Ireland’s data watchdog has fined Facebook’s parent company Meta Ireland 390 million euro as a row erupted over whether further investigation of the use of people’s data is warranted.
Meta Ireland was fined 210 million euro for breaches of EU data privacy rules relating to Facebook, and 180 million euro for breaches on Instagram.
Meta said it was “disappointed” by the decision and intends to appeal against “both the substance of the rulings and the fines”.
Ireland’s Data Protection Commission (DPC) is also to seek a court order to side-step a “problematic” direction from the European Data Protection Board to investigate Facebook and Instagram’s data processing operations further, which it said could be an “overreach”.
This comes after a disagreement between the Irish watchdog and the EU data authority on the level of fines against Meta Ireland over a lack of transparency over how users’ data would be processed, and whether a contract was entered into between users and the company to allow their data to be used for personalised ads.
Two complainants had argued that Meta Ireland was “forcing” them to consent to their personal data being used for behavioural advertising and other services by making the use of its social media platforms conditional on accepting its terms of service.
The complainants argued this was in breach of the General Data Protection Regulation (GDPR).
Meta Ireland argued that on accepting the updated terms of service, a contract was entered into between it and the user, and that processing users’ data for its Facebook and Instagram services was necessary for the performance of that contract.
The complainants maintained that contrary to Meta Ireland’s position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data.
The DPC’s draft decisions found that Meta Ireland was in breach of GDPR in that users’ personal data must be processed “lawfully, fairly and in a transparent manner”, and said users had “insufficient clarity as to what processing operations were being carried out on their personal data”.
But it also found the “forced consent” aspect of the complaints “could not be sustained”, and GDPR “did not preclude” Meta Ireland’s reliance on the “contract” legal basis.
The draft decisions were submitted to its peer regulators in the EU, also known as Concerned Supervisory Authorities (CSAs).
On the question of whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions, but said the fines proposed by the DPC should be increased.
Ten of the 47 CSAs said Meta Ireland should not be permitted to rely on the contract as a legal basis, as personalised advertising was not necessary to perform the core elements of a much more limited form of contract.
“The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising,” the DPC said.
“In effect, these are personalised services that also feature personalised advertising.
“In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the terms of service.”
The matter was referred to the EDPB, which ruled on December 31 that Meta Ireland was not entitled to rely on the contract as providing a lawful basis to process personal data for behavioural advertising.
“Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the ‘contract’ legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR,” the DPC said.
Meta Ireland has been directed to bring its data processing operations into compliance within three months.
A Meta spokesperson said in a statement that it “strongly” believes its approach “respects GDPR” and it intends to appeal against the decision.
“These decisions do not prevent targeted or personalised advertising on our platform,” it said. “The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.
“There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal basis is most appropriate in a given situation has been ongoing for some time.
“That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on contractual necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision.”
The Data Protection Commission also said that it intends to take legal action to annul an EDPB direction to examine data processing at Instagram and Facebook further.
It said: “Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations.
“The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions.
“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.
“The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the co-operation and consistency arrangements laid down by the GDPR.
“To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.”