noyb's third "Advent Reading": Facebook's laughable Record of Processing Activities (ROPA)
In its third "Advent Reading" (in protest of the DPC unlawfully removing noyb from a pending procedure) noyb is publishing Facebook's main GDPR compliance document: Facebook's "Record of Processing Activities" under Article 30 GDPR (short: "ROPA"). Such legally required document should allow to easily assess Facebook's compliance with the GDPR, but in fact it only has a laughable four pages. Usually such documents otherwise have hundreds of pages. Schrems: "Facebook's core GDPR compliance document is symptomatic of their ignorance of the law - it only has four pages. Usually such a document would be hundreds of pages. The Irish DPC knows about the lack of documentation since 2018, but did not take action."
GDPR compliance in four pages? The document actually says very little, instead of a detailed description of thousands of processing operations, Facebook mainly refers to its privacy policy and otherwise added some generic lines. For a deeper dive noyb was joined by Peter Hense, Partner at Spirit Legal, who has worked on hundreds of such documents before. He could hardly believe that Facebook's ROPA is limited to four pages and commented "Every soccer club has a more detailed ROPA" in noyb's Advent Reading. He went on to highlight that as an auditor he would have to treat this ROPA as non-existent and that Facebook's processing is therefore "illegal".
DPC is aware since 2018. The Irish Data Protection Commission ("DPC") was provided with this laughable "Record of Processing Activities" on 27.9.2018 by Facebook, but has not taken any action over the obvious breach of Article 30 GDPR to noyb's knowledge.
Max Schrems, Chair of noyb.eu: "The Irish DPC knew that Facebook Ireland does not even have the most basic compliance documents in order and did nothing about it."
Threat to noyb in 2019. Instead of taking action on Facebook, the DPC went after noyb: once the document was provided to noyb in August 2019 via the Austrian Data Protection Authority ("DSB"), Max Schrems has shared the fact that the ROPA only contains four pages on Twitter, together with a picture of the backside of the documents. This triggered the DPC to send angry letters to noyb, demanding that this tweet be deleted.
"Fan Mail" by the DPC and Facebook. As noyb informs all relevant parties before our Advent Readings, we have again received threat letters (we call it "fan mail") by Facebook's law firm Mason Hayes and Curran and the Irish DPC – basically threatening legal action against noyb, despite not having any legal basis to do so, as pointed out in our responses to Facebook and our response to the Irish DPC.
Legal Basis for the publication. As pointed out in our First Advent Reading, the four noyb Advent Readings are in protest of the DPC's illegal removal of noyb in a pending procedure. All documents were provided via the Austrian DSB. The Austrian DSB decided that these documents are not protected under the relevant provision (§ 17 Abs 3 AVG) and noyb is free to use them under applicable Austrian law. Even under the (non-applicable) Irish Data Protection Act 2018, there is no legal basis to withhold or otherwise limit the use of documents by the parties. While the DPC usually relies on Section 26 of the Act, this provision clearly only applies to DPC staff ("relevant persons") and not to third parties.
Potential "SLAPP suit" by the DPC and Facebook. Given the baseless threats, despite a clear legal basis for these publications, noyb is now expecting baseless "SLAPP suits" (see a great summary by John Oliver, unfortunately only on YouTube) by the DPC and/or Facebook Ireland Limited. It is not unlikely that Facebook or the DPC would try to bring a case to Ireland or the UK, as these legal systems are extremely expensive and a perfect jurisdictions to ruin an NGO. We have therefore geoblocked the relevant documents in these jurisdictions.
Today's Documents. The ROPA document is part of our "GDPR bypass" litigation and available here:
- Facebook's Four Page ROPA (may not be available in all countries)
Exchanges about the legality of this publication:
- Letter by the DPC on the publication of the ROPA
- Response by noyb on why the DPC's points are incorrect
- Letter by Facebook's law firm on the publication of the ROPA
- Response by noyb on why Facebook's "intention" is not a relevant factor
Week in review. For anyone that is interested in what happened since last week's Advent Reading, we recommend this article by POLITICO on how the DPC tried to squeeze Facebook's "GDPR bypass" into EDPB papers. This triggered a number of interesting articles, all the way to calls within Ireland to replace the leadership of the DPC. Later this week, an Article 60 objection against the DPC's draft decision on the "GDPR bypass" by the Norwegian DPA was reported by POLITICO, highlighting that the DPC's Draft Decision would "end right to privacy" according to the Norwegian DPA. This lead to further discussions within Ireland about the DPC, such as this reporting by the Irish Times.