The Irish Data Protection Commissioner (DPC) has fined Facebook's parent company, Meta Ireland, €390 million over data breaches relating to a lack of transparency over how people’s data would be used.
Meta Ireland has been issued a fine of €210 million for breaches of EU data privacy rules relating to Facebook, and €180 million for breaches in relation to Instagram.
The two complainants had argued that Meta Ireland was “forcing” them to consent to their personal data being used for behavioural advertising and other services by making access to its social medias conditional on accepting the updated terms of service.
The complainants argued that this was in breach of General Data Protection Regulation (GDPR).
Meta Ireland argued that on accepting the updated terms of service, a contract was entered into between Meta Ireland and the user, and that processing users’ data for its Facebook and Instagram services was necessary for the performance of that contract.
The complainants maintained that, contrary to Meta Ireland’s position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data.
The DPC’s draft decisions found that Meta Ireland was in breach of GDPR in that users’ personal data must be processed “lawfully, fairly and in a transparent manner” and said that users had “insufficient clarity as to what processing operations were being carried out on their personal data”.
But it also found that the “forced consent” aspect of the complaints “could not be sustained”, and that GDPR “did not preclude” Meta Ireland’s reliance on the contract legal basis.
The draft decisions were submitted to its peer regulators in the EU, also known as Concerned Supervisory Authorities (CSAs).
On the question as to whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions, but said the fines proposed by the DPC should be increased.
Contrasting views
On the decision to fine Meta €390 million, the statement from the DPC explained 10 of the 47 CSAs said Meta Ireland should not be permitted to rely on the contract legal basis as personalised advertising could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.
“The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising,” the DPC said.
“In effect, these are personalised services that also feature personalised advertising.
“In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.”
The matter was referred to the EDPB, which ruled on December 31st that Meta Ireland was not entitled to rely on the contract legal basis as providing a lawful basis to process personal data for behavioural advertising.
“Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the ‘contract’ legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR,” the DPC said.
EU direction
The Irish watchdog also said it is to seek a court order to side step a “problematic” direction from the EU’s data protection body which it said could be a jurisdictional “overreach”.
The European Data Protection Board (EDPB) had asked the DPC to investigate Facebook and Instagram’s data processing operations.
This comes after a disagreement between the DPC and the EU data authority on the level of fines against Meta over a lack of transparency over how users’ data would be processed, and whether a contract was entered into between users and the company for their data to be used for personalised ads.
In a statement on Wednesday, the DPC said: “…The EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations.
“The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions.
“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.
“The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR.
“To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.”