EDPB - Binding Decision 3/2022 - 'Meta (Facebook)'

From GDPRhub
Revision as of 16:13, 18 January 2023 by Lr (talk | contribs) (changing logo)
EDPS - Meta Platforms Ireland Limited (Facebook) - Decision 3/2022
LogoEDPB.png
Authority: EDPS
Jurisdiction: European Union
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 56 GDPR
Article 58 GDPR
Article 60 GDPR
Article 65 GDPR
Article 77 GDPR
Article 79 GDPR
Article 83 GDPR
Type: Other
Outcome: n/a
Started: 25.07.2022
Decided: 05.12.2022
Published: 11.01.2023
Fine: n/a
Parties: Austrian Facebook user (represented by noyb - European Centre for Digital Rights)
Meta Platforms Ireland Limited (Facebook)
National Case Number/Name: Meta Platforms Ireland Limited (Facebook) - Decision 3/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: noyb website (in EN)
Initial Contributor: LR

Following a referral under the Article 60 GDPR procedure, the EDPB issued a binding decision finding Meta IE’s processing of personal data for behavioural advertising to be unlawful.

English Summary

Facts

In order to access Facebook, an online social network and media platform operated in the EU by “Meta IE”, a prospective user had to create a Facebook account and was required to accept a series of terms and conditions (the “Terms of Service”) and a privacy policy. In accordance with the GDPR, Facebook was obliged to have a lawful basis for the processing of any personal data they undertook. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to the purposes of any data processing and the legal basis for such processing. To continue to access the Facebook platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Facebook account. An Austrian Facebook user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Facebook platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Austrian DPA (DSB), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”. Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives. Secondly, the use of the Facebook service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the data controller seeks to rely is invalid. Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing. Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction. The Austrian DPA (DSB) referred the case to the Irish DPA (DPC) under article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR. Following the circulation of the DPC’s Preliminary Draft Decision, Meta IE responded to the complainant’s assertions. Meta IE submitted, among other points, that it “…did not request or require the data subject’s consent to processing described in the Data Policy, nor did it seek the data subject’s consent to the processing described in, or otherwise performed for the purposes of, the Terms of Service, and as a consequence that the data subject did not in fact consent in this manner.” (Facebook Submissions on Preliminary Draft Decision, paragraph 1.7(B). See also paragraph 3.1)

On 6 October 2021, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, FI, FR, IT, NL, NO, PL, PT, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 25 July 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.

Holding

Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. The EDPB identified five issues in the case at hand, addressing each one in turn before issuing the Binding Decision. Please note: When describing Issues 1-3, it is necessary to explain the proposals in the Irish DPA’s Draft Decision, in order to provide the context for the EDPB decision.

Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis/Unlawful Data Processing This issue concerns whether Meta IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”. In its Draft Decision, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “the core functions of the contract must be assessed in order to determine what processing is objectively necessary”. However, the DPC added that “necessity is to be determined by reference to the particular contract” (4.31) and “it is not for an authority such as the [DPC], tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible” (4.48). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “the nature of the services provided and agreed upon by the parties” (4.53). The DPC observed that “it seems that the core of the Facebook model… is an advertising model” (4.42) and “proposed to conclude that Facebook may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data” (4.53). Nine DPAs objected to this proposed conclusion from the DPC, and the matter was referred to the EDPB. In its binding decision, the EDPB sought to emphasise "the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Facebook service" (96). With regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows: "The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model.” (105) "The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR... Otherwise, the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not" (109) "the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR." (116) Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Facebook. Firstly, "Meta IE promotes... the perception that the main purpose of the Facebook service serves and for which it processes its users' data is to enable them to communicate with others" (117). The EDPB also takes into account Article 21(2) and (3) GDPR, "the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes." Because this right exists, "the processing cannot be necessary to perform a contract [as the] subject has the possibility to opt out from it at any time, and without providing any reason" (122). The EDPB continues, outlining the inherent risk of a finding in the DPC Decision that Meta IE can process personal data on the basis of Article 6(1)(b): “[T]here is a risk that the Draft Decision’s failure to establish Meta IE's infringement of Article 6(1)(b) GDPR, pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject." (130) "As a result, owing to the number of users, market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the complainant and the millions of users of Facebook service in the EEA and affect the protection of hundreds of millions of people covered the GDPR." (131) In light of all of the above, the EDPB directed the following: “behavioural adveritising performed by Meta in the context of the Facebook service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Facebook service and is not an essential or core element of it" (132) "Meta has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data in the context of the Facebook terms of service and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Facebook Terms of Service for the purpose of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (133). Accordingly, the EDPB instructed the DPC to “alter Finding 2 of its Draft Decision, which concludes that Meta IE may rely on Article 6(1)(b) GDPR in the context of its offering of the Facebook Terms of Service, and to include an infringement of Article 6(1) GDPR” (Para 133).

