On January 4, the Irish Data Protection Commission (DPC) announced it had taken enforcement actions against Facebook and Instagram’s parent company, Meta, for violating the European Union’s (EU) General Data Protection Regulation (GDPR). The charges stem from complaints originally filed on May 25, 2018—the effective date of the GDPR.
The charges against Meta indicate that, prior to May 25, 2018, Meta changed its Terms of Service for Facebook and Instagram, and in doing so updated the “legal basis on which it relies to legitimi[z]e its processing of users’ personal data.”
When Meta pushed out its new terms to all existing (and subsequent new) Facebook and Instagram users, it placed an “I accept” button at the bottom of the new terms. That button had to be clicked in order to gain or regain access to the platforms. If a user declined to accept all of the terms of service, the user would not gain access to the sites. Here’s why that’s a problem.
Closing a Loophole
GDPR requires all data processors to have a legal basis for each instance of personal data processing. But instead of providing an itemized list of legal bases and obtaining consent for each, Meta relied on a contractual loophole of sorts.
If Facebook and Instagram users had read more closely before accepting the new terms of service, they’d see that, by accepting all of the updated terms of service, they were considered to be in contract with Meta. And Meta changed its legal basis for processing users’ personal data, to state that processing all users’ personal data was “necessary for the performance of that contract,” which includes “the provision of personalised services and behavioural advertising.”
The Irish DPC found Meta’s actions to be unlawful under GDPR, and has prepared draft decisions that find Meta’s actions to be a “breach of its obligations in relation to transparency” under the GDPR because “the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR.”
But the DPC also found issue with the idea of “forced consent,” which was cited in the original complaint against Meta. The DPC found in its draft decision that forced consent could not be claimed by a user, because Meta was “not required to rely on consent” under the GDPR.
In accordance with the requirements of the GDPR, these draft decisions were submitted to peer regulators, also known as Concerned Supervisory Authorities (CSAs). The CSAs’ primary disagreement with the draft decision was that Meta Ireland “should not have been permitted to rely on the contract legal basis” because they did not consider providing personalized advertisements to users to be “necessary to perform the core elements of what was said to be a much more limited form of contract.”
Because the CSAs and the DPC could not reach a consensus on this point, the DPC was required to refer the points in dispute to the European Data Protection Board (“the EDPB”). On December 5, 2022, the EDPB decided to uphold the DPC’s position relating to Meta Ireland’s lack of compliance with the GDPR’s transparency requirements. The EDPB also held that Meta Ireland could not rely on the contract legal basis to engage in the “processing of personal data for the purpose of behavioral advertising.” The final decisions adopted by the DPC reflect this conclusion, and as such it has assessed two fines against Meta, one for the activities conducted by Facebook and one for those conducted by Instagram, totaling 390 million euros ($414 million). Meta Ireland is also required, under the final decisions, to “bring its processing operations into compliance with the GDPR within a period of 3 months.”
Notably, as this Los Angeles Times article points out, the final decision does not specify the actions that Meta Ireland must take to ensure its compliance with the GDPR. According to Austrian privacy activist Max Schrems, this ruling could result in a decrease in Meta’s profits in the EU because “people now need to be asked if they want their data to be used for ads or not,” and users can change that choice. This may result in a large number of users electing not to share their data, which would substantially impact one of Meta’s largest revenue streams.
In response to this decision, Meta claimed that the DPC decision was a result of “a lack of regulatory certainty” surrounding the processing of personal data and stated “[w]e strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
Meta clarified that “[t]hese decisions do not prevent personali[z]ed advertising on our platform. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.” Meta stated that “Facebook and Instagram are inherently personali[z]ed, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service.”
The outcome of Meta’s appeal efforts will serve as guidance for all companies operating in the European Union. As such, these companies should continue to monitor this case.