
























































































In the matter of the General Data Protection Regulation

DPC Case Reference: IN-18-5-5

In the matter of LB (through NOYB) v Facebook Ireland Limited

Draft Decision for the purposes of Article 60 GDPR of the Data Protection Commission made pursuant to Section 113(2)(a) of the Data Protection Act 2018

Further to a complaint-based inquiry commenced pursuant to Section 110 of the Data Protection Act 2018

**Decision-Maker for the Commission: [DRAFT – BEARS NO SIGNATURE]
Helen Dixon, Commissioner for Data Protection**

Dated the 6th October 2021

Data Protection Commission, 2 Fitzwilliam Square South, Dublin 2, Ireland

as arguments are partly missing, not accurately reflected or taken out of context.
1.1 This document is a draft Decision (“the Draft Decision”) of the Data Protection Commission (“the Commission”) in accordance with Section 113(2)(a) of the Data Protection Act 2018 (“the 2018 Act”), arising from an inquiry conducted by the Commission, pursuant to Section 110 of the 2018 Act (“the Inquiry”).

1.2 The Inquiry, which commenced on 20 August 2018, examined whether Facebook Ireland Limited (“Facebook”) complied with its obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council) (“the GDPR”) in respect of the subject matter of a complaint made by Ms. L.B. (“the Complainant”). The complaint was referred to the Commission by the Austrian Data Protection Authority, Die Österreichische Datenschutzbehörde (“The Austrian DPA”) on 30 May 2018 (“the Complaint”). In advance of the preparation of this Draft Decision, a preliminary draft of this document (“the Preliminary Draft Decision”) was circulated to Facebook and the Complainant’s representative so as to enable them to make submissions on my provisional findings. The submissions of these parties have been taken into account in finalising this Draft Decision.

1.3 Further details of procedural matters and a chronology pertaining to the Inquiry are set out in the Schedule to this decision.
required to provide detailed information to users at the time personal data is obtained in relation to the purposes of any data processing and the legal basis for any such processing. In essence, there must be a legal basis for each processing operation (of personal data) and there must be transparency in the communication of such information to individual users. Prior to the GDPR taking legal effect, no detailed requirement existed for a controller to explicitly state what legal basis they relied on in processing particular categories of personal data.

2.3 To continue to access the Facebook platform, all users were required to accept the updated Terms of Service prior to 25 May 2018. The updated Terms of Service were brought to the attention of existing Facebook users by way of a series of information notices and options on the Facebook platform, referred to as an “engagement flow” or “user flow”. The engagement flow was designed to guide users through the process of deciding whether to accept the updated Terms of Service. The option to accept the updated “terms” was presented to users at the final stage of the engagement flow. The final stage of the engagement flow also contained embedded hyperlinks to the full text of the Terms of Service, the Data Policy and the Cookies Policy. As referenced in the full text of the Terms of Service, the Data Policy provides information to users on Facebook’s processing of personal data in respect of the Facebook platform.

2.4 Existing users who were not willing to accept the new terms were advised of the option to delete their Facebook account. Such users were informed that they could no longer use the Facebook platform without accepting the new terms. Prior to deletion of the account, the users were also informed of the option to download a copy of their personal data which had undergone processing by Facebook.

2.5 Users who did continue through the new “engagement flow” were given the opportunity to consent or not to consent to a number of specific data processing activities, including the use of facial recognition. Provision of consent for such processing was not presented as a prerequisite for continuing to use the service. In other words, these were choices the user could make above and beyond the decision to sign up to the service, and users are free to use the service without providing consent to this processing.

2.6 Figures 2.1 and 2.2, below, are screenshots of the final stage of the “engagement flow” which brought an existing user, the Complainant, through the process of accepting the updated Terms of Service. The screenshots are in German; an English translation can be found below.

[Figures 2.1 and 2.2: screenshots of the final stage of the engagement flow (in German)]

2.7 An English translation (via machine-translation) of the text is as follows:

Figure 2.1: “Please accept our updated Terms of Service to continue using Facebook. We have updated our Terms of Service to explain in more detail how our service works and what we expect from all Facebook users. You can now more easily control your data as well as your privacy and security settings in the settings. We have also updated our Data Policy and our Cookie Policy. These now also take into account new features that we are working on and explaining. By clicking "I agree", you accept the updated Terms of Service. If you do not want to accept the terms of use, you can find your options under this link.”

Figure 2.2: “If you do not agree, you can no longer use Facebook. You can delete your account and have the option to download a copy of your information beforehand. Close/Delete Account”.

