The Data Protection Commission (DPC) has proposed fining Facebook up to €36m in one of more than a dozen probes it has opened into the social media giant, according to a draft decision published by the complainant.
Under European Union 2018 data protection rules, the DPC must now share the preliminary ruling with all concerned EU supervisory authorities and consider their views before making a final verdict.
The Irish commission is the lead regulator of Facebook and many other of the world's largest technology company's under the bloc's "One Stop Shop" data regime, due to the location of their EU headquarters in Ireland.
The complaint, lodged by Austrian privacy activist Max Schrems, concerned the lawfulness of Facebook's processing of personal data, specifically around its terms of service.
A central issue was whether acceptance of the terms of service by a user constitutes or must be considered consent for the purpose of the General Data Protection Regulation (GDPR).
But in its draft decision the DPC found there is no obligation on Facebook to seek to rely solely on consent for the purposes of legitimising personal data processing where it is offering a contract to a user.
"Nor has Facebook purported to rely on consent under the GDPR," the draft decision states.
The DPC also probed whether Facebook failed to provide necessary information regarding its legal basis for processing under its Terms of Service and whether the information was set out in a transparent manner.
in its draft findings the commission said it found three breaches of the GDPR related to this.
The DPC proposed a fine of €28m to €36m for Facebook's failure to provide sufficient information, according to the draft decision, published by Schrems' digital rights group NOYB.
The draft ruling described the infringements as serious in nature and criticised Facebook for a lack of transparency.
The commission also found an order forcing Facebook to bring its data processing into compliance within three months should be imposed.
A spokesman for the DPC said it had sent the draft decision to the other supervisory authorities and had no further comment as the process is ongoing.
The other authorities have a month in which to respond to the draft decision.
Last month the DPC fined WhatsApp Ireland €225m for infringements of data protection rules - the largest fine ever imposed by the DPC and the second largest penalty ever levied on an organisation under EU data laws.
The regulator also ordered the messaging service to bring its processing into compliance by taking a range of specified remedial actions.
WhatsApp has since lodged an appeal against the decision in the High Court.
In December, Twitter was also fined €450,000 by the DPC for data protection breaches after the regulator found that the social media network failed to notify it of the breach in time as required under the General Data Protection Regulation (GDPR).
It also found that it failed to adequately document the breach, contrary to GDPR requirements.
The DPC currently has a second draft decision regarding a case involving Facebook being considered by other data protection supervisory authorities in Europe, as part of procedures under Article 60 of the GDPR.
Additional reporting Will Goodbody