Background

Prior to the introduction of the General Data Protection Regulation (‘GDPR’) on 25th May 2018, Meta changed the legal basis on which it was processing users’ data in its Terms of Services for its Facebook and Instagram users. Previously Meta relied on the consent of its users, but they now sought to rely upon contractual as the legal basis for the majority of its processing operations. All users were asked to select ‘I accept’ to indicate their acceptance of the updated Terms of Service however if users declined, they would no longer be able to access the services.

According to Meta, by selecting ‘I accept’ this created a contract between it and the user. Meta thereby contended that the processing of users’ data for the delivery of its Facebook and Instagram services was necessary for the performance of the contract and this included the provision of personalised services and behavioural advertising. However, objections by an Austrian data subject and a Belgian data subject were raised arguing that by restricting the accessibility to the services resulted in ‘forcing’ the user to consent to the processing of their personal data for behavioural advertising and other personalised services and that this was in breach of the GDPR.

Findings

Draft decisions were prepared by the DPC in which it found against Meta on a lack of transparency, however, the DPC also noted that Meta was not required to rely on consent and in principle, the GDPR did not preclude Meta’s reliance on the contract as a legal basis for processing.

When this draft decision was circulated with other EU privacy regulators, several of them objected to the Irish DPC’s “contract” position.

The matter was referred to the European Data Protection Board (‘EDPB’), which agreed that “contract” could not be relied on as means of personal data procession legitimacy in this case.

Accordingly, the DPC’s final decisions include findings that Meta is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.

WhatsApp

On 19th January 2023, the DPC fined WhatsApp Ireland Limited (‘WhatsApp’), also owned by Meta, €5.5m for breaches of the GDPR similar to its sister companies Facebook and Instagram in trying to unlawfully force users to accept changes to its terms of service. WhatsApp has also been directed to bring its data processing operations into compliance.

The combined nearly €400 million fine brings to more than €1.3 billion the total amount of financial penalties the DPC has levied against Meta and its platforms in the last 16 months. The DPC also has a further 10 separate inquiries still open into Meta and its services.

For further details on the DPC’s decision, please go to the following link:

Data Protection Commission announces conclusion of two inquiries into Meta Ireland | 04/01/2023 | Data Protection Commission

Data Protection Commission announces conclusion of inquiry into WhatsApp | 19/01/2023 | Data Protection Commission

For information about RegSol’s Data Protection training courses, please see our training timetable below or, if you wish to discuss arranging tailored staff training in your firm, please contact us at info@regsol.ie