Irish regulators reportedly worked with Facebook to develop new terms of service to circumvent GDPR (European data protection law).

That's the harsh accusation from nyob, the European digital rights center, an Austrian NGO focused on bringing GDPR-related lawsuits; but the one it filed in Ireland against Facebook for violating these laws could end up with a joke fine of up to €36 million.

Also in the Irish Data Protection Commission's (DPC) draft is why it has not decided to pursue larger fines: because it believes that Facebook is not violating the GDPR, simply because it believes that the company is not required to ask for user consent if it is offering a contract.

Wait a minute, a contract? Indeed, since May 25, 2018 at midnight, just when the GDPR came into force, the terms of service speak of a "contract" to use Facebook; a term that replaces the word "consent" in the same context. Without telling anyone, Facebook changed the terms of use overnight just to change one word, and at nyob they believe they did so on the advice of Irish regulators, following a meeting between Facebook representatives and the DPC in 2018. 

Facebook's headquarters in Ireland

That's why the DPC's proposed fine is not for breaching GDPR, but for "lack of transparency" about how it does so; otherwise, the commission expresses support for the company for the way it doesn't require express user consent. And presumably, it's because the DPC itself explained to Facebook how it could do so.

This is not the first time Irish regulators have come under suspicion for helping Facebook, which for years had its European headquarters in Ireland. Last month they proposed a €50 million fine for failing to explain how WhatsApp shares data with Facebook, its owner; but when the draft reached the European Data Protection Committee, the fine ballooned to €225 million, accompanied by an order for WhatsApp to change its terms of use. WhatsApp has confirmed that it will appeal the decision.

Now, the same may happen with this latest draft; nyob is hopeful that the rest of the European authorities will realize that this decision may teach the rest of the companies how to bypass the GDPR, making the great European privacy law become little less than a dead letter.