Irish Data Protection Commission forced into u-turn on Meta’s breaches of the GDPR

The General Data Protection Regulation (“GDPR”) lays down rules concerning the protection of and the free movement of personal data within the European Union. Each EU Member State as well as the UK has at least one authority responsible for monitoring the application and enforcement of the GDPR known as the Supervisory Authority.[1] Ireland’s Supervisory Authority[2] is the Irish Data Protection Commission (“IDPC”), which plays a core role in data privacy regulation because Ireland is home to the European headquarters of several global technology companies like Google, Meta/Facebook, Paypal, Microsoft, Twitter, and LinkedIn.[3]

NOYB’s three complaints against Meta group companies

The IDPC commenced its investigations following the filing of a suite of complaints[4] (the “NOYB Complaints”) by the non-profit privacy protection-focused organization NOYB (“None Of Your Business”) against companies within the Meta Platforms Inc. group of companies (“Meta”). The complaints focused on the unlawful use of user data, principally to serve users with behavioural advertising. The complaints were passed on to the IDPC, which assumed jurisdiction as the Lead Supervisory Authority[5] because the cases related to cross-border processing and the main European establishment of each of the relevant Meta group companies was in Ireland.

The basis of the three complaints is relatively homogeneous. Facebook, Instagram, and WhatsApp (the “Meta Platforms”) require their prospective users to create an account to access their service. To create an account, a prospective user is required to accept a series of terms and conditions (“Terms of Service”). Upon their acceptance, the Terms of Service constitute a contract between the (new) user and the Meta Platforms.

In April 2018, the Meta Platforms updated their Terms of Service and associated privacy policy to implement and comply with the obligations set by the GDPR, which were to become applicable from 25 May 2018. Among those obligations, Article 5 GDPR requires that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject.”[6] This translates into the fundamental requirement that data controllers must have a lawful basis for any processing of personal data they undertake.

According to Article 6(1) GDPR, there are six bases for lawful processing: (a) the data subject has given its consent; or processing is necessary for (b) the performance of a contract to which the data subject is party; (c) compliance with a legal obligation to which the controller is subject; (d) the protection of the vital interests of the data subject or of another natural person; (e) the performance of a task carried out in the public interest or in the exercise of official authority; or (f) the purposes of the legitimate interests pursued by the controller or by a third party.[7] Additionally, under Article 13(1)(c) GDPR, controllers are required to provide detailed information to users at the time personal data is obtained in relation to “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing,”[8] which should be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”[9]

Essentially, under the GDPR there must be a legal basis for the processing of personal data and transparency in the communication of information regarding that processing to the data subject (user). This is a stark difference from the prior regulation[10] which did not require data controllers to explicitly state what legal basis they relied on in processing particular categories of personal data.

To continue accessing their services, the Meta Platforms required users to accept the updated Terms of Service and associated privacy policy prior to 25 May 2018. The updated Terms of Service and associated privacy policy were brought to the attention of existing users by way of a series of information notices and options on the respective platforms at the final stage of which an embedded hyperlink to the full text of the Terms of Service, the Data Policy, etc. was provided. 

Overview of the NOYB Complaints

The NOYB Complaints claimed that, when accepting the Terms of Service and accompanying policies, it was unclear which specific legal basis was being relied on by the Meta Platforms. The privacy policy simply listed all six bases for lawful processing under Article 6(1) GDPR without stating which legal basis was being relied upon for each specific processing operation. In addition, the NOYB Complaints expressed concern about reliance on Article 6(1)(b) GDPR (necessary for the performance of a contract) as a legal basis for the processing operations detailed in the Terms of Service.

The NOYB Complaints alleged that this amounted to an attempt by the Meta Platforms to bypass the consent requirement of Article 6(1)(a) GDPR by, essentially, asserting that provision of behavioural advertising is a part of the “service” that the Meta Platforms contractually provide to users.[11]

As noted above, the GDPR requires data controllers to provide detailed information to users at the time personal data is obtained, including information about the purpose of the processing as well as the legal basis for it. NOYB alleged that this lack of information breached the GDPR’s transparency and fairness requirements.

