27 January 2023

Introduction

On 4 January, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta”) in connection with the delivery of its Facebook and Instagram services. Meta was found to have breached EU data rules, ordered to pay a €390m fine (€210m for Facebook and €180m for Instagram) and directed to bring its data processing operations into compliance within a period of 3 months. The decision of the DPC is significant, not least due to the effect it will have on the advertising practices of companies across Europe and the UK.

Background

The DPC’s investigation was borne of complaints made in 2018 by privacy activist Max Schrems, on behalf of complainants in Austria and Belgium. Under GDPR Article 6, data processing is lawful only to the extent that it complies with one of six identified legal bases for that processing. In 2018, Meta changed the legal basis it relied on for the purpose of processing personal data when running behavioural advertising. Having previously relied on “consent” as the lawful basis, Meta now sought to rely on “performance of a contract”. In furtherance of this change of lawful basis, Meta asked Facebook and Instagram users to click "I accept" to indicate that they agreed to updated terms of service setting out how their data would be used in ads in order to continue using Meta’s products. The complainants contended that Meta was still in fact relying on consent as its lawful basis for processing and that consent was forced, due to accessibility of services being conditional on the acceptance of the updated terms of service.

Following a lengthy consultation process, the DPC, instructed by the European Data Protection Board (“EDPB”), found that Meta was in breach of EU data protection rules, based on the findings outlined below:

  • Meta was not entitled to rely on “performance of a contract” as its legal basis to process personal data in the context of Facebook’s terms of service and Instagram’s terms of use for the purpose of behavioural advertising as this was not a core element of the services.
  • Meta lacked a legal basis for processing and therefore unlawfully processed the data of Facebook and Instagram users.
  • There was an infringement by Meta of its obligations in relation to the fair and transparent processing of users’ personal data.

As well as ordering the fine and providing a direction for compliance within the next 3 months, the EDPB also directed the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The details of the decision can be found here.

Implications of the decision

It is unlikely that Meta will have been surprised by the actions of the DPC, having been fined €265m last year over a data breach that saw the personal details of hundreds of millions of Facebook users published online. In anticipation of further action by data protection authorities, Meta has reportedly set aside €2bn to cover potential European fines in 2023 (according to the Irish Times). Nevertheless, the decision will mean a fundamental change in how Meta operates a key portion of its business, as the bulk of Meta’s revenue (over $118bn) comes from advertising.

The decision of the DPC will have far-reaching effects across the technology sector. Advertising is a key revenue stream for media and technology companies, who must take note of the DPC’s decision and reflect on how they use personal data for advertising if they are to avoid a fine. Schrems has a clear vision for how personal data should be used in advertising going forward: “People now need to be asked if they want their data to be used for ads or not. They must have a yes or no option and can change their mind at any time.”

The decision could also spark fresh judicial action: Meta has expressed its disappointment and intends to appeal, stressing (via Twitter) that the decision does not prevent personalised advertising on its platforms and that “the decisions relate only to which legal basis Meta uses when offering certain advertising”. The DPC also feels it has cause for complaint. The EDPB’s direction for the conduction of a fresh investigation is unusual in jurisdictional terms. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. As a result, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing
 

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more