Earlier this month, the Irish Data Protection Commission (DPC) published its final rulings against Meta Platforms Ireland Limited (“Meta”), for violations of the GDPR in relation to both its Facebook and Instagram services. The DPC’s conclusion of the two enquiries came a month after the European Data Protection Board’s (EDPB) binding decisions on both cases, which the DPC were obliged to follow. The EDPB became involved in the matter, as a total of ten Concerned Supervisory Authorities (CSAs) raised objections to the DPC’s draft rulings on the matter, published in 2021, which triggered the Article 65 GDPR dispute resolution process*.
*For an overview of the Article 65 procedure see our previous article on the subject.
Background
The inquiries concerned two complaints about Facebook and Instagram services, made on 25 May 2018, the date on which the GDPR came into force. The complaints were initiated by representatives of the NOYB European Center for Digital Rights, an organisation chaired by Maximilian Schrems (yes, that Mr Schrems). While the complaints were initiated in other countries, they were transferred to the DPC as a Lead Supervisory Authority under the one-stop-shop mechanism.
As many organisations did, Facebook and Instagram changed their privacy policy on or around 25 May 2018. As part of that change, a popup appeared on users’ screens flagging that the relevant platform was changing the legal basis on which it relies to process users’ personal data. Both platforms had previously relied on the consent of users to the processing of their personal data (Article 6(1)(a) GDPR) in the context of the delivery of the Facebook’s and Instagram’s services. The platforms now sought to rely on the “contract” legal basis (Article 6(1)(b) GDPR) for most of their processing operations, including in relation to behavioural advertising. Users had to click “I accept” to indicate their acceptance of the updated Terms of Service, or, alternatively, delete their accounts and lose access to Facebook and Instagram’s services.
Meta considered that, on accepting the updated Terms of Service (either as a new user, or by agreeing to the 25 May update), a contract was entered into between Meta and the user, therefore the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract. This included the provision of personalised services and behavioural advertising.
The DPC’s Draft Decision
The DPC issued a Preliminary Draft Decision at the end of 2021, a revised version of which was made available to all CSAs, in the form of a Draft Decision dated 1 April 2022. Ten CSAs raised objections to the Preliminary Draft Decision, none of which were accepted by the DPC, triggering the Article 65 GDPR procedure.
The DPC’s initial findings in the Draft Decision were as follows:
“Transparency”
According to the DPC, both platforms were in breach of their GDPR obligations in relation to transparency, as information in relation to the legal basis relied on by Meta was not clearly outlined to users. The result was that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 GDPR. Therefore, the DPC concluded, a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) GDPR. It also considered that it amounted to a breach of the first data protection principle – that of lawfulness, fairness and transparency, found in Article 5(1)(a) GDPR.
“Lawfulness”
NOYB argued that the binary choice given to users (i.e. “accept our Terms of Use or don’t use the platform”) meant that Meta was relying on consent as a lawful basis and amounted to “forced consent”. This was arguably the key source of disagreement between the DPC and the CSAs, with the DPC disagreeing with NOYB’s argument. The DPC also ruled that it did not have the competence in contract law to assess the validity of the contract between Meta and the users (i.e. the Terms of Use), as such competence could not be inferred from the powers of supervisory authorities under the GDPR.
The EDPB’s binding decision
“Transparency”
As there were no objections by the CSAs on the “transparency” findings by the DPC in the Draft Decision, the EDPB did not examine this matter further and these were incorporated into the DPC’s final decision.
“Lawfulness”
However, in relation to the “lawful basis” issue, the EDPB decided that Meta had inappropriately relied on Article 6(1)(b) GDPR to process the users’ personal data in the context of the Terms of Use and therefore lacked a legal basis to process these data for the purposes of behavioural advertising, making such processing unlawful. This finding was unsurprising, given that the EDPB’s own Guidelines on the Targeting of Social Media Users, state that consent is the only possible legal basis in such instances.
“Fairness”
Having established breaches of “transparency” and “lawfulness”, the Italian DPA asked the DPC to find that Meta had also breached the “fairness” part of the first data protection principle. The EDPB underlined fairness, lawfulness and transparency, were “distinct but intrinsically linked interdependent principles that every controller should respect when processing personal data”.
Among the key fairness elements that controllers should consider, the EDPB mentioned autonomy of the data subjects, their expectation, power balance, avoidance of deception, ethical and truthful processing - all elements which were particularly relevant in the case at hand. The EDPB noted that in this particular case the breach of Meta’s transparency obligations was “of such gravity” that it clearly impacted the reasonable expectations of the platform users by confusing them on whether clicking the “Agree to Terms” button resulted in giving their consent to the processing of their personal data.
In the EDPB’s view, there were clear indications that Facebook and Instagram users’ expectations with regard to the applicable legal basis had not been fulfilled, leaving users “in the dark”. Moreover the processing by Meta could not be regarded as ethical and truthful because it was confusing with regard to the type of data processed, the legal basis and the purpose of the processing, which ultimately restricted the users’ possibility to exercise their data subjects’ rights.
In line with the above, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) GDPR by Meta.
Processing of Special Category Data
A majority of the CSAs also considered that the DPC should have identified and separately assessed any processing of special categories of personal data under Article 9 GDPR in the context of the Terms of Use, since the performance of a contract is not a Processing Condition pursuant to Article 9(2) GDPR. Agreeing with these objections, the EDPB held that by deciding not to investigate this, the DPC had left unaddressed the risks this processing posed for users, including that:
- special categories of personal data are processed within the platforms to build intimate profiles of users for behavioural advertising purposes without a legal basis;
- Meta did not consider as special categories of personal data (in line with the GDPR and the CJEU case-law) certain categories of personal data it processed and consequently, that Meta did not treat them accordingly;
- platform users whose special categories were processed may have been deprived of certain special protections derived from the use of consent, such as the possibility to specifically consent to certain processing operations and not to others and to the further processing of personal data (Article 6(4) GDPR); the freedom to withdraw consent (Article 7 GDPR) and the subsequent right to be forgotten (Article 17 GDPR);
- given the great size and dominant market share of Meta in the social media market, leaving unaddressed its current ambiguity in the processing of special categories of personal data, and its limited transparency vis-à-vis Instagram and Facebook users, may set a precedent for controllers to operate in the same manner and create legal uncertainty hampering the free flow of personal data within the EU.
Consequently, the EDPB decided that the DPC shall carry out a new investigation into Meta’s processing operations in Instagram and Facebook to determine if it processes special categories of personal data, and complies with the relevant obligations under the GDPR.
The DPC’s final decision
The Irish regulator accepted the majority of the EDPB’s findings, as it is bound to do, and imposed revised fines of €210 million in the case of Facebook and €180 million in the case of Instagram. Meta has been given three months to brings its processing operations into compliance with the GDPR.
However, the DPC did not accept the final part of the EDPB decision, which mandated a new investigation into Meta’s processing of special category data. Announcing the conclusion of its inquires, the DPC stated:
“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.” (emphasis added).
Meta has also mentioned legal action over the decisions. A company spokesperson told Politico that company was “disappointed” with the decisions and intended to appeal them. However, the tech giant is adamant that the rulings do not mean that it will start using consent as a legal basis, as “other legal options are available for it to process data”.
*The quote in the title belongs to Dr. Gabriela Zanfir-Fortuna, Vice President for Global Privacy at the Future of Privacy Forum.