On 4 January 2023, the Data Protection Commission announced its final decision in response to two inquiries involving Meta Platforms Ireland Limited in which it was fined a total of €390 million for its breaches of the General Data Protection Regulation (Regulation (EU) 2016/679). Both inquiries relate to complaints raised on 25 May 2018 regarding concerns surrounding the lawfulness and transparency of processing personal data for the purposes of behavioural advertising and personalised services by Meta Ireland on its Facebook and Instagram platforms. The fines were allocated between the breaches in delivery of Meta Ireland’s Facebook services (in which it was fined €210 million) and its Instagram services (in which it was fined €180 million). The DPC stated that Meta Ireland Limited must ensure its data processing activities become compliant within three months. Meta Ireland has announced that it intends to appeal this decision.
Background of the case
Shortly before the introduction of the EU GDPR, Meta Ireland altered its Terms of Service on each platform, highlighting a change to its lawful purpose under Article 6 of the EU GDPR for legitimising the processing of the personal data of its users. While Meta Ireland had previously relied on the lawful purpose of “consent”, it would now rely on the lawful purpose of “contract” for most of its processing of users personal data, including the processing of personal data for behavioural advertising and personalised services.
To be eligible to use the platforms, users were required to indicate their acceptance to the updated Terms of Service by clicking “I accept”. Upon confirming acceptance, Meta Ireland considered that the data subject and Meta Ireland had entered into a contract, requiring Meta Ireland to process the data subject’s data, including for the purposes of behavioural advertising and personalised services, to fulfil its obligations under the contract.
Complainants argued that Meta Ireland’s decision to change the lawful basis from consent to contract was flawed. By requiring users to “accept” the updated data processing terms within the Terms of Service, Meta Ireland denied users of any control over the use of their personal data for behavioural advertising and personalised services. By making the acceptance of this processing a condition of service, complainants claimed that Meta Ireland was in breach of Article 6 of the EU GDPR.
The DPC undertook thorough investigations into the complaints and drafted decisions in respect of their proposed action against Meta Ireland, which it submitted to Concerned Supervisory Authorities (“CSAs”) for peer review.
The DPC initially considered whether Meta Ireland were correct in changing its lawful basis to process personal data for behavioural advertising from consent to contract. In its draft decision the DPC decided that while Meta Ireland had failed to meet its transparency obligations under Article 5 of EU GDPR, it “was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal purpose” on the basis that the processing of personal data for behavioural advertising and personalised services was integral to the service provided by the organisation and fulfilment of its contact with its platform users. However, a number of CSAs disagreed arguing that behavioural advertising and personalised services were not required for the delivery of core elements of said contract to be delivered to the user and in that respect Meta Irelands reliance on “contract” as its lawful basis for the processing of personal data for behavioural advertising or personalised services was incorrect. As a consensus could not be reached, the DPC was required to refer the case to the European Data Protection Board (“EDPB”) for consideration. The EDPB upheld the finding by the DPC that Meta Ireland was in breach of its transparency obligations under Article 5 the EU GDPR, agreeing with the DPC that Meta Ireland had not clearly communicated to users the processing operations in respect of the users personal data by the organisation. The EDPB held this decision was subject only to adding an additional breach of the fairness principle by Meta Ireland, as well as the requirement for an increase of the initial fines determined by the DPC to be payable by Meta Ireland. However, in respect of the lawful purpose argument, the EDPB decided differently from the DPC, determining that Meta Ireland was not entitled to rely on “contract” as their lawful purpose for processing personal data for behavioural advertising, and personalised services and this decision taken by Meta Ireland was in contravention of Article 6 of the EU GDPR. The final decision taken by the DPC on 31st December 2022, reflect the conclusions taken by the EDPB and these should be published in due course.
Key considerations following the DPC’s decision
Under the EU GDPR, an organisation is required to choose an appropriate lawful purpose for the processing of personal data in which it will ensure that data is processed lawfully, fairly and in a transparent manner. It is perhaps understandable that Meta Ireland considered the lawful purpose of “contract” to be most appropriate for the processing of most of its personal data, including behavioural advertising and personalised services. The main consideration for the lawful purpose of “contract” is necessity. Meta Ireland delivers a free service to users and relies on advertising as one of the main revenue streams for the organisation. Therefore, it is understandable why it would consider the processing of personal data for behavioural advertising and personalised services as a necessity in order to perform a contract with the user and allow the user to use the social media platform.
If this type of processing was not accepted as being included under this lawful purpose, the organisation would require to rely on another lawful purpose such as “consent”. If Meta Ireland were to use “consent” as the alternative, this could significantly affect the proportion of users who wish to be subjected to behavioural advertising and personalised services thus impacting Meta’s revenue stream, perhaps significantly
Separately, the different positions adopted by the DPC and the EDPB in respect of coming to a decision on the lawful purpose argument reflects how uncertain the outcome may be if your organisation’s choice of lawful purpose is placed under scrutiny.
If your organisation presently chooses to process personal data for behavioural advertising or personalised services, we would recommend you carefully consider which lawful purpose is most appropriate and ensure you have strong evidence and reasoning for this decision. We are awaiting more information regarding the full judgements by the DPC and EDPB. It has been reported by Meta Ireland that they plan to appeal the decision by the DPC, and we will closely monitor the case for any developments.
If your organisation has any questions about how to manage its processing activities, please contact Thorntons Data Protection Team on 03330 430350.