EDPB - Binding Decision 2/2022 - 'Instagram'
EDPB - Binding Decision 2/2022 | |
---|---|
Authority: | EDPB |
Jurisdiction: | European Union |
Relevant Law: | Article 5(1)(c) GDPR, Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, Article 12(1) GDPR, Article 24(2) GDPR, Article 25(1) GDPR, Article 25(2) GDPR |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 28.07.2022 |
Published: | 15.09.2022 |
Fine: | 405,000,000 EUR |
Parties: | n/a |
National Case Number/Name: | Binding Decision 2/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
The EDPB adopted a binding decision, following which the Irish DPC fined Meta €405,000,000 for the lack of legal grounds for processing contact information on children’s business accounts and ‘public by default’-settings for child users.
English Summary
Facts
The DPC had conducted an investigation into Meta, specifically into Instagram. The DPC focused its investigation on two aspects: first, the information displayed on business accounts of child users, and second, the default settings of newly created Instagram accounts. Based on this investigation, the DPC formulated a draft decision under Article 60(3) GDPR.
Processing of contact information on child user’s business accounts
The DPC held that Instagram permitted child users to switch from personal accounts to business accounts. During this switch from personal to business account, the child user was presented with an option screen (titled “Review Your Contact Info”). This screen was automatically filled with the user’s information, which was collected at the time of registration. The child user had the opportunity to modify this information. However, in order to complete the switch from a personal to a business account, the child user also had to provide an email address or a phone number (contact information). Before September 2019, the phone number and e-mail were published on the respective user page in the form of a contact button. These contact details were not encrypted and were visible in plain text.
Since 4 September 2019, an updated version of this option screen was presented, with possibilities to modify contact details. Also, the user could choose not to provide any contact details at all.
Before March 2019, the contact details of child users were also visible as plain text in the HTML source code of the web version of Instagram.
Also, for a time between August 2020 and November 2020, e-mail addresses of Instagram business accounts were visible in the HTML source code of the Instagram website as plain text, including to persons not registered as Instagram users.
According to the DPC, by registering for a personal Instagram account, a data subject had to agree to the Instagram Terms of Use. The DPC held that Meta used two legal grounds in these terms of service for processing the personal data of Instagram child users: for the performance of a contract (Article 6(1)(b) GDPR) and for legitimate interest (Article 6(1)(f) GDPR).
In its original draft decision, the DPC held that Meta could use Article 6(1)(b) GDPR as a legal ground for processing. The data subject would have to accept the terms of service. It also stated that Article 6(1)(b) GDPR does not require the inclusion of explicit contractual provisions. It would be sufficient if processing was necessary in the respective case. The DPC held that in this case, the contact information processing could be necessary for the performance of Meta’s Terms of Service with its users.
The DPC also held that Meta could use Article 6(1)(f) GDPR as a legal ground for processing. This legal ground has three cumulative elements which need to be fulfilled by the controller in order to use this legal ground:
1) The pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed. In its draft decision, the DPC held that the interests of Meta for processing the contact information were legitimate for Meta as well as for the Instagram users, because publication of contact details may be a reasonable and lawful mode to promote a business or other undertaking. The DPC did not specify if this concerned all Instagram users or a specific type of user. (The EDPB assumed all Instagram users based on submissions of Meta and the interpretation of these by the DPC).
2) The need to process personal data for the purposes of the specific legitimate interests. The DPC held that the processing of contact information could be considered necessary for business account users who wished to provide contact information outside of Instagram. The DPC held in its original draft that the principle of data minimization (Article 5(1)(c) GDPR) had been violated by Meta, which is a relevant factor to decide if processing is necessary. The DPC determined this violation because child users of Instagram business accounts had to publish their information publicly on business accounts in the HTML code of the Instagram website, prior to 7 March 2019.
3) That the fundamental rights and freedoms do not take precedence (balancing exercise). The DPC held that Meta’s own analysis regarding the adequacy of the information provided to child users was inadequate. The DPC also held that there was a lack of transparency because child users were not properly informed that the publication of their contact information might result in a high-risk situation. Also, parts of the provided information were technical and hypothetical. The DPC came to the same conclusion for the security and safety measures implemented by Meta. The DPC held that these measures did not mitigate all relevant risks for child users. These inadequate measures would result in a risk of possible communication between child users and dangerous individuals, both on the Instagram platform itself and outside of the platform.
In the end, the DPC held that Meta could also use Article 6(1)(f) GDPR as a legal ground for processing. The DPC held that in cases where processing occurred in the context of ‘well-considered professional activities’, it could happen that the legitimate interests at issue would not be overridden by the interests or fundamental rights and freedoms of the child user.
Public-by-default Instagram accounts
Besides the remarks regarding the legal grounds for processing contact information of child users (business accounts), the DPC also determined violations regarding the public-by-default processing of personal Instagram accounts of child users.
The DPC had stated that Instagram accounts were public by default, including accounts belonging to child users. This meant that a new account would automatically be public without changing the settings. This meant that every user in the app or website, registered Instagram user or not, could see the contents of the account. If this had been the private setting, the user would have to approve who could look at their account. Meta informed its child users of the public-by-default account settings in its 2018 and 2020 Data Policies.
The DPC held that Meta had violated Article 12(1) GDPR because it did not inform child users of the purposes of the public-by-default processing in a clear and transparent way.
The DPC also held that Meta had violated Article 5(1)(c) GDPR and Article 25(2) GDPR, because the public-by-default processing was neither necessary nor proportionate. The DPC also mentioned that child users may have a reduced ability to change privacy settings. The DPC held that Meta had failed to implement technical and organizational measures to ensure that only personal data that was necessary for the relevant purpose of processing was collected.
The DPC also held that Meta violated Article 25(1) GDPR by not implementing appropriate technical and organizational measures.
The DPC also held that Meta had violated Article 24(1) GDPR because the DPC found that the safeguards and measures implemented by Meta IE did not assess the specific risks to the rights and freedoms of child users properly.
The Norwegian DPA objected to this assessment regarding the 'public by default' accounts, because it wanted the DPC to conclude that the public-by-default processing was not necessary or proportionate on several grounds. It also wanted the DPC to conclude that Article 6(1)(b) GDPR and Article 6(1)(f) GDPR were not applicable legal bases for the public-by-default processing.
Draft decision sent to the EDPB
The DPC had published this draft decision and invited other DPAs to react. Other DPAs objected to this draft for various reasons, among other things that the conditions for Article 6(1)(b) GDPR and Article 6(1)(f) GDPR were not met. After this, the DPC submitted its draft decision to the consistency mechanism for dispute resolution by the EDPB (Article 65(1)(a) GDPR).
Holding
The EDPB declared most of the objections of the other DPAs both relevant and reasoned in the context of Article 4(24) GDPR. After this assessment, the EDPB looked into the reasoning of the DPC regarding the legal ground for processing of child users’ data by Meta in the context of business accounts.
Processing of contact information on child user’s business accounts
The EDPB held that the DPC could not have concluded that the contact information processing may be regarded as necessary for the performance of a contract between Meta and child users. As a consequence, the EDPB held that Meta IE could not have relied on Article 6(1)(b) GDPR as a legal basis for processing of contact information. The EDPB focused on the assessment by the DPC regarding the ‘necessity’ for the performance of the contract with Meta. The EDPB formulated several reasons why the processing was not necessary.
The EDPB held that it was important to determine the exact rationale of the contract, regarding substance and objective, to determine whether or not the processing is necessary. Factors to consider are the particular aim, purpose, or objective of the service. The processing should be objectively necessary for a purpose and must be integral to the delivery of the service to the data subject. The controller should also be able to justify the necessity in the context of the mutually understood purpose. This depends both on the controller’s perspective and on the perspective of the data subject (an ordinary user). Children merit special protection in this consideration.
The EDPB started by considering that the publication of the contact details on children’s profiles could not have been reasonably expected by these children, considering the high-level information in the Terms of Use and the fact that no specific information about business accounts was provided. Also, the EDPB did not agree that the contact information processing (publishing of phone number or e-mail) could be considered as “integral” or “central” to Instagram. The EDPB referred to a remark by the DPC in its original draft, that it was now possible to operate a professional profile without also publishing contact information.
The EDPB also considered that if there are realistic, less intrusive alternatives, the processing cannot be considered ‘necessary’. The principle of proportionality should be taken into account here. The DPC had even stated in its original draft that there was a possibility on Instagram to contact users directly through direct messaging within the platform. This was even the preferred method for communication for some business account users. According to the EDPB, this contact method should have been taken into consideration by the DPC as a less intrusive alternative when judging the ‘necessity’ of the processing.
The EDPB observed that Meta had claimed that the publication of the contact details was intended for traditional businesses. The EDPB held that it was technically possible to distinguish these traditional businesses from child users during the Instagram registration process based on age information. It would have therefore also been possible to avoid publishing child users’ contact information.
The EDPB also held that the publication of the contact information in the HTML source code on the Instagram website was not considered necessary by Facebook’s security team and was therefore discontinued by Facebook. The EDPB also considered here that the principle of data minimization (Article 5(1)(c) GDPR) is relevant for the ‘necessity’ assessment. Considering these facts, the EDPB held that the contact information in the HTML should therefore not have been regarded as ‘necessary’ by the DPC.
The EDPB also held that the publication of contact information meant massive risks to the rights and freedoms of children. This should also have been taken into consideration by the DPC when assessing whether or not this processing was ‘necessary’.
The EDPB held that the publication of children’s contact information did not meet the requirements under Article 6(1)(f) GDPR, because the interests of the data subjects overrode the respective legitimate interests. Therefore, the EDPB held that Meta couldn’t use this legal ground for the processing. The EDPB formulated an opinion on all three cumulative elements, which the controller had to fulfill in order to use this processing ground.
1) Legitimate Interest(s): The EDPB held that the interests were not specific enough because the controller mentioned them in a vague fashion. The EDPB mentioned that the evaluation of the existence of the legitimate interest(s) pursued should have been conducted by the DPC in a better way. Despite the fact that the EDPB could have stopped here, it decided to also assess the other assessments of the DPC on the cumulative criteria.
2) Necessity: The EDPB didn’t agree with the assessment of the DPC regarding the necessity of the processing. For assessing necessity, the EDPB stated that the existence of less intrusive means that would contribute effectively to achieving the interests pursued should be analyzed. The principle of proportionality should also be taken into account. The DPC held that Meta had violated the data minimization principle (Article 5(1)(c) GDPR) because of the mandatory display of contact information for business users in the HTML code of the Instagram website. The problem according to the EDPB was the fact that the DPC didn’t follow this up with a conclusion that the processing was not necessary. The EDPB held that the recognition of the HTML-processing should have concluded the assessment of the DPC that the processing was not necessary. The EDPB also noted that the DPC should have considered direct messaging on Instagram as a less intrusive way of communication for the assessment of necessity, which the DPC hadn’t done in its draft decision. The EDPB continued by calling the DPC approach to determine the ‘necessity’ requirement ‘substantially erroneous’. This was because of the fact that the DPC had named the interests of business users as legitimate interest. The business users are the data subjects, whose interests cannot be seen as legitimate interest. Only interests of the controller or a third party can be regarded as a legitimate interest. The DPC had therefore failed to justify why it considered the publication of the contact details necessary, also considering other communication means, such as direct messaging on Instagram.
3) Balancing exercise: The EDPB held that the risk assessment made by the DPC was accurate. The EDPB agreed with the DPC with regard to the lack of adequate safeguards and transparency by Meta. The EDPB did however not agree with the statement of the DPC that it was possible that the legitimate interests of Meta or third parties would not be overridden by the interests or fundamental rights and freedoms of the child users in some circumstances. The EDPB held that the DPC did not properly assess the impact of the processing when performing this balancing exercise, stating it had only taken into account the positive aspects of the processing, despite the risks the DPC had identified itself.
Public-by-default Instagram accounts
The EDPB dismissed the objection from the Norwegian DPA against the DPC’s original draft regarding public-by-default Instagram accounts, because the Norwegian DPA failed to establish a direct connection with the specific legal and factual content of the decision of the DPC. The compliance of 'public by default' processing with Article 6 GDPR was not part of the original DPC decision and the objection of the DPA was not 'reasoned' (Article 4(24) GDPR).
Other grounds
The decision of the EDPB contained other supposed violations of the GDPR. Most of these were objections brought forward by other DPAs. These were mostly not analyzed by the EDPB because they were deemed to be neither “relevant” nor “reasoned” (Article 4(24) GDPR).
Objections to fine:
After the EDPB considered several objections from other DPAs regarding the fine, the EDPB formulated this binding decision, after which the DPC adapted its original decision and fined Meta €405,000,000.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR
Adopted on 28 July 2022
Adopted
Table of contents
1 Summary of the dispute
2 The right to good administration
3 Conditions for adopting a binding decision
3.1. Objections expressed by CSAs in relation to a draft decision
3.2. The LSA does not follow the relevant and reasoned objections to the draft decision or is of the opinion that the objections are not relevant or reasoned
3.3. Admissibility of the case
4 Structure of the binding decision
5 On legal basis for contact information processing
5.1. Analysis by the LSA in the Draft Decision
5.2. Summary of the objections raised by the CSAs
5.3. Position of the LSA on the objections
5.4. Analysis of the EDPB
5.4.1. Assessment of whether the objections were relevant and reasoned
5.4.2. Assessment on the merits
6 On potential further (or alternative) infringements identified by the CSAs
6.1. On potential infringements of Article 6(1)(a), Article 7 and Article 8(1) GDPR regarding contact information processing
6.1.1. Analysis by the LSA in the Draft Decision
6.1.2. Summary of the objection raised by the CSAs
6.1.3. Position of the LSA on the objections
6.1.4. Analysis of the EDPB
6.2. On potential infringements of Article 5(1)(a) and Article 5(1)(b) GDPR regarding contact information processing
6.2.1. Analysis by the LSA in the Draft Decision
6.2.2. Summary of the objection raised by the CSAs
6.2.3. Position of the LSA on the objections
6.2.4. Analysis of the EDPB
6.3. On legal basis regarding public-by-default processing
6.3.1. Analysis by the LSA in the Draft Decision
6.3.2. Summary of the objection raised by the CSAs
6.3.3. Position of the LSA on the objections
6.3.4. Analysis of the EDPB
7 On the determination of the administrative fine
7.1. Analysis by the LSA in the Draft Decision
7.2. Summary of the objections raised by the CSAs
7.3. Position of the LSA on the objections
7.4. Analysis of the EDPB
7.4.1. Assessment of whether the objections were relevant and reasoned
7.4.2. Assessment on the merits
8 Binding Decision
9 Final remarks
The European Data Protection Board
Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “GDPR”) [1],
Having regard to the European Economic Area (hereinafter, “EEA”) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 [2],
Having regard to Article 11 and Article 22 of its Rules of Procedure (hereinafter, “EDPB RoP”) [3],
Whereas:
(1) The main role of the European Data Protection Board (hereinafter, “EDPB”) is to ensure the consistent application of the GDPR throughout the EEA. To that effect, it follows from Article 60 GDPR that the lead supervisory authority (hereinafter, “LSA”) shall cooperate with the other supervisory authorities concerned (hereinafter, “CSAs”) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other CSAs. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.
(2) Where any of the CSAs expressed a reasoned and relevant objection on the draft decision in accordance with Article 4(24) GDPR and Article 60(4) GDPR and the LSA does not intend to follow the relevant and reasoned objection or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR. (3) In accordance with Article 65(1)(a) GDPR, the EDPBshall issue a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR. (4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) EDPB RoP, within one month after the Chair of the EDPB and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of thesubject-matterupondecisionoftheChairoftheEDPBonowninitiativeorattherequestofatleast one third of the members of the EDPB. (5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members. (6) In accordance with Article 11(6) EDPB RoP, only the English text of the decision is authentic as it is the language of the EDPB adoption procedure. 1 2OJ L 119, 4.5.2016, p. 1. References to “Member States” made throughout this decision should be understood as references to “EEA Member States”. 3EDPB Rules of Procedure, adopted on 25 May 2018. Adopted 4 HAS ADOPTED THE FOLLOWING BINDING DECISION 1 SUMMARY OF THE DISPUTE 1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. 
This Binding Decision concerns the dispute arisen following a draft decision (hereinafter, “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this document as the “LSA”) and the subsequent objections expressed by several CSAs, namely the German supervisory authority for Hamburg (“Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”) representing the views of itself and the other German supervisory authorities, including the German supervisory authority forBerlin(“Der Berliner BeauftragtefürDatenschutz und Informationsfreiheit”),theGerman supervisory authority for Bremen (“Der Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen”) and the German supervisory authority for North Rhein-Westphalia (“DerLandesbeauftragtefür DatenschutzundInformationsfreiheitNordrhein-Westfalen”),hereinafter referred to collectively as the “DE SAs”; the Finnish supervisory authority (“Tietosuojavaltuutetun toimisto”), hereinafter the “FI SA”; the French supervisory authority (“Commission Nationale de l'Informatique et des Libertés”), hereinafter the “FR SA”; the Italian supervisory authority (“Garante per la protezione dei dati personali”), hereinafter the “IT SA”; the Dutch supervisory authority (“Autoriteit Persoonsgegevens”), hereinafter the “NL SA”; and the Norwegian supervisory authority (“Datatilsynet”), hereinafter the “NO SA”. 2. The Draft Decision related to an “own-volition inquiry” which was commenced by the IE SA on 21 September 2020 regarding processing activities of Facebook Ireland Limited, a company established in Dublin, Ireland. The company has subsequently changed its name to “Meta Platforms Ireland Limited”andhereinafteritisreferredtoas“MetaIE”.AnyreferencetoMetaIEinthisBindingDecision means a reference to either Facebook Ireland Limited or Meta Platforms Ireland Limited, as appropriate. 3. 
The Draft Decision concerned Meta IE’s compliance with Article 5(1)(a) and (c), Article 6(1), Article 12(1), Articles 13, 24, 25 and 35 GDPR in respect of certain processing of child users personal data in the context of the “Instagram” social media networking service (hereinafter, “Instagram”). In particular,itconcernedthepersonaldataprocessingbyMetaIEinrelationtopublicdisclosureofemail addresses and/or phone numbers of child users of the Instagram business account feature and a public-by-default setting for personal accounts of child users on Instagram. 4. The IE SA stated in its Draft Decision that it was satisfied that the IE SA is the LSA, within the meaning of the GDPR, for Meta IE, as controller in respect of the cross-border processing of personal data in the context of the Instagram service . 5. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism: 21 September 2020 The IE SA commenced the inquiry and requested information from Meta IE. The scope and legal basis of the inquiry were set out in the 4Instagram registered usersaged between 13 and 17 years old. A person must be at least 13 years old to register as an Instagram user. See Draft Decision, paragraph 9. 5Draft Decision, paragraphs 47-57. Adopted 5 Notice of Commencement of the inquiry that was sent to Meta IE on 21 September 2020. The temporary scope of the inquiry was set to cover a period between 25 May 2018 and 21 September 2020. On 27 October 2020, Meta IE provided replies to preliminary queries by the IE SA. 27 November 2020 The IE SA provided Meta IE with a Statement of Issues, where it set out the factual summaryofrelevant issues and described thematters for determination under the GDPR. On 10 December 2020, Meta IE made submissions in response to the Statement of Issues and on 29 January 2021, provided the IE SA with an updated Legitimate Interest Assessment. 
11 June 2021 The IE SA issued a Preliminary Draft Decision against Meta IE regarding its processing activities within the scope of the inquiry (“Preliminary Draft Decision”). The IE SA invited Meta IE to make submissions on the Preliminary Draft Decision. August-September 2021 On 9 August 2021, Meta IE provided its submissions on the Preliminary Draft Decision to the IE SA (“Meta IE Preliminary Draft Submissions”). On 16 August 2021 Meta IE provided to the IE SA an additional expert report. On a separate request from the IE SA, on 23 September 2021 Meta IE provided additional submissions regarding Article 83(3) GDPR (“Meta IE Submissions on Article 83(3) GDPR”). December 2021 On3December2021,theIESAshareditsDraftDecisionwiththeCSAs in accordance with Article 60(3) GDPR. Several CSAs (DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA) raised objections in accordance with Article 60(4) GDPR. Several comments were also exchanged. 21 January 2022 The IE SA issued a Composite Response setting out its compromise proposals (“Composite Response”) and shared it with the CSAs. The IESArequestedtherelevantCSAsto provideanindicationofwhether the IE SA’s compromise proposals could be satisfactory for the CSAs as a possible way forward. February 2022 In light of the proposals in the Composite Response, further exchanges took place between the IE SA and the CSAs. During the exchanges, several CSAs confirmed to the IE SA that its compromise proposals were not sufficient and they intended to maintain their objections. On 25 February 2021 Meta IE was invited to exercise its right to be heard in respect of all thematerial that the IE SA proposed to refer to theEDPBandon6April2022MetaIEprovideditssubmissions(“Meta IE Article 65 Submissions”). 13 May 2022 The IE SA referred the matter to the EDPB in accordance with Article 60(4)GDPR,therebyinitiatingthedisputeresolutionprocedureunder Article 65(1)(a) GDPR. Adopted 66. 
Followingthesubmissionbythe IESAofthismattertotheEDPBinaccordancewithArticle60(4)GDPR 6 in the Internal Market Information system (hereinafter, “IMI”) on 13 May 2022, the EDPB Secretariat assessedthe completenessof the fileon behalfoftheChair of the EDPB in linewith Article11(2) EDPB RoP. 7. The EDPB Secretariat contacted the IE SA on 20 May 2022, asking for information and additional documents to be submitted in the IMI. The IE SA provided the information and documents on 24 May 2022. 8. A matter of particular importance that was scrutinized by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the EU Charter of Fundamental Rights. Further details on this are provided in Section 2 of this Binding Decision. 9. On 1 June 2022, after the IE SA and the Chair of the EDPB confirmed the completeness of the file, the EDPB Secretariat circulated the file to the EDPB members. 10. The Chair of the EDPB decided, in compliance with Article 65(3) GDPR in conjunction with Article11(4) EDPB RoP, to extend the default timeline for adoptionof onemonth by a furthermonth on account of the complexity of the subject-matter. 2 THE RIGHT TO GOOD ADMINISTRATION 11. The EDPB is subject to the EU Charter of Fundamental Rights, in particular Article 41 (the right to good administration). This is also reflected in Article 11(1) EDPB RoP. 12. The EDPB’s decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisoryauthoritiesconcernedandbindingonthem”(Article65(2)GDPR).Itisnotaimingtoaddress directly any third party. 
However, as a precautionary measure to address the possible need for the EDPB to offer the right to be heard at the EDPB level to Meta IE[7], the EDPB assessed if Meta IE was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and the subject matter of the dispute to be resolved by the EDPB, and in particular if all the documents containing the matters of facts and law received and used by the EDPB to take its decision in this procedure have already been shared previously with Meta IE.