The IDPC Preliminary Draft Decisions

In 2021, after concluding its investigations, the IDPC issued three preliminary draft decisions against the Meta Platforms.[12] In broadly similar terms, each of the preliminary draft decisions concluded that the Meta Platforms were not precluded “from relying on Article 6(1)(b) GDPR as a legal basis to carry out the personal data processing activities involved in the provision of its service to users,” including “behavioural advertising” for Facebook and Instagram,[13] and “the improvement of the existing service and the maintenance of security standards” for WhatsApp,[14] insofar as those form a “core part” of their respective services.

In its Preliminary Draft Facebook Decision, the IDPC stated that it considered that Article 6(1)(b) GDPR[15] could not be interpreted as requiring that it be “impossible” to perform the contract without the data processing operations in question. The IDPC declared that it considered behavioural advertising to be a core part of the service offered to and accepted by Facebook users and that this was clearly set out and publicly available to users. It therefore concluded that Facebook (Meta) may, in principle, rely on Article 6(1)(b) GDPR as a legal basis for the processing of users’ data necessary for the provision of its Facebook social media service, including through the provision of behavioural advertising insofar as this forms a core part of the service offered to and accepted by users. While the IDPC concluded that there had been “significant failings of transparency,” it did not change what the IDPC called the “basic fact” that behavioural advertising forms part of the service offered by Facebook.[16] The IDPC concluded that in both Facebook and Instagram’s Terms of Service and privacy policies, there were significant failings of transparency regarding their data processing,[17] which amounted to an infringement of Articles 5(a), 12(1) and 13(1)(c) GDPR.

By the time of adoption of the preliminary draft decisions against Facebook and Instagram, the IDPC had already adopted a preliminary draft decision against WhatsApp which came to a similar conclusion and imposed a €225 million fine and an order for WhatsApp to bring its privacy policy into compliance with the GDPR.[18]

In compliance with the cooperation procedure set in Article 60 GDPR,[19] the IDPC shared the Preliminary Draft Decisions with other Concerned Supervisory Authorities (“CSAs”),[20] several of which raised reasoned objections about the Preliminary Draft Decision pursuant to Article 60(4) GDPR which could not be resolved.[21] As a result, the IDPC referred the matter to the European Data Protection Board (“EDPB”), initiating the dispute resolution procedure under Article 65(1)(a) GDPR.[22]

The EDPB Binding Decisions

Under the dispute resolution process in the GDPR, the EDPB is responsible for adjudicating any dispute between the CSAs and the IDPC about the terms of a preliminary draft decision. The CSAs raised several objections to the Preliminary Draft Decisions; however, the main issue in dispute was whether the IDPC should have found an infringement of Article 6(1) GDPR for lack of a lawful basis for processing of user data. According to the CSAs, there was a “risk” that the IDPC’s “proposed interpretation of Article 6(1)(b) GDPR leads to a situation where data protection principles are either undermined or bypassed entirely”[23] and “would lower the threshold for legality of data processing and thus endanger the rights of data subjects.”[24]

The EDPB commented that the principle of lawfulness under Articles 5(1)(a) and 6 GDPR is one of the main safeguards for the protection of personal data, and a restrictive approach should be adopted to the interpretation of those provisions.[25] The EDPB noted that the requirement to process data in a lawful, fair and transparent manner applied even when the practical application of those principles was “inconvenient or runs counter to the commercial interests of Meta IE [Facebook] and its business model.”[26]

In order to assess whether, in the terms of Article 6(1)(b) GDPR, the processing of the data was “necessary” for the performance of the contract in question (between the user and Facebook), the EDPB examined whether the provision of behavioural advertising was objectively necessary for Meta IE (Facebook) to provide its Facebook service to the user based on the Facebook terms of service and the nature of the service provided.

