We first circulated this note on 06 January 2023 and have updated it as more information has come to light and to provide an update on the WhatsApp fine.
On 04 January 2023, the data protection authority in Ireland, the Data Protection Commission (DPC), announced two new fines for Meta for GDPR breaches – €210m for its Facebook operation and €180m for Instagram. In common with other enforcement action, the DPC also ordered Meta to change its data protection practices within three months. Those changes may have a more lasting effect on Meta than the fines. The two fines come in at fifth and sixth places respectively in the list of the largest GDPR fines of all time – Meta also occupies places 2, 3 and 4.
These fines and the fines in France this week (see https://www.corderycompliance.com/ea-cookies-01/) bring reported GDPR fines to date to more than €2.5bn.
These investigations have implications much wider than Big Tech. Some argue that these cases will see the end of online behavioural advertising. The aftermath of these cases is also likely to have a significant effect on GDPR’s One-Stop-Shop mechanism.
There are some GDPR specific terms used in this alert which are explained at www.bit.ly/gdprwords
What is this about?
The complaints date back to 25 May 2018, the date on which GDPR came into operation. The complaints were backed by Max Schrems and his pressure group NOYB. Mr. Schrems has had a long-running dispute with Meta (then known as Facebook) which led to the annulment of both the Safe Harbor and Privacy Shield schemes. There’s some background to those fights here https://www.corderycompliance.com/ecj-rules-scc-valid-not-ps/.
The investigation relates to Meta’s Terms of Service for its Facebook and Instagram services. Essentially, Meta changed the legal basis on which it processes personal data from consent to the performance of a contract between the user and Meta. Users who wanted to continue to have access to Facebook and Instagram following the introduction of GDPR had to accept the new Terms of Service.
Meta said that this was then effectively a contract between it and its users, and that the contract of necessity included Meta providing personalised services and behavioural advertising – essentially it argued that the advertising paid for the service.
The complainants said that Meta was in fact still relying on consent and that since this was forced consent it wasn’t valid under GDPR.
What did the DPC decide?
The DPC found that Meta had not complied with its transparency obligations under GDPR. As we’ve said before the transparency requirement in GDPR has been a feature of most of the big GDPR cases and obliges an organisation to set out clearly, honestly and fairly how data will be processed.
The DPC decided however that the forced consent complaint could not be upheld. It also decided that in principle Meta could rely on the contractual legal basis.
What happened next?
Since the case didn’t just concern Irish residents (in fact the complainants were based in Austria and Belgium), other DPAs across the EU were consulted on the DPC’s draft findings. They agreed with the DPC on transparency, but some DPAs disagreed on the use of the contractual legal basis. Some also felt that ‘necessity’ under GDPR was a high bar which Meta had not met, as tailored advertising was not necessary for Meta to provide its service. As the DPC wouldn’t concede, the EDPB dispute resolution mechanism kicked in. The EDPB issued its determinations on 5 December 2022 and, whilst it rejected some of the objections, it found against the DPC on the contractual legal basis point.
The EDPB also concluded that the proposed fines should be increased. The DPC’s draft decisions had proposed maximum fines of €36m for Facebook and €23m for Instagram, so the final figures are nearly six times the planned fine for Facebook and almost eight times the planned fine for Instagram. These are clearly significant increases, which the EDPB has said were necessary “to fulfil the requirement of being effective, proportionate and dissuasive.”
The DPC adopted final decisions on 31 December 2022 reflecting the EDPB’s decision.
The DPC’s requirement that Meta Ireland must bring its processing operations into compliance with the GDPR within a period of 3 months has been retained.
What has Meta said?
Meta has a track record of appealing previous decisions against it. We’ve talked about previous Meta cases here https://www.corderycompliance.com/ireland-fines-meta-dp/. Meta says that it is appealing both the substance of the rulings and the fines. It also said in a statement on 04 January:
“These decisions do not prevent personalised advertising on our platform. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.”
What has Mr Schrems said?
Mr Schrems has said that he thinks that the decisions are a “huge blow” for Meta. He also says that he understands from the DPC that a third inquiry, relating to WhatsApp and also responding to an NOYB complaint, will lead to a decision in mid-January.