13. The EDPB notes that Meta IE has received the opportunity to exercise its right to be heard regarding all the documents containing the matters of facts and of law considered by the EDPB in the context of this decision and provided its written observations[8], which have been shared with the EDPB by the LSA[9].

[6] The Internal Market Information (IMI) is the information and communication system mentioned in Art. 17 EDPB RoP.
[7] See EDPB Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for public consultation) (hereinafter, “EDPB Guidelines on Article 65(1)(a)”), paragraphs 98-99.
[8] In particular, Meta IE Preliminary Draft Submissions dated 9 August 2021, Meta IE Submissions on Article 83(3) GDPR dated 23 September 2021, Meta IE Article 65 Submissions dated 6 April 2022.
[9] The EDPB notes that Meta IE recognised that it “was afforded the opportunity to make written submissions in respect of the Draft Decision, the Composite Response, and the objections of the CSAs to the [IE SA]” (Meta IE’s Letter to the EDPB dated 17 May 2022). The IE SA also confirmed that Meta IE was invited to exercise its right to be heard “in respect of all of the material that IE SA proposed to refer to the EDPB” (Letter from the IE SA to the

14.
Considering that Meta IE has been already heard by the IE SA on all matters of facts and of law addressed by the EDPB in its decision, the EDPB is satisfied that the Article 41 of the EU Charter of Fundamental Rights has been respected.

3 CONDITIONS FOR ADOPTING A BINDING DECISION

15. The general conditions for the adoption of a binding decision by the EDPB are set forth in Article 60(4) and Article 65(1)(a) GDPR[10].

3.1. Objections expressed by CSAs in relation to a draft decision

16. The EDPB notes that several CSAs (DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA) raised objections to the Draft Decision via IMI in accordance with Article 60(4) GDPR. Each of the objections was submitted within the deadline provided by Article 60(4) GDPR.

17. The Portuguese supervisory authority (“Comissão Nacional de Proteção de Dados”) and the Danish supervisory authority (“Datatilsynet”) provided comments on the Draft Decision. As these comments are not objections within the meaning of Article 4(24) GDPR, they cannot trigger the dispute resolution mechanism of Article 65(1)(a) GDPR and therefore are not part of the scope of this Binding Decision[11].

3.2. The LSA does not follow the relevant and reasoned objections to the draft decision or is of the opinion that the objections are not relevant or reasoned

18. According to the IE SA, the responses received from the CSAs in relation to the Composite Response showed that there was no single proposed compromise that was agreeable to all of the relevant CSAs. In accordance with Article 60(4) GDPR, the IE SA submitted the matter to the consistency mechanism for dispute resolution by the EDPB pursuant to Article 65(1)(a) GDPR. The IE SA clarified in its Letter to the EDPB Secretariat concerning the Article 65 GDPR referral of the dispute to the EDPB that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned[12].

3.3. Admissibility of the case

19.
As a preliminary remark, the EDPB takes note of the views of Meta IE that an escalation by the IE SA to the EDPB was premature and that the Article 60 GDPR process had not been fully exhausted in the present case[13]. The EDPB however finds that the case at issue fulfils, prima facie, all the elements listed in Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA within the deadline provided by Article 60(4) GDPR, and the LSA has not followed objections or rejected them as not relevant or reasoned.

EDPB Secretariat dated 12 May 2022). Finally, as Meta IE recognised in its Article 65 Submissions “[t]hese submissions are directed only to those matters which are the subject of an objection and matters [Meta IE] has been informed will be referred by the [IE SA] to the dispute resolution mechanism” (Meta IE Article 65 Submissions, p. 1). The EDPB Secretariat checked and confirmed that the EDPB was provided with the same documents, which contained the relevant matters of fact and of law. The only additional documents included were the different submissions of Meta IE.
[10] According to Art. 65(1)(a) GDPR, the EDPB will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA and the LSA has not followed the objection or the LSA has rejected such an objection as being not relevant or reasoned.
[11] EDPB Guidelines on Article 65(1)(a), paragraph 17.
[12] The IE SA letter to the EDPB Secretariat dated 12 May 2022. The submission of the dispute on the IMI occurred on 13 May 2022.
[13] Meta IE Article 65 Submissions, paragraphs 12-17.

20. The EDPB further takes note of Meta IE’s position that the current Article 65 GDPR dispute resolution should be suspended due to pending preliminary ruling proceedings before the Court of Justice of the EU (hereinafter, “CJEU”) in Case C-252/21[14].
In addition, on 17 May 2022, Meta IE sent a letter to the EDPB[15], in which Meta IE further asked for stay of proceedings before the EDPB in the procedure at issue in light of pending CJEU cases: C-446/21[16] and C-252/21[17]. Following its assessment, the EDPB considers that the scope of the dispute to be resolved by the EDPB in the present procedure does not overlap with the scope of the aforementioned pending preliminary ruling proceedings, given the different processing operations at stake. Therefore, the EDPB does not need to evaluate further the possibility to stay its proceedings on this Article 65 GDPR dispute resolution pending the determination of the preliminary rulings by the CJEU.

21. Considering the above, in particular that the conditions of Article 65(1)(a) GDPR are met, the EDPB is competent to adopt a binding decision, which shall concern all the matters which are the subject of the relevant and reasoned objections, i.e. whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR[18].

22. The EDPB recalls that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

4 STRUCTURE OF THE BINDING DECISION

23. For each of the objections raised, the EDPB assesses first whether they are to be considered as “relevant and reasoned” within the meaning of Article 4(24) GDPR as clarified in the EDPB Guidelines on the concept of a relevant and reasoned objection[19].

24. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by that objection in this specific case[20]. The EDPB will analyse the merits of the substantial issues raised by all objections it deems to be “relevant and reasoned”.
[14] Meta IE Article 65 Submissions, paragraph 30: according to Meta IE, in Case C-252/21 the CJEU has been asked “to address the scope of the legal bases of Article 6(1)(b) and Article 6(1)(f) GDPR, and as a result may be instructive in application to this matter”.
[15] Meta IE’s letter to the EDPB dated 17 May 2022.
[16] Request for a preliminary ruling of 20 July 2021, Schrems, C-446/21.
[17] Request for a preliminary ruling of 22 April 2021, Meta Platforms and Others, C-252/21.
[18] Art. 4(24) GDPR and Art. 65(1)(a) GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB.
[19] EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version 2 adopted on 9 March 2021, (hereinafter, “EDPB Guidelines on RRO”). The Guidelines (version 2) were adopted on 9 March 2021, after the commencement of the inquiry by the IE SA relating to this particular case.
[20] EDPB Guidelines on Article 65(1)(a), paragraph 63.

5 ON LEGAL BASIS FOR CONTACT INFORMATION PROCESSING

5.1. Analysis by the LSA in the Draft Decision

25. In 2016, a new type of Instagram account was introduced, called a “business account”. Instagram users who switched from a “personal account” to a “business account” were shown additional information about their profile and followers. Until September 2019, users, including child users, who switched to a “business account” were required to display additional public-facing contact details in the form of an email address and/or a phone number (hereinafter, “contact information”), which were published on the user’s profile[21]. On 4 September 2019 Meta IE removed the mandatory requirement to publicly display the contact information[22].

26. In its Draft Decision, the IE SA considered whether Meta IE could rely alternatively on Articles 6(1)(b) and 6(1)(f) GDPR as legal bases for the public disclosure of the contact information of child users of Instagram business accounts (hereinafter, “contact information processing”).
In particular, the IE SA found that the following processing operations by Meta IE were concerned[23]:

(1) Meta IE permitted child users of Instagram to switch from personal accounts to business accounts.

(2) Until 4 September 2019, when switching to a business account, child users were presented with an option screen (titled “Review Your Contact Info”) as part of the switching process. This screen was automatically populated with the user’s information, as obtained by Meta IE at the time of user registration, which the user had the opportunity to modify. In order to complete the business account switching process, the user was required to supply either an email address or a phone number. Users who had private Instagram accounts were prompted to switch to a public account as part of the account switching process.

(3) As of 4 September 2019, when switching to a business account child users were presented with a revised option screen (still titled “Review Your Contact Info”) automatically populated with the user’s information obtained at the time of registration. At this stage, users could either modify their contact details or opt not to provide contact information by pressing the “Don’t use my contact info” button at the bottom of the page.

(4) Where a child user associated an email address and/or phone number with a business account (whether as a mandatory requirement of switching prior to September 2019, or on an optional basis after September 2019), this phone number and/or email address were published on the user’s Instagram profile page, in the form of a “contact button”.

(5) Email addresses and/or phone numbers made public in the context of Instagram business accounts are not encrypted, and are visible as plain text.

(6) Email addresses and/or phone numbers made public in the context of Instagram business accounts are visible to registered Instagram users on the Instagram mobile application.
(7) Additionally, prior to March 2019, email addresses and/or phone numbers associated with Instagram business accounts were visible (including to persons not registered as Instagram users) as plain text in the HTML source code of the web-browser version of Instagram profile pages; and

(8) For a period between August 2020 and November 2020, email addresses associated with Instagram business accounts were visible (including to persons not registered as Instagram users) as plain text in the HTML source code of the web-browser version of Instagram profile pages.

[21] Draft Decision, paragraphs 13-14.
[22] Draft Decision, paragraph 25.
[23] As described in the Draft Decision, paragraph 42.

27. The IE SA found that by registering for a personal Instagram account, a data subject agreed to the Instagram Terms of Use[24]. Section 1 of the Instagram Terms of Use (titled the “The Instagram Service”) listed nine service areas stating[25]:

“…[t]he [Instagram] Service is made up of the following aspects (the Service): Offering personalized opportunities to create, connect, communicate, discover, and share. People are different. We want to strengthen your relationships through shared experiences you actually care about. So we build systems that try to understand who and what you and others care about, and use that information to help you create, find, join, and share in experiences that matter to you. Part of that is highlighting content, features, offers, and accounts you might be interested in, and offering ways for you to experience Instagram, based on things you and others do on and off Instagram.”

28. In the light of Meta IE’s submissions, the IE SA found in the Draft Decision that Meta IE relied on Article 6(1)(b) GDPR for the contact information processing only to the extent that a child user had capacity to enter into an enforceable contract under the applicable Member State law[26].
Meta IE relied on Article 6(1)(f) GDPR as an alternative legal basis with regard to child users who did not have capacity under the applicable Member State law to enter into a contract with Meta IE[27].

29. When assessing Meta IE’s reliance on Article 6(1)(b) GDPR for the contact information processing, the IE SA first observed that, as explained above, a data subject agreed to the Instagram Terms of Use, when registering for a personal Instagram account and referred to Section 1 of the Instagram Terms of Use[28]. The IE SA considered that Article 6(1)(b) GDPR does not require the inclusion of express contractual provisions pertaining to processing in order to provide a legal basis and it is sufficient that processing is necessary for the performance of a contract with the data subject[29]. The Draft Decision further stated that “the publication of contact information in the context of business accounts may be regarded as necessary processing for the purpose of Article 6(1)(b) GDPR”[30]. The Draft Decision found that “the contact information processing could be necessary for the performance of [Meta IE’s] Terms of Service with its users” and that no infringement by Meta IE occurred “to the extent that it relied on Article 6(1)(b) GDPR as a legal basis for processing personal data of certain child users”[31].

[24] Instagram Terms of Use, version of 18 April 2018.
[25] Draft Decision, paragraph 114.
[26] Draft Decision, paragraph 114.
[27] Draft Decision, paragraphs 105 and 114.
[28] Draft Decision, paragraph 114.
[29] Draft Decision, paragraph 115.
[30] Draft Decision, paragraph 115.
[31] Draft Decision, paragraph 116.

30. When assessing Meta IE’s reliance on Article 6(1)(f) GDPR for the contact information processing relating to child users unable to enter into an enforceable contract, the IE SA first noted that “the
processing meets the requirements of Article 6(1)(f) to the extent that the interests pursued in connection with the contact information processing are legitimate interests of [Meta IE] and other Instagram users, insofar that publication of contact details to the public may be a reasonable and lawful mode by which to promote a professional undertaking or other public initiative”[32]. With regard to the necessity of the contact information processing for the purpose of the legitimate interests pursued, the Draft Decision stated that: “such processing may have been, to an extent, a reasonable means for Instagram users to publish off-platform contact details in some circumstances. In particular, such processing could be regarded as necessary for those business account users who wished to be publicly contactable by email or phone in connection with their professional activities”[33].