With reference to its published guidance on Article 6(1)(b) GDPR,[27] the EDPB noted that the processing must be objectively necessary and integral to the delivery of the contractual service to the data subject to be deemed “necessary” within the meaning of Article 6(1)(b) GDPR. Necessity was to be determined by reference to the mutually understood contractual purpose, which depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract. The EDPB held that a reasonable user cannot expect that their personal data will be processed for behavioural advertising simply because Facebook briefly refers to this processing in the Terms of Service (which the EDPB considered to constitute the entirety of the contract), or because of the “wider circumstances” or “recognised public awareness of behavioural advertising” derived from its “widespread prevalence.”[28] The EDPB also noted both that behavioural advertising has a “particularly massive and intrusive nature,” and that it is “extremely difficult to argue that an average user can fully grasp it, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on the Facebook Terms of Service.”

The same conclusions were reached in the EDPB WhatsApp decision with regard to Meta (WhatsApp)’s reliance on Article 6(1)(b) as the lawful basis for the processing of WhatsApp users’ data for the purpose of “service improvements and security features.” The EDPB noted in this decision that, given that the main purpose for which a user uses WhatsApp is to communicate with others, and that WhatsApp makes the processing of the user’s data (including for service improvement and security features) a requirement of the contract, there would be no way for a user to opt out of that processing other than to decline the Terms of Service, which would effectively “exclude[..] them from a service that enables them to communicate with millions of users.”[29]

Accordingly, in each of the EDPB Binding Decisions, the EDPB found that the Meta Platforms inappropriately relied on Article 6(1)(b) GDPR as the lawful basis for their data processing, meaning they lacked a legal basis for their data processing and that they infringed their transparency obligations under Arts. 5(1)(a), 12(1) and 13(1)(c) GDPR.[30]

The IDPC Final Decisions

In compliance with the EDPB’s Binding Decisions, the IDPC exercised its corrective powers and issued an order pursuant to Article 58(2)(d) GDPR,[31] requiring the Meta Platforms to take the necessary action to address the EDPB’s findings that they were not entitled to carry out their data processing on the basis of Article 6(1)(b) GDPR.[32] In addition, Facebook and Instagram were ordered to bring their Data Policy and Terms of Service into compliance with Articles 5(1)(a), 12(1) and 13(1)(c) GDPR regarding the information provided on: (i) data processed pursuant to Article 6(1)(b) GDPR and (ii) data processed for the purposes of “behavioural advertising.” WhatsApp was given six months to comply with the order, while Facebook and Instagram were given three months.

The IDPC also imposed, under Articles 58(2)(i) and 83 GDPR, an administrative fine of €5.5 million on WhatsApp, and €210 million and €180 million respectively on Facebook and Instagram. Facebook and Instagram’s total fines were split into three elements: (i) €80 million and €70 million for their failure to provide sufficient information regarding their processing based on Article 6(1)(b) GDPR (infringing Articles 5(1)(a) and 13(1)(c) GDPR); (ii) €70 million and €60 million for their failure to provide the required information in a transparent manner (infringing Articles 5(1)(a) and 12(1) GDPR); and (iii) €60 million and €50 million for their infringement of Article 6(1) GDPR.[33]

Plus ça change

Not entirely surprisingly given their business models, the Meta Platforms have not elected to cease using personal data for behavioural advertising (or, in the case of WhatsApp, “service improvements and security features”). Instead, the Meta Platforms have pivoted to rely upon the “legitimate interest” basis in Article 6(1)(f) GDPR, which provides that processing is lawful where it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child,” as the legal basis for their data processing. The adoption of this approach appears to ignore various findings by Supervisory Authorities (including the Italian Supervisory Authority against TikTok[34]) that, under Article 6(1)(f) GDPR, “legitimate interest” cannot be relied upon as the legal basis for processing user data for the purpose of serving behavioural advertising. NOYB has announced its intent to file new complaints.

*Lesley Hannah is Partner and Santiago Dutas was previously a legal intern in London.

