The investigations related to two complaints regarding Facebook and Instagram services provided by an Austrian data subject (affiliated to Facebook) on 25 May 2018, the date of entry into force of the General Data Protection Regulation (GDPR); another by a Belgian data subject (linked to Instagram)2.
With the coming into force of the GDPR, Meta Ireland no longer consented to the processing of users’ personal data in the context of serving Facebook and Instagram services, including behavioral advertising, but now wants to trust. on the legal basis of the contract, within the meaning of Article 6.1.b) of the GDPR, for most of its processing operations.
Facebook and Instagram users have been asked to click “I Accept” to indicate their acceptance of the updated terms of service if they wish to continue using these services. Users who refuse to lose access to said digital services.
Meta Ireland considers that by accepting the updated terms of service, the user has entered into a contract with Meta Ireland and that the processing of user data in the context of the provision of its Facebook and Instagram services is necessary for its implementation. contract involving the provision of personalized services and behavioral advertising, thus these processing operations were legal with reference to article 6.1.b) of the GDPR.
The plaintiffs, in contrast, argued that Meta Ireland still sought to rely on consent to provide a lawful basis for processing user data. They argued that by making access to its service conditional on users accepting the updated terms of service, Meta Ireland was effectively “forcing” them to consent to the processing of their data.
The Irish Data Protection Commission’s final decisions of 31 December 2022 incorporate the legal assessment expressed by the European Data Protection Board (EDPB) in its binding decisions of 5 December 2022, adopted under Article 65(1)(a) of the GDPR. The Irish Data Protection Commission, as the lead authority, has initiated two dispute resolution procedures relating to objections raised by Member States of ten data protection authorities. These authorities raised objections in particular regarding the legal basis of processing (GDPR, Article 6), data protection principles (GDPR, Article 5) and the application of remedial measures, including fines.
The EDPS has asked the Irish Data Protection Commission to include in its final decisions an order for Meta Ireland to comply with Article 6.1 of the GDPR within the framework of the Facebook and Instagram services within three periods of time for the processing of personal data for the purposes of behavioral advertising. month
In addition, the EDPS instructed the Irish Data Protection Commission to include the finding of a breach of the principle of fairness in the two final decisions and to adopt appropriate corrective measures. The EDPS noted that the breach of transparency obligations affected the reasonable expectations of users, that Meta Ireland misrepresented its services to users and that the relationship between Meta and users was unbalanced.
Regarding administrative fines, the EDPS has instructed the Irish Data Protection Commission to impose an administrative fine for additional breaches of Article 6(1) of the GDPR (lack of legal basis for processing personal data) and to impose higher fines for specified breaches. transparency, as he considered that the proposed fines did not meet the requirements of being effective, proportionate and dissuasive. This led the Irish Data Protection Commission to dramatically increase the fines in its final judgments (from €36 and €23 million for the Facebook and Instagram draft judgments to €210 and €180 million in the final judgments).
The decisions of the Irish DPC and EDPS differ on many of the points they emphasize3and by being included in a more general action to clarify the quality of data processing for behavioral advertising purposes4, they are very rich. In further developments, we will focus on the legal basis of data processing for the purpose of distributing behavioral advertising to users of digital social network services. In fact, it follows from the decisions of the Irish Data Protection Commission, modified after the decisions adopted by the European Data Protection Council, that determine the content of contracts for the supply of digital services offered by social networks by excluding behavioral advertising. reflects good compatibility with the new solutions adopted under the latest European instruments regulating digital services.
Clarification of the contractual content of contracts for the supply of digital services offered by social networks
GDPR Article 6.1(b) may not be a lawful basis for processing for behavioral advertising
This processing can only be lawful if it is demonstrated that the processing is necessary for the performance of a contract to which the data subject is a party, according to the meaning of Article 6.1.b) of the GDPR. – contractual measures taken at the request of the latter”.
Pursuant to Article 65 of the GDPR, the EDPS resolved the non-compliance on 5 December 2022 by clarifying that “Meta unlawfully processed personal data for the purpose of behavioral advertising. This advertisement is not necessary for the performance of the contract with Facebook and Instagram users. These decisions could have a significant impact on other platforms that are central to the behavioral advertising business model.”5.
This EDPS solution followed by the Irish DPC is consistent with all opinions and guidance from the EDPS and the former Article 29 Working Party.6. In particular, in the Guidelines 2/2019 on the processing of personal data pursuant to Article 6(1)(b) of the GDPR in the context of providing online services to data subjects, the EDPS proposed the following guidance: Assess the applicability of Article 6(1)(b): “Data What is the nature of the service provided to the subject? What are its distinctive features? What is the precise rationale (ie, its essence and main object) of the contract? What are the main elements of the contract?