31. Regarding the balancing test, the IE SA concluded in the Draft Decision that: “in some circumstances, where the contact information processing occurred in the context of the well-considered professional activities, it is possible that the legitimate interests at issue would not be overridden by the interests or fundamental rights and freedoms of the child user”[34]. The IE SA further concluded that the contact information processing could be lawful on the basis of Article 6(1)(f) GDPR “in respect of some of the child users at issue” and therefore no infringement by Meta IE occurred “to the extent that it relied on Article 6(1)(f) GDPR as a legal basis for processing personal data of certain child users”[35].

5.2. Summary of the objections raised by the CSAs

32. The DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA raised objections regarding the conclusions by the LSA in the Draft Decision that no infringement occurred to the extent Meta IE relied on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing.

33.
The NL SA first considered that reliance on Article 6(1)(b) GDPR required clarity on what purposes were to be regarded in the context of the assessment and a valid contract between the controller and the data subject[36]. The NL SA considered that it is a legal requirement for the IE SA to establish “what the contract is and whether that contract is suitable to serve as a legal basis under Article 6(1)(b) GDPR”[37]. Considering the serious lack of transparency on behalf of the controller established by the IE SA in the Draft Decision, the NL SA had a reasonable doubt as to whether data subjects had indeed been able to enter into a contract with the Meta IE both willingly and sufficiently informed. Therefore, the NL SA questioned whether such valid contract existed between Meta IE and the data subjects in the case at hand[38]. Second, the NL SA questioned whether the data processing activities in question were actually necessary for the performance of the contract[39]. The NL SA stressed that the Draft Decision of the IE SA did not address the question of whether Meta IE made the assessment regarding necessity and if any such assessment met the strict necessity standard that reliance on this legal basis requires[40]. According to the NL SA, other evidence in the Draft Decision, in particular referred to in the last sentence of paragraph 115 of the Draft Decision, as well as the IE SA’s assessment of the data minimisation, indicated that the necessity criterion of Article 6(1)(b) GDPR would actually not be met in this case[41].

[32] Draft Decision, paragraph 118.
[33] Draft Decision, paragraph 119.
[34] Draft Decision, paragraph 123.
[35] Draft Decision, paragraph 125.
[36] NL SA objection, paragraph 7.
[37] NL SA objection, paragraph 10.
[38] NL SA objection, paragraph 11.
[39] NL SA objection, paragraphs 12-15.
[40] NL SA objection, paragraph 13.

34. The NL SA stated that the contact information processing also did not fulfil the requirements of Article 6(1)(f) GDPR[42].
Concerning the requirement of the pursued interest being legitimate, the NL SA observed that the Draft Decision did not include an assessment on why the interests pursued by Meta IE were sufficiently clarified and precise or exactly whose interests were pursued[43]. The NL SA further noted that the IE SA left unassessed if the interests were lawful[44] and real and present[45]. Regarding the requirement of necessity of the processing, the NL SA stated that IE SA did not clearly express why there was a link between the processing and interests pursued. Rather, the NL SA was of the view that the IE SA’s statement that the processing may have been a reasonable means to achieve the publication of off-platform contact details was circular reasoning[46]. In addition, according to the NL SA, in the Draft Decision the IE SA did not appropriately consider whether any other means to achieve the objectives were available to the controller. In particular, the fact that as from 4 September 2019 it was no longer mandatory to publish the contact information of child users indicated that it was likely that there were less intrusive means available for the controller to reach its objective[47]. Furthermore, according to the NL SA, by using phrases like “in some circumstances” and “it is possible that” in the Draft Decision, the IE SA only addressed those particular situations and possibilities[48]. Such a wording led to the Draft Decision not addressing questions relating to the necessity of contact information processing in other situations, such as where child users did not wish to be publicly contactable by email or phone in connection to their professional activities[49].
According to the NL SA, in the context of the balancing of interests, the wording of the Draft Decision suggested that only in those situations where the users were well-informed or digitally literate children who used Instagram for well-considered professional activities, the legitimate interests pursued would not be overridden by the interests or fundamental rights of those children. Leading from this, the NL SA suggested that the IE SA had acknowledged that in other situations, the interests of the data subjects could override the interests of Meta IE. However, such situations were not addressed in the Draft Decision[50]. The NL SA also argued that without analysing and concluding how evident the legitimate interest pursued was and if Meta IE’s assessment of the impact of the processing on the data subjects’ interests or fundamental rights and freedoms was appropriate, the IE SA could not have concluded that the interests of Meta IE were not overridden by the interests or fundamental rights and freedoms of the data subjects[51].

[41] NL SA objection, paragraphs 14-15.
[42] NL SA objection, paragraphs 25-42.
[43] NL SA objection, paragraph 28.a.
[44] NL SA objection, paragraph 28.b.
[45] NL SA objection, paragraph 28.c.
[46] NL SA objection, paragraph 31.a.
[47] NL SA objection, paragraph 31.b.
[48] NL SA objection, paragraphs 32 and 35.
[49] NL SA objection, paragraph 32.
[50] NL SA objection, paragraph 35.
[51] NL SA objection, paragraph 37.
[52] NL SA objection, paragraphs 19 and 42.

35. Further, the NL SA asked the LSA to take appropriate corrective measures to address the infringement and, moreover, the compliance order to the controller, as described in paragraph 627 of the Draft Decision, should include the obligation to remedy the breach of Article 6 GDPR[52]. Finally, the NL SA stated that the Draft Decision, if unchanged, would lower the lawfulness threshold for processing and
undermine the protection of personal data of individuals that enter into contracts that entail processing of personal data; it would also deprive data subjects of the protection mechanisms envisaged in the GDPR and posed the risk that the choice, agency and protection of data subjects – particularly children – is undermined[53].

***

36. The DE SAs stated that the prerequisites for relying on Article 6(1)(b) GDPR were not fulfilled in the present case. First, based on the information delivered by the IE SA, no sufficient proof of a valid contract between Meta IE and the child users was provided, although a valid contract is a prerequisite for controllers to rely on Article 6(1)(b) GDPR as made clear in the EDPB Guidelines 2/2019[54]. The IE SA should also have examined or at least obtained an explanation of the validity of the contract on which the controller relies[55]. Moreover, according to the DE SAs, if the controller did not clearly communicate in a transparent manner that the publication of the contact information would be based on a contract (as observed in Findings 1 and 2 of the Draft Decision), then no contract with this content could come into existence for which the particular processing could be based on Article 6(1)(b) GDPR[56]. Regarding necessity, the DE SAs did not agree with the LSA’s analysis in the Draft Decision and stated that Article 6(1)(b) GDPR can only be used to legitimise data processing that constitutes an essential element of the contract[57]. Accordingly, only the data processing that was actually necessary for the corresponding contractual purpose – the operation of an Instagram business account – can be justified on the basis of Article 6(1)(b) GDPR. In this respect, according to the DE SAs, it was not comprehensible, nor explained by Meta IE, why a publication of contact data in plain text or the use of this data for the HTML source text should be necessary for the operation of such an account.
The DE SAs considered that such necessity did not exist in the present case[58].

37. The DE SAs stated that the contact information processing did not fulfil the requirements of Article 6(1)(f) GDPR. Firstly, according to the DE SAs, the interest pursued by Meta IE was not legitimate. More precisely, the DE SAs argued that promoting a professional business or other public initiative could not be a legitimate interest of Meta IE as the business-holders, being children, could not express their legally binding commitment to the terms of use of Instagram. According to the DE SAs, treating children as professional undertakings in circumstances where national contract law protects children by requiring parental consent would undermine the protection of children[59]. Secondly, the DE SAs argued that the processing did not fulfil the requirement of necessity in relation to the pursued interest. Here, the DE SAs based its view on the same arguments provided in the context of Article 6(1)(b) GDPR, as referred in the preceding paragraph. In addition, the DE SAs observed that Meta IE later changed its practice to no longer require the publication of the contact information of business accounts. Thirdly, the DE SAs stated that the balancing of interests should be based on the protection of child users in general rather than the specific technical and economic abilities of each child user. According to the DE SAs, based on their mental vulnerability, the protection of children should prevail over the interests referred by Meta IE[60].

[53] NL SA objection, paragraphs 20-22 and 43-47.
[54] EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects Version 2.0, 8 October 2019 (hereinafter, “EDPB Guidelines 2/2019”).
[55] DE SAs objection, p. 3-4.
[56] DE SAs objection, p. 4.
[57] DE SAs objection, p. 4-5.
[58] DE SAs objection, p. 5.
[59] DE SAs objection, p. 6.

38.
Finally, the DE SAs considered that the Draft Decision posed a significant risk for the fundamental rights and freedoms of child users of Instagram and other data subjects. In particular, since it would result in the data subjects having no control over their personal data, the LSA’s wide understanding of Articles 6(1)(b) and (f) GDPR would generally render ineffective the protection afforded by the GDPR and Article 8 of the EU Charter of Fundamental Rights, and would undermine effective enforcement of the GDPR, which is a precondition for guaranteeing the fundamental rights and freedoms of the data subjects[61].

***

39. The IT SA stated that with respect to Article 6(1)(b) GDPR the assessment of whether a certain processing activity is necessary should be factually based on the purposes of the service being offered and the data subject should be made aware of those purposes through the appropriate information. In the case at hand, very high level information on the purposes of the processing was available and the arrangements to inform users, especially underage users, were all but unambiguous[62]. According to the IT SA, Meta IE failed to demonstrate the necessity of the processing. The subsequent change, when the publication became optional, proved that the processing was not necessary. The publication of data at large in the HTML page source code in the web-based version of Instagram could hardly be regarded as necessary[63]. The IT SA also observed that Meta IE’s Privacy Policy available in Italy showed no reference to the applicable national law, making it accordingly impossible to understand on which legal basis it relied to legitimise the processing of data relating to child users for opening and managing business accounts[64].

40.
The IT SA pointed out that with respect to Article 6(1)(f) GDPR the IE SA drew conclusions only on digitally skilful child users. Furthermore, the IT SA stated that the balancing exercise as required under Article 6(1)(f) GDPR was flawed[65]. In this context, the IT SA noted the conflict between Meta IE’s claims that the risks which child users were exposed to by the contact information processing were potential rather than actual and that appropriate safeguards had been adopted, and the IE SA’s finding that Meta IE had not implemented appropriate security measures and therefore infringed Articles 24 and 25 GDPR. Moreover, the IT SA observed that Meta IE chose not to carry out a data protection impact assessment, which indicated a flawed risk assessment. According to the IT SA, the inaccurate risk evaluation undermined the balancing of interests and left the arguments of the IE SA without substance but instead with inconsistencies[66]. Furthermore, the IT SA stated that, where national contract law prevented child users from concluding contracts due to their incapacity to fully understand the consequences thereof, it was unlikely that a balancing test could result in the interests of the controller overriding the protection of the rights and freedoms of child users[67].

[60] DE SAs objection, p. 7.
[61] DE SAs objection, p. 9.
[62] IT SA objection, p. 1-2.
[63] IT SA objection, p. 2.
[64] IT SA objection, p. 1.
[65] IT SA objection, p. 3.
[66] IT SA objection, p. 3-4.
[67] IT SA objection, p. 4.

41. Further, the IT SA asked the LSA to amend the Draft Decision “in respect of the action envisaged in relation to the controller. In particular, the amount of the administrative fine should be re-calculated by having regard to the criteria set out in Article 83(2) GDPR”[68].
Finally, the IT SA stated that, if left unchanged, the Draft Decision would result in a risk to the fundamental rights and freedoms of data subjects, because there would be no effective deterrence for the infringement of data subjects’ rights and the approach adopted by the LSA regarding the legal bases would jeopardise the data subjects’ rights in general, as it may be construed as an endorsement of the controller’s approach to the processing of child users’ personal data[69].

***

42. The FI SA stated that in order to rely on Article 6(1)(b) GDPR there needed to be a valid contract between the controller and the data subjects but the Draft Decision left this issue unsettled. Furthermore, according to the FI SA, the Instagram Terms of Use or the Data Policy were not provided in a particularly clear and plain language that would allow a child to sufficiently understand and be genuinely informed in order to enter into a contract, also considering the severe issues identified by the Draft Decision concerning the controller’s failure to meet the transparency requirements[70]. In addition, the FI SA raised the potential issues of children being considered as a legitimate party of a contract in the context of Article 6(1)(b) GDPR, and considered that, in any case, the assessment on whether the requirements of Article 6(1)(b) GDPR have been met should be made particularly thoroughly[71]. Regarding whether the processing was necessary, the FI SA considered that the processing cannot be regarded as necessary for the purpose of Article 6(1)(b) GDPR, when it was found that the same processing breached the necessity requirement set by Article 5(1)(c) GDPR. Finally, the FI SA questioned whether the publication of the contact information could be seen as necessary at all given that it was no longer mandatory[72].

