interesting reading.”