By Jade Kowalski & Stuart Hunt

|

Published 31 August 2023

Overview

Evolving regulatory requirements in Europe continue to force Meta not only to make changes to its operations, but also to dig deep into its pockets. Against a backdrop of large fines being issued and perhaps hoping to find a more sympathetic ear, Meta is challenging some of these decisions through the courts yet there remains no let-up in challenges from the data protection regulators across Europe.

As discussed in another article this month, Meta has appealed the €1.2 billion fine imposed on it following the decision of the Irish Data Protection Commission (DPC) in May of this year which related to its international data transfers. Only four months prior, the conclusion of DPC's long-running investigation into the data processing operations of Meta services, Instagram and Facebook, resulted in fines of €210 million in the case of Facebook and €180 million in the case of Instagram.

Meta may have hoped for some short-term respite from further financial pressures pending the appeal of the data transfers fine and making changes to the data processing operations of Instagram and Facebook. However, the Norwegian data protection authority, Datatilsynet, recently announced that Meta will be fined around €86,500  (1 million Norwegian Krona) per day for ongoing privacy breaches from 14 August until 3 November 2023. Across that period, this will amount to approximately €7 million.

Meta has requested a temporary injunction which was considered by the Oslo District Court on 23 August 2023. At the time of publication, the outcome of that hearing is awaited.

From contracts to legitimate interests to consent

The action taken by Datailsynet is a consequence of the decision issued by the DPC. That decision was issued on behalf of all data protection authorities across the European Economic Area in relation to Facebook and Instagram. The investigation concluded following input from the European Data Protection Board as part of the dispute resolution mechanism.

The DPC concluded that "Meta Ireland is not entitled to rely on the “contract” legal basis (Article 6(1)(b) GDPR) in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR."

Following that decision, Meta altered its position to rely on the 'legitimate interests' legal basis (Article 6 (1)(f) GDPR) to proceed with the continued delivery of behavioural advertising from the start of April 2023.

However, as a result of additional regulatory feedback, on 1 August 2023 Meta announced that it would be changing its legal basis again from 'legitimate interests' to 'consent'. Meta's statement confirming this change indicated an expectation that this change would take some time.

It should be noted that the proposed change to consent does not apply to users in the UK. The Information Commissioner's Office released its own statement, indicating that an "appropriate response" is being considered from a UK perspective.

Action by Datatilsynet

Datailsynet was in contact with the DPC throughout the course of the DPC's investigations and had requested that the DPC impose a temporary ban on Meta's processing of personal data for behavioural advertising purposes. Datailsynet considered that additional GDPR violations arose from the change from 'contract' to 'legitimate interest'. The request for a temporary ban was denied.

On 4 July 2023, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-252/21, Facebook Inc. and Others v Bundeskartellamt. This decision concluded that Meta was not permitted to rely on the 'legitimate interests' legal basis for delivering behavioural advertising.

In an Order issued on 14 July 2023, Datailysnet held Meta to be in a "persistent state of non-compliance" and invited Meta to respond with remedial actions by 4 August 2023. Post that date, the following restrictions apply in Norway:

Personal data shall not be processed for Behavioural Advertising based on Article 6(1)(b) or 6(1)(f) GDPR in the context of the Services (Facebook and Instagram).

In addition, Meta will be subject to the aforementioned daily fine of around €86,500 for the specified period (or until such time as remedial measures are implemented, if sooner). The order does not prevent the operation of Instagram and Facebook in Norway, or prevent Meta from processing personal data for general advertising purposes. The announced move to rely on consent as an alternative legal basis was acknowledged by the regulator, but dismissed as insufficient. 

Irrespective of the outcome of the injunctive hearing, Meta continues to find itself under increasing pressure from data protection regulators in respect of its processing activities.

Authors