The NGO None Of Your Business (noyb) recently made public a draft decision sent by the Irish Data Protection Commissioner (DPC) to other European Data Protection Authorities under the GDPR’s cooperation mechanism. This draft decision is part of an ongoing investigation assessing Facebook’s data protection practices which started more than three years ago.
- First, whether acceptance of the Terms could and should be considered as consent to the processing,
- Second, could Facebook lawfully rely on contracts as a basis for its processing,
- Third, did Facebook provide the requisite information to the data subjects regarding the legal basis of the processing and whether it did so in a transparent manner.
Many points of this draft decision are interesting and could be discussed at length, including Dixon’s interpretation of the information requirement (§ 5.1 s.), the very brief analysis on the damage suffered by Facebook’s users (§ 9.18), or the determination of the amount of the fines (§ 9.1 s.). Nonetheless, we will limit our discussion to the analysis of the second issue, namely whether or not Facebook could rely on the contractual legal basis for certain purposes of its processing, including for behavioral advertising. If Facebook cannot rely on the contractual legal basis, it will probably have to rely on user consent, which is substantially harder to get under the GDPR (and which users give less readily).
Facebook’s legal basis for data processing
The DPC starts its analysis by stating that Facebook did not rely or intend to rely on the legal basis of consent to process personal data under its Terms of Service (§ 3.12), and that it did not have to (§ 3.16 s.). On the contrary, the DPC considers that “in many cases involving a contract between a consumer and an organization, the lawful basis for processing is the necessity for the performance of the contract” (§ 3.18). I personally agree with this interpretation, especially since the Article 29 Working Party and then the European Data Protection Board (EDPB) have been restricting how the necessity clause should be interpreted. According to the EDPB, this necessity clause “must be interpreted strictly and does not cover situations where the processing is […] unilaterally imposed on the data subject by the controller.” Thus, the key issue was to determine if behavioral advertising should be considered as necessary for the performance of the social network contract. If considered necessary, Facebook could rely on the contractual legal basis for its processing. If not, Facebook would have to rely on another legal basis to justify its data processing (probably consent).
Surprisingly, Commissioner Dixon asserts that behavioral advertising is “the core of Facebook’s business model and the core of the bargain being struck by Facebook users and Facebook” (§ 4.41). Her interpretation of the GDPR’s legal basis is based on a few elements that will be successively discussed.
Facebook’s core service
Intuitively, personal advertising does not appear “strictly necessary” to perform a social networking activity. Indeed, a social network is frequently defined as “an online service or site through which people create and maintain interpersonal relationship”. It is mainly a way to connect with other people and not a place where individuals typically come to receive behavioral advertising. Besides, Facebook’s motto is “connect with friends and the world around you on Facebook”, and not “connect with friends and receive advertising tailored to your tastes.”
However, Commissioner Dixon considers that “personalized advertising constitutes the ‘core’ of its service, and would therefore be the Facebook service’s ‘distinguishing characteristics’” (§ 4.39). She goes on to say that “as the core of the bargain between the parties, this advertising […] appears to be part of the substance and fundamental object of the contract” (§ 4.43). According to Commissioner Dixon, “a reasonable user would be well-informed […] that [personalized advertising] is the very nature of the service being offered by Facebook and contained within the contract” (§ 4.39). Based on this interpretation, it appears that Facebook’s users are on the social network not to connect with their friends and family but rather to receive personalized advertising.
More precisely, because Facebook’s Terms of Service explicitly refer to ads and sponsored content as being part of the contract (§ 4.37), Commissioner Dixon appears to consider that the practice should fall into the scope of the contract. Two arguments weigh strongly against this interpretation. First, “the fact that the purposes of the processing is covered by contractual clauses drafted by the supplier will not automatically mean that the processing is necessary for the performance of the contract” (EDPB, Opinion 4/2017, § 52; EDPB, Guidelines 2/2019, § 57 s.). Thus, the fact that Facebook refers to ads and sponsored content in its Terms of Service does not make them automatically fall inside the contractual necessity standard. Also, and most importantly, a company claiming something in its Terms of Service does not make it legal or fair.
Indeed, European Union law and Member States’ laws protect consumers against unfair standard contract terms. Based on these principles, a French court ruled in 2019 that many provisions of Facebook’s Terms of Service were unfair or illegal, in particular, terms relating to behavioral advertising (which at the time of the complaint – 2014 – was based on the consent of the user). Although Commissioner Dixon does not represent a court and has no power to control the fairness of contractual terms (which she emphasizes multiple times in her draft decision, see § 4.13), her analysis favors what is written in the Terms of Service instead of what could be considered fair for Facebook’s users and the handling of their personal data.
Facebook’s business model
Commissioner Dixon invokes Facebook’s business model as another argument in favor of considering behavioral advertising as the core of the contract between Facebook and its users (§ 4.44). It is described as “the provision of data on personal activity to facilitate targeted advertising” (§ 4.46). However, it is unclear why the company’s business model should be considered as an element when assessing the bargain between the company and its users. This reasoning could have dangerous consequences and could be used to justify some of the worst practices. To illustrate: since applying labor laws to drivers could hurt the business model of mobility service companies, drivers should be qualified as independent contractors and courts should not re-qualify them as employees. We are left wondering if data protection rules should be twisted to allow predatory business models.
Paying with your personal data to access Facebook
Commissioner Dixon’s reasoning seems to fully endorse the principle that when a service is free, users can be required to “pay” for it with their personal data (§ 4.41). This idea has agitated the data protection community for a long time, and the GDPR does not provide a clear answer. At first glance, article 7 § 4 of the GDPR seems to ban contracts establishing a link between the consent of the subject and the provision of a service. However, the wording leaves some flexibility since article 7 § 4 requires that the “utmost account shall be taken” when assessing the consent. Also, this article relates to consent requirements and its articulation with the acceptance of a contract remains unclear. Commissioner Dixon’s interpretation could be considered as a first taste of the idea that personal data can be “counter-performance” or consideration of a free service, which is one interpretation of article 3 of directive 2019/770 on contracts for the supply of digital content and digital services.
One last effect of Commissioner Dixon’s reasoning remains unanswered. How can the data minimization principle (GDPR, article 5 § 1 c) still apply in this context? Personalized advertising is per se based on a massive collection of personal data. If this type of advertising is the core of the bargain between Facebook and its users, what are the limits relating to the collection of personal data of Facebook’s users?
If Commissioner Dixon’s interpretation is to be upheld by other Data Protection Authorities (which is doubtful), noyb will probably challenge it before an Irish court, which may refer some questions to the European Court of Justice. A few years still lie ahead before a definite legal answer is provided to the complainant and Facebook’s European users.
Aside from the legal considerations, if Facebook’s core service is to provide you with personalized advertising, do you really want to stay on Facebook?