Are Terms of Service a Loophole in GDPR Consent?
On the first day of GDPR enforcement, Austrian privacy activist Max Schrems filed a series of lawsuits against Facebook accusing it of coercing users into sharing personal data. In the latest case against the technology behemoth, Schrems v. Facebook Ireland Limited, 4, the Vienna Higher Regional Court (Oberlandesgericht) ruled on December 28, 2020 that Facebook does not need to obtain the explicit consent of its users to use their data for targeted advertisements.
The adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in 2016 established a new legal framework that mandates how EU residents’ personal data is used and requires businesses to address privacy parameters. Due to the widespread uncertainty over how European regulators treat GDPR requirements, such as affirming data accuracy and restricting data processing, many social media platforms have had to make sweeping changes to the way they collect data and consent from users in order to avoid huge fines for noncompliance.
For example, before the GDPR came into effect in 2018, all Facebook users outside of the United States and Canada were governed by terms of service published by the company’s international headquarters in Ireland. Because any user data processed in Ireland is governed by the GDPR, Facebook redrafted its terms of service so that its 1.5 billion users are now governed by more lenient U.S. privacy laws. If companies are deemed to have obtained consent by adding provisions to their terms and conditions, these adhesion contracts would undermine the GDPR, leaving Facebook users susceptible to a lesser standard of data protection.
Terms of Service or Smoke and Mirrors?
The GDPR requires an existing valid contract under the applicable national law, and on the night the GDPR came into effect, Facebook published its comprehensive terms and conditions. Notably, contracts do not need to fulfill the strict requirements of “consent” under the GDPR, such as allowing withdrawal.
Personal data processing is lawful when necessary for the performance of a contract with the data subject, but necessity has been narrowly interpreted. The European Data Protection Board has specifically stated that if there are realistic and less intrusive alternatives to the type of processing envisaged, data processing is not necessary. Schrems argued that Facebook’s tactic was intended to circumvent the stricter data protection requirements demanded by EU lawmakers. However, the Vienna Higher Regional Court disagreed, noting that when a user agrees to Facebook’s Terms of Service, she also agrees to allow the company to provide “tailor-made advertising” using personal data. Because Facebook provides a free, personalized platform, the court determined that “the processing of personal user data is a supporting pillar of the contract concluded between the parties to the dispute.”
The ruling potentially means that a company can use its terms of service to circumvent GDPR’s consent requirement. Given that more than 90 percent of consumers accept legal terms and conditions without reading them, most will not realize the amount of personal data they are surrendering. Notwithstanding the lack of data-use transparency, the Vienna Higher Regional Court held that “[a]chievement of revenue through personalised advertising, made possible by the personal data of Facebook users is explained in the terms and conditions in a way that is easily understandable for any reader who is even moderately attentive.”
Currently, Facebook receives data from third parties about its users’ online activities outside of Facebook. User requests for “Activities Outside Facebook” data are often rejected. The court held that users have a right to be told which other parties have provided data to Facebook or if and to whom Facebook has provided data. As a result, Facebook has to pay Schrems 500 Euros for the alleged emotional damage caused by the uncertainty about how Facebook is handling his personal data. There is no requirement for an individual to have a Facebook account for the company to gather data from third parties, such as the Facebook pixel, a code embedded into a website that links visitors’ onsite behavior to Facebook user profiles, and applications that provide data to Facebook like Spotify, Duolingo, and TripAdvisor. Therefore, users who do not have Facebook accounts and do not agree to the site’s terms of service are still potentially susceptible to Facebook’s data processing without offering consent.
Ultimately, the ruling suggests that companies like Facebook can simply grant themselves the right to use all data from users and nonusers in their terms and conditions. The court opinion seems antithetical to GDPR’s goal of ensuring that users retain control of how their data is used. Implied consent was meant to be a vestige of a bygone era.
Max Schrems has already expressed his desire to appeal to the Austrian Supreme Court. After submission, it is likely that Austria will request a preliminary ruling from the European Court of Justice (CJEU), which is responsible for ensuring uniform application of EU law. The EU’s highest court would have the ultimate say as to whether Facebook’s terms of service agreement is legal under the GDPR. The pending appeal could redefine the scope of the GDPR as well as Europe’s role in setting standards for internet regulation.
As the European Commission is scheduled to publish a suite of sweeping new standard-setting laws for the internet, data-driven business models and data privacy practices will likely be impacted by stricter rules for targeted advertising, including data restrictions, more user controls, and transparency reporting. The combination of consumer awareness and regulation will turn a spotlight on data ethics as a driver for decision making in 2021.
GLTR Staff Editor; Georgetown Law, J.D. expected 2022; University of Alabama, B.A. 2019. Baily Martin.