Mr Schrems has said that the case will have a severe impact on Meta’s profits, a claim which Meta seems to deny. Mr Schrems says that the effect of the decision is that Meta must allow users to have a version of all of its apps but without using personal data for its ads within three months. Again, this seems to be a claim that Meta deny and as a general rule enforcement would seem to be unlikely from the DPC if a formal appeal is lodged.
A Brewing Storm between the EDPB and DPC?
The DPC’s announcement of the fine also shows us that there is a brewing storm between the EDPB and the DPC. Effectively, the EDPB tried to direct the DPC to do a sort of audit of Meta and its data protection practices including its processing of special category data (also known as sensitive personal data).
The DPC says that this is ultra vires, i.e. something outside the EDPB’s powers. The DPC says that it is an independent enforcement authority and that the EDPB is trying to interfere with its independence. The DPC said:
“To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.”
Whether proceedings will in fact be issued by the DPC against the EDPB remains to be seen. It would seem however that this is not just a fight between the EDPB and the DPC. DPAs from Austria, Germany, France, Italy, the Netherlands, Norway, Poland, Portugal and Sweden all raised formal objections against the DPC decision.
What may be even more awkward in the meantime however is how this relates to Meta’s planned appeal. In the past Meta has appealed to both the Irish and EU courts. Since the fines are imposed by the DPA (in this case, the DPC) and not by the EDPB or EU any appeal will fall to be defended by the DPC. The DPC may well be put in the position of seeking to defend the EDPB’s decision which overturned the provisional decision of the DPC.
There’s also a hint at a possible Meta litigation strategy in some filings in a different Meta case. Meta is currently appealing an earlier fine from the DPC, which was also imposed after EDPB intervention. There are details of that €405m fine here https://www.corderycompliance.com/ireland-fines-meta-dp/. In documents related to that action, Meta has challenged the EDPB’s role. It says that the EDPB acted outside of the powers given to it by GDPR Art. 65 and that the EDPB process was effectively not fair, as Meta was not given an opportunity to be heard in those proceedings and as a result the EDPB did not conduct a “comprehensive, fair and impartial assessment.” So it could be that, as well as opening up an appeal in Ireland, Meta could again seek to challenge the EDPB’s role at the EU General Court.
There’s also a further potential area of conflict ahead. The EDPB has adopted a separate binding decision in relation to a third Meta property, WhatsApp, which may increase the problems for Meta and could be a further source of conflict between the DPC, the EDPB and other DPAs. On 19 January 2023 the DPC announced that it had fined Meta an additional €5.5m for GDPR issues at WhatsApp. This fine is in addition to a €225m fine for WhatsApp in 2021 (see here https://www.corderycompliance.com/whatsapp-fined-by-irish-dpa/). Meta was given 6 months to improve compliance at WhatsApp, and the DPC also seemed to pass the ball to the Hamburg DPA to deal with other issues.
This is likely to get very messy indeed. Already Mr. Schrems has complained to the EDPB about the DPC’s behaviour and it is likely that the spotlight will be on the DPC and its relationship with the EDPB and other DPAs in any future court hearing.
Clearly this case will run on and will take some time to unravel. In the meantime organisations can consider a number of practical steps:
- Make sure that you are transparent about how you handle personal data. As we’ve said almost all of the large GDPR fines feature transparency. Be open, honest and clear.
- Look at your legal basis for processing data. It would seem that the contractual basis is narrow and we know that legitimate interests is narrow too. For many consent isn’t a viable option. Think carefully about how you will legitimise your use of data, especially if you’re using data for advertising purposes or allowing someone else to do that.
- Look carefully at any argument based on necessity. The word ‘necessity’ appears 122 times in GDPR. It is likely to be interpreted narrowly and anyone relying on necessity is likely to bear the burden of proof. Necessity will require more than convenience, or the processing simply being the route the organisation relying on it would prefer.
- Whilst some of the claims that online advertising is now dead would seem to be exaggerated, it would be wise for anyone advertising on Meta platforms to do proper due diligence and to make sure that it can lawfully use any personal data from Meta platforms. That applies whether it obtains that data directly or through an ad broker, and even if the data is only used to enrich ads within a platform rather than being assimilated into the company’s own systems.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
You can listen to Cordery’s Jonathan Armstrong discussing the case with Tom Fox here https://www.corderycompliance.com/life-with-gdpr-meta-fines-01/.
The DPC’s announcements are here https://dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland & https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-inquiry-whatsapp
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785