Ireland's Data Protection Commission issued the much-anticipated decisions regarding the EU General Data Protection Regulation legal basis Meta can use in connection with processing personal data for targeted advertising. The decisions are a revised version of the draft opinion issued by DPC in October 2022, pursuant to objections filed by the supervisory authorities of Austria, France, Germany, Italy, the Netherlands, Norway, Poland, Portugal and Sweden and EDPB determination. Per the revised decisions, Meta may not use contractual necessity as the legal basis for targeted advertising. The fine was amended to a total of 390 million euros for Facebook and Instagram.
1. All legal bases are (generally) equal, but (in a specific case) some are more equal than others: The fact that all legal bases are created equal (in standing) doesn't mean that a controller has absolute discretion to choose the legal basis that best suits its commercial interests. The controller may only rely on one of the legal bases established under Article 6 of the GDPR if it is appropriate for the processing at stake. The legal basis will not be appropriate if its application to a specific processing defeats this practical effect "effet utile" pursued by the GDPR and Articles 5(1)(a) and 6.
2. Target(ed advertising) practice: As a general rule, the processing of personal data for behavioral advertising is not necessary for the performance of a contract for online services. Normally, it would be hard to argue the contract had not been performed because there were no behavioral ads. This is supported by the fact data subjects have the absolute right under Article 21 to object to the processing of their data for direct marketing purposes. The EDPB set out that processing cannot be rendered lawful by Article 6(1)(b) "simply because processing is necessary for the controller's wider business model." The EDPB has also acknowledged that "personalisation of content may (but does not always) constitute an essential or expected element of certain online services."
3. That was unexpected: A reasonable user cannot expect their personal data is being processed for behavioral advertising simply because you briefly refer to this processing in your terms of service. "Wider circumstances" or "recognised public awareness of behavioral advertising" derived from its "widespread prevalence" does not change this.
4. Unfair, do care: Processing of personal data based on what is deemed to be an unfair term under Directive 93/13/EEC on unfair terms in consumer contracts will generally not be consistent with the requirement under Article 5(1)(a) the processing is lawful and fair. Lack of transparency can make it almost impossible in practice for the data subjects to exercise an informed choice over the use of their data, which is in contrast with the element of "autonomy" of data subjects as to the processing of their personal data and can arise to the level of a violation of the fairness principle.
5. Size does matter: Giving users a "take it or leave it choice" or either agreeing to terms that limit the right to determine the processing of personal data and giving up the right to opt out of direct marketing or to be unable to communicate with millions of users. This adversely affects freedom of expression and information.
6. If you draft it, will they come? Referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b). Consider the particular aim, purpose or objective of the service and, for applicability of Article 6(1)(b), it is required processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject.
7. Was that necessary? Article 6(1)(b) will not cover processing that is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller's other business purposes. If there are realistic, less intrusive alternatives, the processing is not. In this case, there are less invasive options like contextual advertising based on geography, language and content, which do not involve intrusive measures such as profiling and tracking of users. A business model of offering services, at no monetary cost for the user to generate income by behavioral advertisement to support a service, among others, does not make this processing necessary to perform the contract. Under the principle of the lawfulness of the GDPR and Article 6, it is the business model which must adapt itself and comply with the requirements the GDPR sets out in general and for each of the legal bases and not the reverse.
8. The bulleted lists are dead; Long live process-based disclosure: Article 13 clearly requires the purposes and legal bases must be specified in respect of the intended processing. Purposes and legal bases cannot simply be cited in the abstract and detached from the personal data processing they concern. Without a level of specificity as to what the data controller is doing with the data, and more fundamentally, what data they are processing, the information on the purposes of this unspecified processing would be almost useless to a data subject.
9. Keep your disclosure close. It's better to have a single composite text or layered route available to the user that would allow them to quickly and easily understand the full extent of processing operations. Don't make the users work so hard and dig through multiple duplicative documents.
10. What's next: Facebook must, within three months:
- Bring its data policy and terms of service into compliance with Articles 5(1)(a), 12(1), and 13(1)(c) regarding information provided on: (i) data processed pursuant to Article 6(1)(b) as well as (ii) data processed for behavioral advertising in the context of the Facebook service, per the principles set out in this decision.
- Take the necessary action to bring its processing of personal data for behavioral advertising, in the context of Facebook's terms of service, into compliance with Article 6(1) per the conclusion reached by the EDPB. Per the DPC, such action may include, but is not limited to, the identification of an appropriate alternative legal basis, in Article 6(1) GDPR, for the processing together with the implementation of any necessary measures, as might be required to satisfy the conditionality associated with that/those alternative legal basis/bases.