43. The FI SA objected to the conclusion in the Draft Decision regarding Article 6(1)(f) GDPR and stated that the assessment of the legitimate interest pursued was insufficient.
According to the FI SA, the IE SA did not adequately assess and reason the legitimate interests of the controller or a third party [73]. Neither did the IE SA assess if such interests were expressed in a sufficiently clear and precise manner. The FI SA argued that the IE SA did not substantiate the particular extent to and circumstances under which the processing was necessary to protect the legitimate interests and expressed that certain processing operations did not fulfil the necessity requirement [74]. In addition, the FI SA found that the IE SA did not correctly assess the balancing of the legitimate interests and the rights of data subjects. For example, according to the FI SA, the IE SA left unclear in which circumstances it was possible that the legitimate interests would not be overridden by the interests and rights of the data subjects, in particular when they were children and considering the related risks as identified in other parts of the Draft Decision [75]. Also, the FI SA stated that as the IE SA found infringements of the transparency obligations under Article 5(1)(a) and Article 12 GDPR, most likely the data subjects could not upon the collection of their personal data had reasonably expected that their contact information would be published [76].
[68] IT SA objection, p. 2 and 4.
[69] IT SA objection, p. 2 and 4.
[70] FI SA objection, paragraphs 3-4.
[71] FI SA objection, paragraph 5.
[72] FI SA objection, paragraph 6.
[73] FI SA objection, paragraph 13.
[74] FI SA objection, paragraph 14.
[75] FI SA objection, paragraph 15.
44. Further, the FI SA considered that the conclusions in the Draft Decision led to a considerable risk for the rights and freedoms of data subjects, in particular, as the publication of contact information resulted in risks to child users and the approach regarding legal bases adopted in the present case would undermine the level of protection afforded to them, also in other similar situations [77].
Finally, the FI SA requested to take “appropriate corrective measures” to address the infringements [78].
***
45. The FR SA noted a contradiction in the Draft Decision insofar as the LSA considered that the display of contact information was necessary for the performance of the contract under Article 6(1)(b) GDPR and yet, the LSA found that such display violated the principle of data minimisation. In the FR SA’s view, the mandatory display of contact information was not necessary for the performance of the contract, for the reasons set out by the IE SA in paragraphs 221 to 456 of the Draft Decision and the IE SA did not fully draw the conclusions from its own analyses and positions [79]. Also, according to the FR SA, the fact that Meta IE itself changed its position on the mandatory nature of the display of contact details as of September 2019 proved that it was not essential in the context of business accounts [80]. The FR SA further observed that in the absence of clear information given to the user on the terms of contract, the specific contract can hardly be viewed as valid and in this respect the IE SA failed to draw conclusions from its own analysis [81]. With regard to Article 6(1)(f) GDPR, the FR SA observed the contradiction between the IE SA’s findings that, on the one hand, the contact information processing may have been necessary for business account holders and, on the other hand, that such processing went beyond what was necessary and thereby did not satisfy the data minimisation principle [82]. The FR SA noted that certain risks identified by the IE SA, such as harassment and child grooming, were not appropriately taken into account in the balancing test under Article 6(1)(f) GDPR. According to the FR SA, if such risks had been considered, the rights and freedoms of the child users would have prevailed over the interests of the controller [83].
Moreover, the FR SA stated that the balancing of interest also should have included the finding of the IE SA that Meta IE had not informed its child users of the contact information processing in an appropriate manner [84]. In the view of the FR SA, such lack of information deprived the child users of control over their personal data and, therefore, was likely to lead to the child users’ interests prevailing over those of the controller [85]. Finally, the FR SA noted that the use of legitimate interest as a basis for processing offered less protection to child users compared to processing based on a contractual obligation. Therefore, according to the FR SA, basing the processing on legitimate interest deprived the child users of protection in the Member States where national contract law did not allow the legal basis of contract to be used in such context [86]. As a consequence, the FR SA asked the LSA to observe a breach of Article 6 GDPR, impose an administrative fine for this additional breach and order Meta IE to comply within three months [87]. Finally, the FR SA stated that the Draft Decision posed risks to the fundamental rights and freedoms of the persons concerned, as the approach suggested by the LSA regarding the legal bases in the present case would significantly reduce the protection that minors should merit regarding their data and expose them to an increased risk of harassment and grooming [88]. In addition, it would create a precedent for other organisations and would therefore impact other similar cases [89].
[76] FI SA objection, paragraph 16.
[77] FI SA objection, paragraphs 7-9 and 17-19.
[78] FI SA objection, paragraphs 10 and 20-22.
[79] FR SA objection, paragraph 9.
[80] FR SA objection, paragraph 10.
[81] FR SA objection, paragraph 11.
[82] FR SA objection, paragraph 13.
[83] FR SA objection, paragraphs 14-16.
[84] FR SA objection, paragraph 17.
[85] FR SA objection, paragraph 18.
[86] FR SA objection, paragraph 19.
***
46.
The NO SA first considered that the LSA’s findings and assessment in the Draft Decision logically led to the conclusion that the requirement of necessity under Article 6(1)(b) and (f) GDPR was not met [90]. The NO SA noted that the LSA found that Meta IE carried out processing beyond what was necessary for the purposes of the processing and identified considerable risks for child users [91]. Based on these findings, the NO SA concluded that Meta IE did not fulfil the necessity requirement under Article 6(1)(b) and (f) GDPR and suggested that the LSA should have carried out a corresponding legal analysis on the processing in the context of Article 6(1)(b) and (f) GDPR [92].
47. Specifically concerning Article 6(1)(b) GDPR, the NO SA referred to the EDPB Guidelines 2/2019 [93] stating that, when processing is based on Article 6(1)(b) GDPR, the controller must assess what is necessary to fulfil the fundamental and mutually agreed contractual purpose. The NO SA noted that the LSA found in its Draft Decision that the processing violated Article 5(1)(c) GDPR. Therefore, the NO SA considered that the same processing could not be necessary for the fundamental and mutually agreed contractual purpose [94]. The NO SA also considered that since, according to the LSA, the contact information processing went beyond what was necessary for the specific purpose of processing under Article 5(1)(c) GDPR, the processing also must have gone beyond what was necessary for the performance of the contract [95]. Specifically concerning Article 6(1)(f) GDPR, the NO SA stated that the balancing test could not be fulfilled for child users [96]. More specifically, the NO SA noted, first, that the legitimate interests pursued by Meta IE were not specified in the Draft Decision. Secondly, Meta IE did not demonstrate that the contact information processing was necessary for the purposes of the legitimate interests pursued.
Thirdly, the NO SA also considered that since, according to the LSA, the contact information processing went beyond what was necessary for the specific purpose of processing under Article 5(1)(c) GDPR, the processing also must have gone beyond what was necessary for the legitimate interests pursued [97].
[87] FR SA objection, paragraph 22.
[88] FR SA objection, paragraphs 23-25.
[89] FR SA objection, paragraph 26.
[90] NO SA objection, p. 2.
[91] NO SA objection, p. 3.
[92] NO SA objection, p. 3.
[93] EDPB Guidelines 2/2019, paragraphs 32-33.
[94] NO SA objection, p. 3.
[95] NO SA objection, p. 5.
[96] NO SA objection, p. 3.
[97] NO SA objection, p. 6.
48. Finally, the NO SA asked the LSA to conclude that the legal bases under Article 6(1)(b) and (f) GDPR were not applicable for the contact information processing and to exercise the following corrective powers under Article 58(2) GDPR: (1) to order the controller to identify a valid legal basis for the processing in question, or from now on abstain from such processing activities; and (2) to impose an administrative fine for unlawfully processing personal data, erroneously relying on Article 6(1)(b) and (f) GDPR [98]. The NO SA further stated that an administrative fine of a substantial amount should be imposed to ensure effectiveness and dissuasiveness under Article 83(1) and (2) GDPR for the unlawful processing of personal data, considering the nature and gravity of the infringement, as well as the number of data subject affected and the damage suffered [99]. Finally, according to the NO SA, if left unchanged in this respect, the Draft Decision would pose significant risks to the protection of data subjects’ rights. In particular, the NO SA argued that by allowing the processing of personal data without a legal basis, the Draft Decision would violate the data subject’s fundamental right to data protection and would set a dangerous precedent [100].
In addition, the NO SA stated that, if a fine is not imposed for the infringements, the rights of the data subjects would not be effectively safeguarded, thus creating an incentive for the controller and other companies to continue or engage in such violations [101].
5.3. Position of the LSA on the objections
49. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned [102]. Regarding the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA concerning Meta IE’s compliance with Article 6(1)(b) and (f) GDPR in relation to the contact information processing, the IE SA further stated that these objections constituted “relevant and reasoned” objections. However, with respect to “the corrective action element” in the FI SA, FR SA, IT SA and NL SA objections, the IE SA considered that it was not adequately rationalised and the significance of the risks for the rights and freedoms of data subjects was not addressed [103]. Regarding the NO SA objection requiring to reassess the administrative fine taking into account the potential additional infringement, the IE SA stated that this objection constituted a “relevant and reasoned” objection [104].
5.4. Analysis of the EDPB
5.4.1. Assessment of whether the objections were relevant and reasoned
50. In this section the EDPB assesses whether the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA, regarding Meta IE’s reliance on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing, meet the threshold of Article 4(24) GDPR.
51. The EDPB first takes note of Meta IE’s views that the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA regarding Meta IE’s compliance with Article 6(1) GDPR failed to meet the threshold of Article 4(24) GDPR.
According to Meta IE, all the objections at issue were not relevant and reasoned as the LSA’s observations in the Draft Decision were provisional in nature [105]. Further, Meta IE provided reasoning, referring to all the objections, whereby they were not reasoned as the significance of the risks was not clearly demonstrated by the objections [106]. The EDPB recalls that Meta IE’s compliance with Article 6(1) GDPR in relation to the contact information processing was within the scope of the IE SA’s inquiry in the case at hand [107] and that in the Draft Decision the IE SA drew conclusions on Meta IE’s reliance on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the specific processing within the scope of its inquiry, i.e. the contact information processing [108]. Thus there is a clear link between the objections and the Draft Decision [109]. The relevant conclusions in the Draft Decision assessed the lawfulness of the specific processing by Meta IE and provided for an interpretation of the conditions for relying on the legal bases under Article 6(1)(b) and (f) GDPR. The EDPB reiterates that conclusions on the lawfulness of the personal data processing have significant impact on the effective protection of the data subjects’ rights, since the lawfulness of processing of personal data is a fundamental pillar of the EU data protection law [110]. As a consequence, and as further shown and elaborated by the analysis of the EDPB below, the EDPB disagrees with these arguments brought forward by Meta IE.
[98] NO SA objection, p. 7.
[99] NO SA, objection, p. 8.
[100] NO SA objection, p. 6-7.
[101] NO SA objection, p. 9.
[102] Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
[103] Letter of the IE SA to Meta IE dated 30 March 2022.
[104] Letter of the IE SA to Meta IE dated 30 March 2022.
[105] Meta IE Article 65 submissions, paragraph 3.1 and paragraphs 26-30.
52.
The EDPB further analyses whether each of the objections at issue is a “relevant and reasoned objection” as required under Article 4(24) GDPR.
53. The EDPB considers that the objection of the NL SA concerns “whether there is an infringement of the GDPR”, as the NL SA opposed the IE SA’s conclusions that no infringement occurred to the extent Meta IE relied on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing. If followed, the NL SA’s objection would lead to a different conclusion with regard to the findings on Article 6(1)(b) and (f) GDPR. The objection would also entail a change in the compliance order to the controller and possibly additional “appropriate corrective measures” [111]. Therefore, as it demonstrated a direct connection with the substance of the Draft Decision, the objection is “relevant”. The objection is also “reasoned” since it put forward several factual and legal arguments for the proposed change in the legal assessment as to why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand and why Meta IE cannot lawfully rely on those provisions and, therefore, the infringement must be remedied [112].
Accordingly, the EDPB is not persuaded by Meta IE’s submissions that the objections are neither relevant nor reasoned [113]. In addition, the EDPB recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR [114].
[106] In particular, Meta IE stated with respect to all the objections at issue that, “there are no significant risks to data subjects because: (i) the Draft Decision relates only to historic processing, given the time period within scope is between 25 May 2018 to the date of commencement of this Inquiry on 21 September 2020; (ii) Meta Ireland has made significant changes to the manner in which the Instagram Service operates as to both Business Accounts and its audience setting for Teen Users; and (iii) in any event, any Article 6 GDPR concerns arising from the processing of the personal information of Teen Users fall within the scope of the concurrent Legal Bases Inquiry and involve issues that will be considered by the CJEU in separate proceedings” (Meta IE Article 65 Submissions, paragraph 41). Regarding the matter on the pending proceedings before the CJEU, the EDPB refers to section 3.3 (paragraph 20) of this Binding Decision.
[107] Draft Decision, paragraph 46.
[108] Draft Decision, paragraphs 115-116 and 125.
[109] EDPB Guidelines on RRO, paragraph 24; EDPB Guidelines on Art. 65(1)(a) GDPR, para. 66.
[110] Art. 8, EU Charter of Fundamental Rights.
[111] See paragraph 35 of this Binding Decision.
[112] See paragraphs 33-35 of this Binding Decision. The NL SA argued, inter alia, that the necessity requirement under Art. 6(1)(b) GDPR and the three cumulative requirements under Art. 6(1)(f) GDPR were not met.
[113] Meta IE argues that “the objections are not relevant as they are grounded on the incorrect premise that they relate to a conclusive finding from the Draft Decision on Article 6 GDPR” (Meta IE Article 65 Submissions, Annex A, p. 33 and 35). It also considers that they are not reasoned since “the NL SA’s objection ignores the [IE SA’s] preliminary assessment of Teen Users’ interests in maintaining contact information buttons in Business Accounts” (Meta IE Article 65 Submissions, Annex A, p. 35). In this respect, see also paragraph 51 of this Binding Decision.
54. Concerning the requirement to demonstrate the significance of the risks posed for the rights and freedoms of data subjects, contrary to Meta IE’s views [115], the EDPB finds that the objection raised by the NL SA meets the required standard by pointing out several consequences that the Draft Decision would have for the fundamental rights and freedoms of data subjects [116].
55. Finally, contrary to the views of the LSA, the EDPB considers that the qualification of the NL SA’s objection as relevant and reasoned also applies to the part thereof related to the compliance order and other “appropriate corrective measures”. In this respect, the EDPB underlines that the arguments put forward by the NL SA, as addressed in the paragraphs 33-34 above, clearly demonstrated why the Draft Decision should be changed in order to include an infringement regarding the lack of legal basis for the contact information processing and the consequent need to ensure that such processing complies with the GDPR, by amending the compliance order to the controller and adopting the appropriate corrective measures. Likewise, the NL SA’s objection clearly set out the significance of the risks for the data subjects if the Draft Decision remained unchanged and the infringement was not remedied.
***
56.
In their objection, the DE SA disagreed with the finding of the IE SA that there was no infringement to the extent Meta IE relied on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing, thus also concerning “whether there is an infringement of the GDPR” within the meaning of Article 4(24) GDPR. As it demonstrated a direct connection with the substance of the Draft Decision and that, if followed, the objection would lead to a different conclusion, the objection is “relevant”. The objection is also “reasoned” since it put forward several factual and legal arguments for the proposed change in the legal assessment as to why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand [117]. Accordingly, the EDPB is not swayed by Meta IE’s submission that the objections are neither relevant nor reasoned [118].
[114] See EDPB Guidelines on Article 65(1)(a), paragraph 63.
[115] Meta IE Article 65 Submissions, Annex A, p. 34 and 36. See paragraph 51 of this Binding Decision.
[116] For example, the NL SA argued that, if the Draft Decision is kept unchanged and therefore the controller is allowed to rely on Article 6(1)(b) or (f) GDPR for the processing at stake, it would lower the lawfulness threshold for processing and would deprive data subjects of the protection mechanisms envisaged in the GDPR (NL SA objection, paragraphs 22 and 44-47). The NL SA also considered that the Draft Decision does not address the risks for the data subjects, but rather allows them to continue (NL SA objection, paragraph 45).
[117] Regarding Art. 6(1)(b) GDPR, the DE SAs argued that the IE SA’s assessment of the validity and necessity of the contract between Meta IE and child users is incorrect, and provided for an alternative reasoning (see paragraph 36 of this Binding Decision). With regard to Art. 6(1)(f) GDPR, the DE SAs considered that the three cumulative conditions are not met (see paragraph 37 of this Binding Decision).
[118] Meta IE argued that the objections are not relevant since the IE SA did not make a formal finding in the Draft Decision regarding Article 6 GDPR, but rather made preliminary observations (Meta IE Article 65 Submissions, paragraphs 26-27). In this respect, see paragraph 51 of this Binding Decision. It also considered that the DE SAs objection on the element of “necessity” was not reasoned since it is “contrary to CJEU case law and applicable guidance (including from the EDPB), apply the wrong legal standard” (Meta IE Article 65 Submissions, p. 38 and 40). The EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Art. 4(24) GDPR.
57. The EDPB also considers that the DE SA demonstrated the significance of the risk for the fundamental rights and freedoms of data subjects [119].
***
58. Similarly, the objection of the IT SA also concerns “whether there is an infringement of the GDPR”. In the IT SA’s view, the contact information processing cannot “be regarded as necessary for [the] operation of the service” [120], hence resulting in the “unlawfulness of the processing based on Article 6(1)(b) [GDPR]” [121] and Article 6(1)(f) GDPR [122]. As the objection demonstrated a direct connection with the substance of the Draft Decision and, if followed, it would lead to a different conclusion [123], the objection is “relevant”.
59. As the IT SA presented arguments on the factual and legal mistakes in the Draft Decision regarding the analysis on Article 6(1)(b) and (f) GDPR [124], the objection is “reasoned” inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing.
60.
The EDPB is not swayed by Meta IE’s submissions to the contrary [125], as the IT SA explained how its objection, if followed, would result in a different conclusion and put forward several factual and legal arguments for the proposed change in the legal assessment.
61. Finally, the EDPB finds that the objection of the IT SA clearly demonstrated the significance of the risks that the Draft Decision presented to the fundamental rights and freedoms of the data subjects by laying out how there would be no proportionate and dissuasive measures regarding the infringements and how the Draft Decision may be construed as an endorsement of the controller’s approach to the processing of children’s personal data, thus jeopardising their rights [126].
[119] The DE SAs argued, inter alia, that the IE SA’s wide understanding of Art. 6(1)(b) and (f) GDPR would allow for the processing of personal data without an actual legal basis, thereby rendering the protection afforded by the GDPR ineffective (DE SAs objection, p. 9).
[120] IT SA objection, p. 1.
[121] IT SA objection, p. 2.
[122] IT SA objection, p. 4.
[123] The IT SA requested a change in the Draft Decision regarding the infringement on the legal basis for the contact information processing and the imposition of an administrative fine as a consequence of this additional infringement.
[124] For example, the IT SA considered that the processing was not necessary for the performance of a contract (see paragraph 39 of this Binding Decision) and that the balancing test under Art. 6(1)(f) GDPR tipped the balance in favour of the data subject (see paragraph 40 of this Binding Decision).
[125] Meta IE Article 65 Submissions, Annex A, p. 49-52. Regarding Meta IE’s arguments on the lack of conclusive findings in the Draft Decision, the EDPB refers to paragraph 51 of this Binding Decision. Meta IE also argued, inter alia, that the IT SAs’ objection on the element of “necessity” regarding Article 6(1)(b) GDPR was not reasoned since “it is contrary to CJEU case law and applicable guidance (including from the EDPB), by applying the wrong legal standard” (Meta IE Article 65 Submissions, p. 50). Regarding Article 6(1)(f) GDPR, Meta IE argued that the IT SA did not link the objection with a specific infringement and omits relevant elements of the file (Meta IE Article 65 Submissions, p. 51-52). The EDPB disagrees with these arguments, since the IT SA provided sufficient factual and legal elements supporting the objection and reached logical conclusions. The EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Article 4(24) GDPR.
[126] IT SA objection, p. 2 et seq. The EDPB takes note of Meta IE’s submissions in this regard (Meta IE Article 65 Submissions, p. 50 and 52). Nevertheless, the EDPB disagrees with Meta IE (see paragraph 51 above).
62. With regard to the relevant parts of the IT SA’s objection related to the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, it concerns “whether the envisaged action in relation to the controller complies with the GDPR”. The objection is linked to the IT SA’s objection on the findings in the Draft Decision on Article 6(1)(b) and (f) GDPR for the contact information processing. There is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is “relevant”. However, the EDPB considers that the objection did not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision in this regard to specifically increase the level of the fine. Likewise, the significance of the risks for the data subjects related to the imposition of an administrative fine is not sufficiently explained.
Therefore, the IT SA’s objection with regard to the imposition of an administrative fine for the possible additional infringement is not “reasoned”.
63. The EDPB therefore considers that the objection of the IT SA, inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing, is both “relevant” and “reasoned” and meets the threshold set by Article 4(24) GDPR. While, insofar it concerns the imposition of the administrative fine for the possible additional infringement, the objection of the IT SA is not “reasoned” and thus does not meet the threshold of Article 4(24) GDPR.
***
64. In its objection, the FI SA disputed the IE SA’s finding that the contact information processing met the requirements of Article 6(1)(b) and (f) GDPR. Therefore, the FI SA’s objection concerns “whether there is an infringement of the GDPR”. The objection of the FI SA would also possibly entail additional “appropriate corrective measures” [127]. As the objection demonstrated a direct connection with the substance of the Draft Decision and, if followed, it would lead to a different conclusion, the objection is “relevant”. For the same reasons explained above with regard to the other objections in this section, the EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection [128]. In addition, the EDPB considers the objection “reasoned” since the FI SA put forward legal and factual arguments explaining why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand, and explained why the IE SA did not assess the application of Article 6 GDPR properly and, therefore, the infringement must be remedied [129].
65. Having considered Meta IE’s submissions arguing that the objection of the FI SA “relies on vague assertions” [130], the EDPB finds that the objection of the FI SA conclusively demonstrates the significance of the risks that the Draft Decision poses to the fundamental rights and freedoms of the data subjects [131].
[127] See paragraph 44 above. The FI SA requested a change in the Draft Decision regarding the infringement on the legal basis for the contact information processing, and the adoption of “appropriate corrective measures” as a consequence of this additional infringement.
[128] Meta IE Article 65 Submissions, Annex A, pp. 53-55. Meta IE argued that the objection is not relevant since the IE SA did not make a formal finding in the Draft Decision regarding Art. 6 GDPR, but rather made preliminary observations. In this respect, see paragraph 51 of this Binding Decision.
[129] See paragraphs 42-43 of this Binding Decision. The FI SA argued, inter alia, that the assessment on the validity and necessity of the contract is insufficient and that the three cumulative conditions under Art. 6(1)(f) GDPR are not met. In this respect, Meta IE argued, inter alia, that the FI SA merely concurs without the NL SA’s objection without providing sufficient details regarding Art. 6(1)(b) GDPR (Meta IE Article 65 Submissions, p. 53). Regarding Art. 6(1)(f) GDPR, Meta IE argued that the objection’s conclusion on the infringement was divorced from the rationale it set forth (Meta IE Article 65 Submissions, p. 55). The EDPB disagrees with both claims, since the FI SA provided sufficient factual and legal elements supporting the objection and reached logical conclusions. The EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Art. 4(24) GDPR.
[130] Meta IE Article 65 Submissions, Annex A, p. 54 and 55. In this respect, the EDPB further refers to paragraph 51 above.
66. Finally, contrary to the views of the LSA, the EDPB considers that the qualification of the FI SA objection as relevant and reasoned also applies to the part thereof related to the additional corrective measures.
In this respect, the EDPB underlines that the arguments put forward by the FI SA, as addressed in the paragraphs 42-43 above, clearly demonstrate why the Draft Decision should be changed in order to include an infringement regarding the lack of legal basis for the contact information processing and the consequent need to ensure that such processing complies with the GDPR, by adopting the “appropriate corrective measures”. Likewise, the FI SA objection clearly set out the significance of the risks for the data subjects if the Draft Decision remained unchanged and the infringement was not remedied.
***
67. As laid down in its objection, the FR SA disagreed with the IE SA’s conclusions that the contact information processing could be based on Article 6(1)(b) GDPR and alternatively on 6(1)(f) GDPR and considered that the IE SA erred in its legal assessment as it should have reached a different conclusion [132]. Hence, the objection of the FR SA also concerns “whether there is an infringement of the GDPR” and, if followed, it would lead to a different conclusion with regard to the findings on Article 6(1)(b) and (f) GDPR and the corrective measures to the controller [133]. As the objection demonstrated a direct connection with the substance of the Draft Decision, it is “relevant”. For the same reasons explained above with regard to the other objections in this section, the EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection [134].
68.
The EDPB also considers that, inasmuch as the objection concerns the additional infringement related to the lack of legal basis for the contact information processing and the change in the compliance order,theobjectionis“reasoned”,sincetheFRSAclearly set out adisagreementasto theconclusions reached by the IE SA in the Draft Decision by highlighting contradictions in the IE SA’s own analyses and put forward several factual and legal arguments for the proposed change in the legal assessment, including why the controller could not lawfully rely on Article 6(1)(b) and (f) GDPR in this case and, therefore, the infringement must be remedied . Therefore, the EDPB is not convinced by Meta IE’s 131The FI SA explained, inter alia, that the Draft Decision would lead to an insufficient protection of the interests of children, thereby setting a dangerous precedent (FI SA objection, paragraph 8). The FI SA also considered that the lack of legal basis poses a high risk for data subjects, considering the risks identified in the Draft Decision itself (FI SA objection, paragraphs 8 and 18). 132FR SA, objection p. 3. 133The FR SA requested a change in the Draft Decision regarding the infringement on the legal basis for the contact information processing, and a change in the compliance order and the imposition of an administrative fine as a consequence of this additional infringement. 134MetaIEArticle65 Submissions,AnnexA,pp.56and58.MetaIEarguedthat theobjectionisnotrelevantsince the IE SA did not make a formal finding in the Draft Decision regarding Art. 6 GDPR, but rather made preliminary observations. In this respect, see paragraph 51 of this Binding Decision. 135 See paragraph 45 of this Binding Decision. The FR SA considered, inter alia, that the IE SA’s conclusions on the necessity of the processing under Art. 6(1)(b) GDPR are contradictory with the findings on the infringement of the data minimisation principle. 
The FR SA also argued that the balancing exercise is contradictory with the IE SA’s findings on the serious risks for child users.

