Data Protection Commission announces conclusion of two inquiries into Meta Ireland
04th January 2023
The Data Protection Commission (DPC) has today announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the delivery of its Facebook and Instagram services. (Meta Ireland was previously known as Facebook Ireland Limited).
Final decisions have now been made by the DPC in which it has fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).
Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months.
The inquiries concerned two complaints about the Facebook and Instagram services, each one raising the same basic issues. One complaint was made by an Austrian data subject (in relation to Facebook); the other was made by a Belgian data subject (in relation to Instagram).
The complaints were made on 25 May 2018, the date on which the GDPR came into operation.
In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. (Under Article 6 of the GDPR, data processing is lawful only if and to the extent that it complies with one of six identified legal bases). Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook’s and Instagram’s services (including behavioural advertising), Meta Ireland now sought to rely on the “contract” legal basis for most (but not all) of its processing operations.
If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click “I accept” to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so).
Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).
The complainants contended that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR.
Following comprehensive investigations, the DPC prepared draft decisions in which it made a number of findings against Meta Ireland. Notably, it found that:
- 1. In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time.
- 2. In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis.
Under a procedure mandated by the GDPR, the draft decisions prepared by the DPC were submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”).
On the question as to whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions, albeit that they considered the fines proposed by the DPC should be increased.
Ten of the 47 CSAs raised objections in relation to other elements of the draft decisions (one of which was subsequently withdrawn in the case of the draft decision relating to the Facebook service). In particular, this subset of CSAs took the view that Meta Ireland should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalised advertising (as part of the broader suite of personalised services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.
The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.
Following a consultation process, it became clear that a consensus could not be reached. Consistent with its obligations under the GDPR, the DPC next referred the points in dispute to the European Data Protection Board (“the EDPB”).
The EDPB issued its determinations on 5 December 2022.
The EDPB determinations rejected many of the objections raised by the CSAs. They also upheld the DPC’s position in relation to the breach by Meta Ireland of its transparency obligations, subject only to the insertion of an additional breach (of the “fairness” principle) and a direction that the DPC increase the amount of the fines it proposed to impose.
The EDPB took a different view on the “legal basis” question, finding that, as a matter of principle, Meta Ireland was not entitled to rely on the “contract” legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising.
The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.
In terms of sanctions, and in light of this additional infringement of the GDPR, the DPC has increased the amount of the administrative fines imposed on Meta Ireland to €210 million (in the case of Facebook) and €180 million in the case of Instagram. (The revised levels of these fines also reflect the EDPB’s views in relation to Meta Ireland’s breaches of its obligations in relation to the fair and transparent processing of users’ personal data).
The DPC’s existing requirement that Meta Ireland must bring its processing operations into compliance with the GDPR within a period of 3 months has been retained.
Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.