On 4 January, Ireland’s Data Protection Commission (DPC) announced the conclusion of two inquiries against Meta Ireland and the decision to issue a €390 million fine in connection to its Facebook and Instagram services.
The inquiries were conducted in relation to two complaints raising the same issue regarding the legal basis for the processing and collection of personal data on Facebook and Instagram platforms.
However, this decision bears more significance than just a cautionary tale and raises important questions regarding the future of the online service provider-consumer relationship.
The entire online service has been a bargain between providers and consumers, where consumers are offered “free” services in exchange for their personal data. This leaves the question of how online services will be paid in the future if providers cannot harvest and monetize data.
Details of the case
Right before the enforcement of the General Data Protection Regulation on May 25, 2018, Meta changed the Terms of Service for its Facebook and Instagram users, changing the legal basis from consent to contract for most of its processing activities.
Users were asked to accept new updated Terms of Services to access their Facebook and Instagram accounts; otherwise, the services would not be available to them.
Meta considered that, by accepting Terms of Services, users would enter into a contract with Meta, claiming that processing of personal data was necessary for the delivery of Facebook and Instagram services and performance of the contract, so any personalized and behavioral advertising would be considered in line with the GDPR.
However, two complainants contended that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta was, in fact, “forcing” them to consent to the processing of their personal data for behavioral advertising and other personalized services, therefore breaching the GDPR.
DPC’s Investigation and Findings
The DPC conducted investigations and made a number of findings against Meta. Notably, the violation of transparency obligation, since the information about legal basis was not clearly defined.
That caused insufficient clarity over what processing activities were being carried out on personal data, for what purpose, and on which of the six legal bases they were basing the collection of personal data.
Therefore, the DPC considered Meta violated the transparency principle related to Articles 12 and 13(1)(c) and Article 5(1)(a), that prescribes personal data must be processed lawfully, fairly, and in a transparent matter, proposing fines to Meta ordering it to bring its processing into compliance.
However, the DPC considered that Meta was not required to rely on consent for its processing activities, so the complaint based on forced consent could not be taken into consideration.
Disagreement over DPC’s draft decision
Under a procedure mandated by the GDPR, the DPC submitted the draft decisions to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (CSA).
A minority of other EU data regulators took the stand that Meta should not be permitted to rely on the contract as a legal basis since the delivery of personalized advertising is not necessary to perform the core elements of the contract and objected to the DPC’s draft decision.
The DPC disagreed, stating that the Facebook and Instagram services appear to be based on the provision of a personalized service that includes personalized or behavioral advertising.
EDPB’s decision
After failing to reach a consensus, the DPC referred the decision to the European Data Protection Board (EDPB), which overruled the DPC’s decision and imposed its own binding decision.
In its decision, EDPB rejected many objections that were raised by the CSAs and took the same stand on the transparency violation (adding the fairness principle to the list of violations) as the DPC.
However, the EDPB found that Meta was not entitled to rely on the contract as a legal basis in connection with the delivery of behavioral advertising as part of its Facebook and Instagram services.
Outcome
In light of new EDPB findings, the DPC has increased the amount of the fine to €390 million (€210 million for violation of the GDPR relating to its Facebook service and €180 million related to Instagram service), ordering Meta to comply within a period of 3 months.
However, more significant than the actual fine is the decision that Meta will not be able to collect personal data relying on a contract as a legal basis to justify data collection of such variety and will have to ask users for consent in order to collect their personal data to sell targeted and personalized advertising.
Read the entire decision: Data Protection Commission announces conclusion of two inquiries into Meta Ireland
Meta will appeal
Meta intends to appeal the DPC’s decision and the fine. The company said it would be assessing a variety of options that would allow it to continue to offer fully personalized services to users.
Meta said in a statement that there had been a lack of regulatory clarity and debate among regulators and policymakers over the legal basis for sharing data for some time.
