Facebook parent firm Meta faces fines totalling €390m (£345m) after European regulators found it had been unlawfully processing customers’ personal data to deliver targeted advertising on its Facebook and Instagram social media sites since 2018.
Ireland’s Data Protection Commission has given the company three months to comply with Europe’s data protection laws after regulators found that Meta’s reliance on a “contract” with its users to deliver personalised advertising breached Europe’s General Data Protection Regulation (GDPR).
The decision follows complaints from Noyb, the campaigning group run by Austrian lawyer Max Schrems, which argued Meta had tried to “bypass” the consent requirements of GDPR by making consent a part of its terms and conditions.
“This is a huge blow to Meta’s profits in the EU,” he said.
Meta faces fines of €210m for breaches by Facebook and €180m for breaches by Instagram. A third complaint against WhatsApp is expected to lead to further fines this month.
Facebook said in a statement that it “strongly disagreed” with the DPC’s decision, and planned to appeal the contents of the rulings and the fines.
“We believe we are fully compliant with GDPR by relying on Contractual Necessity for behaviour ads given the nature of our services,” it said.
European Data Protection Board intervened
Ireland’s DPC was forced to take action against Meta after the European Data Protection Board (EDPB) overturned the DPC’s finding that Meta’s reliance on Contractual Necessity to process personal data in Europe is compatible with GDPR.
In a binding decision on 5 December 2022, the EDPB found that Meta’s use of a contract as a legal basis for processing data was in breach of Article 6 of the GDPR, which requires data to be lawfully processed.
The DPC was required to substantially increase its proposed fines against Facebook and Meta to reflect the more serious nature of the breaches identified by the EDPB.
Meta Ireland changed its terms of service when the GDPR came into force on 25 May 2018, to allow it to rely on a contract with its users to deliver personalised services and advertising as a legal basis for processing their data under GDPR.
Facebook and Instagram were required to press “I accept” to agree to the new terms if they wanted to access Facebook and Instagram, according to a statement by the DPC.
Noyb filed complaints on the same day, accusing Facebook and Instagram of trying to “bypass” the consent requirements of GDPR.
According to the complaints, Meta argued that targeted advertisements were part of the service it contractually owes users.
This went beyond the narrow way that Contractual Necessity is normally understood, as well as what was strictly necessary to provide services to users, according to the complaints.
The complaints argued that Meta was “forcing” users to consent to the processing of their data by making accessibility of its services conditional on accepting Facebook and Instagram’s terms.
“Instead of having a ‘yes/no’ option for personalised ads, they just moved the consent clause into the terms and conditions. This is not just unfair but clearly illegal,” said Schrems in a statement.
“We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way,” he added.
Meta failed obligation to be transparent
A draft decision by the DPC found that Meta had failed its obligation to be transparent with its customers about how it processed their data, the purpose of processing their data, and what the legal basis for processing data was.
The DPC concluded, however, that GDPR did not preclude Meta Ireland’s reliance on a contract as a legal basis for processing users’ data, and did not require Meta to rely on users’ consent.
Facebook and Instagram services include providing personalised services and personalised advertising to users, Meta said.
“In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service,” it said in a statement.
Other EU regulators, known as Concerned Supervisory Authorities (CSA), reviewed the DPC’s draft decision as part of the adjudication process.
They agreed with the DPC that Meta had failed to meet its obligations of transparency, but were unable to reach an agreement with the DPC on the validity of Meta’s contract.
A total of 10 CSAs argued that Meta should not be allowed to use a contract as a legal basis for processing data on the grounds that the delivery of personalised advertising could not be “said to be necessary” to fulfil Facebook’s contract with its users.
Following the consultation process, the DPC referred the disputed points to the EDPB for a final decision.
The board found that as a matter of principle, Meta Ireland was not entitled to rely on its contract with users as a lawful legal basis for processing personal data for behaviour advertising.
In its decision on 5 December 2022, the EDPB agreed that Meta Ireland had failed its transparency obligations, and found that in addition it had breached the principle of fairness in processing its customers’ data.
DPC disputes EDPB order to investigate Facebook and Instagram
The DPC said it would challenge a further direction from the EDPB to require it to conduct a fresh investigation into Facebook and Instagram’s data processing operations, focusing on special categories of data.
The DPC argues that the EDPB does not have the authority to direct national data protection regulators to engage in what it calls an “open-ended and speculative” investigation.
“The direction is … problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by GDPR,” it said.
The DPC said it would bring an action for annulment of the EDPB’s direction to launch further investigations into Meta at the European Court of Justice.
DPC ‘cooperated’ with Meta
Schrems said the DPC and Meta had cooperated with Meta, through a series of 10 confidential meetings, to allow it to use a contract with its users to “bypass” GDPR.
Documents obtained by Noyb under Freedom of Information show that the DPC also attempted to introduce the use of “freedom to contract” provisions in proposed EDPB guidelines that would have benefited Facebook.
These proposals, made by the DPC, after receiving the complaint from Noyb against Meta, were rejected by other data protection authorities.
Following the DPC’s decision, Meta must now allow users to have versions of Facebook and Instagram that do not use personal data within three months, said Schrems.
The decision will still allow Meta to use non-personal data, such as the content of a story read by a user to personalise ads, or to give users a “yes/no” option to consent to advertising, he said.
Meta to appeal
Meta said in a statement that it intends to appeal the DPC’s rulings and the fines.
The company said it would be assessing a variety of options that would allow it to continue to offer fully personalised services to users.
It added that suggestions by Schrems and others that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement had first been sought were incorrect.
A Meta spokesman said: “These decisions do not prevent targeted or personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising.”
The company said in a statement that there had been a lack of regulatory clarity and debate among regulators and policy makers over the legal basis for sharing data for some time, and that cases underway in the EU courts may reach different verdicts.
“Given that regulators themselves disagreed with each other on the issue up until the final stages of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date,” it said.
“We believe we fully comply with GDPR by relying on Contractual Necessity for behaviour ads given the nature of our services. As a result, we will appeal the substance of the decision,” it added.
Data protection lawyer Dai Davis said it was not certain that Meta would win an appeal.
The first question for a court is whether Meta can show it has a contract with users. “They either have a contractual agreement which says, ‘We obligate ourselves to send you advertising that we believe from an analysis on your activity on Facebook will be of interest to you’, or they don’t,” he said.
The contract must also be fair and transparent. “You have to make clear what the obligations are that you are processing the data for, and that it’s transparent to the user that you are collecting data to comply with the contract,” said Davis.
If Meta is giving itself the freedom to change its contract with users whenever it wants, that also raises questions about whether the contract is legally binding.
Eddie Powell, partner and regulatory lawyer at law firm Fladgate, said that decision was “very bad news for Meta”. “The DPC was overruled by the EU, which determined that Meta’s practice of forcing users to accept personalised ads as part of the Facebook or Instagram service contract was an additional breach of GDPR,” he said. “As a result, the DPC has increased its fine against Meta to €390m.”
“The order that Facebook and Instagram users cannot be forced to accept their data being used to serve personalised ads must massively reduce the platforms’ attractiveness to advertisers,” he said. “Too many users are likely, if given a choice, to decline personalised ads.”
Meta, however, said in a statement that it had a variety of options to lawfully process users’ data other than asking for consent. “These decisions do not prevent targeted or personalised advertising on our platform,” it said.