argument that the FR SA “merely raise[s] abstract and broad (and irrelevant) concerns” and that it “fails to link them to a conclusion as to infringement”¹³⁶.

69. The EDPB finds that the objection of the FR SA sufficiently substantiated the risks to the fundamental rights and freedoms of the data subjects since it clearly explained the consequences that the Draft Decision would have for the fundamental rights and freedoms of data subjects¹³⁷.

70. With regard to the relevant parts of the FR SA’s objection related to the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, it concerns whether the envisaged action in relation to the controller complies with the GDPR¹³⁸. The objection is linked to the FR SA’s objection on the findings on Article 6(1)(b) and (f) GDPR for the contact information processing. Given that it concerns the imposition of a corrective measure for an additional infringement, which would be found as a consequence of reversing the findings of the Draft Decision, there is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is to be deemed as “relevant”, as stated in paragraph 67 above. However, the EDPB considers that the objection does not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision with regard to the imposition of this specific corrective measure. Therefore, the FR SA’s objection is not “reasoned” with regard to the imposition of an administrative fine for the possible additional infringement related to the legal basis for the contact information processing.

71.
The EDPB therefore considers that the objection of the FR SA, inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing, is both “relevant” and “reasoned” and meets the threshold set by Article 4(24) GDPR. While, insofar it concerns the imposition of the administrative fine for the possible additional infringement, the objection of the FR SA is not “reasoned” and thus does not meet the threshold of Article 4(24) GDPR.

***

72. The objection of the NO SA expressed disagreement with respect to the IE SA’s assessment in the Draft Decision on Article 6(1)(b) and (f) GDPR. If followed, the NO SA’s objection would lead to a different conclusion with regard to the findings on Article 6(1)(b) and (f) GDPR and would also have an impact on the compliance order to the controller. Therefore, as it demonstrated a direct connection with the substance of the Draft Decision, the objection is therefore “relevant”. For the same reasons explained above, the EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this

136 Meta IE Article 65 Submissions, Annex A, p. 56. See also Meta IE Article 65 Submission, Annex A, p. 59 in relation to the FR SA’s objection regarding Art. 6(1)(f) GDPR. Regarding Meta IE’s views that the objection of the FR SA is legally flawed (Meta IE Article 65 Submissions, p. 57 and 59), the EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Art. 4(24) GDPR.

137 The FR SA argued that, by allowing reliance on Art. 6(1)(b) or (f), the Draft Decision would expose minors to an increased risk of harassment and grooming and thus would not protect them effectively. In addition, it would create a precedent for other organisations (FR SA objection, paragraphs 23-26). The EDPB takes note of Meta IE’s submissions in this regard (Meta IE Article 65 Submissions, p. 57 and 59).
Nevertheless, the EDPB disagrees with Meta IE and considers that the FR SA clearly and explicitly identified the significance of the risks. The EDPB further refers to paragraph 51 above.

138 Art. 4(24) GDPR.

objection¹³⁹. The objection is also “reasoned” since it put forward several factual and legal arguments for the proposed change in the legal assessment as to why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand and why the controller cannot lawfully rely on those provisions and, therefore, the infringement must be remedied¹⁴⁰.

73. Regarding the requirement to demonstrate the significance of the risks posed by the Draft Decision to the rights and freedoms of data subjects, the EDPB finds that the objection of the NO SA meets the criteria set forth by Article 4(24) GDPR. Therefore, the EDPB is not swayed by Meta IE’s submissions to the contrary¹⁴².

74. With regard to the NO SA’s objection on the administrative fine to be imposed for the additional infringements regarding the lack of legal basis of the contact information processing, the EDPB considers that it concerned “whether the envisaged action in relation to the controller complies with the GDPR”¹⁴³. The objection is linked to the NO SA’s objection on the findings on Article 6(1)(b) and (f) GDPR for the contact information processing. Given that it concerns the imposition of a corrective measure for an additional infringement, which would be found as a consequence of reversing the conclusions in the Draft Decision, there is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is “relevant”. The EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection, including with regard to the imposition of an administrative fine for the proposed findings on Article 6(1)(b) and (f) GDPR.
The EDPB also finds the objection “reasoned” since it put forward several factual and legal arguments that support the imposition of an administrative fine for the alleged infringement¹⁴⁵. Regarding the significance of the risk posed by the Draft Decision to the rights and freedoms of data subjects, the objection sufficiently demonstrated what would be the negative impact for data subjects should a fine for the infringement of the GDPR concerning the lack of legal basis not be imposed¹⁴⁶.

139 Meta IE Article 65 Submissions, Annex A, p. 45 and 47. Meta IE argued that the objection is not relevant since the IE SA did not make a formal finding in the Draft Decision regarding Art. 6 GDPR, but rather made preliminary observations. In this respect, see paragraph 51 of this Binding Decision.

140 See paragraphs 46-48 of this Binding Decision. The NO SA argued, inter alia, that the processing was not necessary under Art. 6(1)(b) nor (f) GDPR and that the balancing test tipped the balance in favour of the data subject. The EDPB is therefore not swayed by Meta IE’s arguments that the objection is based on fundamental errors, is contrary to the principle of legal certainty and does not articulate any error regarding the IE SA’s analysis (Meta IE Article 65 Submissions, p. 46 and 47). The EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Art. 4(24) GDPR.

141 The NO SA argued that, by allowing the processing of personal data without a legal basis, the Draft Decision would violate the data subject’s fundamental right to data protection and would set a dangerous precedent (NO SA objection, p. 6-7). Thus, the EDPB considers that the NO SA’s objection clearly set out the significance of the risks for the data subjects if the Draft Decision remained unchanged and the infringement was not addressed in the compliance order.

142 Meta IE Article 65 Submissions, paragraph 44 and Annex A, p. 46 and 47.
In this respect, the EDPB refers to paragraph 51 above.

143 Art. 4(24) GDPR.

144 Meta IE Article 65 Submissions, para. 44 and Annex A, p. 48. Meta IE argued that the objection arose from non-final observations of the IE SA and, therefore, it was not relevant. In this respect, see paragraph 51 of this Binding Decision.

145 NO SA objection p. 8-9.

146 The NO SA argued that, if a fine was not imposed, the Draft Decision would create a dangerous precedent, since there would not be sufficient incentives for Meta IE and other controllers to change their behaviour, thus leading to a reoccurrence of such infringements. This would affect the data subjects, as in practice the level of protection set out by the GDPR would be denied (NO SA objection, p. 9).

Therefore, the EDPB finds that the objection of the NO SA meets the criteria set forth by Article 4(24) GDPR.

***

75. On the basis of the above considerations, the EDPB finds that the objections raised by the NL SA, DE SAs, IT SA, FI SA, FR SA and NO SA concerning the conclusions in the Draft Decision on Articles 6(1)(b) and 6(1)(f) GDPR regarding the contact information processing qualify as relevant and reasoned objections under Article 4(24) GDPR, including with respect to the changes in the compliance order requested in the objections of the FR SA, NL SA and NO SA and the additional appropriate corrective measures requested by the FI SA and NL SA.

76. The EDPB also finds that the NO SA objection regarding the imposition of an administrative fine for the findings on Article 6(1)(b) and (f) GDPR is relevant and reasoned under Article 4(24) GDPR. On the contrary, with regard to the relevant parts of the objections of the FR SA and IT SA regarding the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, the EDPB considers that they are not sufficiently reasoned and, therefore, do not meet the threshold of Article 4(24) GDPR.

5.4.2.
Assessment on the merits

77. The EDPB considers that the objections found to be relevant and reasoned in this subsection¹⁴⁷ require an assessment of whether the Draft Decision needs to be changed in respect of the finding on compliance with Article 6(1) GDPR. The merits of the objection of the NO SA, with regard to the imposition of an administrative fine for the proposed additional infringement, are assessed in section 7.4 of this Binding Decision.

78. When assessing the merits of the objections raised, the EDPB takes into account the position of the IE SA on the objections and the submissions of Meta IE.

79. The EDPB takes note that for the contact information processing Meta IE relied on Article 6(1)(b) GDPR (but only to the extent that a child user has capacity to enter into an enforceable contract) or alternatively on Article 6(1)(f) GDPR (with regard to child users who did not have capacity to enter into a contract with Meta IE)¹⁴⁸.

5.4.2.1 Regarding Article 6(1)(b) GDPR

80. The EDPB recalls that personal data can be processed on the basis of Article 6(1)(b) GDPR when: (1) the processing takes place in the context of the performance of a contract with the data subject and (2) that processing is necessary for the performance of that particular contract with the data subject¹⁴⁹.

147 These objections being those of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA on Meta IE’s reliance on legal bases under Art. 6(1)(b) and 6(1)(f) GDPR for the contact information processing.

148 Draft Decision, paragraphs 105 and 108. Also, see Meta IE Response to Request for Information, Appendix 6 to Meta IE Article 65 Submissions, paragraphs 17-19, where Meta IE explained that it relied on two primary legal bases for the purposes of providing, personalising and improving the Facebook products (including Instagram), which included provision of the Instagram Business Account and the display of a contact option in connection with an Instagram Business Account, those legal bases being Art. 6(1)(b) GDPR or alternatively Art.
6(1)(f) GDPR.

149 Art. 6(1)(b) GDPR.

81. With respect to the existence of a contract, the EDPB takes note of the objections raised by the DE SAs¹⁵⁰ and FI SA, as well as the IT SA¹⁵² and FR SA, which questioned the failure by the IE SA to assess and conclude on the existence of a valid contract between Meta IE and the child users insofar as it concerns the contact information processing. The NL SA argued that, first, the LSA did not assess adequately in the Draft Decision if a contract was in place between Meta IE and the data subjects for the provision of the Instagram business account and, second, the NL SA raised doubts about the validity of such contract¹⁵⁴.

82. In the Draft Decision, the IE SA found that, when registering for a personal Instagram account, a data subject agreed to the Instagram Terms of Use¹⁵⁵. The IE SA further found, in the light of Meta IE’s submissions, that the performance of a contract legal basis could be invoked by Meta IE in relation to processing associated with the business account feature on the basis of the Terms of Use¹⁵⁶.

83. In its submissions, Meta IE argued that SAs do not have competence to assess validity of contracts¹⁵⁷ and anyway the Draft Decision clearly referred to a contractual relationship between Meta IE and each user based on the Terms of Use. Meta IE also claimed that it had no legal obligation under the GDPR to include a specific reference to Business Accounts in the Instagram Terms of Use and thus the lack of such reference has no impact on the assessment of whether the processing is necessary for the performance of a contract¹⁵⁹ and is not contrary to Article 12 GDPR¹⁶⁰.

84. As recalled above, one of the prerequisites for a controller to be able to rely on Article 6(1)(b) GDPR as a legal basis for the processing of personal data is that the processing takes place in the context of the performance of a contract.
As previously stated by the EDPB, this condition more specifically implies that a controller, in line with its accountability obligations under Article 5(2) GDPR, has to be able to demonstrate that (a) a contract exists and (b) the contract is valid pursuant to applicable national contract laws¹⁶¹.

85. In order to assess whether Meta IE could have relied on Article 6(1)(b) GDPR for the contact information processing, the EDPB analyses in the following paragraphs whether the processing at stake is necessary for the performance of the alleged contract with the data subjects in the case at hand.

86. In its submissions, Meta IE claimed that insofar as “necessity” is concerned, the CSAs ignored the relevant facts and considerations during the period when Business Accounts were first offered and erred in: (1) applying an overly strict view of the element of necessity for the purposes of Article 6(1)(b) GDPR, and (2) improperly seeking to retroactively find a violation of Article 6(1)(b) GDPR by virtue of a subsequent product modification, which has dangerous implications for controllers seeking to develop and evolve their products over time in respect of user privacy and safety¹⁶². According to Meta

150 DE SAs objection, p. 3-4.

151 FI SA objection, paras. 4-5.

152 IT SA objection, p. 1.

153 FR SA objection, paragraph 11.

154 NL SA objection, paragraphs 9-11.

155 Draft Decision, paragraph 114.

156 Draft Decision, paragraph 115.

157 Meta IE Article 65 Submissions, paragraphs 50-51.

158 Meta IE Article 65 Submissions, paragraph 52.

159 Meta IE Article 65 Submissions, paragraphs 53-54.

160 Meta IE Article 65 submissions, paragraph 55.

161 EDPB Guidelines 2/2019, paragraph 26.

162 Meta IE Article 65 Submissions, paragraph 58.

IE, “the Business Account was created for Instagram in 2016 and, as relevant for the time, it was built around the notion of a “traditional” business, which may have used Instagram to support its external (i.e., off-Instagram) presence, like a website or brick-and-mortar establishment.
To enable the off-Instagram promotion of and contact with the business, the Business Account functionality included a “Contact” button to allow the Instagram community to communicate with the business through a contact channel outside of Instagram (e.g., a business phone or email)” and “the EDPB must assess the element of necessity under the correct conceptual framework having regard to the specific purpose of the processing at issue at the time, in line with its prior guidance”¹⁶³. In addition, according to Meta IE, compliance with Articles 5(1)(c) and 6(1)(b) GDPR must be considered separately, the LSA’s finding on Article 5(1)(c) GDPR was narrow in scope, and, moreover, Articles 5(1)(c) and 6(1)(b) GDPR have distinct and separate meanings, thus a finding of non-compliance with Article 5(1)(c) GDPR does not and cannot equate automatically to a finding of non-compliance with Article 6(1)(b) GDPR¹⁶⁴.

