Data Protection
Published in

Data Protection

Facebook “GDPR Consent Bypass” Hits Austrian Supreme Court

Facebook is “bypassing GDPR consent”, according to a case brought to the Austrian Superior Court by GDPR final boss Max “Schrems II” Schrems.

Photo by Joshua Hoehne on Unsplash

What does “bypassing the GDPR” mean?

Here’s the background of this case:

  • Under the Data Protection Directive, Facebook relied on the legal basis of “consent” for cookies.
  • The GDPR passed in 2016, with a higher consent standard. Consent now had to be obtained via an “unambiguous,” “clear, affirmative action.”
  • Facebook’s consent request was no longer valid. What would the company do? Ask for consent in a valid way? Stop undertaking activities that require consent (such as using tracking cookies)?
  • No — on the day the GDPR came into force, in May 2018, Facebook copied its consent request into its terms. The social media platform now said it was now relying on the legal basis of “contract”, not consent.

What are the requirements for relying on the legal basis of “contract”?

The lawful basis of ”contract” is for when you need to process personal data to perform your obligations under a contract with the data subject.

If you order a product from Amazon, Amazon needs your address to send it to you — and Amazon can rely on “contract” to collect and use your address for this purpose.

Facebook said it “needed” cookies to enable its business model to operate. After all, the social media giant can’t fulfill its obligations under the Facebook Terms of Service if it goes out of business — right?

Facebook also needed cookies to provide personalised ads (as “promised” in Facebook’s terms), and to enable the user to use Facebook for free.

So… Is that a valid reliance on “contract”?

Not according to the European Data Protection Board (EDPB).

The EDPB says activities that are “necessary for the performance of a contract” do not include “activities (that) are not necessary for the individual services requested by the data subject, but rather necessary for the controller’s wider business model.

I covered this case after it was heard by the Viennese Superior Court. The court’s decision seemed odd to many people — like me — who spend a lot of time submerged in data protection.

There were other factors at play here — local contract law, for one. But it seems likely that the Austrian Supreme Court will refer the case to the Court of Justice of the European Union (CJEU), which will confirm Schrems’ arguments.

So what if the CJEU says Facebook must get “proper” consent? What will Facebook do?

Here’s one possibility.

The ePrivacy Regulation will come into force soon. Under the current version, controllers will be allowed to make access to services contingent on consent to cookies — as long as they offer an alternative service that doesn’t involve cookies, for which they can charge a fee.

In my view, this provision creates two tiers of consent in the EU (which I think is problematic).

Facebook is unlikely to be happy about the idea of offering users a genuinely free choice over its use of cookies.

But what if Facebook could offer a paid alternative, safe in the knowledge that most people would continue to use the free version?

A paid version of Facebook? Unlikely. But it’s a possibility.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store