The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU.
The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into compliance with the EU General Data Protection Regulation. The decisions stem from complaints made by privacy rights group NOYB on May 25, 2018, the day the EU GDPR took effect.
The DPC said its final decisions reflect binding decisions by the European Data Protection Board that Meta violated transparency obligations by not clearly outlining its legal basis for personal data processing to users and invalidating its “contract” legal basis for personal data processing for ad targeting. The sanctions follow four other fines from Irish regulators over data privacy violations since 2021, totaling more than 900 million euros.
“The DPC’s decisions include findings that Meta Ireland is not entitled to rely on the ‘contract’ legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR,” the DPC said.
In its terms of service agreement, which users must accept to access Meta’s services, the Irish DPC said Meta Ireland took the position that “a contract was entered into” between it and users and that “processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising.” Complainants argued Meta was “forcing them to consent to the processing of their personal data for behavioural advertising and other personalised services” in violation of the GDPR, the DPC said.
The DPC’s decision does not outline steps Meta must take to comply, but in a post on Twitter, Future of Privacy Forum VP for Global Privacy Gabriela Zanfir-Fortuna said it is “probably the most significant enforcement decision” since the GDPR’s implementation, not because of the notable fine, but the “changes that Meta will need to make to the services provided.”
NOYB Founder Max Schrems called the decision “a huge blow to Meta’s profits in the EU” and said users will now “need to be asked if they want their data to be used for ads or not."
“They must have a ‘yes or no’ option and can change their mind at any time,” he said. “The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”
A Meta spokesperson said the company will “appeal the substance of the decision.”
“We strongly disagree with the DPC’s final decision, and believe we fully comply with the GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services,” the spokesperson said.
The DPC also announced it will seek an “action for annulment” from the Court of Justice of the European Union over certain “jurisdictional” elements of the EDPB’s decision. The DPC said the EDPB directed it to conduct an investigation “that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations.”
The DPC said its decisions “naturally do not include reference to fresh investigations of all of Facebook and Instagram data processing operations,” calling the EDPB’s direction “problematic” and stating it “does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR.”
Irish Data Protection Commissioner Helen Dixon told POLITICO the EDPB’s direction “is overreaching.”
“We cannot create a scenario where we simply have no agency in our own role as a lead supervisory authority, where you have an entity assign itself a role in telling us what to do and indeed how to do it,” she said.
If you want to comment on this post, you need to login.