One year to go: DPAs are sharpening their blades

One year to go: DPAs are sharpening their blades
May 25, 2017 Arne Defurne

Could you hear the clock ticking? As of today – companies have only one year to finalise their preparations for the GDPR implementation. Meanwhile several Data Protection Authorities across Europe are already practicing their bite on Facebook.

Luckily enough for the social network site, DPAs haven’t got their sharpest teeth quite yet. By now, most of us are aware that non-compliant organisations will face fines of up to 4% of global turnover once the GDPR is finally in full force. For Facebook, this could mean potentially coughing up a whopping one billion euros. Right now, the damage is limited to a measly 150k, the French DPA’s maximum fine.

But even now, more might still follow. After all, the 150k fine was imposed by the French watchdog, CNIL, while proceedings in Belgium, the Netherlands, Germany and Spain are still ongoing. Collectively called the Contact Group, these DPAs have chosen to cooperate in their effort to scrutinise Facebook. To go over each of their investigations briefly:


The CNIL mainly observed that:

  • Facebook compiles personal data of internet users on a massive scale for the purpose of targeted advertising. Because users do not have the possibility to opt in or – out Facebook lacks the legal basis to do so.
  • The collection of personal data includes browsing activity on non-Facebook websites using the ‘data’ Facebook’s cookie banner mentioned that data is collected ‘on- and outside Facebook’, but this was not enough to inform the users, leading to a lack of transparency.


The Belgian Privacy Commission also investigated Facebook’s use of cookies and concluded that:

  • The consent provided by data subjects cannot be considered informed, free or specific;
  • Specific to non-users of Facebook: their only possibility to refuse consent is to not use Facebook. Because of the important role Facebook plays in society, this was said to unduly pressure them into consenting;
  • Because there is no valid consent to collect personal data for the purpose of advertising, the processing that is actually performed is considered disproportional.

The Privacy Commission has decided to take Facebook to court, where pleadings will begin on the 12th of October.

The Netherlands

The Autoriteit Persoonsgegevens considered Facebook in violation of 9,6 million Dutch users’ privacy rights by:

  • Providing inadequate information on several occasions;
  • Using sensitive personal data (sexual orientation) for the purpose of targeted advertising, without explicit consent.


The Hamburg DPA has issued two different orders against Facebook:

  • Against Facebook’s real-name policy: the order to allow pseudonyms is currently suspended after appeal by Facebook awaiting European Court of Justice proceedings;
  • An order against combining Facebook and WhatsApp data without prior consent.


Two procedures for infringements against Spanish data proteciton laws are currently opened, after preliminary investigations into Facebook’s privacy policy and terms of use.

Incidentally and not entirely unrelated, Facebook incurred the considerable fine of 110 million euros earlier this week. This time, the fine was the result of Facebook falsely alleging that it was incapable of matching Facebook and WhatsApp identities during their 2014 merger process.

While the 150k fine may seem like a silly excuse for a slap on the wrist to a gargantuan like Facebook, the brave efforts of five DPAs should not be underestimated. The thorough investigations have resulted in substantial reports, establishing various points of non-compliance. Now, Facebook has been given a year to get in line. We, for one, expect them to take this seriously, because the bite from the freshly sharpened teeth will be painful.