Facebook and Instagram Decisions: “Important Impact on Use of Personal Data for Behavioural Advertising” (1/12/2023)

UK Version of GDPR

Following the EDPB’s binding dispute resolution decisions of 5 December 2022, the Irish Data Protection Authority (IE DPA) has adopted its decisions regarding Facebook and Instagram (Meta Platforms Ireland Limited, ‘Meta IE’). These decisions are the result of complaint-based inquiries into Facebook’s and Instagram’s activities in particular concerning the lawfulness and transparency of processing for behavioural advertising. Meta IE was fined €210 million in the Facebook decision and €180 million in the Instagram decision by the IE DPA.

The IE DPA’s final decisions of 31 December 2022 incorporate the legal assessment expressed by the EDPB in its binding decisions of 5 December 2022. These binding decisions were adopted based on Art. 65(1)(a) GDPR, after the IE DPA as a lead supervisory authority (LSA) had triggered two dispute resolution procedures concerning the objections raised by concerned supervisory authorities (CSAs) from ten countries in each case. Among others, CSAs issued objections concerning the legal basis for processing (Art. 6 GDPR), data protection principles (Art. 5 GDPR), and the use of corrective measures including fines.

EDPB Chair Andrea Jelinek said: “The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model.”

The EDPB decided that Meta IE inappropriately relied on contract as a legal basis to process personal data in the context of Facebook’s Terms of Service and Instagram’s Terms of Use for the purpose of behavioural advertising as this was not a core element of the services. The EDPB found in both cases that Meta IE lacked a legal basis for this processing and therefore unlawfully processed these data. As a consequence, the EDPB instructed the IE DPA to amend the finding in its draft decisions and to include an infringement of Art. 6(1) GDPR.

The EDPB instructed the IE DPA to include, in its final decisions, an order for Meta IE to bring its processing of personal data for behavioural advertising in the context of the Facebook and Instagram services into compliance with Art. 6(1) GDPR within three months.

Next, the EDPB examined whether the complaints had been addressed with due diligence. The complainant had raised the fact that sensitive data is processed by Meta IE. However, the IE DPA did not assess the processing of sensitive data and therefore, the EDPB did not have sufficient factual evidence to enable it to make findings on any possible infringement of the controller’s obligations under Art. 9 GDPR. As a result, the EDPB disagreed with the IE DPA’s proposed conclusion that Meta IE is not legally obliged to rely on consent to carry out the processing activities involved in the delivery of its Facebook and Instagram services, as this could not be categorically concluded without further investigations. Therefore, the EDPB decided that the IE DPA must carry out a new investigation.

In addition, the EDPB instructed the IE DPA to include in both final decisions a finding of infringement of the principle of fairness and to adopt the appropriate corrective measures. The EDPB noted that the grave breaches of transparency obligations impacted the reasonable expectations of the users, that Meta IE had presented its services to users in a misleading manner, and that the relationship between Meta IE and users was imbalanced.

Concerning the administrative fines, the EDPB directed the IE DPA to impose an administrative fine for the additional infringements of Article 6(1) GDPR (lack of legal basis for the processing of personal data) and to issue significantly higher fines for the transparency infringements identified, as it found the fines proposed did not fulfil the requirement of being effective, proportionate and dissuasive. This led to the IE DPA significantly increasing the fines in its final decisions (from a maximum of €36 and €23 million for the Facebook and Instagram draft decisions to €210 million and €180 million in the final decisions respectively).

Source; https://edpb.europa.eu/news/news/2023/facebook-and-instagram-decisions-important-impact-use-personal-data-behavioural_en

Picture of Dposphere

Dposphere

Recent Post

A new regulation adopted on Thursday, February 29th, allows EU citizens to identify and authenticate themselves

Privacy is getting more and more critical in the modern world. Even giant enterprises face challenges

The UK Competition and Markets Authority’s (CMA) latest report on Google’s Privacy Sandbox raises concerns about