Meta Ireland (Meta) has recently been issued with two fines by the Irish Data Protection Commission (DPC) for breaches of the EU General Data Protection Regulation (GDPR) relating to advertisements run on its Facebook and Instagram services. The decisions highlight some fundamental issues for all data controllers in respect of identifying the appropriate legal basis for their data processing operations and the need to be transparent about how personal data is used. The decisions also reveal some core differences in approach between the DPC, the Irish national privacy regulator in this case, and the European Data Protection Board (EDPB). They signal the likelihood of ongoing wrangling between the various European data regulators as they seek to interpret the decisions and as the decisions are (inevitably) challenged through the courts.
The penalty imposed against Meta Ireland
The substantial fines of €210m (approximately $223m) with respect to Facebook and €180m (approximately $191m) with respect to Instagram reflect the consolidated turnover of the Meta group and the level of fines which, in the EDPB’s view, are required to be effective, proportionate and dissuasive in accordance with Article 83(1) of the GDPR. Meta now has 3 months to take corrective action and amend its privacy policies (including identifying an appropriate legal basis for processing) and its operations to bring its data processing in line with the GDPR.
Reflecting the significant divergence in regulatory approach, the initial total fine proposed by the DPC was less than 10% of the final amount; following representations from the other European supervisory authorities, the EDPB raised the level of the fines in its final binding decision. However, the EDPB rejected requests from some of those authorities to impose a ban on the processing of personal data for the purpose of behavioural advertising.
Substance of the decisions and the decision-making process
The decisions relate to complaints initially brought on 25 May 2018, the day the GDPR became applicable, by the data rights pressure group None of Your Business (“NOYB”) on behalf of data subjects in several European jurisdictions.
In April 2018, just before the GDPR became applicable in May 2018, Facebook updated its terms of service. The complainant argued that users were given a binary choice between accepting the Terms of Service and deleting their account, that Facebook relied on “forced consent” to process their personal data, and that users were not given a genuine choice whether to accept or decline the updated terms of service. In addition, the complainant claimed that it was unclear what legal basis Facebook was relying on for the processing.
Having produced an initial set of draft decisions, the DPC, as Meta’s lead supervisory authority, circulated them under the GDPR’s cooperation procedure (Article 60) to the other EU/EEA regulators concerned, the Concerned Supervisory Authorities (“CSAs”). The CSAs, having failed to reach agreement with the DPC, referred the points in dispute to the EDPB under the dispute resolution procedure (Article 65).
The DPC held that Meta’s processing had breached the following articles of the GDPR:
- Articles 5(1)(a), 12(1) and 13(1)(c) – in that Meta had failed to comply with the principle that personal data should be processed lawfully, fairly and in a transparent manner, having failed to provide sufficient information relating to what processing of personal data was being carried out, the purposes of the processing and the legal basis for the processing.
- Article 6(1) – Meta was not entitled to rely on the legal basis of performance of a contract with its users (Article 6(1)(b)) in order to process personal data for the purposes of providing personalized advertising on Facebook and Instagram.
On the second point, the DPC had taken the opposite view in its draft decisions, which it then changed at the direction of the EDPB. However, the DPC and EDPB were aligned on the first point that Meta was not sufficiently transparent in respect of its processing.
The EDPB also made an additional finding, further to representations from the Italian supervisory authority, that Meta had breached the principle of fairness under Article 5(1)(a) of the GDPR and instructed the DPC to include such a finding (and issue appropriate corrective measures) in addition to its findings in respect of breach of the transparency obligations.
The EDPB also upheld the objections of five CSAs regarding the DPC’s finding that Meta was not legally obliged to rely on consent for the processing of personal data, and ordered a fresh investigation into Meta’s processing operations to determine whether it processes special categories of data, which under Article 9 would require the user’s explicit consent (or another of the Article 9(2) conditions) rather than reliance on a contract.
Article 6 and the contract basis for personal data processing under the GDPR
At the heart of the ongoing conflict between the different regulators, data controllers and privacy rights campaigners in this case is how far the performance of a contract can be relied upon as the basis for lawful processing of personal data. Some regulators, the DPC included, took a similar view to Meta during the deliberations: that the contractual scope in question can be quite broad, such that it is lawful to process personal data in order to provide personalized ads as part of the personalized service provided to data subjects who sign up (i.e. “contract”) to use social media platforms, including Facebook and Instagram.
However, nine national regulators and the EDPB took a different position, agreeing with privacy campaigners on the basis that personalized advertising could not be said to be objectively necessary to perform Meta’s contract with the data subjects to deliver Facebook services and is not a core or essential element of it. The question likely to remain live as the decisions are challenged in court is the precise scope of what is “necessary” for the performance of a contract in this context. Should it be so broad as to mean whatever has been set out in the contract (and effectively whatever platforms such as Meta choose to do, given the one-sided nature of the agreements)? Or should it be much more limited, as the EDPB held, to what is objectively necessary for a specific purpose and integral to the delivery of that contractual service to the data subject, having regard to the objective pursued by the GDPR, namely protecting an individual’s personal data?
Analysis and next steps
Apart from the implications for Meta (which is awaiting the outcome of another parallel complaint relating to its WhatsApp service), data controllers in a broad range of industry sectors will need to re-examine their practices.
Data controllers which rely on contractual necessity will need to re-examine the nature of their contracts and the basic underlying purpose of the services they are providing. Social media platforms such as Meta will need to examine whether users are contracting to take part in a social network driven and underpinned by advertising (and whether they are effectively entering into the agreement to receive advertising), or whether they are contracting for the use of a global communications platform more generally. Privacy activists will counter that advertising is not strictly necessary to deliver such services and that including terms to that effect in user agreements will not, in and of itself, make it necessary. All data controllers will need to re-examine their privacy notices to assess whether they are being sufficiently transparent and specific about their uses of personal data.
Unsurprisingly, given the critical issues for its business and the wide divergence of regulatory views evident in the decisions, Meta has announced its intention to challenge the rulings in court. There were significant differences of opinion among the CSAs that reviewed the DPC’s draft decisions, which were reconciled by a two-thirds majority vote. The issues are likely to take some time to be resolved. The AdTech industry, and those heavily reliant on it, will be following developments closely, particularly in respect of how other supervisory authorities choose to interpret the determinations by the EDPB.
Further action may also extend to the regulators themselves. The DPC has intimated that it intends to take action for annulment before the Court of Justice of the EU in relation to some of the EDPB’s directions. This relates, in particular, to what the DPC refers to as the EDPB “purport[ing] to direct the DPC to conduct a fresh investigation” covering a much broader scope relating to the processing activities of Facebook and Instagram, including special category data. Such purported directions represent, in the view of the DPC, an overreach of its powers by the EDPB because it does not, in the DPC’s opinion, have the power to instruct national authorities in this way.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.