OVERVIEW OF THE COMPLAINT
2.8 The Complaint was made in the context of Facebook’s updated Terms of Service and the requirement for existing users to accept the new terms to continue to access the Facebook platform.

2.9 In respect of the updated Terms of Service, the Complainant alleges that she was given a binary choice: either accept the Terms of Service and the associated Data Policy by selecting the “accept” button,^1 or delete her Facebook account. The Complainant’s argument is predicated on the Data Policy being incorporated into the Terms of Service. This claim is disputed by Facebook.^2 The Complainant further alleges that Facebook relied on “forced consent” to process personal data on the basis that “the controller required the data subject to agree to the entire privacy policy and the new terms”^3 and did not give users a genuine choice to decline the updated terms without suffering detriment.

2.10 In addition, the Complainant alleges that it is unclear which specific legal basis is being relied on by the controller for each processing operation. Indeed, she argues that “[i]t remains, nevertheless, unclear which exact processing operations the controller chooses to base on each specific legal basis”^4 as “[t]he controller simply lists all six bases for lawful processing under Article 6 of the GDPR in its privacy policy without stating exactly which legal basis the controller relies upon for each specific processing operation.”^5 In connection with this, the Complainant expresses particular concern with reliance on Article 6(1)(b) GDPR as a legal basis for the processing operations detailed in the Terms of Service; extracts from the Terms of Service which relate to these processing operations are found below.

2.11 As the GDPR requires controllers to provide detailed information to users at the time when personal data are obtained, including the provision of information about the purposes of the processing as well as the legal bases for the processing, the Complainant argues that this lack of information breaches the transparency obligations in the GDPR.^6

2.12 In the submissions on the Preliminary Draft Decision made on the Complainant’s behalf, it is argued that the Commission has “failed to investigate the relevant facts”.^7 As far as it has been possible to discern from the submissions, it appears that this assertion is linked to the Complainant’s contention that the Commission has misconstrued the scope of the Complaint

(^1) For completeness, it should be noted that Facebook disputes the claim that the Data Policy is part of the Terms of Service.
(^2) Facebook Submissions on Draft Report, paragraph 7.1(A)
(^3) Complaint, page 3.
(^4) Ibid.
(^5) For completeness, it should be noted that the legal bases for processing of personal data include consent of the data subject, necessity based on the requirement to fulfil a contract with the data subject or processing based on the legitimate interests of the data controller. There is no hierarchy as between these legal bases set down in the GDPR.
(^6) Ibid, page 6 and paragraph 2.3.4.
(^7) Complainant Submissions on Preliminary Draft Decision, paragraph 4.1.
technology, such as augmented reality and 360 video to create and share more expressive and engaging content on Facebook.

Help you discover content, products, and services that may interest you: We show you ads, offers, and other sponsored content to help you discover content, products, and services that are offered by the many businesses and organizations that use Facebook and other Facebook Products. Our partners pay us to show their content to you, and we design our services so that the sponsored content you see is as relevant and useful to you as everything else you see on our Products.

Combat harmful conduct and protect and support our community: People will only build community on Facebook if they feel safe. We employ dedicated teams around the world and develop advanced technical systems to detect misuse of our Products, harmful conduct towards others, and situations where we may be able to help support or protect our community. If we learn of content or conduct like this, we will take appropriate action - for example, offering help, removing content, blocking access to certain features, disabling an account, or contacting law enforcement. We share data with other Facebook Companies when we detect misuse or harmful conduct by someone using one of our Products.

Use and develop advanced technologies to provide safe and functional services for everyone: We use and develop advanced technologies - such as artificial intelligence, machine learning systems, and augmented reality - so that people can use our Products safely regardless of physical ability or geographic location. For example, technology like this helps people who have visual impairments understand what or who is in photos or videos shared on Facebook or Instagram. We also build sophisticated network and communication technology to help more people connect to the internet in areas with limited access. And we develop automated systems to improve our ability to detect and remove abusive and dangerous activity that may harm our community and the integrity of our Products.

Research ways to make our services better: We engage in research and collaborate with others to improve our Products. One way we do this is by analyzing the data we have and understanding how people use our Products. You can learn more about some of our research efforts.

Provide consistent and seamless experiences across the Facebook Company Products: Our Products help you find and connect with people, groups, businesses, organizations, and others that are important to you. We design our systems so that your experience is consistent and seamless across the different Facebook Company Products that you use. For example, we use data about the people you engage with on Facebook to make it easier for you to connect with them on Instagram or Messenger, and we enable you to communicate with a business you follow on Facebook through Messenger.

