As more details unfold within the Irish Data Protection Commission and European Data Protection Board’s published Meta decisions, the privacy community is grappling with complex and fundamental questions surrounding legal bases for data processing, transparency within privacy notices, uncertainty around EU General Data Protection Regulation compliance, and more.

The DPC last week fined Meta Ireland a combined 390 million euros and in its decisions, officially released with the EDPB’s binding decisions Thursday, announced the platforms’ basis for seeking user permission to collect data for personalized advertising is invalid.

“The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users,” EDPB Chair Andrea Jelinek said. “These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model.”

‘One-stop shop at work’

The decisions, which followed complaints made by advocacy group NOYB in May 2018, highlight the GDPR’s Article 65 dispute resolution process as regulators disagreed on contract as a legal basis for data processing for personalized ads, among other issues.

The DPC initially determined Meta’s use of contract as a legal basis in this context was legal. But after objections from 10 concerned supervisory authorities, EDPB overruled the DPC finding that Meta “inappropriately relied on contract as a legal basis to process personal data” for purposes of personalized advertising. The DPC and EDPB agreed on the topic of transparency, finding Meta’s reliance on contractual necessity within terms of service and use did not meet transparency requirements under the GDPR.

The EDPB instructed the DPC to give Meta three months to bring processing into compliance with the GDPR and directed it increase fines from its initially proposed maximum of 36 and 23 million euros for Facebook and Instagram, respectively, to 210 million euros against Facebook and 180 million euros against Instagram.

The EDPB also adopted a binding decision on Meta’s WhatsApp, which has yet to be adopted by the DPC.

Relevant links for the Meta enforcement decisions 

• Irish Data Protection Commission decisions.
• EDPB binding decisions.
• Irish Data Protection Commission announces conclusion of two inquiries into Meta Ireland. 
• EDPB announces Facebook and Instagram binding decisions.
• Article 65 FAQ.
• Article 6(1)(b) guidelines.

“This is definitely the one-stop shop at work,” Future of Privacy Forum Vice President for Global Privacy Gabriela Zanfir-Fortuna said in a LinkedIn Live Thursday moderated by IAPP President and CEO J. Trevor Hughes, CIPP. “The one-stop shop was designed particularly for situations like this where there will be disagreement among supervisory authorities.”

In comments to The Privacy Advisor, IAPP DACH Regional Leader and Baumgartner Baumann Partner Ulrich Baumgartner, CIPP/E, said authorities’ disagreement “reflects long-standing realities — and something that we in Germany are witnessing for some decades with German SAs taking different views on key questions on a national level.”

Germany is part of 10 CSAs that raised objections to the Irish DPC’s initial decision. The disagreements illustrate a dilemma, Baumgartner said, adding, “A very strict interpretation of the GDPR with the data subject front and center while disregarding commercial realities and business needs.”

While privacy, transparency and fairness are “of course important,” and “market realities like the dominant position of Meta” needs to be considered, Baumgartner said it “increasingly seems that online users are treated like silly little kids — unable to understand what a contract is and how the internet works — who need to be over-protected.”

“As such, the German SA’s objections are just a repetition of their traditional position. That definitely must change — and as a silver lining, we do see more and more liberal voices among German SAs coming forward, albeit still a minority,” he said.

Legal bases for data processing

When the GDPR took effect, Meta shifted Facebook and Instagram’s legal basis for seeking user consent to collect data for personalized advertising from consent to contract — within Facebook’s Terms of Service and Instagram’s Terms of Use, which users had to agree to in order to access the platforms’ services. The EDPB determined personalized advertising was “not a core element of the services” and the contract basis could not be relied upon. It said the main purpose for users to access Facebook and Instagram is to communicate with others, not to received personalized ads.

During the IAPP’s LinkedIn Live, Digiphile Managing Director Phil Lee, CIPP/E, CIPM, FIP, said the decisions are focused on behavioral advertising and do not ban advertising all together on the platforms. They also cannot be considered a ban on behavioral advertising on Facebook or Instagram, he said, as the company could use another lawful basis, like consent.  

“Why this is so important is depending on the lawful ground you use, several consequences flow. If you use contract as a lawful ground, this means the user cannot opt out of anything that’s happening with their data. If you use legitimate interests, which is still on the table, that also comes with an opt-out. So there are some consequences related to each of the lawful grounds used,” Zanfir-Fortuna said. “That’s why it’s so important to define it and choose one that is appropriate and works.”

