The Irish data watchdog fined Meta Ireland €390 million

Ireland’s data watchdog has fined Facebook’s parent company Meta Ireland €390m as a dispute erupted over whether further investigation into the use of personal data was warranted.

Meta Ireland was fined €210 million for violating EU data privacy rules on Facebook and €180 million for violations on Instagram.

Meta said it was “disappointed” with the decision and intended to appeal “both the substance of the rulings and the penalties”.

The Irish Data Protection Commission (DPC) is also set to seek an injunction to avoid a “problematic” order from the European Data Protection Board to further investigate Facebook and Instagram’s data processing operations, which it says may be “overreaching”.

This comes after a dispute between the Irish watchdog and the EU data authority over the amount of fines imposed on Meta Ireland for lack of transparency about how users’ data is handled and whether there is a contract between users and the company allowing their data to be used in personalized ads.

Two complainants alleged that Meta Ireland “coerced” them to consent to the use of their personal data for behavioral advertising and other services by making the use of social media conditional upon accepting the terms of service.

The complainants argued that this was in breach of the General Data Protection Regulation (GDPR).

Meta Ireland argued that a contract was entered into between itself and the user upon acceptance of the updated terms and conditions, and that the processing of user data on its Facebook and Instagram services was necessary for the performance of that contract.

The complainants argued that, contrary to Meta Ireland’s position, the company was in fact still seeking to rely on consent as the legal basis for processing user data.

The DPC’s draft decisions concluded that Meta Ireland breached the GDPR because users’ personal data must be processed “lawfully, fairly and transparently” and users had “insufficient clarity as to what processing operations were carried out on their personal data”.

However, it also said the “forced consent” aspect of the complaints “could not be upheld” and the GDPR “does not preclude” Meta Ireland from relying on a “contract” legal basis.

The draft decisions have been submitted to the relevant regulatory authorities in the EU, also known as Concerned Supervisory Authorities (CSAs).

On the question of whether Meta Ireland had acted in breach of its transparency obligations, the CSAs agreed with the DPC’s decisions but said that the fines proposed by the DPC should be increased.

Ten of the 47 CSAs said that Meta Ireland should not be able to rely on the contract as a legal basis as personalized advertising is not necessary to fulfill the essential elements of a much more limited form of contract.

“The DPC disagreed, reflecting its view that the Facebook and Instagram services include and indeed appear to be based on the provision of a personalized service that includes personalized or behavioral advertising,” said the DPC.

“In effect, these are personalized services that also include personalized advertising.

“In the DPC’s view, this reality is central to the contract between users and the service provider of their choice and forms part of the contract when users accept the terms of service.”

The matter was referred to the EDPB, which ruled on December 31 that Meta Ireland was not entitled to rely on the contract as a legal basis for processing personal data for the purposes of behavioral advertising.

“Therefore, the DPC decisions contain findings that Meta Ireland is not entitled to rely on a ‘contractual’ legal basis in connection with the provision of behavioral advertising on its Facebook and Instagram services and that the user data it has processed so far, allegedly relying on the legal basis of a ‘contract’, constitutes a violation of Art. 6 GDPR,” said the DPC.

Meta Ireland was asked to bring its data processing operations into compliance within three months.

A Meta spokesperson said in a statement that it “strongly” believes its approach “respects the GDPR” and intends to appeal the decision.

“These decisions do not prevent targeted or personalized advertising on our platform,” it said. “The decisions are only about which legal basis Meta uses to offer certain ads. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.

“There was a lack of regulatory clarity on this issue and the debate among regulators and policy makers around which legal basis is the most appropriate in a given situation has been going on for some time.

“Therefore, we strongly disagree with the final decision of the DPC and consider that we are in full compliance with the GDPR based on the contractual necessity of behavioral advertising, given the nature of our services. As a result, we will appeal on the substance of the decision.”

The Data Protection Commission has also said that it intends to take legal action to revoke the EDPB’s order to further investigate data processing on Instagram and Facebook.

It said: “Separately, the EDPB allegedly instructed the DPC to conduct a new investigation that would cover all Facebook and Instagram data processing operations and would investigate special categories of personal data that may or may not be processed in the context of these operations.

“The DPC decisions obviously do not include references to new investigations of all data processing operations on Facebook and Instagram that were directed by the EDPB in its binding decisions.

“The EDPB does not have a general supervisory role, like national courts, with respect to independent national authorities and cannot instruct or direct the authority to engage in an open and speculative investigation.

“The direction is therefore problematic from a jurisdictional point of view and does not seem to follow the structure of the cooperation and consistency arrangements set out by the GDPR.

“To the extent that the guidelines may involve undue reach by the EDPB, the DPC considers it appropriate to bring an action for annulment before the Court of Justice of the EU to seek annulment of the EDPB’s recommendations.”
