A recent decision by the Irish Data Protection Commission (DPC) could have far-reaching implications for Meta, the company that owns Facebook and Instagram. It also clarifies one of the fundamentals of GDPR compliance: the need for a legal basis for processing personal data (Article 6).

Ibrahim Hasan

On 4 January 2023, the DPC fined Meta Platforms Ireland €210m and €180m, relating to its Facebook and Instagram services respectively. The fines were imposed in connection with Meta’s practice of monetising users’ personal data by running personalised adverts on their social media accounts. Information about a social media user’s digital footprint, such as what videos prompt them to stop scrolling or what types of link they click on, is used by marketers to get personalised adverts in front of people who are the most likely to buy their products. This practice helped Meta generate $118bn in revenue in 2021.

The DPC’s decision was the result of two complaints from Facebook and Instagram users, both of which raised the same basic issue: how Meta obtains legal permission from users to collect and use their personal data for personalised advertising. Article 6(1) of the GDPR states that: ‘Processing shall be lawful only if and to the extent that at least one of the following applies:

a. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.’

In advance of the GDPR coming into force on 25 May 2018, Meta Ireland changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis upon which it relies to process users’ personal data under Article 6 in the context of the delivery of Facebook’s and Instagram’s services (including behavioural advertising). Having previously relied on the consent of users to the processing of their personal data, the company now sought to rely on the ‘contract’ legal basis for most (but not all) of its processing operations. Existing and new users were required to click ‘I accept’ to indicate their acceptance of the updated Terms of Service in order to continue using Facebook and Instagram. The services would not be accessible if users declined to do so.

Meta Ireland considered that, on accepting the updated Terms of Service, a contract was concluded between itself and the user. Consequently, the processing of the user’s personal data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of this ‘contract’, which includes the provision of personalised services and behavioural advertising. This, it claimed, provided a lawful basis by reference to Article 6(1)(b) of the GDPR.

The complainants contended that Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact ‘forcing’ them to consent to the processing of their personal data for behavioural advertising and other personalised services. This was not real consent as defined in Article 4 of GDPR: ‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’ (my emphasis).

Following comprehensive investigations, consultation with other EU DP regulators (a process required by GDPR in such cases) and a final ruling by the European Data Protection Board (EDPB), the DPC made a number of findings; notably:

1. Meta Ireland did not provide clear information about its processing of users’ personal data, resulting in users having insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6. The DPC said this violated Articles 12 (transparency) and 13(1)(c) (information to be provided to the data subject) of GDPR. It also considered it to be a violation of Article 5(1)(a), which states that personal data must be processed lawfully, fairly and transparently.

2. Meta Ireland cannot rely on the contract legal basis for justifying its processing. The delivery of personalised advertising (as part of the broader suite of personalised services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract. The DPC adopted this position following a ruling by the EDPB, which agreed with other EU regulators’ representations to the DPC.

In addition to the fines, Meta Ireland has been directed to ensure its data processing operations comply with GDPR within a period of three months. It has said it will appeal; not surprising, considering the decision has the potential to require it to make costly changes to its personalised advertising-based business in the EU, one of its largest markets.

It is important to note that this decision still allows Meta to use non-personal data (such as the content of a story) to personalise adverts or to ask users to give their consent to targeted adverts. However, under GDPR users should be able to withdraw their consent at any time. If a large number do so, it would impact one of the most valuable parts of Meta’s business.

The appeal by Meta will provide much-needed judicial guidance on the GDPR. Given the social media giant’s deep pockets, it will also be interesting to see how far the DPC and other DP regulators go to force a company to change its business practices.

 

Ibrahim Hasan is a solicitor and director of Act Now Training