Data Protection Commission fines Facebook-parent company Meta €390m

Furthermore, the European Data Protection Board has instructed the DPC to begin a fresh investigation that would span all of Facebook and Instagram’s data processing operations. However, the DPC has said it will bring a case before the Court of Justice of the EU to set aside this direction.

The fines relate to an investigation conducted by the DPC into the data processing operations of Meta-owned Instagram and Facebook and whether it made breaches under the landmark European General Data Protection Regulation (GDPR).

The investigations arose based on complaints made against Facebook by Austrian data rights campaigner Max Schrems and his group NOYB on 25 May 2018, the date on which GDPR came into operation.

The complainants against Facebook and Instagram argued that Meta was effectively “forcing” users to consent to have their personal data processed for behavioural advertising and other personalised services, in breach of GDPR, as users had to accept an updated terms of service to still be able to use the platforms.

Meta Ireland had changed its terms of service in advance of 25 May 2018 for Instagram and Facebook users where, having previously relied on the consent of users to the processing of their personal data, it now sought to rely on the “contract” legal basis for such processing — namely a user clicking “I accept” to their updated terms of service.

In its draft decision, the DPC said Meta had breached its obligations regarding transparency to users with a result that users had “insufficient clarity” as to what data of theirs would be processed and for what purpose.

The DPC said it proposed “very substantial” fines on Meta regarding related breaches of GDPR in this matter.

However, the DPC concluded that Meta was not required to rely on users’ consent and, in principle, the GDPR did not preclude Meta’s reliance on the “contract” legal basis.

Referral to Europe

The decision was referred to Ireland’s peer data regulators in the EU, known collectively as Concerned Supervisory Authorities (CSAs).

The DPC said that this group agreed with its decisions, “albeit that they considered the fines proposed by the DPC should be increased”.

However, ten CSAs raised objections regarding the DPC’s view of “contract” legal basis.

“Following a consultation process, it became clear that a consensus could not be reached,” it said. “Consistent with its obligations under the GDPR, the DPC next referred the points in dispute to the European Data Protection Board (‘the EDPB’).” 

The EDPB issued its determinations on 5 December and has substantially amended the original draft decision.

It upheld the DPC’s position in relation to the breach by Meta Ireland of its transparecy obligations, but recommended the insertion of an additional breach of the so-called “fairness” principle and a direction that the DPC increase the amount of the fines it proposed to impose.

The DPC said: “The EDPB took a different view on the ‘legal basis’ question, finding that, as a matter of principle, Meta Ireland was not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising.” This, the EDPB said, was an additional breach of the GDPR.

Under the decision, Meta Ireland must bring its processing operations into compliance with the GDPR within three months.

Separately, the EDPB directed the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations.

However, the DPC said it will take the matter to court.

“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation,” it said.

“The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR.” 

Robust appeal 

Meta Ireland has said it will robustly appeal this decision.

A Meta spokesperson said: “The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area.

“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.” 

The spokesperson said these decisions “do not prevent targeted or personalised advertising” on its platforms and that advertisers could continue to use its platforms to reach potential customers.

Under company documents filed last year, it was revealed that Meta has set aside up to €2bn to discharge fines it expects to receive in Europe over the next year. It’s understood at company level it is believed the level of disagreement between different regulators indicates a lack of regulatory certainty or clarity over the matter which could impact other businesses aside from Meta.

Reacting to the news, Mr Schrems said: “Instead of having a 'yes/no' option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.

“This is a huge blow to Meta's profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a 'yes or no' option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.” 

Mr Shrems also hit out at the DPC for having its original decision overturned by the EDPB and accused the Irish data watchdog of having “dragged out the procedure” for years.

“It is overall the fourth time in a row the Irish DPC got overruled,” he said.