DPC (Ireland) - Meta Platforms Ireland Limited (Instagram) - IN-18-5-7

From GDPRhub
DPC - IN-18-5-7
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 56 GDPR
Article 58 GDPR
Article 60 GDPR
Article 65 GDPR
Article 77 GDPR
Article 79 GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.05.2018
Decided: 31.12.2022
Published: 11.01.2023
Fine: 180,000,000 EUR
Parties: Belgian Instagram user (represented by noyb - European Centre for Digital Rights)
Meta Platforms Ireland Limited
National Case Number/Name: IN-18-5-7
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): English
Original Source: noyb website (in EN)
Initial Contributor: LR

Following a complaint filed by a Belgian Instagram user, the Irish DPA found Meta IE’s processing of personal data for behavioral advertising to be unlawful, and fined the company €180,000,000.

English Summary

Facts

In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a user was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).

Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. Article 6(1) GDPR details the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.

A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (APD), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.

Firstly, there existed a clear imbalance of power between controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.

Secondly, the use of the Instagram service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the controller seeks to rely is invalid.

Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.

Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.

The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under Article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.

In response to the complaint Meta IE submitted, among other points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of Article 6(1)(a) GDPR. The company stated that it “does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use” (Para 41).

On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 11 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.

Holding

In the Final Decision, the DPC identified four issues which had to be addressed (three issues the DPC intended to address and an additional issue on which the EDPB directed the DPC to make a finding).


Issue 1 – Whether clicking on the “Agree to Terms” button constitutes or must be considered consent for the purposes of the GDPR and, if so, whether it is valid consent for the purposes of the GDPR

The DPC identified the first issue as consisting of two parts: “first, whether clicking the ‘Agree to Terms’ button actually constitutes consent for the purposes of the GDPR and, second, whether the act of clicking ‘Agree to Terms’ necessarily must be considered consent for such purposes” (34).

On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “as a matter of fact, Meta Ireland did not – and did not seek – to rely on consent as the legal basis for all processing” (46).

Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasized that there is no hierarchy of legal bases for the processing of personal data under the GDPR, that any implication otherwise would be “inherently problematic”, and that “[no] one ground has normative priority over the others” (51).

However, in its binding decision the EDPB instructed the DPC to remove its conclusion on finding 1 (EDPB - 203), stating as follows:

"The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake" (EDPB - 107). “[The DPC] cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve” (EDPB - 202).

Accordingly, the DPC made no finding on the matters encompassed by their assessment of issue 1.


Issue 2 – Whether Meta Ireland could rely on Article 6(1)(b) GDPR as a lawful basis for processing of personal data in the context of the Terms of Use and/or Data Policy

The second issue concerned whether Meta IE could rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller had to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”.

Taking into account the complainant’s submissions, the EDPB guidelines and the framing of Article 6(1)(b), the DPC acknowledged that “consideration of the meaning of the term ‘contract’ within a data protection context is required”. However, the DPC also asserted that an assessment of the terms “necessary” and “performance” is also required, and they “do not have competence to consider substantive issues of contract law, and, accordingly [their] analysis is limited to the specific contract entered into by the named data subject and Meta Ireland in respect of the Instagram service” (87). The DPC took a broad approach in determining what is necessary for the performance of a contract based on what is “reflected in the terms of the precise contract between those parties” (95). The DPC explained that, in their view, “the core of the service offered is premised on the delivery of personalised advertising” (106) and proposed to conclude that “Meta Ireland may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising” (116).

When issuing its Binding Decision, the EDPB emphasised "the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Instagram service" (EDPB - 99). With regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:

"The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model” (EDPB - 108).

"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR… the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not" (EDPB - 112).

"...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (EDPB - 119).

Turning to the facts of the case, the EDPB outlined a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Instagram. Firstly, "Meta IE promotes... the perception that the main purpose of the Instagram service serves and for which it processes its users' data is to enable them to share content and communicate with others" (EDPB - 120). The EDPB also takes into account Article 21(2) and (3) GDPR, "the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes". Because this right exists, "the processing cannot be necessary to perform a contract [as the] subject has the possibility to opt out from it at any time, and without providing any reason" (EDPB - 125). The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Meta IE can process personal data on the basis of Article 6(1)(b):

"...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of Article 6(1)(b) GDPR, pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject" (EDPB - 134). "As a result, owing to the number of users of the Instagram service, the market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the Complainant and the millions of users of Instagram service in the EEA and affect the protection of the hundreds of millions of people covered by the GDPR" (EDPB - 135).

