According to a draft proposal, Facebook might face a punishment of up to €36 million for failing to meet its GDPR transparency responsibilities.
The Data Protection Commission (DPC) of Ireland suggests a punishment of between €28 million and €36 million for the social media giant for failing to adequately inform users about how their data is processed in this document.
The potential sanction arises from a complaint filed by Austrian privacy activist Max Schrems against the social media behemoth. His non-profit digital rights organization, NOYB, published the DPC’s draft judgement online today (13 October).
The draftproposal describes the infringements as “serious in nature” and says the case concerns “vast swathes of personal data impacting millions of data subjects” in the EU.
“I note in particular the impact a lack of transparency has on a data subject’s ability to be fully informed about their data protection rights, or indeed about whether in their view they should exercise those rights,”
Data Protection Commissioner Helen Dixon writes in the document.
“I am taking into account the failure of an organisation of this size to provide sufficiently transparent materials in relation to the core of its business model.”
Because Facebook’s European headquarters are in Ireland, the DPC is the principal regulatory authority for the social media corporation in the EU under GDPR’s ‘one-stop shop’ process.
Before making a final judgment, the Irish watchdog must discuss the draft with other EU regulators.
A DPC official told Reuters that the draft decision had been transmitted to the other supervisory authorities and that the process was still ongoing.
Last month, the DPC imposed the highest fine in its history on Facebook-owned WhatsApp. The corporation was fined €225 million for GDPR violations, but it has filed legal action to have the sentence overturned.
Who is Max Schrems?
Schrems is best known for a long-running legal battle with Facebook that culminated in a landmark EU judgement last year against the Privacy Shield function. In Europe, he has also filed a number of GDPR complaints against the social media firm.
In the past, the privacy activist has been critical of the DPC. Last year, he urged European authorities to pressure Ireland’s data protection body to expedite the handling of claims he filed against Facebook.
He also told the Oireachtas Joint Committee on Justice earlier this year that the DPC and GDPR have a “spiral of unresolved complaints.”