On January 4, 2023, the Irish Data Protection Commission (hereafter “the DPC”) announced the imposition of two administrative fines totalling €390 million on Meta Platforms Ireland Limited (“Meta Ireland”). The fines concerned data protection violations related to behavioural advertising on the Facebook and Instagram services. The DPC ordered Meta to bring its data processing activities into compliance within a period of 3 months. The decisions of the DPC indicate that many organisations, even big tech giants, experience difficulties in identifying the appropriate lawful basis to rely upon when processing personal data in the context of their services. Additionally, the findings of the DPC highlight that compliance with the GDPR’s transparency requirements can be a challenging task for data controllers.
According to information provided by the DPC, the inquiries concerned two complaints about Facebook and Instagram services, each one raising the same basic issues. The complaint against Facebook was lodged by an Austrian data subject whereas the complaint against Instagram was made by a Belgian data subject. Both complaints were filed on the first day that the GDPR came into force, 25 May 2018. Ahead of that date, Meta had modified its Terms of Service for its Facebook and Instagram services. Among the various modifications, Meta changed its lawful basis under the GDPR to rely on the performance of a contract, instead of consent. This change covered most of its processing activities including behavioural advertising.
Meta’s users were given the option to click “accept” on the updated Terms of Service. If they decided not to click “accept,” they could not access the service. Meta argued that, by accepting the updated Terms of Service, users entered into a contract with Meta. Additionally, Meta asserted that the processing of users’ data was necessary for the performance of that contract, which included the provision of personalised services and behavioural advertising.
DPC Investigation and the role of the EDPB
The DPC investigated the complaints as lead supervisory authority. Initially, in its draft decisions, the DPC found that the reliance on the performance of a contract as a legal basis was lawful. However, following objections from 10 concerned supervisory authorities, the EDPB’s dispute resolution mechanism under Article 65 of the GDPR was triggered. After examining the facts of the cases, the EDPB overturned the DPC’s findings.
The EDPB held that Meta inappropriately relied on contract as a legal basis to process personal data for the purposes of personalised advertising, considering that behavioural advertising was not a core element of the services. The EDPB concluded in both cases that Meta did not have a lawful basis for this processing and therefore processed these data unlawfully. The EDPB did, however, agree with the DPC’s finding that the transparency requirements had been violated, given that Meta’s reliance on contractual necessity within its Terms of Service did not meet the transparency requirements under the GDPR.
Lastly, the EDPB examined whether the DPC had investigated the complaints with due diligence. In the case of Instagram, the complainant had raised the issue that sensitive data had been processed by Meta. However, the DPC did not assess this argument, leaving the EDPB without sufficient factual evidence to make findings on any possible infringement of the controller’s obligations under Article 9 of the GDPR. The EDPB held that the DPC must carry out a new investigation.
The final decisions issued by the DPC on 31 December 2022 were aligned with the EDPB’s binding rulings as set out above. However, in relation to the direction to carry out a further investigation, the DPC said that it intends to take legal action to annul it, considering this direction a regulatory “overreach.”
Takeaway lessons and recommendations
These decisions confirm that businesses should take specific actions before proceeding with any kind of processing activities. Specifically, organisations should:
- cautiously assess the legal basis that they will rely upon, especially when engaging in direct marketing and personalised advertising activities;
- request and obtain valid consent from data subjects in line with the GDPR requirements for clarity and granularity;
- meet their transparency obligations by drafting and making available privacy notices that provide the information required for each processing activity;
- examine whether a Data Protection Impact Assessment is necessary to detect and mitigate any risks related to the processing activities.
Trilateral’s Data Protection and Cyber-risk team has data protection specialists with extensive expertise and experience in reviewing the lawfulness of data processing activities and advising your organisation on the necessary actions before engaging in any data processing activities. Please feel free to contact our advisors, who would be happy to speak with you about your compliance needs in light of these decisions.