87. The EDPB recalls that the concept of necessity has an independent meaning in Union law, which must reflect the objectives of data protection law¹⁶⁵. In particular, as the CJEU has stated: “[a]s regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”¹⁶⁶.

88. When analysing the performance of a contract legal basis, the necessity requirement has to be interpreted strictly. As stated earlier by the Working Party 29 (hereinafter “WP29”), this “provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”¹⁶⁸.

89. The EDPB recalls that for the assessment of necessity under Article 6(1)(b) GDPR, “[i]t is important to determine the exact rationale of the contract, i.e.
its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance”¹⁶⁹. As the EDPB has previously stated, regard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject¹⁷⁰.

163 Meta IE Article 65 Submissions, paragraph 61.

164 Meta IE Article 65 Submissions, paragraphs 67-72.

165 Heinz Huber v Bundesrepublik Deutschland (Case C‑524/06, judgement delivered on 18 December 2008, ECLI:EU:C:2008:724) (hereinafter, “C-524/06 Huber”), paragraph 52.

166 Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ (Case C‑13/16, judgement delivered on 4 May 2017, ECLI:EU:C:2017:336) (hereinafter, “C-13/16 Rīgas”), paragraph 30.

167 The Working Party 29 - a predecessor of the EDPB - was established under Article 29 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, “Directive 95/46/EC”) and had a role, inter alia, to contribute to uniform application of national measures adopted under the Directive. Many of substantive principles and provisions of the GDPR already existed in the Directive 95/46/EC, thus WP29 guidance in this respect is relevant for the interpretation of the GDPR.

168 WP29 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217, adopted on 9 April 2014 (hereinafter, “WP29 Opinion 06/2014 on the notion of legitimate interests”), p. 16.

169 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 17.

170 EDPB Guidelines 2/2019, paragraph 30.

90.
Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract. In this context, the EDPB recalls that children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data¹⁷².

91. Regarding the objective and purpose of the specific contract, Meta IE claimed that, when the Business Account was created, it was built around the notion of a “traditional” business and was aimed to allow the Instagram community to communicate with the business through a contact channel outside of Instagram. The IE SA found that “the business account feature, on the basis that this social media tool allows users to ‘create, find, join, and share in experiences’ with other people (as described in the Terms of Use), and forms a central part of the Instagram service as offered”¹⁷⁴.

92. While the EDPB agrees that processing may be objectively necessary for the performance of a contract even if not specifically mentioned in the contract, it should be possible for an ordinary user to identify the “fundamental and mutually understood” contractual purpose based on the information presented by the controller¹⁷⁶.

93. Considering the high-level information provided to child users regarding the Instagram service in the Terms of Use¹⁷⁷ and that no specific information about the Business Account feature was provided to the child users¹⁷⁸, the EDPB considers that the publication of the contact details on their profiles could have not been reasonably expected by such child users in the context of their use of Instagram, including the business account feature.
Further, the EDPB does not agree that the contact information processing, in respect of the child users, could be considered as “integral” or “central” to the Instagram service, including the business account feature. Moreover, as correctly noted by the IE SA, it is possible to operate a professional profile without also publishing contact information¹⁷⁹.

94. Furthermore, the EDPB recalls that the assessment of what is necessary involves a combined, fact-based assessment of the processing for the objective pursued. If there are realistic, less intrusive alternatives, the processing is not necessary¹⁸⁰. In this respect, the principle of proportionality should also be taken into account¹⁸¹.

95. The EDPB observes that, if the publication of the contact details was indeed intended for traditional businesses only as Meta IE claims, it was technically possible to distinguish them from the child users

171 EDPB Guidelines 2/2019, paragraph 32.

172 Recital 38, GDPR: “Such specific protection should, in particular, apply to [...] the collection of personal data with regard to children when using services offered directly to a child”.

173 Meta IE Article 65 Submissions, paragraph 61.

174 Draft Decision, paragraph 115.

175 EDPB Guidelines 2/2019, paragraph 27.

176 EDPB Guidelines 2/2019, paragraph 33.

177 As identified by the IE SA, the relevant aspect of the service (Section 1, Instagram Terms of Use, version of 19 April 2018) was presented as follows: “personalized opportunities to create, connect, communicate, discover, and share”, see Draft Decision, paragraph 114.

178 Draft Decision, paragraph 115.

179 Draft Decision, paragraph 353.

180 EDPB Guidelines 2/2019, paragraph 25.

181 Volker und Markus Schecke and Eifert (Cases C-92/09 and C-93/09, judgement delivered on 9 November 2010, EU:C:2010:662) (hereinafter, “C-92/09 and C-93/09 Schecke and Eifert”), paragraph 86.

during the registration process based on age information.
It would have therefore been possible to avoid publishing child users’ contact information, even while maintaining the contact button option for “traditional” businesses.

96. The EDPB further considers that in the present case the analysis of necessity should be supported by the above-mentioned analysis of the existence of less intrusive means. However, the IE SA did not analyse in the Draft Decision whether other less intrusive means were available to effectively achieve the objective pursued. In this regard, the existing possibility to contact users directly through direct messaging within the platform should have been taken into consideration. In fact, it is clear from the Draft Decision that Meta IE was aware that certain business account users preferred to communicate with their audience through direct messaging on Instagram, rather than by e-mail or phone¹⁸³. The Draft Decision clearly stated that “[Meta IE] acknowledges that publication of phone and email contact information was not always preferred from the perspective of business account users” because, according to Meta IE “[s]ome businesses also noted that they preferred [...] to communicate with their audience or customers through direct messaging on Instagram rather than traditional means (like phone or email)”. Despite this, the IE SA failed to take account of such circumstances in its assessment of the necessity requirements and erred in its conclusion that the contact information processing was necessary for the performance of the contract in the present case.

97. The EDPB recalls that within the “contact information processing” there was also a processing operation (occurring for a specific timeframe) consisting in the publication in plain text of the contact information in the HTML source code on the Instagram website.
Meta IE highlighted that “business contact information appeared in the HTML source code for Business Accounts for the purpose of providing a “Contact” button on the Web version of Instagram” since “in order for a web browser to render the relevant Instagram Web page, the browser must ‘speak’ to an Instagram Web server”¹⁸⁵. The IE SA found an infringement (not disputed by the objections raised) of the principle of data minimisation limited to this “mandatory publication (prior to 7 March 2019) of contact information on the website version of Instagram (in HTML) for all business account users”, since this “had the result that the personal data at issue (i.e. contact information of child users on webpages) was not limited to what was necessary in relation to the purposes for which [Meta IE] processed this specific information”. As noted by the IE SA, the HTML publication of contact information was not considered necessary by Facebook’s Security Team and was subsequently discontinued¹⁸⁷. The EDPB considers that the analysis of the principle of data minimisation (Article 5(1)(c) GDPR) is relevant for

182 Draft Decision, paragraph 435.

183 Draft Decision, paragraph 210.

184 Draft Decision, paragraphs 210 and 238.

185 Meta IE Article 65 Submissions, paragraph 69.

186 Draft Decision, paragraph 429. As further specified in the Draft Decision, finding 7 covers the period from 25 May 2018 to November 2020, but does not include the period between July 2019 to August 2020, see Draft Decision, paragraph 525.

187 Draft Decision, paragraph 428: “In particular, when abandoning the HTML publication of contact information in March 2019, a representative with the Facebook Security Team informed Mr Stier ‘After discussing this functionality with the Instagram team we did take steps to remove the contact information from the HTML of the page, since it was not necessary to include in its current form’.
As such, [Meta IE]’s submission that this HTML processing was necessary is directly contradicted by the actions and words of the Facebook Security Team. FB-I states that this processing was necessary to provide business accounts to child users, who would otherwise be impeded in promoting their professional activities on Instagram; whereas the Facebook Security Team stated expressly that this processing was not necessary, and stopped this practice immediately when it was brought to its attention.”

the necessity assessment on the basis of Article 6(1)(b) GDPR. Consequently, the EDPB further finds that such analysis should have complemented the LSA’s assessment on the necessity of the processing for the performance of the contract, with specific regard to the publication of the contact information in the HTML source code on the Instagram website. The EDPB considers that the IE SA could not have concluded that the publication of the contact information of child users in the HTML source code may be regarded as necessary for the performance of the contract between Meta IE and child users.

98. Also, the EDPB takes note of the findings in the Draft Decision that the contact information processing could pose severe risks to the rights and freedoms of child users. The existence of such risks could have also been considered in the assessment as to whether the processing of the child users’ contact information was necessary for the contract.

99. Considering the above¹⁹⁰ and in light of the specific circumstances of the processing, the EDPB finds that the IE SA could not have concluded in paragraph 115 of the Draft Decision that the contact information processing may be regarded as necessary for the performance of a contract between Meta IE and child users.

100. As a consequence, the EDPB finds that Meta IE could not have relied on Article 6(1)(b) GDPR as a legal basis for the contact information processing.

5.4.2.2. Regarding Article 6(1)(f) GDPR

101.
The EDPB recalls that personal data can be processed on the basis of Article 6(1)(f) GDPR when the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, inasmuch as those interests are not overridden by the interests or fundamental rights and freedoms of the data subjects concerned. In this regard, particular attention should be paid when the data subject is a child¹⁹¹.

102. The EDPB recalls¹⁹² that Article 6(1)(f) GDPR is one of the legal grounds that controllers can rely on for the processing of personal data, as long as the conditions for relying on it are fulfilled¹⁹³.

103. As the CJEU has confirmed, Article 6(1)(f) GDPR establishes three cumulative conditions, in order for the processing to be lawful: “first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of [the data subject] do not take precedence”¹⁹⁴.

a. Existence of a legitimate interest

104. The EDPB recalls that a legitimate interest can have a legal, economic or non-material nature but needs to be real and present, and not fictitious, for the entity in question: as clarified by the CJEU case law, the legitimate interest must be present and effective at the date of the data processing

188 EDPB Guidelines 2/2019, paragraph 15.

189 As set out in Part G.2 of the Draft Decision.

190 Paragraphs 80-98 of this Binding Decision.

191 Art. 6(1)(f) and Recital 38, GDPR.

192 EDPB Guidelines 8/2020 on the targeting of social media users, version 2.0, adopted on 13 April 2021, paragraph 48.

193 See, as well, WP29 Opinion 06/2014 on the notion of legitimate interests, p. 10-11.

194 C-13/16 Rīgas, paragraph 28.

195 EDPB Guidelines 3/2019 on processing of personal data through video devices, version 2.0,
adopted on 29 January 2020 (hereinafter, “EDPB Guidelines 3/2019 on video devices”), paragraphs 18 and 20.

and must not be hypothetical at that date. The EDPB moreover considers that the interest pursued must be determined in a sufficiently clear and precise manner: the determination and perimeter of the legitimate interest pursued must be clearly identified in order to ensure that it will be properly balanced against the interests or fundamental rights and freedoms of the data subject. In addition, the legitimate interest must also be lawful (i.e., acceptable under the law). As a general rule, those interests which can be traced back to the law – a legislative measure or a legal principle – can amount to “legitimate” interest.

105. As a preliminary matter, the EDPB notes that the DE SAs considered that a legitimate interest cannot exist when the controller relies on it only in case that Article 6(1)(b) GDPR is not applicable to minors on the basis of national law. In the view of the DE SAs, accepting reliance on Article 6(1)(f) GDPR in this situation would be a “circumvention of the corresponding child protection provisions” and “contradicts the purpose of these provisions”. In this respect, the EDPB recalls that, as stated by the WP29, “[a]n appropriate assessment of the balance under [Article 6(1)(f)] (...) may in some cases be a valid alternative to inappropriate use of, for instance, the ground of ‘consent’ or ‘necessary for the performance of a contract’. Considered in this way, [Article 6(1)(f)] presents complementary safeguards compared to the other pre-determined grounds”. Therefore, it does not seem impossible for a controller to rely on Article 6(1)(f) GDPR if, given the specific circumstances of the processing, the requirements enshrined in the GDPR are met.
In order to determine whether processing of personal data may rely on Article 6(1)(f) GDPR, data controllers must assess in detail whether the cumulative conditions aforementioned can be met so that the processing of personal data is lawful.

106. In the Draft Decision, the IE SA considered that the legitimate interests pursued are those of Meta IE and other Instagram users, “insofar that publication of contact details to the public may be a reasonable and lawful mode by which to promote a professional undertaking or other public initiative”[200]. The IE SA did not specify if it referred to all Instagram users or to a specific type of users. Considering the submissions of the controller, to which the Draft Decision referred in paragraph 109, it appears that the IE SA followed the former interpretation (i.e., looking at the interests of all Instagram users).

107. In its submission, Meta IE stated that “the display of business contact information served [Meta IE]’s legitimate interest of creating, providing, supporting, and maintaining innovative products and features that enable people under the age of majority to express themselves, communicate, and engage with information and communities relevant to their interests and build community. The display of business contact information on a Business Account also served the legitimate interest of other Instagram users who sought to engage with such an account”[201]. Therefore, in accordance with Meta IE’s submission, the legitimate interests pursued are connected to the fundamental right to conduct a business and the fundamental right to freedom of expression of Instagram users[202]. The IE SA seemed to agree with such interpretation[203], although the IE SA did not specify how it came to such conclusion.

[196] TK v Asociaţia de Proprietari bloc M5A-ScaraA (Case C-708/18, judgement delivered on 11 December 2019, ECLI:EU:C:2019:1064), paragraph 44.
[197] See, in this respect, WP29 Opinion 06/2014 on the notion of legitimate interests, p. 25.
[198] DE SAs objection, p. 5.
[199] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 10 and 49.
[200] Draft Decision, paragraph 118.
[201] Meta IE Article 65 Submissions, paragraph 77.
[202] Meta IE Article 65 Submissions, Appendix 5, section 2.a.
[203] Draft Decision, paragraph 121.

108. The NL SA and the FI SA argued in their objections that the IE SA did not sufficiently assess whether the interests as formulated by Meta IE are sufficiently clear, precise, lawful (i.e., acceptable under the law) and of real existence[204].

109. As described above, Meta IE described the different interests that it pursued with the processing of personal data at stake. More specifically, Meta IE pursued:
- the legitimate interest of the controller of “creating, providing, supporting, and maintaining innovative products and features that enable people under the age of majority to express themselves, communicate, and engage with information and communities relevant to their interests and build community”, and
- the legitimate interest of a third party (i.e., other Instagram users) to be able to engage with Business Account owners.

110. As stated above, the legitimate interest pursued by the controller must be sufficiently clearly articulated and be real and present, corresponding to current activities or to benefits that are expected in the near future[205]. The aforementioned interests the controller claimed to be pursuing via the processing activities at stake were identified and described in a vague fashion. This is especially the case for the second interest mentioned. Therefore, the EDPB has doubts that the legitimate interest argued by Meta IE meets the requirements of being sufficiently specific, despite Meta IE’s allegations on the contrary[206]. Therefore, due to the lack of specificity, the EDPB cannot assess whether the interests argued are real and lawful (i.e., acceptable under the law).
The EDPB also considers that the evaluation of the existence of the legitimate interest(s) pursued should have been more substantiated in the Draft Decision.

111. In any case, the existence of a legitimate interest is only one of the three cumulative conditions that must be met in order to lawfully rely on Article 6(1)(f) GDPR. The EDPB analyses below the two other conditions having regard to the alleged legitimate interests, as described and identified by the controller, in case they were to be considered sufficiently clear, precise, real and lawful (i.e., acceptable under the law).

b. The necessity of the processing for the purposes of the legitimate interests

112. As stated above, the concept of necessity has an independent meaning in Union law, which must reflect the objectives of data protection law[207]. The assessment of what is necessary involves a combined, fact-based assessment of the processing for the objective pursued. If there are realistic, less intrusive alternatives, the processing cannot be considered as necessary[208].

113. With regard to Article 6(1)(f) GDPR, the necessity of the processing requires a connection between the processing and the legitimate interest(s) pursued and should not lead to an unduly broad interpretation thereof[209]. In this context, the EDPB recalls that the principle of data minimisation is relevant[210]. The EDPB notes that the IE SA found an infringement of the principle of data minimisation limited to “the mandatory publication (prior to 7 March 2019) of contact information on the website version of Instagram (in HTML) for all business account users”, since it “had the result that the personal data at issue (i.e. contact information of child users on webpages) was not limited to what was necessary in relation to the purposes for which [Meta IE] processed this specific information”[211]. The EDPB considers that such analysis should have complemented the assessment on the necessity of the processing, with specific regard to the HTML publication processing operation, as stated above.

[204] NL SA objection, paragraph 28; FI SA objection, paragraph 14.
[205] See also WP29 Opinion 06/2014 on the notion of legitimate interests, p. 24.
[206] Meta IE Article 65 Submissions, paragraph 77.
[207] C-524/06 Huber, paragraph 52.
[208] EDPB Guidelines 2/2019, paragraph 25; Also C-92/09 and C-93/09 Schecke and Eifert, paragraph 86. The EDPB considers that the existence of other less intrusive means as part of the assessment of necessity is in line with the CJEU case law and the GDPR, inasmuch as such assessment takes account of the possibility to effectively achieve the objectives via other means. In this respect, there is no contradiction between the objections (and the EDPB’s position) and the Court of Justice judgement in C-524/06 Huber, contrary to what Meta IE argued (Meta IE Article 65 Submissions, paragraphs 78-79).

