Irish Data Protection Commission Fines Meta for EU GDPR Breaches
Simmons and Simmons reviews the Irish Data Protection Commission’s latest action against Meta (owner of Facebook and Instagram):
The Data Protection Commission (DPC), the Irish supervisory authority for the EU GDPR, has concluded two of its investigations into the data processing operations of Meta’s Facebook and Instagram services. The final decision delivers two fines totalling €390m, of which €210m relates to Facebook and €180m to Instagram.
Meta has since said that it intends to appeal the decisions:
The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area. We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.
Meta’s statement dove into the weeds on what the DPC’s decision means—and doesn’t mean—from a legal perspective:
Since GDPR came into force, Meta has relied on Contractual Necessity to process the data needed to provide behavioural advertisements in the EU. We have always been open with regulators and courts about this, and in previous assessments of our services they did not object to the use of Contractual Necessity for this type of activity.However, following recent engagement with and directions from other regulators across Europe, the DPC has now found that Meta must change its approach regarding the legal basis on which it processes user data for behavioural ads.[…]The decisions also do not mandate the use of Consent – another available legal basis under GDPR – for this processing. Similar businesses use a selection of legal bases to process data and we are assessing a variety of options that will allow us to continue offering a fully personalised service to our users. The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect.
Meta’s case has significant implications for all social-media companies. The availability, or lack thereof, of a Contractual Necessity basis for personalising services will significantly impact consumers’ privacy. The proceedings are certainly to be among the most-watched in 2023
