Meta Ireland fined €390 million for unlawful legal basis

Ireland's data protection authority (the DPC) announced its final decision regarding Meta Ireland's Facebook and Instagram services on 4 January 2023, fining Meta Ireland €210 million (for GDPR breaches regarding its Facebook services) and €180 million (for GDPR breaches regarding its Instagram services). The decisions focus on the legal basis for the processing of personal data for personalised advertising.

The DPC launched an investigation into Meta Ireland (Meta) on 25 May 2018, following complaints about Facebook and Instagram, two services provided by Meta. The complaints primarily focused on the legal basis for the processing of personal data that Meta uses for its services. Meta previously relied on consent from its users as the basis for processing their personal data. Since the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018, however, Meta has relied on the ‘performance of a contract’ basis for its processing activities. By accepting Meta’s terms of service, the user allegedly enters into an agreement with the platform. According to Meta, the processing of users’ personal data is necessary for the purpose of providing personalised advertisements, among other purposes.

DPC’s draft decision

The DPC published its draft decision on 6 October 2021, proposing a fine of up to €23 million for Instagram and a fine of up to €36 million for Facebook. In its decision, the DPC stated that:

  • Meta had breached its transparency obligations under the GDPR, as it was insufficiently clear to users of the services how their personal data was being processed, for what purposes and on which legal basis; and
  • providing personalised advertisements is a core element of the services that Meta provides, which allowed Meta to rely on the ‘performance of a contract’ basis.

This draft decision was then presented to the other concerned supervisory authorities (CSAs).

European Consistency Mechanism

In the case of cross-border processing, a lead supervisory authority is designated and submits its draft decision to the other CSAs. In this case, ten European supervisory authorities, including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), disagreed with the DPC's draft decision. They found that (i) providing personalised advertisements is not a core element of the services provided by Meta; and (ii) users should be able to use social media without their personal data being processed to provide personalised ads. As the authorities failed to reach consensus, the consistency mechanism was triggered. The European Data Protection Board (EDPB) then makes a binding decision, after which the lead supervisory authority arrives at a final decision. The EDPB issued that decision on 5 December 2022.

EDPB's binding decision

In its binding decision, the EDPB upheld the DPC's position regarding breaches of transparency obligations but – unlike the DPC – found that the ‘performance of a contract’ was not a lawful basis for the processing of personal data for the purpose of personalised advertisements.

First, the EDPB found that Meta is not contractually obligated to offer personalised ads to the user based on its terms of service. According to the EDPB, this contractual obligation exists instead between Meta and its advertisers. Second, there can be no ‘performance of a contract’ if it is insufficiently clear to data subjects how their personal data are processed, for what purposes and on what basis. These transparency requirements are an indispensable part of this legal basis. Third, under Article 21(2) and (3) of the GDPR, data subjects may object to the processing of their personal data for direct marketing purposes. The EDPB argued that if the user can object to processing at any time and without giving any reason, this processing would not be necessary. Based on the above considerations, the EDPB found that the Meta services are mainly used for communication and not to receive personalised advertisements.

In addition, the EDPB stated that the fines proposed by the DPC should be increased significantly.

DPC’s final decision

In its final decision of 31 December 2022, the DPC adopted the EDPB's binding decision. Meta may not use the ‘performance of a contract’ legal basis in connection with the provision of personalised ads as part of its Facebook and Instagram services. The processing activities that relied on this basis constitute a breach of Article 6(1) of the GDPR from the moment the GDPR entered into force to date. The DPC fined Meta €180 million for its Instagram services and €210 million for its Facebook services. Meta has three months to bring its data processing activities in line with the GDPR.

Impact

The Meta decisions have significant implications for the future of data protection law within the adtech space, but do not appear to have put an end to the conflict, which has been dragging on since 2018.

These decisions have struck Meta at its core, since Meta's business model is mainly based on sending personalised advertisements. The company is already expecting a billion-dollar drop in revenue due to the introduction of a feature in Apple's iOS that allows users to opt out of tracking. This decision could also have significant implications for other platforms whose business models rely on providing personalised ads. Since Meta may not rely on this legal basis for providing personalised ads, it will have to investigate whether it can rely on another legal basis, such as consent or a ‘legitimate interest’. If Meta loses the appeal and opts for the ‘legitimate interest’ legal basis, that will create uncertainties. Currently, preliminary questions regarding the ‘legitimate interest’ legal basis are pending before the European Court of Justice (CJEU) (C-621/22). Meta announced that it would appeal the decision. Since the case involves both European and (possibly) Irish constitutional issues, it may ultimately be referred to both the Irish Supreme Court and the CJEU.

Moreover, the DPC's decision shows a major disagreement between the DPC and the other European supervisory authorities. According to the EDPB, the DPC should have conducted a more extensive investigation, including into the basis of each of Facebook's and Instagram's data processing operations. In response, the DPC believes that the EDPB has exceeded its powers and will seek to have this decision overturned.