114. In addition, it is relevant to highlight also in this context that when assessing the necessity of a given processing operation, the existence of less intrusive means that would contribute effectively to achieving the interests pursued should be analysed. In this respect, the principle of proportionality should also be taken into account[212]. However, the IE SA did not analyse in the Draft Decision whether other less intrusive means were available to effectively achieve the objectives pursued. In this regard, the existing possibility to contact business account users directly through direct messaging within the platform should have been taken into consideration. In fact, it is clear from the Draft Decision that Meta IE was aware, prior to 4 September 2019, that certain business account users preferred to communicate with their audience through direct messaging on Instagram, rather than by e-mail or phone[213].
The IE SA clearly stated that “[Meta IE] acknowledges that publication of phone and email contact information was not always preferred from the perspective of business account users” because, according to Meta IE “[s]ome businesses also noted that they preferred [...] to communicate with their audience or customers through direct messaging on Instagram rather than traditional means (like phone or email)”[214]. The IE SA also considered that “it is possible to operate a professional profile without also publishing contact information”[215]. Despite this, the IE SA failed to take account of such circumstances for the assessment of the necessity of the contact information processing.

115. Finally, the EDPB notes that the IE SA considered that, in some circumstances, the publication of the contact details of minors may have been necessary in some cases, in particular with respect to those business account users who wished to be publicly contactable by email or phone in connection with their professional activities[216].

116. The EDPB considers that the approach adopted by the IE SA when assessing the necessity of the processing is substantially erroneous. As stated above, reliance on Article 6(1)(f) GDPR requires that the processing be necessary to achieve the legitimate interests pursued, which, in this case, Meta IE considers to be the interest to conduct its business and the interest of Instagram users to contact business account owners and engage with them[217]. The benefits that such processing may bring to the data subject (i.e., in this case, the child business account owners) are not a relevant element for the assessment of necessity of the processing. Article 6(1)(f) GDPR is clear when it states that the legitimate interests are those of the controller or of a third party (and not those of the data subject). Therefore, when assessing the necessity of the processing, the legitimate interests at stake have to be considered with regard to the controller and, if relevant, the third parties concerned (i.e., Meta IE and all Instagram users, in this case).

[209] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 29.
[210] EDPB Guidelines 3/2019 on video devices, paragraph 29.
[211] Draft Decision, paragraph 429.
[212] C-92/09 and C-93/09 Schecke and Eifert, paragraph 86.
[213] Draft Decision, paragraph 210.
[214] Draft Decision, paragraphs 210 and 238.
[215] Draft Decision, paragraph 353.
[216] Draft Decision, paragraph 119.
[217] See paragraph 109 of this Binding Decision.

117. Due to the approach adopted by the IE SA, it failed to justify in the Draft Decision why it considered the publication of contact details necessary for the attainment of the purposes of legitimate interests of Meta IE and other Instagram users. In fact, it is apparent from the Draft Decision that Instagram users had other means of communication with business account users that did not significantly diminish the possibility of engaging with those accounts. The availability of other means of communication with business account users is also shown by the fact that certain business account users even preferred to communicate with their audience via direct messaging within the platform and did not want their information to be public. As the IE SA acknowledged “[i]t is also clear that many business account users did not require the publication of personal contact information in order to pursue their professional purposes on Instagram”[218] and that “the requirement to publish contact information was clearly not ‘appropriate’ as of May 2018”[219]. This proves with significant certainty that Instagram users could have achieved the alleged legitimate interest of engaging with business account owners even if their contact details were not public and, therefore, Meta IE could also achieve its alleged legitimate interest to create, provide, support and maintain innovative products that enable children to express themselves, communicate and engage with others.

118. Therefore, in the view of the EDPB, the IE SA failed to take into account the relevant legitimate interests when performing the assessment of necessity of the processing and, therefore, it should have not concluded that the processing may have been necessary in some circumstances.[220]

119. For the reasons described above, the EDPB considers that there are sufficient elements to raise significant doubts on the necessity of the publication of the contact information of child users for the purposes of the legitimate interests pursued.

120. In any case, even if the necessity of the processing could be established under some circumstances, in order to lawfully rely on Article 6(1)(f) GDPR as a legal basis for the processing, there is a need to ensure that the interests and fundamental rights and freedoms of the data subjects do not override the legitimate interests pursued.

c. The balancing exercise

121. When a controller intends to rely on Article 6(1)(f) GDPR, it has to evaluate the risks of intrusion on the data subject’s rights. In this respect, the decisive criterion is the intensity of the intervention for the rights and freedoms of the individual[221]. The EDPB has previously stated that intensity can inter alia be defined by the type of information that is gathered, the scope, the number of data subjects concerned, the situation in question, the actual interests of the group of data subjects, the existence of alternative means, as well as by the nature and scope of the data assessment[222]. The reasonable expectations of the data subject at the time and in the context of the processing shall also be considered[223]. In this regard, the EDPB recalls that the age of the data subject may be one of the factors to take into account in the context of the balancing of interests[224].

[218] Draft Decision, paragraph 429.
[219] Draft Decision, paragraph 433.
[220] See Draft Decision, paragraph 119.
[221] EDPB Guidelines 3/2019 on video devices, paragraph 32.
[222] EDPB Guidelines 3/2019 on video devices, paragraph 33.
[223] EDPB Guidelines 3/2019 on video devices, paragraph 36.
[224] Case C-13/16 Rīgas, paragraph 33; and WP29 Opinion 06/2014 on the notion of legitimate interests, p. 40.

122. The objective of the balancing of interests is to understand the impact of the processing on the data subjects, in order to properly conclude whether their interests or fundamental rights and freedoms override the legitimate interests of the controller. The purpose is not to prevent any negative impact on the data subject, but to prevent a disproportionate impact[225]. Such impact encompasses the different ways in which an individual may be affected - positively or negatively - by the processing, and should address any possible (potential or actual) positive and negative consequences of such processing[226]. These consequences may include potential or future decisions or actions by third parties or fear and distress that the data subject may experience when losing control over personal information, for example through exposure on the internet[227]. The key elements to assess the impact are the likelihood that the risk materialises, on one hand, and the severity of the consequences on the other one[228]. The EDPB underlines that safeguards play a special role in reducing any undue impact on the data subject. In order to ensure that the interests and fundamental rights and freedoms of data subjects do not override the legitimate interests pursued, the safeguards in question must be adequate and sufficient, and must unquestionably and significantly reduce the impact on data subjects.[229]

123. The assessment should also take into account the measures that the controller plans to adopt in order to comply with its obligations, including in terms of proportionality and transparency[230]. The relationship between the balancing test, transparency and the accountability principle has already been underlined by the WP29, which considered it “crucial” in the context of Article 6(1)(f) GDPR[231].
In this regard, the EDPB recalls that, if the controller hides important information to the data subject, it will not fulfil the requirements of reasonable expectations of the data subject and an overall acceptable balance of interests[232].

124. In the Draft Decision, the IE SA disagreed with Meta IE’s analysis of the adequacy of the information provided to child users and the security and safety measures implemented, which, in the view of the IE SA, did not mitigate all relevant risks for child users[233]. In fact, the insufficiency of the measures led the IE SA to conclude that “there are possible and severe risks associated with the two forms of processing which are the subject of this Inquiry; these risks are primarily related to possible communication between child users and dangerous individuals, both on and off the Instagram platform (...). I am also satisfied that the measures and safeguards implemented by [Meta IE] (in the form of account options, tools and information) were not adequate with regard to the specific processing operations at issue” since they “did not adequately mitigate the risk of communication between dangerous individuals and child users. Accordingly, I do not share [Meta IE]’s view that the processing at issue did not result in high risks to the rights and freedoms of child users”[234]. The IE SA also considered that the changes to the processing in July and September 2019 “reduced but did not adequately mitigate the risks for child users in connection with the processing”[235]. Meta IE argued that neither the CSAs nor the IE SA gave “due weight to the other half of the balancing test to mitigate and/or negate” the risks to the data subjects[236]. Therefore, the EDPB disagrees with the view of Meta IE and considers that the IE SA on the assessment of the risk is accurate. The EDPB also underlines that it is possible to accommodate the objective of effectively reducing the risk for children while ensuring their right to freedom of expression, by implementing appropriate safeguards and measures[237].

[225] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 41.
[226] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 37.
[227] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 37.
[228] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 38.
[229] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 31.
[230] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 33 and 41.
[231] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 43.
[232] See WP29 Opinion 06/2014 on the notion of legitimate interests, p. 44.
[233] Draft Decision, paragraph 120.
[234] Draft Decision, paragraph 356.
[235] Draft Decision, paragraph 389.

125. The IE SA also addressed the lack of transparency regarding the information on the publication of the contact details. In this respect, the IE SA stated in the Draft Decision that “[Meta IE] facilitated the publication of phone and email contact information for children as young as 13, using a streamlined account switching process which automatically completed certain information for the user, without warning child users that publication of their personal contact information may result in high risks to their rights and freedoms”[238]. Therefore, taking into account both the assessment of the risk and the mitigating measures, as well as the lack of information provided, the IE SA concluded that “the contact information processing by [Meta IE] (both before September 2019, and after) results in high risks to the rights and freedoms of child users, for the purposes of Article 35(1) GDPR”[239].

126. As mentioned above, the transparency of the information provided has an impact on the reasonable expectations of the data subjects. Likewise, adequate and sufficient additional safeguards are those that unquestionably and significantly reduce the impact on data subjects. These are important elements to take into account in the assessment of the balancing of interests.
However, despite acknowledging the lack of proper measures and information, and the severe risks that this creates for child users, when analysing the balancing exercise to verify whether Meta IE could rely on Article 6(1)(f) GDPR the IE SA only concluded that, in some circumstances, it is possible that the legitimate interests would not be overridden by the interests or fundamental rights and freedoms of the child user[240]. In addition, despite the lack of proper information, the IE SA concluded that technically literate users may have expected the publication, regardless of their age[241]. The EDPB finds particularly problematic that, despite the risks of the processing, recognised by Meta IE itself[242], the publication of contact details of child users was mandatory until 4 September 2019. In fact, child users were not even informed of such publication, since the Option Screen only stated that “these contact options will be linked to your business profile”[243]. Even though the screen included a note at the end stating that “people will be able to email, call and get directions to your business [...]”, it did not specify that it was because of the publication of the information. In the view of the EDPB, it is not reasonable to expect that a normal user, let alone a child, even if technically literate, could deduce from such a vague statement that publication of their information would take place and that it would allow any type of person (including persons with whom they had had no contact or link) to contact them directly. In fact, as the IE SA noted, the term “will be able” may have been understood by the child users as a conditional indication that an additional contact-publication feature could be implemented optionally by the user.[244]

[236] Meta IE Article 65 Submissions, paragraph 10.
[237] See Draft Decision, paragraph 353.
[238] Draft Decision, paragraph 389 (emphasis added).
[239] Draft Decision, paragraph 389 (emphasis added).
[240] Draft Decision, paragraph 123.
In particular, the IE SA referred to situations “where the processing occurred in the context of well-considered professional activities”.
[241] Draft Decision, paragraph 122.
[242] Draft Decision, paragraph 381; Meta IE Article 65 Submissions, Appendix 5, sections 4.2.a and 4.2.b.
[243] Draft Decision, paragraph 42, Figure 1.
[244] Draft Decision, paragraphs 184 and 185.

127. Taking the above into consideration, the EDPB is of the view that the IE SA did not properly assess the impact of the processing when performing the balancing exercise. In fact, the IE SA only took into account the positive consequences of the processing[245], whereas it failed to give proper weight to all the other relevant elements and the risks it had itself identified.

128. Therefore, the EDPB considers that, regarding the publication of the contact information of child users prior to 4 September 2019, the legitimate interests pursued were overridden by the interests and fundamental rights and freedoms of child users. The EDPB comes to this conclusion given the severe risks identified by the IE SA, the lack of appropriate measures to address those risks, the lack of proper information to data subjects regarding publication and its consequences and the impossibility to opt-out from the publication. All these elements combined tip the balance in favour of the interests and fundamental rights and freedoms of the data subjects.

129. With regard to the processing of personal data of child users after 4 September 2019, the EDPB notes that the Option Screen stated that the contact information would be displayed publicly in the profile of the users “so people can contact you”[246]. This change in the wording could have allowed child users to understand that any person could contact them as their details would be publicly available[247]. In addition, child users were given the option to opt-out from the publication of their contact details.
The availability of a well-designed opt-out option without the need for any justification to exercise it and the relationship between the balancing test and transparency are crucial for the balancing exercise under Article 6(1)(f) GDPR. In fact, in those cases in which the balance is difficult to strike, a well-designed and workable mechanism for opt-out could play an important role in safeguarding the rights and interests of the data subjects[248]. In this regard, it is relevant to bear in mind the finding of the IE SA in the Draft Decision that the information provided to child users by Meta IE after 4 September 2019 in the course of the business account switching process was in compliance with Articles 12(1), 13(1)(c) and 13(1)(e) GDPR (Finding 3 in the Draft Decision).[249]

130. This being said, the EDPB finds that these elements are not sufficient to change the outcome of the balancing test in light of the aforementioned considerations. This is especially the case because of the high risk resulting from the publication of contact details as explained above in paragraph 124 and of the fact that children were not warned about such risks. These circumstances were not affected by the changes brought as of 4 September 2019 and thus these changes were not sufficient to change the outcome of the balancing test.

131. On the basis of the above, the publication of the contact information of child users prior to and after 4 September 2019 did not meet the requirements under Article 6(1)(f) GDPR, since the interests and fundamental rights and freedoms of the data subjects overrode the alleged legitimate interests pursued.

132. Considering the EDPB’s conclusion in paragraphs 118-119 and, especially, 131 above, it is the view of the EDPB that Meta IE could not rely on Article 6(1)(f) GDPR for the contact information processing since the processing was either unnecessary or, if it were to be considered necessary, it did not pass the balancing test.
[245] See Draft Decision paragraph 121, where the IE SA assessed the potential negative consequences if the processing didn’t take place.
[246] Draft Decision, paragraph 42, Figure 2.
[247] See also Draft Decision, paragraph 206.
[248] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 45.
[249] Draft Decision, paragraph 206.

5.4.2.3. Conclusion regarding the lack of legal basis

133. Considering the conclusions in paragraphs 100 and 132 of this Binding Decision, i.e. that Meta IE could rely neither on Article 6(1)(b) GDPR, nor on Article 6(1)(f) GDPR for the contact information processing, and bearing in mind that Meta IE relied on these two legal bases alternatively for the processing at stake[250], the EDPB finds that Meta IE processed the personal data unlawfully[251]. As a consequence, to that extent Meta IE infringed Article 6(1) GDPR. Accordingly, the EDPB instructs the IE SA to change its Draft Decision in order to establish the relevant infringement.

134. Considering the nature and gravity of the infringement, as well as the number of data subjects affected, the EDPB further instructs the IE SA to re-assess its envisaged action in accordance with the conclusions reached by the EDPB in order to consider the additional infringement of Article 6(1) GDPR. In this respect, the additional infringement of Article 6(1) GDPR shall be considered in the compliance order, to the extent that the processing is ongoing, in order to ensure that full effect is given to Meta IE’s obligations under Article 6(1) GDPR.

135. With regard to the imposition of an administrative fine for the infringement of Article 6(1) GDPR, the EDPB refers to section 7.4.2.4 of this Binding Decision for its assessment.

6 ON POTENTIAL FURTHER (OR ALTERNATIVE) INFRINGEMENTS IDENTIFIED BY THE CSAs

6.1. On potential infringements of Article 6(1)(a), Article 7 and Article 8(1) GDPR regarding contact information processing

6.1.1. Analysis by the LSA in the Draft Decision

136. In its inquiry and the Draft Decision, with regard to the legal basis for the contact information processing, the IE SA solely considered whether Meta IE could rely on Articles 6(1)(b) and alternatively on 6(1)(f) GDPR as the legal bases[252] (as summarized above in paragraphs 25-31 of this Binding Decision).

6.1.2. Summary of the objection raised by the CSAs

137. The DE SAs raised an objection whereby the only applicable legal basis for the contact information processing is consent under Article 6(1)(a) GDPR. According to the DE SAs, Meta IE should have additionally obtained parental consent for minor users under 16 years of age, unless the national legislator has regulated this differently[253]. The DE SAs also objected to the LSA having not found an infringement of Articles 7 and 8(1) GDPR regarding contact information processing as a consequence of the infringement of Article 6(1)(a) GDPR. In the view of the DE SAs, Meta IE should have complied with the requirements for consent under Article 7 GDPR and the conditions applicable to a child’s consent under Article 8(1) GDPR. However, Meta IE had neither fulfilled the conditions under Article 7 GDPR, nor obtained parental consent with regard to children below the age of 16 years as required under Article 8 GDPR[254]. The DE SAs also requested the LSA to take specific additional corrective measures as a consequence of the possible infringements[255].

[250] Draft Decision, paragraphs 105 and 108; Meta IE Article 65 Submissions, Appendix 6 (Meta IE Response to Request for Information), paragraphs 17-19.
[251] Art. 6(1) GDPR: “Processing shall be lawful only if and to the extent that at least one of the following applies: [...]”.
[252] Draft Decision, paragraphs 100-125.
[253] DE SAs objection, p. 8-9.

6.1.3. Position of the LSA on the objections

138. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned[256].

