The Irish Privacy Regulator Imposes a €390M Fine for Behavioral Advertising Practices
10 January 2023
The Irish Data Protection Commission (“DPC”) has announced that it imposed fines totaling €390M against Meta. The fines come after the DPA concluded its decisions on two inquiries into the company’s legal bases for processing personal data in the context of behavioral advertising.
The inquiries concerned two complaints involving two of the company’s platforms (Facebook and Instagram), which were filed on 25 May 2018 – the day on which the GDPR entered into force. According to the complaints, in anticipation of the entry into force of the GDPR, Meta made changes to the platforms’ terms of use, changing its legal basis under Article 6 of the GDPR for processing personal data for behavioral advertising. Following the change, users who wished to have access to the services had to actively accept the updated terms of use, which included provisions concerning the use of personal data for the purpose of behavioral advertising. By doing this, Meta shifted its legal basis from consent, on which it relied prior to the GDPR, to processing on the basis of “performance of a contract”. According to Meta, by accepting the terms, users entered into a contract, and the processing of personal data for behavioral advertising was necessary for the performance of that contract. However, the complainants contended that in practice Meta relied on the users’ consent, which was not freely given as required under the GDPR, as users were forced to provide their consent to continue using the services.
At first, the DPC published a draft decision in which it suggested fining Meta for breach of the lawfulness, fairness and transparency principles under Article 5 of the GDPR. However, the DPC accepted Meta’s reliance on “performance of a contract” as a legal basis for processing. The DPC shared the draft with its peer Supervisory Authorities, who did not agree with its conclusions concerning the legal basis question. Since a consensus could not be reached, the issue was referred to the European Data Protection Board (“EDPB”).
Unlike the DPC, the EDPB concluded that Meta was not entitled to rely on “performance of a contract” as its legal basis for processing personal data for behavioral advertising purposes, and that its processing is therefore in breach of Article 6 of the GDPR. In addition, the EDPB concluded that Meta also breached the fairness principle. As a result, the DPC updated its decision to reflect the EDPB’s binding decision and fined Meta a total of €390M: €210M for Facebook and €180M for Instagram. The DPC also required the company to bring its processing operations into compliance with the GDPR within 3 months.
In addition, the EDPB directed the DPC to conduct new investigations into Meta’s processing activities, including the processing of special category data under Article 9 of the GDPR. In its statement, the DPC objected to the EDPB’s instructions, claiming that the EDPB has no legal power to instruct and direct any supervisory authority to engage in open-ended and speculative investigation. The DPC went even further and stated that it would consider bringing an action against the EDPB before the Court of Justice of the EU, to the extent the EDPB does not set aside its directions to the DPC.
Feel free to contact us if you have any questions regarding these developments and their potential effects on your company’s compliance efforts.