Remember that contract you signed with Facebook?
I’m sure you printed out a copy and stored it in a safe place. Maybe you consulted your lawyer, who negotiated more favorable terms on your behalf. It’s a big deal, entering into an agreement to surrender so much of your personal data (and perhaps that of your networked friends) in exchange for . . . well, what, exactly?
Why, targeted advertising of course! That’s right – in a “bombshell” disclosure in an Austrian court, Facebook claimed that every user that agreed to the new terms and conditions introduced on 25 May 2018 (when the GDPR came into effect) had “concluded an advertising contract” with Facebook that amounted to “order[ing] personalized advertising.”
Who knew? The answer is, virtually no one. In fact, according to a November 2019 survey of 1000 14+ year-olds by the Austrian Gallup Institute (survey results in German), only 10% even suspected that Facebook’s notification amounted to a contract. And of these, only 17% — so that’s less than 2% of all users surveyed – agreed that Facebook had a legal obligation to show them only relevant ads. (Thus fulfilling Facebook’s side of the alleged contract.)
Indeed, it’s quite possible that even Facebook didn’t “know” that the 2018 T&Cs amounted to a contract. Prior to the surprise announcement of an advertising contract in early November, Facebook had consistently defended the validity of their GDPR consent mechanism – which they now seem to be abandoning in favor of the contract defense.
(Reminder: There are six legal grounds for processing personal data under the GDPR: consent; legitimate interest (these are the two you would expect to be used for profiling and data-driven marketing); complying with a legal obligation; performing a public or official task; vital interest (e.g., saving a life); and servicing a contract, aka contractual necessity.)
According to Katharina Raabe-Stuppnig (the lawyer for noyb, which filed the complaint against Facebook): “Facebook now says that they do not need consent for the use of the data because users ordered this advertising. Advertising on Facebook is now supposed to be an important part of the ‘service promise.’ It’s as if [Facebook thinks] users join Facebook only to see ads.”
Is it legal? Hardly.
Assuming that Facebook employs people who can, you know, read, then they already know that their recourse to a supposed contract with users will ultimately fail. The European Data Protection Board (EDPB) issued guidelines in early October 2019 that the astute Eduardo Ustaran has called “the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data.”
In particular, the EDPB (reiterating findings that the predecessor Article 29 Working Party issued in 2014!) states:
![\"\"](\"https://contentadvisory.net/wp-content/uploads/2019/11/Screen-Shot-2019-11-25-at-16.13.30.png\")
In short, Facebook could/should have known since at least April 2018 (when the draft guidelines on contractual necessity were issued) and actually since 2014 that a supposed contract with users of their social network is not a “suitable legal ground” for collecting personal data and building profiles for behavioral advertising.
Is it smart? Sadly, yes.
But of course, Facebook isn’t interested in GDPR compliance. They’re interested in buying as much time as possible to continue business-as-usual by a strategy of deny, delay, and defend. In the present case, Facebook first argued that only the Irish data protection authority (DPA) could launch an investigation of their practices. The Austrian Supreme Court found in January 2019 that, on the contrary, “everyone has a right to file a lawsuit based on GDPR.”
As the case proceeded (slowly) this year, Facebook sent Ceceilia Álvarez, Privacy Policy Director of Facebook EMEA to respond to noyb’s allegations. Under questioning, however, Facebook’s counsel argued that Álvarez “lacked the ‘technical understanding’ to answer questions on Facebook’s handling of personal data.”
Get it? Facebook offers an “expert” witness in their defense and then Facebook’s own lawyers expose the witness as incompetent! It was all a premeditated charade to further delay the court’s decision – and it worked; the case has been postponed until February 2020.
(However, as noyb founder Max Schrems pointed out, Facebook’s courtroom theatrics also undermine its argument: ““Facebook argues that every user knows what they are getting into – but not even the top Facebook privacy expert can explain exactly what the company does with our data. That’s particularly absurd.”)
When the Austrian court does inevitably decide the case in noyb’s favor, Facebook will of course appeal through every available body for several more years. Eventually, the European Court of Justice will confirm the obvious lower court findings, and Facebook will be fined the GDPR maximum of less than $2.5 billion. For Facebook, that’s a paltry fine, and certainly not the \”dissuasive” sanction called for by the GDPR. Above all, it will be a small price to pay for the billions they will earn from GDPR non-compliant data usage during the many years that they deny and delay the inevitable. The strategy may be entirely legal . . . but is it ethical?
Is it evil? Kant thinks so.
Elizabeth Denham of the ICO (the UK’s DPA) tirelessly emphasizes that the GDPR is about managing data “sensitively and ethically.” Of course, no regulation can demand ethical behavior from a corporation as a legal person. Still, the GDPR’s accountability principle does require firms to put in place the appropriate technical and organizational measure to ensure compliance, to be able to demonstrate that they have done so, and to ensure that these measures are reliably and consistently effective.
In this regard, Denham notes that the GDPR “creates an onus on companies to understand the risks that they create for others, and to mitigate those risks.” Or, as another ICO official has said, the key to thriving under the GDPR is “to put the individual at the heart” of data processing practices.
In contrast to these commitments and obligations to others (namely, consumers as the origin of personal data), Facebook has consistently sought to evade, circumvent, or simply ignore its regulatory obligations. The clumsy ruse of appealing to a contract basis that it knows to be invalid is only the latest (although particularly shocking) example. This behavior also makes a mockery of – by which I mean, exposes as a lie – every statement my Mark Zuckerberg, Nick Clegg, or any other Facebook spokesperson about how the company is fully GDPR compliant, has extended GDPR protections to users worldwide, and welcomes new regulations. All of that chattering is but a fog meant to obscure Facebook’s systematic and virtually unabated pursuit of profits from data-drive behavioral advertising.
Subordinating the (moral) law to one’s own conceits and interests: that’s Immanuel Kant’s definition of radical evil.
Title photo by Toni Cuenca from Pexels