Issue 2 – On whether the LSA’s Draft Decision includes sufficient analysis and evidence to conclude that Meta IE is not obliged to rely on consent to process the Complainant’s personal data In its Draft Decision, the DPC sought to consider whether clicking the “consent” button constitutes or should be considered consent for the purposes of the GDPR. According to the DPC, this question consists of two parts, firstly, whether Facebook sought to rely on consent as a legal basis at all and, secondly, whether the controller must rely on consent for the purposes of the GDPR. On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “as a matter of fact, Facebook did not rely, or purport to rely, on the Complainant’s consent as a legal basis for the processing of personal data” (3.13). Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasised that “there is no hierarchy of lawful bases that can be used for processing personal data” (3.17) and that no provision of the GDPR requires that the processing of personal data “must necessarily be based on consent” (3.18). However, five DPAs raised objections to this proposed finding by the DPC. In its binding decision, the EDPB stated:

“The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake." (104)

“[The DPC] cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve.” (197) As a result, the EDPB instructed the DPC to remove its proposed finding regarding consent as a basis for lawful processing. The EDPB also decided that the DPC shall carry out a new investigation into Meta IE’s processing operations in its Facebook service to determine if it processes special categories of personal data (Article 9 GDPR), and complies with the relevant obligations under the GDPR (Para 198).

Issue 3 – On the Potential Infringement of the Principle of Fairness During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. The DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Facebook was not afforded the opportunity to be heard in response to a particularised area of wrongdoing” (5.78). The matter was referred to the EDPB, who determined as follows: "the principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too" (220). "the concept of fairness stems from the EU Charter of Fundamental Rights" (221). “Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject… [it] underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (221, 222). "The combination of factors, such as the asymmetry of the information created by Meta IE with regard to Facebook service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages Facebook service users, limits their control over the processing of their personal data and undermines the exercise of their rights” (231). Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (232).

Issue 4 – On the potential additional infringement of the principles of purpose limitation and data minimisation During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision, on account of Meta IE’s failure to comply with the purpose limitation and data minimisation principles. The Italian DPA argued that the DPC should not have confined its assessment to only the purpose of personalised advertising (while Facebook’s services would actually be composed of several processing activities pursuing several purposes). Accordingly, the fact Meta inappropriately based its multifarious processing activities only on Article 6(1)(b) GDPR entails an infringement of the purpose limitation and data minimisation principles (Para 236). Furthermore, “the failure to specify and communicate the purposes of the processing to the data subject creates a risk of artificially expanding the types of processing or the categories or personal data considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would nullify the safeguards afforded to data subjects under data protection law” (237). In response, the DPC stated that it did not consider that the Italian DPA’s objection to be relevant or reasoned. In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it related to specific parts of the DPC’s Draft Decision and the DPC could have made a finding of an infringement of the principles of purpose limitation and data minimisation. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “substantial and plausible” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy Article 4(24) GDPR.

Issue 5 – On Corrective Measures Other than Additional Fines In its Draft Decision, the DPC proposed the imposition of an order to bring processing in compliance with Articles 5(1)(a), 12(1) and 13(1) GDPR within three months of the date of notification of any final decision. This concerned the DPC’s finding that Meta had breached its transparency obligations under the GDPR, a conclusion which was not objected to by any DPAs and thus was not referred to the EDPB. However, under the Article 60 GDPR process, a range of objections were made to the proposed order to bring Meta’s processing activities into compliance. These objections proposed: the imposition of corrective measures other than additional fines (see “Issue 6” below and EDPB decision paras 253, 254); a temporary ban on processing (251); measures to remedy the infringement of Article 6(1)(b) GDPR (Para 252); and to delete any unlawfully processed data (255). The EDPB considered the objections raised in accordance with Article 4(24) GDPR, assessing whether they are “relevant” and “reasoned”. The EDPB also considered the need for any corrective measures applied by a supervisory authority to be “appropriate, necessary and proportionate in view of ensuring compliance with the regulation” (Article 58(2) GDPR) (Para 278). Having considered the objections, the EDPB instructed the DPC to include in its final decision an order for Meta IE to bring its data processing for behavioural advertising into compliance with Article 6(1) GDPR within 3 months (288). In addition, the EDPB notes that the order should be modified to reflect the EDPB’s finding that Meta IE is not entitled to rely on Article 6(1)(b) GDPR for this data processing (289). Furthermore, the EDPB instructed the DPC to amend its order regarding transparency obligations to include data processed for the purpose of behavioural advertising, and not just data processed pursuant to Article 6(1)(b) (Para 290).

Issue 6 – On the determination of the administrative fine The EDPB considered the DPC’s assessment of the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine for the infringement of its transparency obligations under the GDPR (Paras 292 – 310). The EDPB also noted the objections raised by five DPAs, requesting a “significantly higher administrative fine with reference to the established infringements” (311). The EDPB found these objections to be relevant and reasoned in accordance with Article 4(24) GDPR and, after conducting its own assessment of the factors under Article 83(2) GDPR, found that the proposed fine “is not effective, proportionate and dissuasive, in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of doing business” (Para 391). Therefore, the EDPB instructed the DPC to “set out a significantly higher fine amount for the transparency infringements identified, in comparison with the upper limit for the administrative fine envisaged in the Draft Decision” (394). Furthermore, following a range of further objections by DPAs to the administrative fine proposed by the DPC, the EDPB instructed the DPC to impose an administrative fine for the additional infringement of Article 6(1) GDPR, and to take into account the additional infringement of the principle of fairness in Article 5(1)(a) GDPR in its adoption of corrective measures.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.