DPC (Ireland) - Meta Platforms Ireland Limited (Facebook) - IN-18-5-5

From GDPRhub
DPC - IN-18-5-5
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 56 GDPR
Article 58 GDPR
Article 60 GDPR
Article 65 GDPR
Article 77 GDPR
Article 79 GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.05.2018
Decided: 31.12.2022
Published: 11.01.2023
Fine: 210,000,000 EUR
Parties: n/a
National Case Number/Name: IN-18-5-5
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): English
Original Source: noyb website (in EN)
Initial Contributor: LR

Following a complaint filed by an Austrian Facebook user, the Irish DPA found Meta IE’s processing of personal data for behavioral advertising to be unlawful, and fined the company €210 million.

English Summary

Facts

In order to access Facebook, an online social network and media platform operated in the EU by “Meta IE”, a prospective user had to create a Facebook account and was required to accept a series of terms and conditions (the “Terms of Service”) and a privacy policy.

In accordance with the GDPR, Facebook was obliged to have a lawful basis for any processing of personal data it undertook. Article 6(1) GDPR sets out the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data were obtained in relation to, among other things, the purposes of any data processing and the legal basis for such processing. To continue to access the Facebook platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Existing users who were not willing to accept the new terms were advised of the option to delete their Facebook account.

An Austrian Facebook user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Facebook platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Austrian DPA (DSB), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.

Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.

Secondly, the use of the Facebook service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the data controller seeks to rely is invalid.

Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to everything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the GDPR’s requirement that consent to processing be “specific”.

Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.

The Austrian DPA (DSB) referred the case to the Irish DPA (DPC) under Article 56 GDPR, in accordance with the procedure outlined in Article 60 GDPR.

Following the circulation of the DPC’s Preliminary Draft Decision, Meta IE responded to the complainant’s assertions. Meta IE submitted, among other points, that it “…did not request or require the data subject’s consent to processing described in the Data Policy, nor did it seek the data subject’s consent to the processing described in, or otherwise performed for the purposes of, the Terms of Service, and as a consequence that the data subject did not in fact consent in this manner” (Facebook Submissions on Preliminary Draft Decision, paragraph 1.7(B). See also paragraph 3.1).

On 6 October 2021, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, FI, FR, IT, NL, NO, PL, PT, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 25 July 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.

Holding

In the Final Decision, the DPC identified four issues which had to be addressed (three issues the DPC intended to address and an additional issue on which the EDPB directed the DPC to make a finding).


Issue 1 – Whether Clicking on the “Accept” Button Constitutes or Must be Consent for the Purposes of the GDPR

The DPC identified the first issue as consisting of two parts. Firstly, whether Facebook sought to rely on consent as a legal basis at all and, secondly, whether the controller must rely on consent for the purposes of the GDPR.

On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “as a matter of fact, Facebook did not rely, or purport to rely, on the Complainant’s consent as a legal basis for the processing of personal data” (3.13).

Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasised that “there is no hierarchy of lawful bases that can be used for processing personal data” (3.17) and that no provision of the GDPR requires that the processing of personal data “must necessarily be based on consent” (3.18).

However, in its Binding Decision the EDPB instructed the DPC to remove its conclusion on Finding 1 (198). The EDPB stated:

"The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake" (104). “[The DPC] cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve” (197).

Accordingly, the DPC made no finding on the matters encompassed by its assessment of Issue 1.


Issue 2 – Reliance on Article 6(1)(b) GDPR as a Lawful Basis for Personal Data Processing

The second issue concerns whether Meta IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”.

The DPC agreed with the complainant’s submissions and the EDPB guidelines that “the core functions of the contract must be assessed in order to determine what processing is objectively necessary”. However, the DPC added that “necessity is to be determined by reference to the particular contract” (4.31) and “it is not for an authority such as the [DPC], tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible” (4.48). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “the nature of the services provided and agreed upon by the parties” (4.53). The DPC observed that “it seems that the core of the Facebook model… is an advertising model” (4.42) and “proposed to conclude that Facebook may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data” (4.53).

When issuing its Binding Decision, the EDPB emphasised "the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Facebook service" (96). With regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:

"The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model” (105).

"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR... Otherwise, the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not" (109).

"the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (116).

Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Facebook. Firstly, "Meta IE promotes... the perception that the main purpose of the Facebook service serves and for which it processes its users' data is to enable them to communicate with others" (117). The EDPB also takes into account Article 21(2) and (3) GDPR, "the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes." Because this right exists, "the processing cannot be necessary to perform a contract [as the] subject has the possibility to opt out from it at any time, and without providing any reason" (122). The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Meta IE can process personal data on the basis of Article 6(1)(b):

"[T]here is a risk that the Draft Decision’s failure to establish Meta IE's infringement of Article 6(1)(b) GDPR, pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject" (130). "As a result, owing to the number of users, market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the complainant and the millions of users of Facebook service in the EEA and affect the protection of hundreds of millions of people covered the GDPR" (131).

In light of all of the above, the EDPB directed the following:

"behavioural advertising performed by Meta in the context of the Facebook service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Facebook service and is not an essential or core element of it" (132). "Meta has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data in the context of the Facebook terms of service and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Facebook Terms of Service for the purpose of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (133).

Accordingly, under instruction from the EDPB, the DPC altered “Finding 2” of its Draft Decision, finding that “Facebook was not entitled to rely on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of behavioural advertising in the context of the Facebook Terms of Service” (4.56).


Issue 3 – Whether Facebook Provided the Requisite Information on the Legal Basis for Processing on foot of Article 6(1)(b) GDPR and Whether it did so in a Transparent Manner

On the issue of transparency, Article 13(1) GDPR sets out the information the controller must provide to a data subject at the time when personal data are obtained, and Article 12(1) GDPR specifies the manner in which this information must be provided.

Describing the information provided by Meta IE to Facebook users, the DPC stated:

"Information on the specific processing operations (necessarily including the data processed) that will be carried out for the purposes specified and by reference to the lawful bases specified... should have been provided to the data subject. To the extent that this was provided at all, it was not clearly linked with a specific purpose or lawful basis, and was described in an ambiguous manner" (5.72). "While there is no particularised requirement under the GDPR to provide data subjects with information on an alteration of a legal basis, or to provide information in a particular part of any such engagement flow, the lack of clarity on such a fundamental issue underlines the inherent lack of transparency in the information provided to the data subject” (5.77).

The DPC also describes the way “Article 5(1)(a) links transparency to the overall fairness of the activities of a controller” and finds that it is therefore “appropriate for the [DPC] to make a finding that Facebook has also infringed Article 5(1)(a)” (5.77).

In light of the above, the DPC found that “In relation to processing for which Facebook indicated reliance upon Article 6(1)(b) GDPR, Articles 5(1)(a), 12(1) and 13(1)(c) have been infringed.”


Issue 4 (Additional Issue) – Whether Facebook Infringed the Article 5(1)(a) GDPR Principle of Fairness

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s Draft Decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. The DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Facebook was not afforded the opportunity to be heard in response to a particularised area of wrongdoing” (5.78). The matter was referred to the EDPB, which determined as follows:

"the principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too" (220).

"the concept of fairness stems from the EU Charter of Fundamental Rights" (221).

“Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject… [it] underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (221, 222).

"The combination of factors, such as the asymmetry of the information created by Meta IE with regard to Facebook service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages Facebook service users, limits their control over the processing of their personal data and undermines the exercise of their rights” (231).

Accordingly, the EDPB instructed the DPC “to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (232).

As directed by the EDPB, the DPC found that “Facebook has infringed the principle of fairness pursuant to Article 5(1)(a) GDPR.”


Summary of Envisaged Action

The DPC made an order pursuant to Article 58(2)(d) GDPR, requiring Meta IE to bring its processing into compliance with its transparency obligations under Articles 5(1)(a), 12(1) and 12(1)(c) GDPR within 3 months of the date of notification of any final decision. The order also requires Meta IE to address the EDPB’s finding that it is not entitled to carry out data processing on the basis of Article 6(1)(b) GDPR, and to bring its processing into compliance with Article 6(1) GDPR.

Furthermore, pursuant to Articles 58(2)(i) and 83 GDPR, and under the direction of the EDPB, the DPC imposed an administrative fine in the amount of €210 million. This fine is made up of an €80 million fine for failing to provide sufficient information on processing operations (Articles 5(1)(a) and 13(1)(c) GDPR); a €70 million fine for failing to provide this information in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Articles 5(1)(a) and 12(1) GDPR); and a €60 million fine for the unlawful processing of personal data (Article 6(1) GDPR).
