Enforcement
EN

Meta Platforms Ireland Limited: Non-compliance with general data processing principles

€390,000,000 fine - Data Protection Authority of Ireland

Jan 4, 2023 Source

Content

The Irish DPA (DPC) has fined Meta Platforms Ireland Limited EUR 390 million. The DPA has imposed a fine of EUR 210 million for violations related to the provision of its Facebook service and EUR 180 million for violations related to the provision of its Instagram service. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of two individuals. Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of service, Meta informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. Meta assumed that the acceptance of the updated terms of use constituted a contract between Meta and the user, since the processing of the data would be necessary for the provision as well as the improvement of the services. According to Meta, the data processing was therefore lawful pursuant to Art. 6 (1) b) GDPR. However, the complainant argued that Meta was actually trying to rely on consent as a legal basis for processing users' data. By making the access to its services conditional on users' consent to the updated terms of service, Meta was actually forcing users to consent to the processing of their personal data. Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The DPC found that Meta did not rely on user consent as a legal basis, and did not consider 'coerced consent' in this case. It also did not rule out the possibility that Meta relied on a contractual legal basis. In response, the DPC received objections from different supervisory authorities. However, the DPC found that Meta had breached its transparency obligations under the GDPR, by not clearly explaining to users for what purpose and on what legal basis their personal data would be processed. As no agreement could be reached on the disputed points, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR. In its decision, the EDPB confirmed the violation of transparency obligations by Meta. However, the EDPB took a different position than the DPC on the issue of the legal basis and found that Meta was not entitled to rely on a contractual legal basis. The EDPB therefore found that Meta had violated Art. 6 (1) GDPR. The DPC agreed in its final decision and imposed the fine and also required Meta to bring its data processing into compliance within three months.

GDPR Articles: Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 (1) c) GDPR
Industry: Media, Telecoms and Broadcasting

Key Excerpts from Decision

Data Protection Commission announces conclusion of two inquiries into Meta Ireland 04th January 2023 The Data Protection Commission (DPC) has today announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the delivery of its Facebook and Instagram services. (Meta Ireland was previously known as Facebook Ireland Limited). Final decisions have now been made by the DPC in which it has fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service). Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months. The inquiries concerned two complaints about the Facebook and Instagram services, each one raising the same basic issues. One complaint was made by an Austrian data subject (in relation to Facebook); the other was made by a Belgian data subject (in relation to Instagram). The complaints were made on 25 May 2018, the date on which the GDPR came into operation. In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. (Under Article 6 of the GDPR, data processing is lawful only if and to the extent that it complies with one of six identified legal bases). Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook’s and Instagram’s services (including behavioural advertising), Meta Ireland now sought to rely on the “contract” legal basis for most (but not all) of its processing operations. If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click “I accept” to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so). Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing). The complainants contended that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal

View Full Original Decision (English)