Enable global access to our services: To operate our global service, we need to store and distribute content and data in our data centers and systems around the world, including outside your country of residence. This infrastructure may be operated or controlled by Facebook, Inc., Facebook Ireland Limited, or its affiliates

……………………….

How do we use your information

We use the information we have (subject to choices you make) as described below and to provide and support the Facebook Products and related services described in the Facebook Terms and Instagram Terms. Here's how:

Provide, personalize and improve our Products. We use the information we have to deliver our Products, including to personalize features and content (including your News Feed, Instagram Feed, Instagram Stories and ads) and make suggestions for you (such as groups or events you may be interested in or topics you may want to follow) on and off our Products. To create personalized Products that are unique and relevant to you, we use your connections, preferences, interests and activities based on the data we collect and learn from you and others (including any data with special protections you choose to provide where you have given your explicit consent); how you use and interact with our Products; and the people, places, or things you're connected to and interested in on and off our Products. Learn more about how we use information about you to personalize your Facebook and Instagram experience, including features, content and
and other sponsored content for you in the Facebook Settings and Instagram Settings.

Provide measurement, analytics, and other business services. We use the information we have (including your activity off our Products, such as the websites you visit and ads you see) to help advertisers and other partners measure the effectiveness and distribution of their ads and services, and understand the types of people who use their services and how people interact with their websites, apps, and services. Learn how we share information with these partners.

Promote safety, integrity and security. We use the information we have to verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, maintain the integrity of our Products, and promote safety and security on and off of Facebook Products. For example, we use data we have to investigate suspicious activity or violations of our terms or policies, or to detect when someone needs help. To learn more, visit the Facebook Security Help Center and Instagram Security Tips.

Communicate with you. We use the information we have to send you marketing communications, communicate with you about our Products, and let you know about our policies and terms. We also use your information to respond to you when you contact us.

Research and innovate for social good. We use the information we have (including from research partners we collaborate with) to conduct and support research and innovation on topics of general social welfare, technological advancement, public interest, health and well-being. For example, we analyze information we have about migration patterns during crises to aid relief efforts. Learn more about our research programs.”

SCOPE OF THE COMPLAINT

2.14 I have carried out my assessment of the scope of the Complaint to the extent that it relates to specified data processing and specified alleged infringements of the GDPR. A chronology of issues that arose in this regard (1) as between the parties and (2) as between the parties and the DPC in the course of establishing the substantive scope of the Complaint is included in the Schedule. Also included in the Schedule are details of the approach I have adopted in determining the scope of the Complaint. In determining the precise parameters of the scope of the Complaint, I have had regard to the Complaint as a whole and, in particular, have taken note of the express statements in the Complaint which define its scope. I have also had regard to the Investigator’s analysis in respect of the scope of the Complaint.

2.15 On his assessment of the Complaint, the Investigator concluded that there were four key issues to be analysed in the context of his Inquiry:^8

a. Whether clicking “accept” on the Terms of Service was to be construed as an act of consent, or must be an act of consent, to the processing of personal data for the purposes of the GDPR – the Investigator’s conclusions 1 and 2 of the Final Report address this issue
b. Whether Facebook could rely on Article 6(1)(b) GDPR as a lawful basis for processing personal data with respect to its Terms of Service – the Investigator’s conclusion 3 of the Final Report addresses this issue
c. Whether Facebook misrepresented the legal basis for processing in a manner that caused the Complainant to believe that consent was relied upon – the Investigator’s conclusions 4 and 10 of the Final Report address this issue
d. Whether Facebook had failed to provide the necessary information regarding its legal basis for processing in connection with its Terms of Service and Data Policy – the Investigator’s conclusions 5, 6, 7, 8 and 9 of the Final Report address this issue

2.16 I agree with the Investigator’s summary of the core issues in respect of issues (a) and (b). In respect of issues (c) and (d), however, I take a different view.

2.17 Issue (c), as identified by the Investigator, solely addresses the allegation that Facebook has misrepresented the lawful basis relied on in connection with the Terms of Service. I agree that this issue falls within the scope of the Complaint. Issue (d), however, was treated by the Investigator as a generalised assessment of whether Facebook’s Data Policy complies with Article 13(1)(c) GDPR as a whole with regard to processing conducted on foot of Article 6(1)(b) GDPR. This is based on the fact that the Complaint states, in generalised terms, that: “It remains, nevertheless, unclear which exact processing operations the controller chooses to base on each specific legal basis under Article 6 and Article 9 of the GDPR.

