New decision narrows “contractual necessity” as basis for data processing, highlighting divisions among EU privacy regulators
Author: James Sullivan, John Magee, David Brazil
In addition to raising questions about Meta’s business model, the DPC’s two decisions reflect growing disagreements between European data protection authorities (DPA) on the two fronts. The first relates to the use of “contractual necessity” as an appropriate legal basis under the GDPR for serving personalized advertising. The second relates to the legal powers of the European Data Protection Board (EDPB) Order the DPA to conduct a new investigation.
While we await the full decisions of the DPC and EDPB, this blog post will outline the key facts relevant to these cases and outline the initial points.
Background
Prior to the GDPR effective date of May 25, 2018, Meta changed the terms of use for its Facebook and Instagram services. Whereas it previously relied on user consent, the company sought to use “contractual necessity” as the legal basis for processing users’ personal data under GDPR.
Meta took the position that the user entered into a contract with the company upon accepting the updated Terms of Service. Meta considered that the processing of user data in order to provide personalized advertising in connection with the delivery of the Facebook and Instagram services was necessary for the performance of that contract.
Once the GDPR took effect, two EU petitioners argued that Meta still relied on consent as the legal basis for processing user data. They said that by coordinating the Facebook and Instagram services by agreeing to their updated terms of service, Meta effectively “forces” users to consent to such processing for personalized advertising. claimed to be
In its subsequent draft decision, the DPC made two important findings. Firstly, by not clearly outlining to users the legal basis for processing their personal data, Meta is bound by its transparency obligations and its obligation to process personal data in a lawful, fair and transparent manner under the GDPR. We have determined that we have violated our obligation to process. In a press release, the DPC claims that it proposed to impose “very large fines” against Meta in connection with these infringements.
Importantly, however, the DPC side with Meta, and the GDPR recognizes companies as a “contractual necessity” as the appropriate legal basis for processing data necessary to serve personalized ads. In the DPC’s view, Meta’s personalized advertising offerings were at the heart of negotiations concluded between users and the company’s Facebook and Instagram services.
Ten DPAs across Europe subsequently challenged the decision in the DPC’s draft decision that Meta should be able to rely on the legal basis of “contractual necessity”. According to his DPA involved, Meta’s serving of personalized ads was not necessary for the company to offer his Facebook and Instagram services to users. In their view, the contract with the user contains certain core elements and the delivery of personal advertisements cannot be said to be necessary to fulfill the more limited form of the contract.
On December 5, 2022, the EDPB issued a binding decision on disputes between DPCs and their peer DPAs. In partially overturning the DPC’s draft decision, the EDPB determined that Meta had no right to rely on the legal basis of “contractual necessity.” Additionally, the EDPB has ordered her DPC to conduct a new investigation. all Facebook and Instagram data processing operations.
In its final decision on December 31, 2022, the DPC upheld the EDPB’s binding decision that Meta’s reliance on the legal basis of “contractual necessity” to process user data violates the GDPR. has been incorporated. However, in announcing these final decisions on January 4, 2023, the DPC characterized the EDPB’s mandate to launch a new “free and speculative investigation” of Meta as going too far. The DPC noted that this directive was not included in its decision and indicated that it would file an annulment action with the EU Court of Justice to reverse this element of the EDPB’s decision.
Next steps and implications
- The Future of “Contractual Necessity” for Personalized Advertising
Following the DPC’s decision, Meta announced its intention to appeal both the substance of the decision and the fines imposed thereunder. As a result, the question of whether “contractual necessity” constitutes an appropriate legal basis for personalized advertising is sure to be litigated for years to come.
- Alternative Legal Basis for Personalized Advertising
Although the DPC’s final decision requires Meta to comply with Facebook’s and Instagram’s processing operations within three months, Meta’s stated intention to appeal the decision indicates that the final decision in the appeal process has been reached. It means that we may continue to rely on the same approach to legal basis until the decision is made. Since the decision does not ban personalized advertising on the two platforms, Meta could pivot to other legal bases available under the GDPR, such as consent and “legitimate interests.” there is. In general, “legitimate interest” tends to be an appropriate basis when a company processes personal data in a manner that users would reasonably expect. However, the user has the right to object to the processing under her GDPR where it relies on legitimate interests. This right to object may impair our ability to conduct personalized advertising for all users if Meta chooses to rely on this legal basis rather than “contractual necessity”. I have.
- EDPB Legal Authority to Order Investigations
Finally, the action to reverse some of the EDPB’s decisions before the Court of Justice of the European Union will be the DPC’s first legal challenge to the Council’s direction. The DPC’s claim is that the EDPB, the body responsible for resolving disputes between the DPAs and ensuring consistent enforcement of her GDPR across the EU, has the legal authority to order the DPA to conduct a new investigation. It depends on whether there are
- Broader Meaning of Decision
While the fines imposed are eye-catching and continue the trend of increased DPC enforcement over the past year, the decision’s potential commercial implications for Meta and other companies that rely on digital platforms are significant. Consequences are more important than mere fines. As mentioned in a previous post, Meta saw his stock price drop a significant 6.2% on the day his EPDB positions in these cases were reported. Following this decision, it will become increasingly difficult for Meta to justify its existing approach. This means serving personalized ads to all users without an option to opt-out. This business model has been a key driver of growth and revenue for Meta and many other digital platforms. The anticipated Meta appeal has been watched by many and will continue to provide comments as it progresses.
The DPC’s third decision on Meta’s WhatsApp service is expected soon. However, unlike Facebook’s and Instagram’s decisions, the DPC’s investigation into WhatsApp was about the legality of Meta’s processing of personal data for the purpose of improving its services.
