Irish data protection authority fines Meta 390 million euros and appeals its own decision

The Irish Data Protection Authority (DPC) has imposed a fine of €390 million on Meta for user-based advertising on Facebook and Instagram. As a result, Meta is no longer allowed to run ads using users' personal data without their explicit consent. The decision was imposed only after massive protests from the remaining 26 data protection commissioners of other European countries. At the same time, the DPC has announced that it will file a lawsuit against its own decision. This looks like a developing scandal, or a kind of "banana republic".



Blog readers had already pointed out the issue (thanks for that). I'm going to broaden the topic a bit, as it offers a lot of explosive material, both for Meta and for the Irish data protection authority and for Europe.

What are we talking about?

Meta's two subsidiaries, Facebook and Instagram, have clauses in their terms of service (TOS) under which users consent to the platforms using their personal data to serve personalized advertising. This is the core of Meta's business model.

While other websites require a cookie consent solution for personalized advertising, Meta tried to get this consent globally via the TOS. Anyone who does not accept the T&C cannot use the platform.

However, in the view of noyb and data protection advocates, this contradicts the General Data Protection Regulation (GDPR; DSGVO in German), and the organization noyb filed a complaint with the Irish Data Protection Authority (DPC).

The DPC decision vs. Meta

The Irish Data Protection Commission (DPC) published two decisions as of Jan. 4, 2023, fining Meta Ireland €210 million (for violations of the GDPR related to its Facebook service) and €180 million (for violations related to its Instagram service). Meta Ireland was also ordered to bring its data processing operations into compliance within 3 months.



The investigations concerned two complaints about the services Facebook and Instagram, each of which raised the same fundamental issues. One complaint was filed by an Austrian data subject (regarding Facebook), the other by a Belgian data subject (regarding Instagram).

The Austrian individual is Max Schrems of the organization noyb. The complaints were filed on May 25, 2018, the day the GDPR entered into force.

The background was that Meta Ireland had changed the terms of use for its Facebook and Instagram services in the run-up to May 25, 2018. Meta also indicated in the terms of use that it was changing the legal basis on which it relied to legitimize the processing of users' personal data. (Under Article 6 of the General Data Protection Regulation, data processing is lawful only if and to the extent that it complies with one of the six legal bases mentioned.)

Previously, Meta Ireland had relied on users' consent to the processing of their personal data in connection with the provision of Facebook and Instagram services (including behavioral advertising). With the change, Meta sought to rely on the "contract" legal basis for most (but not all) of its processing.

The DPC controversy

Meta relied on the argument that the consent created a new contract under which the personalized advertising could be served. The organization noyb complained against this because the user had no freedom of choice when using the platforms.

The Irish Data Protection Authority (DPC) launched an investigation into the operations after the complaints were filed in 2018, and concluded that the information about the legal basis on which Meta Ireland relied was not clearly presented to users. This resulted in users not knowing clearly enough which processing operations of their personal data were carried out, for what purpose and on which of the six legal bases mentioned in Article 6 of the General Data Protection Regulation.

Following the audit, the DPC proposed very high fines to Meta Ireland for the breach and ordered the company to bring its processing operations into compliance within a specified, short period of time. At the same time, the DPC concluded that the "coerced consent" aspect of the complaints could not be upheld. This point was thus dismissed – Meta should have simply elaborated more clearly on the basis for processing.

As part of a procedure required by the General Data Protection Regulation, the DPC's draft decisions were submitted to the other supervisory authorities in the EU/EEA, the so-called concerned supervisory authorities (CSAs).

  • On the issue of whether Meta Ireland had breached its transparency obligations, the CSAs agreed with the DPC's decisions but felt that the fines proposed by the DPC should be increased.
  • Ten of the 47 CSAs objected to other elements of the draft decisions. In particular, this group of CSAs considered that Meta Ireland should not be allowed to rely on the legal basis of the contract, as the provision of personalized advertising (as part of the broader package of personalized services offered as part of the Facebook and Instagram services) could not be considered necessary to comply with the core elements of an allegedly much more limited form of the contract.

The DPC disagreed and considered that the Facebook and Instagram services involved, and appeared to be based on, the provision of a personalized service with personalized or behavioral advertising. After a consultation process, it became clear that no consensus could be reached. The DPC was then overruled by the other DPAs.

In line with its obligations under the GDPR, the Irish DPC referred the contentious issues to the European Data Protection Board (EDPB). In other words, the DPC is in conflict with the rest of the European data protection supervisory authorities.

Fine against Meta

The organization noyb points out this decision in the above tweet as well as in this post, summarizing the key points. The fine against Meta was increased from the DPC proposal (32 million Euros) to 390 million Euros. And the European Data Protection Board (EDPB) has prohibited Meta's "circumvention" of the GDPR consent via a clause in its terms and conditions. The decision relates to three noyb complaints from 2018. Meta must obtain "opt-in" consent for personalized advertising and must offer users a "yes/no" option for personalized advertising.

In other words, Meta (Facebook, Instagram, WhatsApp) will no longer be allowed to use personal data for advertising in the EU the way it has done so far. This is a major blow to Meta's business model in Europe, which could affect the group's core business in the long run. In response, noyb writes that the EDPB insisted on a massive fine for Meta. After all, the company has based most of its commercial data processing on a legal basis that has already been explicitly excluded by the EDPB in guidelines since 2019.

The breach of the law is therefore clearly intentional from noyb's perspective. Meta has already been fined more than 900 million euros in GDPR fines so far this year. Max Schrems comments, "The fine will go to Ireland – the state that sided with Meta and delayed enforcement for more than four years. Meta is likely to appeal the case, which will lead to further costs for noyb."

The scandal: the Irish Data Protection Authority (DPC) and Meta are working together and were overruled by the European Data Protection Board (EDPB). At the same time, it was revealed that the DPC was attempting to censor the decision, as the complainant noyb was not served with the decision against Meta. The organization was told at the last second that it would not receive the decision, despite being a party to the proceedings. Meta, on the other hand, was served with this decision.

Meta plans to challenge the fine

Meta has already announced in a series of tweets that it will appeal both the content of the rulings and the fines. Nothing about these rulings prevents personalized advertising on Meta's platforms, it said. The rulings do not mandate the use of consent, according to Meta. And the suggestion that Meta may no longer offer personalized advertising across Europe without first obtaining each user's consent is wrong, it said.

Meta complains about the lack of legal certainty in this area, and the debate about the legal basis for personalized advertising has, after all, been going on for some time. The DPC had made it clear that it believes "the GDPR does not preclude Meta Ireland from relying on the contractual legal basis."

The DPC has been instructed by the European Data Protection Board (EDPB) to conduct a new investigation that will cover all of Facebook's and Instagram's data processing operations and examine special categories of personal data that may be processed as part of those operations. The Irish DPA says the EDPB does not have a general supervisory role of the kind that national courts have over independent national authorities. It is not for the EDPB to order an authority to conduct open-ended and speculative investigations. The DPC considers it appropriate to bring an action for annulment before the Court of Justice of the EU in order to obtain the annulment of the EDPB's instruction.

In other words, the Irish data protection authority is once again acting in Facebook's interests after four years of brakes were applied by the European Data Protection Board (EDPB). And now they are taking legal action against this order – which is formally the right of Meta and the DPC. But the process shows the state of data protection in Europe. Now it remains to be seen how the EU Court of Justice will rule on the matter. The issue will remain with us for some time to come.



One Response to Irish data protection authority fines Meta 390 million euros and appeals its own decision

  1. Theo says:

    Even for being situated in Ireland, DPC should have been part of the Brexit…
