EDPB instructs Irish DPC to expand infringements against Instagram in €405M fine


Author: Dr Rachel Finn, Director, Data Protection & Cyber-risk Services / Head of Irish Operations

Date: 26 September 2022

This month (September 2022), the Irish Data Protection Commission (DPC) issued a decision which included the imposition of a fine on Meta related to its social media platform, Instagram. The DPC issued the fine after Supervisory Authorities from other EU Member States objected to the DPC’s draft decision and the EDPB subsequently issued a Binding Decision. This article outlines the Irish DPC’s position alongside that of the objecting Supervisory Authorities, and the EDPB’s subsequent findings, specifically on the scale of the infringement and the associated scale of the fine.

Background

The scale of the infringement turns on whether Instagram (and Meta, the parent company of Instagram) processed children’s contact data lawfully. The details of the processing in question are as follows. In 2016, Instagram included an option for all users, regardless of age, to switch from a personal account to a business account. As part of a business account, certain contact information (specifically email address and/or telephone number) would be made publicly available on the Instagram platform as part of a “Contact” function for the business account. Until September 2019, when switching to a business account, the contact information was pre-filled based on the information provided by the user when they first registered, and business account users were required to publish some publicly available contact information (regardless of age). As a result, child users who intentionally or unintentionally switched to a business account before September 2019 had their contact details publicly displayed. Consequently, the DPC opened an investigation into Instagram in September 2020.

In its submission as part of the DPC investigation, Meta explained that it relied on two legal bases for publishing the contact details of business users. Specifically, for business account users, Instagram relied on Article 6(1)(b) GDPR (performance of a contract) as the lawful basis, since users agreed to Instagram’s Terms of Use. For child users unable to enter into an enforceable contract, Instagram relied on Article 6(1)(f) (legitimate interest), whereby Instagram had a legitimate interest in making business contact information publicly available to all users based on “the legitimate interest of a third party (i.e., other Instagram users) to be able to engage with Business Account owners” regardless of age. Initially, the Irish Data Protection Commission accepted this rationale in relation to the lawful basis for publishing contact data for children with business accounts.

However, when the DPC shared its Draft Decision with the other Supervisory Authorities under Article 60(3) GDPR, the German, Finnish, French, Italian, Dutch and Norwegian Supervisory Authorities disputed it under Article 60(4) GDPR. This prompted the EDPB Secretariat to assess the situation, and its subsequent findings, issued under Article 65(1)(a) GDPR, differed from the DPC’s assessment.

Lawful Basis Assessment

In relation to whether Instagram could rely on Article 6(1)(b) GDPR (performance of a contract) as the lawful basis, the EDPB disagreed with the DPC. It found that the Irish Data Protection Commission’s analysis of this lawful basis, in the initial Draft Decision, did not sufficiently take the following considerations into account:

“children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”

“no specific information about the Business Account feature was provided to the child users”

“the publication of the contact details on their profiles could have not been reasonably expected by such child users in the context of their use of Instagram, including the business account feature.”

“the contact information processing, in respect of the child users, could [not] be considered as “integral” or “central” to the Instagram service, including the business account feature”

As such, the EDPB found that Instagram could not rely on performance of a contract as a legal basis for the processing.

In relation to whether Instagram could use Article 6(1)(f) (legitimate interest) as the legal basis for processing personal data, the EDPB also disagreed with the DPC. First, the EDPB reaffirmed that when relying on legitimate interest, the processing must be “necessary for the purposes of the legitimate interests of the controller or of a third party, inasmuch as those interests are not overridden by the interests or fundamental rights and freedoms of the data subjects concerned.” The EDPB argued that since business account users could be contacted via the direct message function within the platform, which it indicated was a less intrusive means of communication, the necessity part of the assessment was not met. Second, since “the age of the data subject may be one of the factors to take into account in the context of the balancing of interests”, the EDPB found that “the legitimate interests pursued were overridden by the interests and fundamental rights and freedoms of child users”. Again, the EDPB’s findings differed from the DPC’s in that the EDPB found that Instagram could not rely on legitimate interest to process the contact information.

Instructions to the Data Protection Commission

As a result of these analyses, which included consideration of fundamental issues concerning the processing of children’s data, the EDPB found that Meta (Instagram) did not have a lawful basis for processing the contact details of child users and instructed the DPC to “change its Draft Decision” to account for this finding and infringement. The DPC also noted that the fine issued to Instagram / Meta should take account of this additional infringement. Thus, in its announcement the DPC included both the infringement and the maximum €405 million fine[1].

This investigation demonstrates that the EDPB is responsive to other Supervisory Authorities’ objections when one Supervisory Authority appears to have inaccurately assessed a situation. Furthermore, the binding decision issued by the EDPB to the DPC should also be understood in the context of two larger questions. The first is around data protection enforcement across the European Union in respect of “big tech”, and the second is the introduction of new legislative frameworks for responsibly managing and supporting the data economy within Europe (i.e., the Digital Services Act, Data Act, Digital Markets Act and AI Act).

It will be interesting to follow how the interactions between different Supervisory Authorities continue to evolve as the initial findings of some of these major “big tech” investigations are released and the dispute resolution procedure provided by the GDPR is further utilised.

Finally, the EDPB’s instructions reinforce that all organisations, regardless of their size, need to carefully consider how they assess their lawful basis for processing personal data, particularly in relation to principles like transparency and necessity.

If you need assistance identifying a lawful basis for processing personal data, including personal data related to young people, our team of expert advisors is available to help. Contact Trilateral’s Data Protection and Cyber-risk team for more information.

[1] While this article focuses on the lawful basis assessment, in total, there were 10 violations identified which contributed to the fine imposed. The violations included breaches of Article 25 (data protection by design and by default), Article 12(1) (provision of transparency modalities), Article 5(1)(a) (fairness and transparency), Article 35 (requirement to conduct a Data Protection Impact Assessment), Article 5(1)(c) (data minimisation) and Article 6(1) (lawfulness of processing) of the GDPR.