The DPC has fined Meta Ireland €210 million for breaches of the GDPR relating to its Facebook service. It has also fined Meta Ireland €180 million for breaches in relation to its Instagram service. In addition, it has directed Meta Ireland to bring its data processing operations into compliance within a period of three months.
The inquiries concerned two complaints about the Facebook and Instagram services, each one raising the same basic issues. One complaint was made by an Austrian data subject (in relation to Facebook); the other was made by a Belgian data subject (in relation to Instagram). The complaints were made on 25 May 2018, when the GDPR took effect.
In advance of the GDPR coming into force, Meta Ireland had changed its terms of service for Facebook and Instagram. It also highlighted that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. As SCL readers will be aware, Article 6 of the GDPR provides that data processing is lawful only if and to the extent that it complies with one of six identified legal bases. Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook and Instagram services (including behavioural advertising), Meta Ireland now sought to rely on the “contract” legal basis for most (but not all) of its processing operations.
If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click “I accept” to indicate their acceptance of the updated Terms of Service. The services would not be accessible if users declined.
Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also considered that processing users’ data in connection with the delivery of its Facebook and Instagram services was necessary to perform that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful under Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).
The complainants argued that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. By making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” users to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR.
The DPC investigated the complaints as lead supervisory authority. It made several findings against Meta Ireland. Its findings were considered by other EU/EEA regulators, some of whom disagreed with some of the DPC’s findings and the level of the fines. The points in dispute were referred to the European Data Protection Board which issued its determinations on 5 December 2022. The DPC’s final decision follows the EDPB’s binding determinations.
Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.
The DPC has increased the amount of the administrative fines imposed on Meta Ireland to €210 million (in the case of Facebook) and €180 million (in the case of Instagram). The revised levels of these fines also reflect the EDPB’s views in relation to Meta Ireland’s breaches of its obligations in relation to the fair and transparent processing of users’ personal data.
The EDPB has also directed the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC disagrees that the EDPB has the power to issue such a direction so there may be more to come on this issue.