The Irish data watchdog said Facebook’s infringements were ‘serious in nature’.
Facebook could be facing a fine of up to €36m for breaching its transparency obligations under GDPR, according to a draft decision.
In this document, Ireland’s Data Protection Commission (DPC) proposes a fine of between €28m and €36m for the social media giant for failing to sufficiently inform users about how their data is processed.
The proposed fine stems from a complaint lodged against the social media giant by Austrian privacy activist Max Schrems. His non-profit digital rights group NOYB published the draft decision from the DPC online today (13 October).
The draft decision describes the infringements as “serious in nature” and says the case concerns “vast swathes of personal data impacting millions of data subjects” in the EU.
“I note in particular the impact a lack of transparency has on a data subject’s ability to be fully informed about their data protection rights, or indeed about whether in their view they should exercise those rights,” Data Protection Commissioner Helen Dixon writes in the document.
“I am taking into account the failure of an organisation of this size to provide sufficiently transparent materials in relation to the core of its business model.”
The DPC is the lead supervisory authority for Facebook in the EU, under GDPR’s ‘one-stop shop’ mechanism, as the social media company has its European headquarters in Ireland.
The Irish watchdog must now share the draft with other EU regulators before a final decision is made.
Siliconrepublic.com reached out to the DPC for comment. A spokesperson for the DPC told Reuters that it had sent the draft decision to the other supervisory authorities and had no further comment as the process is ongoing.
Last month, Facebook-owned WhatsApp was issued the DPC’s largest ever fine. The company was ordered to pay €225m for GDPR breaches, but it has issued legal proceedings aimed at setting aside the fine.
Who is Max Schrems?
Schrems is perhaps best known for a longstanding case against Facebook that resulted in a landmark EU ruling against the Privacy Shield tool last year. He has also filed several GDPR complaints against the social media company in Europe.
The privacy activist has been critical of the DPC in the past. Last year, he called on European authorities to push the Irish data watchdog to speed up its handling of cases he brought against Facebook.
He also told an Oireachtas Joint Committee on Justice earlier this year that there is a “spiral of unresolved complaints” when it comes to the DPC and GDPR.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.