IPG Kinesso Global Chief Digital Responsibility and Public Policy Officer Sheila Colclasure, CIPP/US, added during the LinkedIn Live that one of the main questions stemming from the decisions is around the “durability” of the lawful basis used by companies.

“There are only six (lawful bases) and do the authorities get to pick which ones we use for which piece of our business model,” she asked. “It seems like it is harder than ever before to find a certain, safe, viable path where brands can participate in a connected marketplace in a legally, safe, durable manner.”

Lee noted one of the things the GDPR does not specify is what particular legal basis companies can use for certain data processing operations.

“But what we are seeing through decisions like this is the DPA saying you can choose a lawful basis, but that lawful basis has to be appropriate to the processing operations at hand. And who is going to decide what is appropriate? Well, ultimately, it’s going to be the DPA,” he said. “So, in a way, what we’re seeing here is the DPA saying we’re going to rule out reliance on some lawful bases for certain types of processing, or at least it’s a first step in that direction.”

Transparency and fairness

In its complaints, NOYB argued Meta’s contract-basis forced users into consenting to data processing for personalized advertising in order to use Facebook and Instagram services. In their decisions, the EDPB and DPC agreed that Meta “presented its services to users in a misleading manner” and that the relationship between the company and its users was “imbalanced.”

The EDPB instructed the DPC to include “a finding of infringement of the principle of fairness” within both the Facebook and Instagram decisions and noted “the grave breaches of transparency obligations impacted the reasonable expectations of the users.” 

“From a practical perspective, controllers will be aware that under the GDPR, privacy notices must be clear and specific for each data processing activity,” IAPP Ireland Country Leader and Pembroke Privacy Director Kate Colleary, CIPP/E, CIPM, said. “We are seeing a trend towards this in practice, through the use of a table format to explain what data is used for what purpose and the relevant legal basis. This format is likely to become best practice following the findings on transparency in this decision.”

During the IAPP’s LinkedIn Live, Colclasure said the decisions “present a practical challenge” for the industry around transparency.

“How do you achieve concise and plan language as you lead a user through the different stages of user engagement with your platform? That’s a practical question that none of us have the answer to,” she said. “In the modern world we live in, where it's fueled with data and technology and we must innovate to compete, how do we blend all of these things together to achieve meaningful transparency?”

Lee said the decisions indicate authorities expect a “massively granular level of information.” But from a “practical implementation standpoint, how do you do that,” he asked. Lee and Colclasure both suggested that leaning towards technology and innovation to present transparent notices through concepts like videos or gamification could be one idea.

“Collectively, our group of very, very smart privacy professionals will find a way to reconcile this,” Zanfir-Fortuna said. “At the end of the day, transparency is essential. It is foundational to ensuring that the rights of individuals and communities are actually respected whenever we collect their data. But we need to realize that putting in front of people these huge scrolls of information will not actually get us anywhere."

‘Long road’ ahead

As privacy professionals sort through the decisions and their impact, Colleary said they should analyze the decisions, assess how their organizations are impacted and agree on an action plan, particularly around transparency and privacy notices. Lee also said determining whether a company uses behavioral advertising in its services and relies on a contract basis for processing data related to that advertising is key.

“If you are, you clearly need to move,” he said. More generally, "I think it’s a question of going back, examining your privacy notices and asking the question ‘Are we meeting the transparency standards that the EDPB seems to expect and are the lawful bases we are relying on appropriate for the processing that we are undertaking?’”

There is also a “long road of legal argument ahead,” Colleary noted. The decision is likely to be appealed on various grounds by various parties, including Meta. The DPC has also said it will issue proceedings before the Court of Justice of the European Union to overturn instructions from the EDPB to conduct an investigation spanning “all of Facebook and Instagram’s data processing operations,” which it called an overreach.

“As the case involves both European and (potentially) Irish constitutional issues, it could ultimately be referred to both the Irish Supreme Court and the CJEU,” she said. “So this is not over.”  

While they continue to play out, Baumgartner said the Meta decisions “have implications for the future of privacy far beyond online advertising.”

“Contract as a legal basis will play an ever more important role in the digital future, whether EU supervisory authorities like it or not,” he said.