Footnotes

[1] Article 51 GDPR – Supervisory authority.
[2] Background | Data Protection Commissioner.
[3] Companies In Ireland with European Headquarters [Updated For 2020].
[4] The three complaints were filed by private individuals supported by NOYB against entities within the Meta Platforms Inc group: Instagram (Facebook Ireland Ltd) complaint-instagram.pdf (noyb.eu), WhatsApp Ireland Ltd complaint-whatsapp.pdf (noyb.eu) and Facebook Ireland Ltd complaint-facebook.pdf (noyb.eu) on 25 May 2018, the first day of application of the GDPR.
[5] Pursuant to Art. 56 GDPR.
[6] Article 5 GDPR – Principles relating to processing of personal data.
[7] Article 6 GDPR – Lawfulness of processing.
[8] Article 13 GDPR – Information to be provided where personal data are collected from the data subject.
[9] Article 12 GDPR – Transparent information, communication and modalities for the exercise of the rights of the data subject.
[10] The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995.
[11] Just € 5,5 Million on WhatsApp. DPC finally gives the finger to EDPB.
[12] Preliminary draft decision issued to Meta (Facebook) on 14 May 2021 (the “Preliminary Draft Facebook Decision”); Preliminary draft decision issued to Meta (Instagram) on 23 December 2021 (the “Preliminary Draft Instagram Decision”); Preliminary draft decision issued to Meta (WhatsApp) on 23 December 2021 (the “Preliminary Draft WhatsApp Decision”) (together, the “Preliminary Draft Decisions”). The Preliminary Draft Decisions are summarised in the EDPB’s three binding decisions adjudicating the dispute between the IDPC and a number of CSAs on the terms of the Preliminary Draft Decisions (EDPB Binding Decision Facebook (EDPB FB); EDPB Binding Decision Instagram (EDPB IG); EDPB Binding Decision WhatsApp (EDPB WA)).
[13] EDPB Binding Decision Facebook (EDPB FB), 30; EDPB Binding Decision Instagram (EDPB IG), 28.
[14] EDPB Binding Decision WhatsApp (EDPB WA), 30.
[15] Article 6(1)(b) GDPR provides that processing shall be lawful only if and to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” (emphasis added).
[16] As summarised in paragraphs 32-40 of the EDPB FB decision on the dispute between the IDPC and a number of the CSA on the terms of the Preliminary Draft Facebook Decision.
[17] EDPB FB 39; EDPB IG 39.
[18] Data Protection Commission announces decision in WhatsApp inquiry, 02/09/2021.
[19] Article 60 GDPR – Cooperation between the lead supervisory authority and the other supervisory authorities concerned.
[20] Meta (Facebook), 06 October 2021; Instagram, 01 April 2022; WhatsApp, 1 April 2022.
[21] Germany, Spain, Finland, Hungary, Netherlands, Norway, and Sweden raised objections to the Preliminary Draft Instagram Decision; Austria, Germany, Norway, Italy, France, and Netherlands raised objections to the Preliminary Draft Facebook Decision; and Germany, Finland, France, Italy, Netherlands, and Norway raised objections to the Preliminary Draft WhatsApp Decision.
[22] Article 65 GDPR – Dispute resolution by the Board.
[23] EDPB FB 56; EDPB IG 57.
[24] EDPB WA 82.
[25] EDPB WA 98; EDPB FB 102; EDPB IG 105.
[26] EDPB FB 105.
[27] EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf (europa.eu) (EDPB Guidelines).
[28] EDPB WA 113; EDPB FB 123; EDPB IG 125.
[29] EDPB WA 119.
[30] EDPB WA 115; EDPB FB 125; EDPB IG 129.
[31] Article 58 GDPR – Powers.
[32] EDPB WA 9.105; EDPB FB 10.44; EDPB IG 417.
[33] IDPC WA 9.106; IDPC FB 10.45; IDPC IG 418.
[34] Provvedimento del 7 luglio 2022 [9788429] - Garante Privacy (gpdp.it)