Regulators in Ireland have proposed up to $42 million in fines for Facebook after the company was accused of violating the GDPR through deceptive data collection policies.
Privacy expert Max Schrems and his advocacy group nyob — which submitted the original complaint against Facebook — published a draft decision from the Irish Data Protection Commission (DPC) about the issue that was sent to the other European Data Protection Authorities.
The decision suggests a fine of between $32 million and $42 million for Facebook’s violations of the GDPR, which include a failure to notify its customers about how it uses their data.
Schrems and other privacy experts slammed the proposed fine for its relatively minuscule size and for the legal arguments Facebook is making to get out of more strict fines.
Nyob said Facebook’s argument is effectively that it is exempt from most GDPR rules because of a minor change in its agreement with users.
“Facebook’s legal argument is rather simple: By interpreting the agreement between user and Facebook as a ‘contract’ (Article 6(1)(b) GDPR) instead of ‘consent’ (Article 6(1)(a) GDPR) the strict rules on consent under the GDPR would not apply to Facebook — meaning that Facebook can use all data it has for all