In light of all of the above, the EDPB directed the following:

“...behavioural advertising performed by Meta in the context of the Instagram service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Instagram service and is not an essential or core element of it" (EDPB - 136). "Meta has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data in the context of the Instagram Terms of Use and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Use for the purpose of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (EDPB - 137).

Accordingly, under instruction from the EDPB, the DPC altered “Finding 2” of its Draft Decision, finding that “Meta Ireland was not entitled to rely on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of behavioural advertising in the context of the Instagram Terms of Use”.


Issue 3 – Whether Meta Ireland provided the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent manner

On the issue of transparency, Article 13(1) GDPR outlines the information the controller must provide to a data subject at the time when personal data are obtained and Article 12(1) GDPR details the manner in which this data must be provided.

Describing the information provided by Meta IE to Instagram users, the DPC stated:

“Meta Ireland has not provided meaningful information as to the processing operation(s) and/or set(s) of operations that occur in the context of the Instagram service, either on the basis of Article 6(1)(b) GDPR or any other legal basis. Indeed, I would go so far as to say that it is impossible for the user to identify with any degree of specificity what processing is carried out on what data, on foot of the specified lawful bases, in order to fulfil these objectives… Indeed, it could be said that there is a significant deficit of information made available to data subjects” (188). “Taking into account the circular, disjointed nature of the information provided by Meta Ireland and the generalised, high-level overview it provided, I am not satisfied that the information was clear and concise” (190).

The DPC also describes the “significant link” (194) between the principle of transparency and the principle of fairness in Article 5(1)(a) GDPR, and finds that, with regard to the issue of transparency, it is appropriate to make a finding of an infringement of the principle of Article 5(1)(a) (Para 197).

In light of the above, the DPC found that “In relation to processing for which Meta Ireland indicated reliance upon Article 6(1)(b) GDPR, Articles 5(1)(a), 12(1) and 13(1)(c) have been infringed”.


Issue 4 (Additional Issue) – Whether Meta Ireland Infringed the Article 5(1)(a) Principle of Fairness

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. The DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Meta Ireland was not afforded the opportunity to be heard in response to a particularised area of wrongdoing” (200). The matter was referred to the EDPB, who determined as follows:

"the principle of fairness has an independent meaning and… an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too" (EDPB - 224).

"the concept of fairness stems from the EU Charter of Fundamental Rights" (EDPB - 225).

“Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject… [it] underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (EDPB - 225, 226).

"The combination of factors, such as the asymmetry of the information created by Meta IE with regard to the Instagram service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages the Instagram service users, limits their control over the processing of their personal data and undermines the exercise of their rights” (EDPB - 234).

Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to adopt the "appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (EDPB - 235).

As directed by the EDPB, the DPC found that “Meta Ireland has infringed the principle of fairness pursuant to Article 5(1)(a) GDPR”.


Summary of Envisaged Action

The DPC made an order pursuant to Article 58(2)(d) GDPR, requiring Meta IE to bring processing into compliance in accordance with its transparency obligations under Articles 5(1)(a), 12(1) and 12(1)(c) GDPR, within 3 months of the date of notification of any final decision. The order also requires Meta IE to address the EDPB’s finding that it is not entitled to carry out data processing on the basis of Article 6(1)(b) GDPR, and to bring its processing into compliance with Article 6(1) GDPR.

Furthermore, pursuant to Articles 58(2)(i) and 83 GDPR, and under the direction of the EDPB, the DPC imposed an administrative fine in the amount of €180 million. This fine is made up of a €70 million fine for failing to provide sufficient information on processing operations (Articles 5(1)(a) and 13(1)(c) GDPR); a €60 million fine for failing to provide this information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language (Articles 5(1)(a) and 12(1) GDPR); and a €50 million fine for the unlawful processing of personal data (Article 6(1) GDPR).

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.