The investigations concerned two complaints relating to the Facebook and Instagram services, filed on 25 May 2018, the date of entry into force of the General Data Protection Regulation (GDPR), one by an Austrian data subject (in relation to Facebook); the other from a Belgian data subject (in relation to Instagram)2.
With the entry into force of the GDPR, Meta Ireland no longer relied on users’ consent to process their personal data in the context of the provision of Facebook and Instagram services, including behavioral advertising, but now wanted to rely on the basis legal contract, pursuant to article 6.1.b) of the GDPR, for most of its processing operations.
Users of the Facebook and Instagram services, should they wish to continue to have access to these services, have been asked to click on “I accept” to indicate their acceptance of the updated terms of service. Users who have refused to accept have lost access to said digital services.
Meta Ireland has deemed that by accepting the updated terms of service you have entered into a contract with Meta Ireland and that the processing of your data in the context of providing its Facebook and Instagram services is necessary for the performance of that contract, to include the provision of personalized services and behavioral advertising, so such processing operations were lawful under Article 6.1.b) of the GDPR.
The plaintiffs argued, by contrast, that Meta Ireland was in fact still seeking to rely on consent to provide a legal basis for its processing of user data. They argued that, by making access to its services conditional on users agreeing to the updated terms of service, Meta Ireland was effectively “forcing” them to consent to the processing of their data.
The final decisions of the Irish Data Protection Commission of 31 December 2022 incorporate the legal assessment expressed by the European Data Protection Board (EDPB) in its binding decisions of 5 December 2022, adopted on the basis of Article 65(1) , letter a) of the GDPR, after the Irish Data Protection Commission, as lead authority, initiated two dispute resolution procedures relating to objections raised by ten data protection authorities of the Member States. These authorities have raised objections in particular regarding the legal basis of the processing (GDPR, art. 6), data protection principles (GDPR, art. 5) and the use of corrective measures, including fines.
Resolving the discrepancies, the EDPS decided that Meta Ireland was improperly relying on the contract as a legal basis for the processing of personal data in the context of the Facebook and Instagram terms of use for behavioral advertising purposes, as it was not a core part of the services . The EDPS considered in both cases that Meta did not have a legal basis for such processing and therefore processed such data unlawfully. Consequently, the EDPS requested the Irish Data Protection Authority to modify the conclusions of its draft decisions and to include a violation of Article 6.1 of the GDPR.
The EDPS has requested the Irish Data Protection Commission to include in its final decisions an order requiring Meta Ireland to bring its processing of personal data for behavioral advertising purposes into line with Article 6(1) of the GDPR under the Facebook and Instagram services within three months.
Furthermore, the EDPS instructed the Irish Data Protection Commission to include in the two final decisions a finding of breach of the principle of fairness and to take the appropriate corrective measures. The EDPS noted that breaches of transparency obligations impacted the reasonable expectations of users, that Meta Ireland misrepresented its services to users and that the relationship between Meta and users was unbalanced.
Regarding administrative fines, the EDPS ordered the Irish Data Protection Commission to impose an administrative fine for further violations of Article 6(1) of the GDPR (lack of legal basis for processing personal data) and to impose much higher penalties for violations identified transparency, considering that the proposed penalties did not meet the requirement of effectiveness, proportionality and dissuasion. This led the Irish Data Protection Commission to drastically increase the fines in its final decisions (from €36m and €23m for the Facebook and Instagram draft decisions, to €210m and €180m in the final decisions).
The decisions of the Irish DPC and the EDPS, due to differences of analysis on many points they highlight3and their inclusion in a more general movement to clarify the qualification of data processing for behavioral advertising purposes4they are very rich. In the following developments, we will focus on the question of the legitimate basis of data processing for the purpose of distributing behavioral advertisements to users of digital social network services. In fact, the decisions of the Irish Data Protection Commission, modified following those taken by the European Data Protection Board, emerge a definition, by exclusion of behavioral advertising, of the content of contracts for the supply of digital services offered by social networks, which reflects a good consistency with the new solutions adopted in the context of the recent European instruments that regulate digital services.
Clarification of the contractual content of contracts for the supply of digital services offered by social networks
Article 6.1(b) of the GDPR cannot be a lawful basis for processing for behavioral advertising
The central disagreement between the Irish Data Protection Commission and the supervisory authorities of several other Member States concerned the legitimacy of the processing of data of users of the digital services Facebook and Instagram for the purpose of serving behavioral ads from the acceptance required by these users by Meta Ireland, with effect from 25 May 2018, of the general conditions of use and of the privacy policy of the Facebook and Instagram services.
Such processing could only be lawful if it were demonstrated, pursuant to article 6.1.b) of the GDPR, that “the processing is necessary for the execution of a contract of which the data subject is a party. or for the execution of pre-measures agreements adopted at the latter’s request”.
Based on Article 65 of the GDPR, the EDPS resolved the discrepancy, on 5 December 2022, clarifying “the fact that Meta unlawfully processed personal data for behavioral advertising purposes. This advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions can also significantly impact other platforms whose behavioral ads are critical to their business model.”5.
This EDPS solution, with which the Irish DPC complied, is consistent with the whole body of opinions and guidelines from the EDPS and the former Article 29 Working Party6. In particular, in his Guidelines 2/2019 on the processing of personal data pursuant to Article 6, paragraph 1, letter b) of the GDPR in the context of the provision of online services to data subjects, the EDPS had proposed the following guide for assessing the applicability of Article 6(1)(b): “What is the nature of the service provided to the data subject? What are its distinctive features? What is the exact justification of the contract (that is, its substance and fundamental object)? What are the essential elements of the contract?…