On 4th January 2023, the Irish Data Protection Commission (DPC) published the conclusions of two investigations into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the provision of Facebook and Instagram services. This decision not only severely limits Meta’s ability to collect information from users in order to tailor and sell ads, but it also provides useful insight into the views of EU regulators on compliance with Principle 1 of the GDPR, i.e. the need to ensure that personal data is processed “in a lawful, fair and transparent manner with respect to the data subject” (Article 5).
In a decision dated 31st December 2022, the DPC fined Meta Ireland €210m and €180m in relation to its Facebook and Instagram services respectively. The fine was imposed in connection with the company’s practice of monetizing a user’s personal data by placing personalized advertisements on the user’s social media accounts. Information about a social media user’s digital footprint (such as which videos prompt them to stop scrolling or the types of links they click) can be used to help marketers place personalized ads in front of the people most likely to buy a product. This practice allowed Meta to generate $118 billion in revenue in 2021.
The DPC’s decision was the result of two complaints from Facebook and Instagram users, supported by the privacy campaign group noyb. Both posed the same basic question: how does Meta obtain legal permission to collect personal data from users and use it for personalized advertising? Article 6(1) of the GDPR states:
“Processing is lawful only if at least one of the following applies:
- The data subject has consented to the processing of his/her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.”
Before the GDPR took effect on 25th May 2018, Meta Ireland changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis on which it relied for processing users’ personal data under Article 6 in connection with the delivery of the Facebook and Instagram services (including behavioral advertising). Having previously relied on user consent to process personal data, the company now intended to rely on a “contractual” legal basis for most (but not all) of its processing operations. To continue using Facebook and Instagram, existing and new users had to click to indicate that they agreed to the updated Terms of Service. Users who declined could not access the services.
Meta Ireland considered that, upon acceptance of the updated Terms and Conditions, a contract was formed between Meta Ireland and the user. It argued that the processing of users’ personal data in connection with the delivery of the Facebook and Instagram services, including the provision of personalized services and behavioral advertising, was therefore necessary for the performance of that contract, and that this provided a lawful basis under Article 6(1)(b) of the GDPR.
The complainants argued that Meta Ireland was, in effect, still seeking to rely on consent to provide a lawful basis for processing user data. They claimed that, by making access to the service contingent on users’ acceptance of the updated terms and conditions, Meta Ireland was “forcing” users to consent to the processing of their personal data for behavioral advertising and other personalized services. This is not actual consent as defined in Article 4 of the GDPR:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Following comprehensive investigations, consultation with other EU data protection regulators (a process required by the GDPR in such cases) and a final decision by the European Data Protection Board (EDPB), the DPC made a number of findings, in particular:
1. Meta Ireland did not provide users with clear information about the processing of their personal data. As a result, users were not sufficiently clear about what processing operations were being carried out on their personal data, for what purposes, and by reference to which legal basis. The DPC said this violates Article 12 (Transparency) and Article 13(1)(c) (Information provided to data subjects) of the GDPR. It also deemed it a breach of Article 5(1)(a), which states that personal data must be processed lawfully, fairly and transparently.
2. Meta Ireland cannot rely on a contractual legal basis to justify its processing. Serving personalized ads (as part of the broader suite of personalized services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract. The DPC adopted this position following an EDPB ruling that agreed with other EU regulators’ representations to the DPC.
In addition to the fine, Meta Ireland was instructed to ensure that its data processing operations are GDPR compliant within three months. Meta has said it will appeal, which is not surprising given that it may need to make costly changes to its personalized ad-based business in the EU, one of its largest markets.
It is important to note that this decision still allows Meta to use non-personal data (such as the content of Stories) to personalize ads, and to solicit user consent for targeted ads. However, under GDPR, users must be able to withdraw their consent at any time. If many do, it will impact one of the most valuable parts of Meta’s business.
Meta’s upcoming appeal will provide much-needed judicial guidance, specifically on Principle 1 of the GDPR.