(^8) Final Report, paragraph 7.
2.21 The Complainant’s submissions on the Preliminary Draft Decision further argue that there has been a failure to investigate the relevant facts. It is argued that there is a fundamental disagreement as to whether the agreement the Complainant has accepted is “a contract” or “a consent”.^12 This issue was dealt with extensively in the Preliminary Draft Decision and is determined below in this Draft Decision.

2.22 While the Complainant’s submissions on the Preliminary Draft Decision call for the Commission to engage in a thorough investigation as to the nature of this agreement, having regard to the scope of the Complaint, this is, in my view, entirely unnecessary and would not divulge any new information or serve a useful purpose at this stage. As is set out in Section 3 below, there is no dispute in relation to the fact that there is a contract between Facebook and the Complainant or the fact no consent within the meaning of the GDPR has been provided by the Complainant in concluding the “agreement” in dispute. What is in dispute, as set out in detail in this Draft Decision and in the Schedule, is the lawfulness of the personal data processing and the transparency of the information provided.

2.23 On this basis, the issues that I will address in this Draft Decision are as follows:

Issue 1 – Whether clicking on the “accept” button constitutes or must be considered consent for the purposes of the GDPR
Issue 2 – Reliance on Article 6(1)(b) as a lawful basis for personal data processing
Issue 3 – Whether Facebook provided the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent manner.

3 ISSUE 1 – WHETHER CLICKING ON THE “ACCEPT” BUTTON CONSTITUTES OR MUST BE CONSENT FOR THE PURPOSES OF THE GDPR

WHETHER THE ACCEPTANCE IS CONSENT

3.1 As I have outlined in Section 2, the Complainant alleges that clicking on the “accept” button of the engagement flow presented to existing users in respect of Facebook’s updated Terms of Service in April 2018 constituted an act of consent by the data subject for the purposes of Article 6(1)(a) GDPR. The first question to be considered is whether Facebook, via the updated Terms of Service, sought to obtain the Complainant’s “consent” for the purposes of processing of personal data under those Terms of Service. Facebook’s position, as noted above, is that it did not.

(^12) Ibid, paragraph 4.3.1.
3.2 In this regard, I note that the Complainant’s position partly rests on several arguments to the effect that the design of the engagement flow is “deceptive”.^13 The Complainant expresses particular concerns in respect of the final stage of the engagement flow and alleges that the acceptance process is set out in a misleading manner, such that a reasonable user would, and indeed the Complainant did in fact, believe that they are consenting for the purposes of Article 6 GDPR to data processing rather than simply signing up to a contract.^14 These arguments in relation to the alleged misleading nature of the user engagement flow will be considered as part of Issue 3 in the context of transparency requirements. This first issue is solely concerned with whether reliance is placed on the legal basis of consent.

3.3 In this context, I will first consider whether, as a matter of fact, Facebook sought to rely on consent at all as a legal basis. I will subsequently assess whether, as a matter of law, Facebook was obliged to seek consent as a legal basis for processing, as the Complainant argues.

3.4 In its submissions on the Draft Report made to the Investigator, the Complainant argues that the “scope of application” of consent and the “conditions of validity” under the GDPR must be distinguished. The Complainant further argues that the “scope” of consent is any “expression of will by which the data subject indicates his consent to the processing of his personal data”.^15 The “conditions of validity” are, in the Complainant’s view, the elements of the definition of consent set out in Article 4(11) GDPR. The Complainant further argues that “[t]o come up with the crazy idea that a violation of the conditions of consent automatically leads to the inapplicability of these conditions is a legal shot in the foot.”^16 The Complainant’s position is that there are some circumstances in which only consent - and no other legal basis - is applicable, and therefore that there are circumstances where consent must be applicable even if the data controller is not seeking to rely on consent and the definition in Article 4(11) GDPR is not met. In the Complainant’s view, this should result in a declaration that the data processing based on consent is unlawful for want of compliance with these “conditions of validity”.

3.5 Facebook’s position is that “[t]he agreement to enter into a contract is a wholly separate matter to any form of consent to data processing…”,^17 and that: “Article 4(11) GDPR is not relevant in this instance as Facebook Ireland is not seeking to rely on it (and the alternative legal basis sought to be relied on is valid). It is not the case that all types of processing must be assessed against the formal requirements under Article 4(11) GDPR. Indeed as the

