Privacy: Meta Ireland Fined 390 Million Euro

Illustrazione vettoriale ePrivacy aziendale globale

On 4 January 2023, the Irish Data Protection Authority (Data Protection Commission) announced that it had imposed two sanctions on Meta Ireland, of EUR 210 million for GDPR violations relating to Facebook and EUR 180 million for violations relating to Instagram, respectively.

The inquiry carried out by the Irish Authority had been initiated following two complaints filed on 25 May 2018 by an Austrian data subject (in relation to Facebook services) and a Belgian data subject (in relation to Instagram services).

In advance of  25 May 2018, the date from which the GDPR came into force in the European Union Member States, Meta Ireland would have changed the terms of service for its Facebook and Instagram services, indicating that it would change the legal basis on which it based the data processing operations of users. In particular, Meta Ireland, which had based the processing of users’ personal data until that in the context of the provision of Facebook and Instagram services, including behavioral advertising, on the consent of the data subjects, would have resorted to the contractual legal basis for most processing operations, pursuant to Article 6(1)(b) of the GDPR, by requiring users to accept the updated Terms of Service. In case of refusal, therefore, the Facebook and Instagram services, including the provision of personalized services and behavioral advertising, would not have been accessible to users.

The complainants, therefore, denounced a breach of the GDPR to the extent that Meta Ireland, by using the contractual legal basis and subordinating the provision of its services on acceptance of the updated Terms of Service, ‘forced’ users to consent to the processing of their personal data also for behavioral advertising and other personalized services.

At the outcome of the inquiry, the Irish Authority found that Meta Ireland had breached its transparency obligations towards users and, therefore, Articles 12 and 13(1)(c) of the GDPR. The Authority also has considered that Meta Ireland’s processing violated Article 5(1)(a) of the GDPR, according to which personal data must be processed lawfully, fairly and in a transparent manner towards the data subject. The Authority clarified, however, that Meta Ireland would not in any event be required to base processing operations on consent and that, in principle, the GDPR would not preclude it from using the legal basis of contract.

Given the relevance of the topic, the drafts of these decisions were discussed with the European Concerned Supervisory Authorities of a similar level and then, considering the objections raised by some of the Supervisory Authorities concerned, they were submitted to the European Data Protection Board, as provided for in Article 65 of the GDPR. On 5 December 2022, the Board confirmed the position of the Irish Data Protection Authority in relation to Meta Ireland’s breach of its transparency obligations and included the further breach of the principle of fairness and an indication to the Irish Authority to increase the amount of the proposed sanctions.

With regard to the profile of the legal basis, the EDPB, taking a different position from that of the Irish Authority, found that, in principle, Meta Ireland could not resort to the contractual legal basis in order to be able to process users’ data for the purposes of behavioral advertising in the context of its Facebook and Instagram services and that, therefore, the processing of personal data of data subjects carried out on the basis of the contract was in breach of Article 6 of the GDPR.

The final decisions were adopted by the Irish Authority on 31 December 2022, considering the binding determinations of the EDPB. Meta Ireland will, therefore, have to conform its user personal data processing operations in line with the GDPR within a period of three months.

The EDPB also requested the Irish Authority to conduct a fresh investigation, including all processing operations carried out by Facebook and Instagram, and to examine the special categories of personal data that may or may not be processed in the context of those operations.