Facebook Ireland Limited – Order (Ireland, 2021)

The organization 'None of your business' (NOYB) published a draft decision of the Irish DPA (DPC) on October 13, 2021, which indicates that it proposes a fine between EUR 28 million and EUR 36 million against Facebook. The draft primarily addresses the fact that Facebook has included details on data processing in its terms of service, thus relying on Art. 6 (1) b) rather than on consent pursuant to Art. 6 (1) a) GDPR. Critics consider this a loophole used by Facebook to circumvent the stricter GDPR requirements of consent according to Art. 6 (1) a) GDPR. However, the DPC emphasizes that the GDPR does not establish a hierarchy of legal bases that can be used to process personal data. Yet, the DPC noted that Facebook failed to provide clear information about its legal basis for data processing and highlights that the information provided by Facebook is discontinuous and that users are referred to different documents and texts of the data policy and terms of service. The DPC concludes its draft that Facebook has thus violated Art. 5 (1) a) GDPR, Art. 12 (1) GDPR and Art. 13 (1) c) GDPR. The draft decision will now be forwarded to other European data protection authorities allowing them to comment on it.