European Union

NOYB publishes DPC’s draft decision against Facebook and calls for sanctions against ‘consent bypass’

NOYB published, on 13 October 2021, the Irish DPC draft decision proposing a fine of between €28 million and €36 million against Facebook in relation to transparency failures regarding the processing of user data under the contractual legal basis provided under Article 6(1)(b) of the GDPR.

In this draft decision, the DPC responds to contentions that Facebook should not be allowed to rely on the contract to process user data and should be legally obligated to rely on the consent legal basis.

The DPC rejects these contentions, arguing that the GDPR does not set out any form of hierarchy of lawful bases that can be used for processing personal data.

However, the draft decision finds that Facebook had failed to provide necessary information regarding its legal basis for processing pursuant to acceptance of the terms of service, noting that the information provided by Facebook was disjointed, and required users to move in and out of various sections of the data policy and terms of service.

For the DPC, Facebook infringed Articles 5(1)(a), 12(1) and 13(1)(c) of the GDPR.

According to Max Schrems of NOYB « Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a ‘contract’. If this would be accepted, any company could just write the processing of data into a contract and thereby legitimize any use of customer data without consent. »

The draft decision has been sent to other European data protection authorities and may reach the EDPB.

You can read NOYB’s press release here and the draft decision here.

National Authorities

DPC publishes statement on budget for 2022

The DPC published, on 12 October 2021, a statement on the Government’s Budget for 2022.

The Irish data protection authority will receive an additional funding of €4.1 million, which increases its funding by 22%.

You can read the press release here.

Fines

CNPD imposes €135,000 fine against unnamed insurance company

The CNPD published, on 5 October 2021, its deliberation No. 31/FR/2-21 of 5 August 2021 whereby it imposed a fine of €135,000 against an unnamed insurance company under Articles 5, 32 and 33 of the GDPR.

The CNPD also ordered the company to bring its processing activities in line with Articles 5 and 32 of the GDPR within two months of receiving notification of the decision.

The deliberation cites failures concerning the obligation :

• to document a personal data breach,
• to notify the data subjects,
• to implement appropriate security measures,,
• to communicate the contact details of the DPO to the CNPD.

Following a complaint related to a data breach, the CNPD noted that the insurance company had sent multiple emails to an incorrect email address, which included personal information such as surname, questions regarding a specific illness, the surname and the adress of the doctor.

In addition to the above violations the CNPD determined that the company’s actions had also resulted in violations of Articles 33, 34(1), and 37(7) of the GDPR.

You can read the deliberation, only available in French, here.