(^13) Complainant Submissions on Final Report, page 16.
(^14) Ibid, page 11.
(^15) Ibid, page 40.
(^16) Ibid.
(^17) Submission 22 February 2019, paragraph 2.6.
3.9 I put the views set out above to the Parties in the Preliminary Draft Decision. Facebook submitted that “the Complainant’s position is legally and factually wrong” and that Facebook “… does not seek to obtain consent to data processing from users when users are asked to contractually agree to its Terms of Service”.^19 Moreover, Facebook submits that it “… did not request or require the data subject’s consent to processing described in the Data Policy nor did it seek the data subject’s consent to the processing described in, or otherwise performed for the purposes of, the Terms of Service, and as a consequence that the data subject did not in fact consent in this manner”.^20 This confirms the position set out in the Preliminary Draft Decision: Facebook did not rely on consent as a legal basis for processing in this context. On this basis, Facebook expressed its agreement with the provisional finding that “it is not legally obliged to rely on consent in order to deliver the Terms of Service and endorses the unequivocal decision of the Commission to reject the [Complainant’s] argument…”.^21

3.10 In contrast, the Complainant’s submissions on the Preliminary Draft Decision argue that the alleged contract is an example of falsa demonstratio i.e. that Facebook has held out particular clauses as constituting part of a contract when, as a matter of law, they actually do not.^22 The Complainant in this regard relies on the perceived intention of the parties, the “economic background and common understanding”, and the fact that the shift from reliance on consent to reliance on necessity for the performance of a contract was recent.

3.11 While this argument may be relevant in the context of reliance on Article 6(1)(b) GDPR – which is considered as the second issue below – it does not address the essential issue arising for the purposes of Article 6(1)(a) GDPR. In this case, Facebook is not relying on consent as a legal basis for processing of personal data under the Terms of Service. Indeed, the parties appear to agree that acceptance of the Terms of Service is not valid consent for the purposes of the GDPR.

3.12 For these reasons, I conclude that, as a matter of fact, Facebook did not rely, or purport to rely, on the Complainant’s consent as a legal basis for the processing of personal data under the Terms of Service.

WHETHER THE CONTROLLER MUST RELY ON CONSENT

(^19) Facebook Submissions on Preliminary Draft Decision, paragraph 1.7(B). See also paragraph 3.
(^20) Ibid, paragraph 3.1.
(^21) Facebook Submissions on Preliminary Draft Decision, paragraph 4.1.
(^22) Ibid, 4.4.1.
3.13 Based on a new understanding of this issue that evolved during the course of this Inquiry, the Complainant made what I consider to be an alternative argument: namely, that Facebook was legally obliged to rely on consent and that, as Facebook has not done so, the processing was consequently unlawful.

3.14 In the Complainant’s submissions on the Preliminary Draft Decision, it is denied that the Complainant advanced such an argument.^23 I have dealt with this point in part in footnote 36 of the Schedule. It remains the case that the Complainant has argued that where “the subject matter of the declaration of intent…is primarily data processing”^24 the appropriate legal basis must derive from Article 6(1)(a) GDPR, and where the subject matter of the contractual offer “is primarily some other contractual service”,^25 the legal basis can derive from Article 6(1)(b) GDPR. In my view, it is difficult to interpret this as anything other than an argument that consent is the only appropriate legal basis for agreements primarily concerning data processing. This is, to put it another way, a suggestion that consent is a higher order of legal basis, at least in respect of agreements that primarily involve data processing. This being so, and for completeness, I will now consider whether consent under Article 6(1)(a) GDPR must be relied on by the controller in this context.

3.15 The Investigator points out that the Complaint begins by claiming that the data subject “had to agree to” Facebook’s Terms of Service and Data Policy at the time of the update in April 2018.^26 In my view it is critically important to distinguish between agreeing to a contract (which may involve processing of personal data) and providing consent to personal data processing specifically for the purposes of legitimising that personal data processing under the GDPR. As noted by the EDPB, these are entirely distinct concepts which “have different requirements and legal consequences”.^27 In particular, these are distinct legal bases for the processing of personal data under Article 6(1)(a) and 6(1)(b) GDPR, with all the consequences that this entails.

3.16 In this context, it is important to emphasise that GDPR does not set out any form of hierarchy of lawful bases that can be used for processing personal data, whether by reference to the categories of personal data or otherwise.^28 There is no question that “one ground has normative priority over the others”.^29 This position is reflected in the Guidance of the Article 29 Working Party, which, although not legally binding, is nonetheless instructive in considering this

(^23) Complainant Submissions on Preliminary Draft Decision, paragraph 4.4.2.
(^24) Submissions on Draft Inquiry Report, page 35.
(^25) Ibid.
(^26) Final Report, paragraph 111, Complaint, Paragraph 1.3.
(^27) Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, paragraph 17, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf.
(^28) C Kuner et al eds, The EU General Data Protection Regulation: A Commentary (Oxford 2020), page 329.
(^29) Ibid.