The Data Protection Commissioner imposes a fine of €210 million for Facebook violations and €180 million for Instagram violations
On 5 December 2022, the European Data Protection Board adopted a binding decision (Binding Decision 4/2022, text at the bottom) pursuant to art. 65 of the GDPR for a dispute concerning Meta Platforms Ireland Limited. On 31 December 2022, the Irish Regulator sanctioned the company.
1. The question
The story begins on 25 May 2018, the date on which European Regulation 2016/679 (the so-called “GDPR”) became applicable and on which the organization None Of Your Business (NOYB), founded by the lawyer and activist Max Schrems, filed various complaints for violations of the then-new legislation.
One of the complaints concerned a personal data processing activity carried out by Meta on its social networks Facebook and Instagram: instead of asking data subjects for consent to process their personal data for the purpose of showing personalized advertising, the company had included this purpose in the “Terms and conditions” of its social media, thus framing ad targeting as one of the services the platforms offer to their users.
In this way, the lawfulness condition for processing personal data for the purposes of profiling and personalized advertising was identified as the one established by art. 6 par. 1 letter b) of the GDPR, which applies when “the processing is necessary for the execution of a contract of which the interested party is a party or for the execution of pre-contractual measures adopted at the request of the same”. For this reason, Meta argued, it was not necessary to ask data subjects for consent, because the processing rested on a different legal basis.
In fact, it is now clear that consent must not be requested from data subjects indiscriminately for every processing operation on their data, but only when none of the other conditions listed in art. 6 of the GDPR applies. This is also because consent is subject to strict requirements including, not least, that it can be revoked at any time and with the same ease with which it was given (art. 7 par. 3 GDPR). If, however, the processing is necessary to provide a service requested by the data subject and which the controller is contractually obliged to provide, then a request for consent to the processing for this purpose would not only conflict with art. 6, since letter b) of par. 1 applies, but would also risk undermining the very execution of the contract if the data subject decided to revoke the consent initially given. To avoid outcomes of this type, as well as sanctions for violation of the GDPR, consent should be relied on only as a last resort.
With these premises in place, it must be clarified that the role of consent, although reduced, remains central in some sectors such as marketing, where in most cases none of the other conditions of lawfulness listed in art. 6 applies. In its complaint against Meta, None Of Your Business contests the fact that the company tried to “circumvent” the need for the data subject’s consent to processing for personalized advertising purposes by including this service in the contractual terms, a maneuver which, according to NOYB, is aimed at removing data subjects' ability to choose what social networks do with their data.
2. The Irish Data Protection Commissioner’s draft ruling and the EDPB decision
The Supervisory Authority competent to resolve the issue, pursuant to the “Lead Supervisory Authority” mechanism established by art. 56 of the GDPR, is the Irish Data Protection Commissioner (DPC), as the Authority of the State in which the controller’s main establishment is located.
The DPC prepared a draft decision, which was transmitted to the other supervisory authorities of the Union. However, 10 of these (including the Italian Guarantor) raised objections, and the issue was brought before the European Data Protection Board to initiate the dispute resolution procedure entrusted to this body by art. 65 of the GDPR. In the draft decision the DPC stated that the GDPR, the relevant case law and the Guidelines issued so far by the EDPB would not preclude the use of the legal basis established by art. 6 par. 2 lett. b) of the GDPR to provide services to users, including personalized advertising if this constitutes a central element of the service provided by a company (as claimed by Meta in the case in question). The Irish Authority therefore proposed a sanction for Zuckerberg’s company, but only for violations of the principle of transparency, while it considered the processing based on this legal basis to be lawful. Other authorities contested this position, arguing that processing data for personalized marketing purposes requires the consent of the data subjects.
It is for these reasons that on 6 December 2022 the EDPB sent its binding decision to the DPC, with which the Authority was to align within a month. This decision also addresses other aspects (such as the amount of the fine, the violation of the principle of fairness, the problems of transparency of the processing…) but the central element is certainly the question of the legal basis of the processing for personalized advertising provided by social networks, a topic that we will now analyze in detail.
The EDPB first of all recalls the fundamental purpose of the GDPR, namely to create a solid regulatory framework to protect the fundamental right to the protection of personal data throughout the Union, as enshrined in art. 8 of the Nice Charter and in art. 16 of the TFEU. The GDPR frames this right as an attribute strictly connected to the dignity of data subjects and not as an asset that can be exchanged through a contract. The Court of Justice of the European Union has also already ruled on the topic (in the famous Google Spain case), stating that, in principle, the fundamental rights to the protection of privacy and personal data prevail over the economic interests of the data controller.
The Board underlines that, although there is no hierarchy between the various conditions of lawfulness listed in art. 6 of the GDPR, identifying which one applies to a processing operation cannot be left entirely to the controller's discretion, but must be based on the actual characteristics of the processing and its purposes. In the case of the legal basis pursuant to art. 6 par. 1 letter b) of the GDPR, not only must there be a valid contract between the controller and the data subject (or pre-contractual measures), but the processing must be necessary for its execution. The EDPB cites its Guidelines 2/2019, in which it stated that in assessing the necessity of data processing for the execution of the contract it is important to determine the exact rationale underlying the agreement, i.e. its “substance” and the fundamental objective pursued. The reasonable expectations of data subjects must also be taken into consideration, and this is where transparency issues come in.
The EDPB states that the concept of “necessity” cannot be interpreted in a way that violates the “spirit” of the GDPR as identified above and that, at least from the perspective of data subjects, the processing of personal data to provide personalized advertising is not necessary for the execution of the contract between them and Meta, which concerns the creation of a profile on the social network and the use of this service. This processing cannot be considered “necessary” within the meaning of the GDPR, not even in light of Meta’s business model, which effectively monetizes its service through personalized advertising. Art. 6 par. 1 letter b) does not cover processing activities that are useful for the controller but not necessary for the execution of the contract with the data subject. These conclusions are also supported by the fact that art. 21, in paragraphs 2 and 3, gives the data subject the right to object to direct marketing activities: as a general rule, therefore, the processing of personal data to provide personalized advertising is not necessary for the execution of a contract.
On the legal basis of processing for personalized advertising, the EDPB therefore instructed the DPC, in its binding decision last December, to amend its decision to include the violation of art. 6 par. 1 of the GDPR.
3. The final decision of the DPC
On 4 January 2023, the Data Protection Commissioner announced the adoption of its final decision on the matter, imposing a fine of 210 million euros on Meta for data processing violations on the social network Facebook and 180 million euros for substantially the same violations regarding Instagram. The Irish Authority’s ruling thus conforms to what was stated by the EDPB last December.
The DPC also ordered Meta to adopt the measures necessary to bring the processing into compliance with the GDPR within 3 months.
A spokesperson for Meta (quoted by Vincent Manancourt on politico.eu) announced that the company intends to appeal against the substance of the decision. However, given that the EDPB has already ruled on the subject, it is reasonable to expect that this case will lead to revolutionary changes in the relationship between users and social networks and in the business model of large platforms, which until now have relied heavily on revenues from personalized advertising.