Thursday, March 31, 2022

Facebook, Ireland, and GDPR inconsistencies

Early this month Meta Platforms, Facebook's parent company, was fined € 17 million by the Irish Data Protection Commission (DPC) after it concluded the American business had failed to comply with GDPR requirements in 12 breach notifications between June and December of 2018, which affected 30 million Facebook users.

Meta has downplayed the severity of the violation in an emailed statement:

"This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people's information."
However, this lack of "record keeping" means Facebook is not documenting, and therefore cannot prove, that it is protecting people's information. That not only violates the principle of due care but also infringes GDPR Articles 5(2) and 24(1).

But, this is not important.

This is not the first time Meta has been fined for GDPR violations, nor is it the largest fine it has received; the € 60 million penalty from Jan 2022 and the € 225 million from Sept 2021 top that by such a long margin they are in a different league.

And this is not important either.

It is significant that the Irish DPC fined it; that does not happen very often. Ireland is the European headquarters of most of the American companies, including the 10 tech giants -- Apple, Google, Twitter, etc -- with a European presence. Since 2018, an average of 10,000 complaints per year have been filed with the Irish DPC. According to the Irish Data Protection Commissioner Helen Dixon, of those thousands of complaints, only two received decisions in 2020, and she expected up to six decisions to be made in 2021, or 0.07% of all GDPR complaints.

Then we have the issue of the fines. Per the GDPR, they can be up to 4% of a firm's global revenue. While Dixon said any fine would reflect the significant number of users affected, in June 2018 Facebook reported a bug that caused 14 million users to share friends-only content with strangers. Then in September 2018 the social media giant disclosed a major hack which could have compromised up to 50 million user accounts. Later it claimed this hack resulted in a data breach where the data of only 30 million users was stolen. Finally, in December of that year, another bug compromised 5.6 million users.

And yet the Irish DPA decided € 17 million was enough to reflect the significant number of users affected.

Max Schrems, who has stated that

The [Irish] DPC simply interprets the word "handle" to mean that the DPC can also simply dispose of complaints on the fundamental right to privacy. She openly argued “In fact, there is no obligation on the DPC under the 2018 Act to produce a decision in the case of any complaint.”
has also accused the Irish DPC of advising Facebook on how to bypass the GDPR by redefining its agreement with the user as a "contract," which would make the GDPR "consent" requirement no longer applicable.

But this, too, is not important.

What is important anyway?

This shows a clear inconsistency between how Ireland and the rest of the EU handle GDPR complaints. The Irish DPA is the lead supervisory authority for cross-border cases that fall into its jurisdiction. Given its history, it probably will not side with the Austrian and French Data Protection Authorities regarding Google Analytics.

This regulatory discrepancy creates an incentive for companies which want to use Google Analytics and other means of data transfer between the US and the EU that are considered to violate the GDPR to set up shop in Dublin. While this may be good for the Irish economy,

  • How will this different interpretation of the GDPR articles play out, given that one of the goals of the GDPR is to regulate the processing of personal data within the entire European Union?
  • Is this even an inconsistency, or do EU members have some latitude to interpret GDPR articles based on local laws? Remember that when the French Data Protection Authority decided that Google Analytics was not GDPR compliant, the Austrian one had already made the same decision. That seems to imply there is some jurisdictional independence across the EU, and perhaps the Google Analytics ruling will only become applicable to the entire EU/EEA if enough Data Protection Authorities decide to support it.
  • Will other European countries invoke Article 65(1)(a) and request the European Court of Justice, or the European Data Protection Board, to intervene and enforce some kind of legal consistency for all member countries?

Only time will tell.