On 4 January 2023, the Data Protection Commission (DPC) announced that it had issued fines totalling €390 million against Meta Platforms Ireland Limited (Meta). A €210 million fine was imposed for breaches of the GDPR relating to the Facebook service, and a €180 million fine for breaches relating to the Instagram service.
The DPC also requested that Meta bring its data processing operations into compliance within a period of 3 months.
Facts / background:
- The fines were imposed following two complaints received by the DPC on 25 May 2018 (when the GDPR became applicable).
- One complaint concerned Facebook and was made by a non-profit organization (NOYB) on behalf of an Austrian data subject, while the other concerned Instagram and was made by NOYB on behalf of a Belgian data subject.
- Before 25 May 2018, Meta updated the Terms of Service for Facebook and Instagram. Meta changed the legal basis for the processing of its users’ personal data from consent to contract for most of its processing activities, including behavioral advertising. Users were asked to click an “I accept” button to indicate their acceptance of the updated Terms of Service. Access to and use of Facebook and Instagram were no longer available to users who did not comply with this requirement (i.e., clicking on the “I accept” button).
- The two complaints argued that, by conditioning access to Meta’s services on users accepting the updated Terms of Service, Meta was actually “forcing” its users to consent to the processing of their personal data for behavioral advertising and other personalized services, which was deemed in breach of the GDPR.
- Following the investigations carried out, the DPC issued draft decisions finding that:
  - Meta breached its transparency obligations under the GDPR. The DPC noted that Meta failed to provide users with clear information about the legal basis, resulting in insufficient clarity as to what processing activities were being carried out, for what purposes, and on what legal basis.
  - Meta did not rely on users’ consent, so the allegations in the two complaints that Meta was “forcing” its users to consent to the processing of their personal data could not be sustained. The DPC considered that Meta relies on the contract (i.e., the Terms of Service) as the legal basis for the processing of its users’ personal data for its personalized services (including behavioral advertising).
- The DPC submitted its draft decisions to the Concerned Supervisory Authorities (CSAs).
- The CSAs agreed with the DPC that Meta had breached the transparency requirements. They considered, however, that the fines proposed by the DPC should be increased.
- Several CSAs raised objections regarding the other elements of the DPC’s draft decisions. The DPC noted that the CSAs believed Meta should not be allowed to rely on the contract as a legal basis for providing behavioral advertising. The DPC disagreed with this view.
- The DPC referred the points in dispute to the European Data Protection Board (EDPB).
- On 5 December 2022, the EDPB issued its determinations. The DPC noted that the EDPB:
  - rejected many of the objections raised by the CSAs;
  - maintained the DPC’s position on the breach of the transparency requirements, subject to considering that the fairness principle was also breached and increasing the amount of the fines the DPC proposed to impose;
  - had a different view on the legal basis matter, finding that Meta was not permitted to rely on the contract as a legal basis for the processing of personal data for behavioral advertising.
- The DPC adopted its final decisions on 31 December 2022, reflecting the EDPB’s binding determinations, including the finding that Meta is not entitled to rely on the contract legal basis for the purpose of behavioral advertising, and that its processing of users’ personal data to date, in purported reliance on the contract legal basis, represents a contravention of Article 6 of the GDPR.
- The DPC also noted that the EDPB has called for the DPC to conduct a new investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC further clarified that its decisions do not include a reference to such a new investigation.