Ireland’s data watchdog has fined Facebook’s parent company Meta Ireland 390m euros over a debate over whether further investigation of people’s use of their data is necessary.
Meta Ireland was fined 210 million euros for violating EU data privacy rules regarding Facebook and 180 million euros for violating Instagram.
Meta said it was “disappointed” by the decision and plans to appeal “both the substance of the decisions and the fines”.
The Irish Data Protection Commission (DPC) will seek a court order to avoid a “problematic” order from the European Data Protection Board to further investigate Facebook and Instagram’s data processing operations, saying it could be “over-access”.
This came after a dispute between the Irish watchdog and the EU data authority over the level of fines imposed on Meta Ireland over the lack of transparency over how user data will be processed and whether a contract was made between users and the company to allow it. data to be used for personalized advertisements.
The two complainants claimed that Meta Ireland “forced” their personal data to be used for behavioral advertising and other services by making the use of their social media conditional on accepting their terms of service.
Complainants argued that this violated the General Data Protection Regulation (GDPR).
By accepting the updated terms of service, Meta Ireland argued that a contract has been made between it and the user and that the processing of users’ data for Facebook and Instagram services is necessary for the fulfillment of this contract.
The complainants argued that contrary to Meta Ireland’s position, Meta Ireland still wishes to rely on consent to provide a legal basis for its processing of user data.
DPC’s draft rulings found Meta Ireland to violate GDPR that users’ personal data must be processed “lawfully, fairly and transparently” and said users had “insufficient clarity about what processing took place”. personal data”.
However, it also found that the “compulsory consent” aspect of the complaints “cannot be maintained” and that GDPR “does not prevent” Meta Ireland from being based on a “contract” legal basis.
Draft resolutions have been submitted to peer regulators in the EU, also known as the Relevant Supervisory Authorities (CSA).
When asked if Meta Ireland had breached its transparency obligations, the CSAs agreed with the DPC’s decisions but said the fines recommended by the DPC should be increased.
47 from the CSA said Meta Ireland should not be allowed to rely on contract as a legal basis because personalized advertising is not necessary to fulfill the essential elements of a much more limited form of contract.
“DPC disagreed, reflecting the view that Facebook and Instagram services include and indeed are based on the provision of a personalized service that includes personalized or behavioral advertising,” the DPC said.
“Actually, these are personalized services, including personalized ads.
“In DPC’s view, this reality is at the heart of the negotiation between users and their chosen service provider and forms part of the contract signed at the point where users accept the terms of service.”
The matter was referred to the EDPB, which on 31 December held that Meta Ireland had no contractual right to rely on it as it provided a legal basis to process personal data for behavioral advertising.
Accordingly, DPC’s decisions include findings regarding Meta Ireland’s lack of ‘contract’ legal basis in connection with the provision of behavioral advertisements as part of the Facebook and Instagram services and its processing of user data to date. allegedly based on a ‘contract’ legal basis constitutes a violation of Article 6 GDPR,” said the DPC.
Meta Ireland was directed to harmonize its data processing operations within three months.
A Meta spokesperson said in a statement that he “strongly believes” his approach “respects GDPR” and plans to appeal the decision.
“These decisions do not prevent targeted or personalized advertising on our platform,” he said. “Decisions are solely based on Meta’s legal basis for serving certain ads. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.
“There is a lack of regulatory clarity on this issue, and the debate between regulators and policy makers on which legal basis is most appropriate in a given situation has been going on for some time.
“Therefore, we strongly disagree with DPC’s final decision and believe that we fully comply with GDPR, relying on the contractual requirement for behavioral advertising due to the nature of our services. As a result, we will challenge the substance of the decision.”
The Data Protection Commission also said it plans to take legal action to revoke an EDPB mandate to further scrutinize data processing on Instagram and Facebook.
Separately, the EDPB also alleged to direct the DPC to conduct a new investigation that would cover all data processing operations of Facebook and Instagram and examine specific categories of personal data that may or may not be processed in this context. these transactions.
“The DPC’s decisions do not naturally refer to new investigations into all Facebook and Instagram data processing operations that the EDPB manages in its binding decisions.
“The EDPB does not have a general supervisory role similar to national courts for national independent authorities and it is not possible for the EDPB to instruct and direct an authority to conduct open-ended and speculative investigations.
“The routing is problematic from a jurisdictional point of view and does not appear to be consistent with the nature of the collaboration and consistency regulations set by GDPR.
“To the extent that the diversion may involve the EDPB overdoing it, the DPC considers it appropriate to file an action for annulment with the EU Court of Justice to seek the annulment of the EDPB’s guidelines. ”