EDPB comments on DPC decisions in Facebook and Instagram cases

January 12, 2023

As we reported last week, the Irish Data Protection Commission adopted its decisions regarding complaints about Facebook and Instagram. The decisions concerned the lawfulness and transparency of processing for behavioural advertising.

The EDPB says that the DPC decisions incorporate the legal assessment expressed by the EDPB in its binding decisions of 5 December 2022. Those binding decisions were adopted under Article 65(1)(a) GDPR, after the DPC triggered two dispute resolution procedures concerning the objections raised by other regulators. The objections concerned the legal basis for processing under Article 6 GDPR, data protection principles under Article 5 GDPR and the use of corrective measures including fines.

The EDPB decided that Meta inappropriately relied on contract as a legal basis to process personal data in the context of Facebook’s Terms of Service and Instagram’s Terms of Use for behavioural advertising, as this was not a core element of the services. The EDPB found in both cases that Meta lacked a legal basis for this processing and therefore unlawfully processed the personal data. Consequently, the EDPB instructed the DPC to include an infringement of Article 6(1) GDPR in its decision.

The EDPB also instructed the DPC to include, in its final decisions, an order for Meta to bring its processing of personal data for behavioural advertising in the context of the Facebook and Instagram services into compliance with Article 6(1) GDPR within three months.

In addition, the EDPB examined whether the complaints had been addressed with due diligence. The complainant had raised the fact that sensitive data is processed by Meta. However, the DPC did not assess processing of sensitive data and so the EDPB did not have sufficient factual evidence to enable it to make findings on any possible infringement of the controller’s obligations under Article 9 GDPR. As a result, the EDPB disagreed with the DPC’s proposed conclusion that Meta is not legally obliged to rely on consent to carry out the processing activities involved in the delivery of its Facebook and Instagram services, as this could not be categorically concluded without further investigations. Therefore, the EDPB decided that the DPC must carry out a new investigation (the DPC has rejected the idea that the EDPB can require this).

In addition, the EDPB instructed the DPC to include in both final decisions a finding of infringement of the principle of fairness and to adopt the appropriate corrective measures. The EDPB noted that the grave breaches of transparency obligations affected the reasonable expectations of the users, that Meta had presented its services to users in a misleading manner, and that the relationship between Meta and users was imbalanced.

The EDPB said that the DPC should impose an administrative fine for the additional infringements of Article 6(1) GDPR (lack of legal basis for the processing of personal data) and issue significantly higher fines for the transparency infringements identified. The EDPB found that the DPC fines did not fulfil the requirement of being effective, proportionate, and dissuasive. Therefore, the DPC significantly increased the fines in its final decisions (from a maximum of €36 and €23 million for Facebook and Instagram, to €210 million and €180 million).

The EDPB also adopted another binding decision in December 2022 about an inquiry relating to WhatsApp Ireland Limited. The DPC has yet to adopt its final decision in that case.