Ireland: DPC imposes €390M fine on Meta for unlawful processing and breach of transparency obligations
The Data Protection Commission ('DPC') announced, on 4 January 2023, that it had issued, on 31 December 2022, two decisions in which it fined Meta Platforms Ireland Limited a total of €390 million for breaches of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') relating to its Facebook (€210 million) and Instagram (€180 million) services.
Background to the case
In particular, the DPC highlighted that the inquiry stemmed from two separate complaints made by EU data subjects regarding Facebook and Instagram services. More specifically, the DPC explained that prior to the entry into effect of the GDPR, on 25 May 2018, Meta Ireland had changed its Terms of Service for both services, amending the legal basis for processing users' personal data, from consent to performance of contract, for most of its processing operations.
To this end, the DPC explained that the complainants contended that, contrary to Meta Ireland's stated position, Meta Ireland was relying on consent as a lawful basis, arguing that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was requiring users to consent to the processing of their personal data for behavioural advertising and other personalised services, in breach of the GDPR.
Findings of the DPC
Following its investigation, the DPC found that Meta Ireland breached its transparency obligations under the GDPR. On this point, the DPC noted that the information provided about the legal basis relied on by Meta Ireland was not clearly outlined to users, resulting in insufficient clarity as to what processing operations were being carried out on the personal data, for what purpose(s), and the specific legal basis being relied upon. Moreover, the DPC outlined that the lack of transparency on such important matters breached Articles 12 and 13(1)(c) of the GDPR, noting that this also amounted to a breach of Article 5(1)(a) of the GDPR.
In relation to legal basis, however, the DPC found initially that Facebook and Instagram services include, and are premised on, the provision of a personalised service that includes personalised or behavioural advertising. Therefore, the DPC found that this understanding between users and their chosen service provider forms part of the contract concluded at the point at which users accept the Terms of Service. Nonetheless, as no consensus was reached during the consultation process, the matter was referred to the Concerned Supervisory Authorities and European Data Protection Board ('EDPB').
On 5 December 2022, the EDPB issued a determination, in relation to which the DPC noted that the EDPB had upheld the DPC's finding in relation to a breach of transparency requirements, but had taken a different approach with regard to the legal basis adopted by Meta Ireland, finding that it was not entitled to rely on the 'contract' legal basis for its processing of personal data for the purpose of behavioural advertising. As a result, the DPC adopted its final decision on 31 December 2022, bringing it into line with the EDPB's findings that Meta Ireland is not entitled to rely on the 'contract' legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of data in such a manner is an infringement of Article 6 of the GDPR.
In light of the above, the DPC increased the fine amount to a total of €390 million for breaches of the GDPR relating to its Facebook (€210 million) and Instagram (€180 million) services. In addition, the DPC also noted that Meta Ireland must bring its processing operations into compliance with the GDPR within a period of three months.
Notably, the DPC commented that, while the EDPB requested it conduct a new investigation into Facebook and Instagram's data processing operations, this would not be in line with the structure of the cooperation and consistency arrangements laid down by the GDPR. Further, the DPC stated that it would consider bringing an action of annulment regarding directions issued in this context.
UPDATE (6 January 2023)
Datatilsynet welcomes DPC's decision to fine Meta
The Norwegian data protection authority ('Datatilsynet') issued, on 5 January 2023, a statement on the DPC's decision to fine Meta €390 million. In particular, the Datatilsynet welcomed the decision and outlined that Meta announced its intention to appeal the decision before Irish courts. Further to this, the Datatilsynet noted that it will probably take several years before the case is finally settled and therefore, it is unlikely that users will see any change on Facebook or Instagram anytime soon.
Moreover, the Datatilsynet pointed out that if the DPC's decision is eventually upheld, Meta will most likely have to make changes to its business model.
You can read the statement, only available in Norwegian, here.