Facebook is to be fined up to €36m under European Union data protection laws for failing to let users know the legal basis for processing their personal data.

In an unpublished draft decision issued last week, The Data Protection Commission (DPC) found that Facebook had not provided necessary information to its users about what they were agreeing to when they accepted the social media company’s terms of service (TOS).

The violation carries a fine of between €28m and €36m. The company will also have to bring its data processing into compliance within three months of the ruling.

However, the DPC ruled in Facebook’s favour on the more controversial and wide-reaching question of whether users are consenting or entering into a contract when they accept the company’s TOS.

Facebook argued that agreeing to the TOS constitutes a contract with the company and is not consent under the General Data Protection Regulation (GDPR), a view critics say allows the company to bypass the data laws at the expense of users.

Austrian privacy activist Max Schrems, whose digital rights group noyb represented an Austrian complainant in the case against Facebook, said the company’s argument was a “legal trick” to get around GDPR.

"It is painfully obvious that Facebook simply tries to bypass the clear rules of the GDPR by relabeling the agreement on data use as a 'contract',” said Mr Schrems in an analysis on the noyb.eu website.

"If this would be accepted, any company could just write the processing of data into a contract and thereby legitimise any use of customer data without consent. This is absolutely against the intentions of the GDPR, that explicitly prohibits to hide consent agreements in terms and conditions."

The complaint, which was filed on May 25, 2018, the day GDPR came into effect, said that Facebook’s privacy policy and TOS effectively forced users to give consent to blanket processing of personal data as a condition of using its service. noyb argued that this was contrary to the new data laws.

Mr Schrems is a vocal critic of the Irish DPC and the commissioner, Helen Dixon. His long-running complaints in relation to Facebook have forced wide-ranging changes to the EU’s data-protection regime including protections for personal information being shipped to the US.

Mr Schrems told the Oireachtas Justice Committee in April that Ireland was on the verge of facing infringement proceedings in Europe because of its “extremely poor” GDPR enforcement record, particularly in relation to big tech companies.

However, Ms Dixon slammed “inaccuracies” in some of the criticism presented against her office, adding that hostile commentary was “exaggerated” and “simplistic”.