Meta Fined By Data Protection Commission: New Decision Highlights Requirements To Comply With EU Data Laws
On January 4, 2023, Ireland’s Data Protection Commission (DPC) announced two separate findings of violations of the General Data Protection Regulation (GDPR) by Meta Platforms Ireland Limited (Meta Ireland). Meta Ireland is a subsidiary of Meta Platforms, Inc., the owner of Facebook, Instagram, and WhatsApp. The violations were found by the DPC in connection with Meta Ireland’s provision of Facebook and Instagram services in Ireland. The GDPR violations relating to Facebook have resulted in fines totaling €210 million, while the violations concerning Instagram total €180 million. In issuing these fines, the DPC has highlighted considerations that should be top of mind for entities doing business in the EU:
What does GDPR require?
Under Article 6 of GDPR, processing of data subjects’ personal data is only permitted to occur pursuant to certain legal bases. In total, GDPR provides six general bases that can serve as a legal justification for processing a data subject’s personal data: (1) data subject consent for a purpose; (2) necessity for the performance of a contract to which the data subject is a party; (3) necessity for the controller’s (i.e., the business’s) compliance with a legal obligation; (4) necessity to protect the vital interests of a natural person; (5) necessity for the public interest; or (6) necessity for the legitimate interests of the relevant entity. As a general principle, entities that are subject to GDPR must not handle, collect, or otherwise process any EU resident’s personal data without justifying such processing through one or more of the foregoing legal bases.
Additionally, Articles 12 and 13 of GDPR carry requirements that the controller be sufficiently transparent in outlining information related to the processing of personal data. Specifically, communications to data subjects regarding processing must be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”
Why did the DPC find that Meta Ireland violated GDPR?
Meta Ireland’s Facebook and Instagram operations relied, in part, upon the “contractual necessity” legal basis for certain processing activities conducted by the two social media websites. Effectively, Facebook and Instagram’s Terms of Service agreements set out that data subjects were permitting Facebook and Instagram to collect usage data from them in order to provide personalized advertisements to them. By using the websites, data subjects were executing a contract, where such contract gave Meta Ireland the right to use personal data to provide targeted advertisements. Neither Facebook nor Instagram provided the option for data subjects to opt out of such processing of their personal data; the only way for a data subject to bar such collection of their personal data was to not engage with Meta Ireland’s websites. Because data subjects had no meaningful choice to opt out of Meta Ireland’s processing of personal data for targeted advertising, the DPC found that this practice was a “contravention of . . . the GDPR.” This is largely in line with Recital 43 of GDPR concerning consent, which sets out that data subject consent must be freely given, and consent may not be found in certain situations where there is a “clear imbalance” between the data subject and controller.
Additionally, the DPC found that Meta Ireland violated GDPR’s obligations of transparency. Neither Facebook nor Instagram’s disclosures concerning their privacy practices made clear which legal bases they were relying upon for legal justification of their processing of personal data. Some disclosures gave the impression that Meta Ireland was relying upon data subject consent, while others gave the impression that Meta Ireland was relying upon the “contractual necessity” legal basis.
Moving forward, how should businesses take steps to ensure compliance with GDPR?
The DPC’s decisions in these cases may have wide-reaching consequences for GDPR entities. As your business continues to maintain and update its data privacy compliance policies and procedures, consider taking the following actions:
- Require an affirmative action to establish data subject consent or to establish an effective contractual obligation or right.
  - Meta Ireland did not require an affirmative action from data subjects to confirm Meta Ireland’s right to process personal data for the purpose of showing personalized advertising, instead just including such right in its Terms of Service agreements. By using a separate, affirmative “I Agree” button for this right, controllers can more effectively argue that data subjects genuinely consent to this contractual term and desire personalized ads.
- Consider allowing data subjects to opt out of certain types of processing.
  - By compartmentalizing its processing activities, a business could build a framework that allows data subjects to opt out of and opt in to certain types of processing. Although certain processing is inevitably necessary for the provision of services or goods, businesses should consider permitting data subjects to opt out of extraneous processing activities.
- Clearly disclose the legal bases for processing that your business is relying upon.
  - Any legal bases that your business relies upon for processing personal data should be clearly articulated in easily accessible documentation. Data subjects should have a clear understanding of why, how, and under what justifications their personal data is being processed.
Are you subject to GDPR? Contact a member of McGrath North’s Privacy & Cybersecurity team to ensure that your compliance framework is up-to-date and that your business is poised to address new developments in the privacy landscape.