
Another finding against Meta for GDPR breaches

Tuesday 24 January 2023

The recent enforcement decision from the Data Protection Commission (DPC) is the second decision in as many months that has been decided against Meta in relation to its failure to comply with the General Data Protection Regulation (GDPR).

The DPC is the Irish supervisory authority for data protection under the GDPR. On 4 January 2023, the DPC announced the conclusion of two investigations into Meta and its data processing operations in connection with the delivery of both its Facebook and Instagram services.

Our previous article on the decision against Meta from December last year can be found here.

The DPC investigations were started following complaints about how Meta updated its Terms of Service for both Facebook and Instagram users. The complaints arose because both Facebook and Instagram had given users a choice of either accepting the new Terms of Service and the associated data privacy policy or deleting their accounts.

The DPC’s investigation centred on the lawfulness of processing, in particular Article 6 of the GDPR: whether Meta could rely on Article 6(1)(b) as its lawful basis for processing, whether the legal basis had been misrepresented, and whether Meta had failed to provide the necessary information regarding its legal basis for processing in connection with the Terms of Service and the privacy policy.

Meta had, in advance of 25 May 2018, changed its Terms of Service for Facebook and Instagram and, in anticipation of the introduction of the GDPR, had requested that users accept the updated Terms of Service. Meta argued that, on accepting the updated terms, a contract was entered into between Meta and the user.

Meta had previously relied upon consent under Article 6(1)(a) of the GDPR as its lawful basis for processing personal data; however, it now wanted to rely on Article 6(1)(b) of the GDPR, which provides for the processing to be lawful when it is necessary for the performance of a contract. Article 6(1)(b) says:

  1. “Processing shall be lawful only if and to the extent that at least one of the following applies:…

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”

The complainants disputed that there was a contract and complained that, by making the accessibility of the services conditional on acceptance of the updated terms by the user, Meta was forcing them into consenting to the processing of their personal data for behavioural advertising and other personalised services.

Following an investigation, which included consultation with peer regulators in the EU/EEA and, as a consensus decision could not be reached, a determination from the European Data Protection Board (EDPB), the DPC has announced its final decision.

The DPC found that Meta was not precluded, in principle, from relying on Article 6(1)(b) GDPR for the purpose of legitimising the processing of personal data. As the DPC does not make comment on matters of contractual law and contractual interpretation, and the lawful basis provides for personal data being processed where it is necessary for the performance of a contract, it confirmed that data may be processed if, without such processing, the contract could not be performed.

However, as a general rule, and this was supported by the EDPB, Meta was not entitled to rely on the “contract” lawful basis in connection with the processing of personal data for the delivery of behavioural or personalised advertising as part of the Facebook or Instagram services, and its processing of users’ data in reliance on this basis amounts to a violation of Article 6 of the GDPR.

The DPC also found that Meta had not met its transparency obligations to provide users with information about the lawful basis relied upon. It also considered that this amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner.

The DPC fined Meta €210 million for breaches of the GDPR relating to its Facebook service, and €180 million for breaches in relation to its Instagram service. Meta has also been directed to bring its data processing operations into compliance within a period of 3 months.

This decision illustrates how important it is to consider your lawful basis for processing personal data carefully and to document your justification, and it shows just how costly it can be when businesses fail to do so. It also reflects the need for privacy policies to be transparent as to the lawful basis used.

If you or your organisation have any queries on how to establish a compliant data privacy culture and implement the principles of data protection and effectively safeguard an individual’s rights, please contact Eleanore Beard in our Data Protection Team.
