On 4 January 2023, the Irish Data Protection Commission (DPC) announced that it had fined Meta Platforms Ireland Limited (Meta) €210 million and €180 million respectively for breaches of the GDPR relating to its Facebook and Instagram services.
Before the GDPR came into force, Meta updated its Facebook and Instagram Terms of Service (ToS) to rely on the ‘contract’ lawful basis when processing its users’ personal data for targeted advertising purposes, whereas it previously relied on the lawful basis of ‘consent’. In order to continue using and accessing Facebook and Instagram, users were required to click “I accept” to accept the new ToS.
On 25 May 2018 (the day the GDPR came into effect), complaints were made against Meta arguing that Meta was in breach of the GDPR because Meta was still relying on consent as a lawful basis for processing personal data and not the ‘contract’ lawful basis as Meta stated in its ToS. As users could not use the platform without accepting the new ToS, users were “forced” to consent to their personal data being used for targeted advertising.
Meta argued that:
Facebook and Instagram were providing services to their users and users had entered a contract with Meta by accepting the ToS; and
it was necessary to process its users’ personal data, including to deliver targeted advertising, as this was agreed in the ToS.
In its initial draft decisions, the DPC found that:
Meta was in breach of its transparency obligations under the GDPR by not clearly outlining which lawful basis it was relying on and for what purposes it was processing its users’ data and should be fined; and
Meta was not required to rely on consent and could rely on the ‘contract’ lawful basis including to provide targeted advertising as had been agreed in the ToS.
A number of supervisory authorities in the EEA objected to the findings and the level of the fines and, following a consultation process, the DPC referred the matter to the European Data Protection Board (EDPB). In its binding determination, the EDPB concluded that:
Meta had breached its transparency and fairness obligations under the GDPR, and the EDPB directed the DPC to increase the level of the fines for these breaches; and
Meta had inappropriately relied on the ‘contract’ lawful basis to process personal data for targeted advertising as such processing was not necessary in order to provide the core elements of Facebook or Instagram.
On reversion to the DPC, the DPC reflected the EDPB’s binding determinations, fining Meta a total of €390 million for its breaches of the GDPR. In addition to the fine, Meta was given three months to bring its processing operations into compliance with the GDPR. Meta has stated that it will appeal the decisions for “both the substance of the rulings and the fines”.
Key considerations for businesses
The decision serves as a stark reminder of the enforcement powers available to supervisory authorities and the importance of complying with the GDPR. In particular:
businesses should process personal data in a lawful, fair and transparent manner ensuring that they are providing accurate information in their privacy notices;
it is important for businesses to consider and select a valid and appropriate lawful basis to process personal data as processing personal data without a valid basis is a breach of the GDPR;
for targeted advertising specifically, the ICO and other supervisory authorities have previously stated that such processing is highly likely to require consent due to the nature of the processing and the risks posed to individuals; and
the GDPR sets a high standard for consent and individuals should be offered real choice and control so that they can give informed consent. Businesses should avoid using consent when:
processing personal data is not necessary to provide the relevant service;
they would still process the data on a different lawful basis if consent was refused or withdrawn; and
they are in a position of power over the individual, for example, when processing their employees’ data.
Businesses should ensure that they have established the most appropriate lawful basis for their processing, and that they understand the risks of getting this wrong. The outcome of this case does not prohibit the processing of personal data for targeted advertising but stresses the importance of businesses giving individuals a choice as to whether their personal data is used for such advertising. Giving individuals such choice will undoubtedly have an impact on businesses whose financial model relies heavily on targeted advertising.