6.1.4. Analysis of the EDPB

139. The EDPB observes that in the Draft Decision the IE SA analysed if Meta IE could rely on Article 6(1)(b) and alternatively on Article 6(1)(f) GDPR for the contact information processing. The EDPB notes that the CSAs can raise a relevant and reasoned objection on additional infringements in relation to the conclusions to be drawn from the findings of the investigation[257], or on whether the LSA has sufficiently investigated the relevant infringements of the GDPR[258]. The DE SAs’ objection requests the LSA to find infringements of Article 6(1)(a) GDPR and, consequently, of Article 7 and Article 8(1) GDPR. In this regard, the potential infringements of Article 7 and Article 8(1) GDPR is a consequence of the potential infringement of Article 6(1)(a) GDPR. However, the EDPB firstly considers that the objection regarding the infringement of Article 6(1)(a) GDPR fails to establish a direct connection with the specific legal and factual content of the Draft Decision, thus lacking relevance. As the EDPB finds that the DE SAs objection, insofar it concerns Meta IE’s compliance with Article 6(1)(a) GDPR, is not relevant, this also affects the relevance of the DE SAs objection, insofar it concerns Meta IE’s compliance with Article 7 and Article 8(1) GDPR. Consequently, the EDPB finds that the DE SAs objection on the potential infringements of Article 6(1)(a), Article 7 and Article 8(1) GDPR are not “relevant”.

140. The EDPB further observes that it remains unclear from the DE SAs objection if in the present case the infringements of Article 7 and Article 8(1) GDPR can be established on the basis of the findings in the Draft Decision or the LSA’s inquiry.
Moreover, the EDPB finds that the DE SAs objection in relation to Article 7 and Article 8(1) GDPR does not provide sufficiently precise and detailed legal reasoning regarding infringement of each specific provision in question. In addition, the objection does not put forward sufficient arguments to demonstrate the significance of the risk posed by the Draft Decision for the rights and freedoms of the data subjects or the free flow of data within the EU. Therefore, the objection is also not sufficiently “reasoned” in light of the Guidelines on RRO[259].

141. Considering the above, the EDPB finds that the DE SAs objection, insofar it concerns Article 6(1)(a), Article 7 and Article 8(1) GDPR does not meet the threshold of Article 4(24) GDPR. With regard to the potential infringement of Article 6(1)(a) GDPR, the DE SAs objection is not “relevant” and, regarding Article 7 and Article 8(1) GDPR, the DE SAs objection is neither “relevant”, nor “reasoned”. Consequently, there is no need for the EDPB to further analyse the merits of this objection.

[254] DE SAs objection, p. 8-10.
[255] DE SAs objection, p. 10.
[256] Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
[257] EDPB Guidelines on Article 65(1)(a), paragraphs 73-76; EDPB Guidelines on RRO, paragraphs 26-28.
[258] EDPB Guidelines on Article 65(1)(a), paragraphs 77-81.
[259] EDPB Guidelines on RRO, paragraphs 19 and 25 and 35-48.

6.2. On potential infringements of Article 5(1)(a) and Article 5(1)(b) GDPR regarding contact information processing

6.2.1. Analysis by the LSA in the Draft Decision

142. In its Draft Decision, the IE SA considered whether Meta IE could rely on Article 6(1)(b) GDPR or alternatively on Article 6(1)(f) GDPR for the contact information processing[260] (as summarized above in paragraphs 25-31 of this Binding Decision).

6.2.2. Summary of the objection raised by the CSAs

143. The DE SAs objected to the IE SA not finding that an infringement of Articles 5(1)(a) and (b) GDPR occurred.
In the view of the DE SAs, the IE SA should have found an infringement of Articles 5(1)(a) and (b) GDPR stemming from Meta IE’s lack of legal basis for the processing [261].
144. The DE SAs considered that as a consequence of Meta IE not validly relying on any of the legal bases of Article 6(1) GDPR, Meta IE violated the principle of lawfulness under Article 5(1)(a) GDPR. Moreover, by disregarding the special requirements for consent under Article 7 and Article 8(1) GDPR as proposed by the DE SAs (see section 6.1 of this Binding Decision), Meta IE processed personal data in an unlawful manner that breached Article 5(1)(a) GDPR [262].
145. In the context of Article 5(1)(b) GDPR, the DE SAs argued that the lack of legal basis for processing undermined the principle of purpose limitation. The DE SAs argued that Meta IE did not define specific purposes of processing for all groups of children, but rather expressed the performance of a contract as a common purpose for all processing. As the purpose of processing was the performance of a contract, Meta IE could not simultaneously claim that the purpose for certain groups of minors was legitimate interest as this would have been against the controller’s duty to collect personal data for specified, explicit and legitimate purposes [263].
6.2.3. Position of the LSA on the objections
146. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned [264].
6.2.4. Analysis of the EDPB
147. The EDPB observes that in the Draft Decision the LSA analysed if Meta IE could rely on Article 6(1)(b) and alternatively on Article 6(1)(f) GDPR for the contact information processing. As noted above, the CSAs can raise a relevant and reasoned objection on additional infringements in relation to the conclusions to be drawn from the findings of the investigation [265], or on whether the LSA has sufficiently investigated the relevant infringements of the GDPR [266].
However, the EDPB considers that in this specific case the DE SAs objection insofar as it requests the IE SA to find the infringements of Article 5(1)(a) and Article 5(1)(b) GDPR fails to establish a direct connection with the specific legal and factual content of the Draft Decision. Therefore, the EDPB finds that the DE SAs objection to the extent it concerns the potential infringements Article 5(1)(a) and Article 5(1)(b) GDPR is not “relevant”.
[260] Draft Decision, paragraphs 100-125.
[261] DE SAs objection, p. 10. The EDPB observes that, although on page 2 of their objection the DE SAs referred to Art. 5(1)(a) and 5(1)(c), on page 10 of their objection the DE SAs referred to Art. 5(1)(a) and 5(1)(b), thus the EDPB has considered that the DE SAs raised an objection with regard to Art. 5(1)(a) and 5(1)(b) GDPR.
[262] DE SAs objection, p. 9.
[263] DE SAs objection, p. 9.
[264] Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
[265] EDPB Guidelines on Article 65(1)(a), paragraphs 73-76; EDPB Guidelines on RRO, paragraphs 26-28.
[266] EDPB Guidelines on Article 65(1)(a), paragraphs 77-81.
148. The EDPB further finds that the DE SAs objection does not put forward sufficiently precise and detailed legal, as well as factual reasoning in relation to infringement of each specific provision in question. In addition, the objection does not provide sufficient arguments to demonstrate the significance of the risk posed by the Draft Decision for the rights and freedoms of the data subjects or the free flow of data within the EU. Therefore, the objection is also not sufficiently “reasoned” in light of the Guidelines on RRO [267].
149. Considering the above, the EDPB finds that the DE SAs objection regarding the infringements of Article 5(1)(a) and (b) GDPR does not meet the threshold of Article 4(24) GDPR, as it is neither “relevant”, nor “reasoned”. Consequently, there is no need for the EDPB to further analyse the merits of this objection.
6.3.
On legal basis regarding public-by-default processing
6.3.1. Analysis by the LSA in the Draft Decision
150. In its Draft Decision, the IE SA considered whether the default account settings for child users by Meta IE were contrary to the GDPR, particularly Article 5(1)(c), Article 12(1), Article 24(2), Articles 25(1) and (2) GDPR. As explained by the IE SA in its Draft Decision [268], public-by-default processing refers to Instagram having a default setting which allowed the social media content of an Instagram account to be viewed by any Instagram user, or by persons who had not registered as Instagram users if the latter were accessing the web-browser version of Instagram (hereinafter, “public-by-default processing”). In contrast, if a user account was set as private, the content posted on the account could be accessed only by users approved by the account holder personally [269]. To make a user account private, the account holder had to change the default settings after registration as an Instagram user [270].
151. The IE SA identified that Meta IE had two separate purposes for processing the personal data of its Instagram users in relation to the public-by-default setting. In case of a public profile, Meta IE processed personal data for the purpose of sharing social media content with anyone, including persons who had not registered as Instagram users. In case of a private profile, the purpose of processing was to share content only with Instagram users who had been approved by the account holder [271].
152. Meta IE informed its child users of the public-by-default account settings in its 2018 and 2020 Data Policies under a section titled “Sharing on Facebook Products”, which stated that “When you share and communicate using our Products, you choose the audience for what you share”. The section further stated the following [272]:
“Public information can be seen by anyone, on or off our Products, including if they don't have an account.
This includes your Instagram username; any information you share with a public audience; information in your public profile on Facebook; and content you share on a Facebook Page, public Instagram account or any other public forum, such as Facebook Marketplace”.
[267] EDPB Guidelines on RRO, paragraphs 19 and 25, and paragraphs 35-48.
[268] The specific processing as described in the Draft Decision, paragraph 43.
[269] Draft Decision, paragraph 43.
[270] Draft Decision, paragraph 44.
[271] Draft Decision, paragraph 153.
[272] Draft Decision, paragraph 132.
153. The Data Policy contained a hyperlink to a section titled “How do I set my Instagram account to private so that only approved followers can see what I share?” included in Instagram’s support webpage. The section stated the following [273]:
“By default, anyone can see your profile and posts on Instagram. You can make your account private so that only followers you approve can see what you share. If your account is set to private, only your approved followers will see your photos or videos on hashtag or location pages.”
154. The instructions on how to switch the account from public to private were included in a section on the support webpage titled “How do I set my Instagram account to private so that only approved followers can see what I share?” and in additional informational resources created by Meta IE for its child users and their parents. In addition to the above contents, the Data Policy 2018 included another hyperlink to a support webpage titled “Controlling Your Visibility”. This webpage included information on how to switch to a private account [274].
155. With respect to the compatibility with Article 12(1) GDPR, the IE SA concluded that Meta IE infringed this provision because it did not inform the child users of Instagram of the purposes of the public-by-default processing in a clear and transparent manner [275].
156.
Assessing the public-by-default processing in the context of Article 5(1)(c) and Article 25(2) GDPR, the IE SA noted that the public-by-default processing was not necessary or proportionate for the two purposes of this processing that were identified by the IE SA. In particular, the IE SA considered that child users may have a reduced ability to change the privacy settings of their account. Moreover, the public-by-default processing was global in extent [276]. The IE SA found that Meta IE had failed to implement technical and organisational measures to ensure that, by default, only personal data that was necessary for the relevant purpose of processing was collected. Particularly considering that the child users’ accounts were by default made visible to an indefinite number of natural persons, the IE SA found that the processing had infringed Article 5(1)(c) and Article 25(2) GDPR [277].
157. The IE SA also concluded that Meta IE infringed Article 25(1) GDPR by not implementing appropriate technical and organisational measures to implement the data protection principles in an effective manner and integrate the necessary safeguards to protect child users from the severe risks that the public-by-default processing posed [278].
158. Further, the IE SA found that the safeguards and measures implemented by Meta IE did not properly take into account the specific risks to the rights and freedoms of child users [279]. The IE SA concluded that Meta IE infringed Article 24(1) GDPR [280].
[273] Draft Decision, paragraph 132.
[274] Draft Decision, paragraph 132.
[275] Draft Decision, Finding 1.
[276] Draft Decision, paragraph 450.
[277] Draft Decision, Finding 10.
[278] Draft Decision, Finding 11.
[279] Draft Decision, paragraph 456.
[280] Draft Decision, Finding 12.
159. The IE SA’s findings in the Draft Decision regarding Article 5(1)(c), Article 12(1), Article 24(1), Articles 25(1) and (2) GDPR in relation with public-by-default processing are not subject to the present dispute.
6.3.2.
Summary of the objection raised by the CSAs
160. The NO SA first considered that the IE SA’s findings and assessment in the Draft Decision logically led to the conclusion that the requirement of necessity under Article 6(1)(b) and (f) were not met [281]. The NO SA noted that the IE SA found that Meta IE carried out processing beyond what was necessary for the purposes of the processing, such as in paragraph 450 of the Draft Decision, and identified considerable risks for child users. Based on these findings, the NO SA concluded that Meta IE did not fulfil the necessity requirement under Article 6(1)(b) and (f) GDPR [282]. The NO SA suggested that the IE SA should have carried out a legal analysis on the processing to verify if it could rely on Article 6(1)(b) and (f) [283]. The NO SA suggested that the scope of the inquiry allowed the investigation of whether the lawfulness obligations under Article 6 GDPR were met. This was based on the fact that the Draft Decision included an assessment of Article 6 GDPR and conclusions that were relevant for the assessment of lawfulness [284].
161. Specifically on the public-by-default processing, the NO SA stated that the fact that the IE SA found that the public-by-default processing was not necessary or proportionate on several grounds indicated that there was a violation of Article 6(1) GDPR. Such grounds were that Meta IE’s child users may have had reduced ability to apply Instagram’s privacy settings, the processing of public accounts was global and the processing was not necessary for such child users who did not wish to have their Instagram account public. The NO SA concluded that the public-by-default processing was not necessary for the performance of a contract or the purposes of the legitimate interests pursued by the controller [285].
162.
Finally, the NO SA asked the IE SA to conclude that the legal bases under Article 6(1)(b) and (f) GDPR were not applicable legal bases for the public-by-default processing and to exercise corrective powers under Article 58(2) GDPR: (1) to order the controller to identify a valid legal basis for the processing in question, or from now on abstain from such processing activities; and (2) to impose an administrative fine for unlawfully processing personal data, erroneously relying on Articles 6(1)(b) and (f) GDPR [286].
6.3.3. Position of the LSA on the objections
163. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned [287].
[281] NO SA objection, p. 2.
[282] NO SA objection, p. 3.
[283] NO SA objection, p. 3.
[284] NO SA objection, p. 2.
[285] NO SA objection, p. 4.
[286] NO SA objection, p. 7.
[287] Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
6.3.4. Analysis of the EDPB
164. The EDPB observes that, although the public-by-default processing was examined by the IE SA in the Draft Decision [288], the question of compliance of the public-by-default processing with Article 6 GDPR was neither within the scope of the inquiry of the IE SA, nor it was addressed by the IE SA in the Draft Decision. At the same time, the EDPB recalls that the CSAs can raise a relevant and reasoned objection on additional infringements in relation to the conclusions to be drawn from the findings of the investigation [289], or on whether the LSA has sufficiently investigated the relevant infringements of the GDPR [290]. However, the EDPB considers that in this specific case the NO SA objection fails to establish a direct connection with the specific legal and factual content of the Draft Decision, thus it is not “relevant”.
165.
Furthermore, the EDPB considers that, given the legal and factual elements available in the Draft Decision and the arguments presented by the NO SA, the objection does not explain sufficiently clearly, nor substantiate in sufficient detail how the conclusion regarding Meta IE’s compliance with Article 6 GDPR in relation to the public-by-default processing could be reached on that basis. Therefore, the EDPB finds that this NO SA objection is not “reasoned”.
166. Considering the above, the EDPB finds that the NO SA objection regarding the public-by-default processing does not meet the threshold of Article 4(24) GDPR and consequently there is no need for the EDPB to further analyse the merits of this objection.
7 ON THE DETERMINATION OF THE ADMINISTRATIVE FINE
7.1. Analysis by the LSA in the Draft Decision
167. In the Draft Decision, the IE SA analysed the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine and determine its amount [291]. The IE SA also specified that the “decision as to whether to impose an administrative fine in respect of each infringement, and the amount of that fine where applicable, is independent and specific to the circumstances of each particular infringement” [292]. As regards the calculation of the fine, in the Draft Decision the IE SA considered the nature, gravity and duration of the infringement, as per Article 83(2)(a) GDPR [293]. In terms of nature, the infringements of Article 12(1) GDPR in respect of both the public-by-default processing and the contact information processing were found to be most serious in nature [294]. The IE SA found that the infringement of Article 5(1)(a) GDPR regarding the contact information processing was serious in nature [295] and that the infringements of Article 35(1), 24(1), 25(1) [296], 5(1)(c) and 25(2) GDPR [297] were serious in nature in respect of both the public-by-default processing and the contact information processing.
[288] See section 6.3.1 of this Binding Decision for the summary of the main relevant conclusions in the Draft Decision.
[289] EDPB Guidelines on Article 65(1)(a), paragraphs 73-76; EDPB Guidelines on RRO, paragraphs 26-28.
[290] EDPB Guidelines on Article 65(1)(a), paragraphs 77-81.
[291] Draft Decision, paragraphs 485-564.
[292] Draft Decision, paragraph 486.
[293] Draft Decision, paragraphs 487-526.
[294] Draft Decision, paragraphs 503-504.
[295] Draft Decision, paragraph 505.
[296] Draft Decision, paragraph 506.
[297] Draft Decision, paragraph 507-508.
In terms of gravity, the LSA considered that the gravity of infringements of Article 12(1) GDPR in respect of both the public-by-default processing and the contact information processing was highly serious [298]. The IE SA found that the gravity of the infringement of Article 5(1)(a) GDPR regarding the contact information processing was serious [299] and that the gravity of the infringements of Articles 35(1), 24(1), 25(1) [300], 5(1)(c) and 25(2) GDPR [301] in respect of both the public-by-default processing and the contact information processing was serious. In terms of duration of the infringement, the IE SA considered that the period of infringement was the period between the entering into application of the GDPR on 25 May 2018 and the commencement of the inquiry on 21 September 2020 [302].
The IE SA found the aforementioned period to be the duration of the infringements apart from the infringement of Article 12(1) GDPR regarding contact information processing, which the IE SA found to have ended on 4 September 2019, the infringement of Article 5(1)(a) GDPR concerning contact information processing, which the IE SA found to have commenced from 4 September 2019 and the infringement of Article 35(1) GDPR regarding both contact information and public-by-default processing, which the LSA found to have commenced on 25 July 2018. Moreover, the LSA found that the duration of the infringement of Articles 5(1)(c) and 25(2) GDPR concerning the contact information processing ended on November 2020 and did not include the period between July 2019 to August 2020 [303].
168. In relation to the intentional or negligent character of the infringements, as per Article 83(2)(b) GDPR, the IE SA concluded that certain Meta IE’s infringements were intentional and others negligent in character [304]. The LSA found that the infringements of Article 12(1) GDPR regarding both public-by-default processing and contact information processing were negligent and the infringements of Articles 24(1) and 25(1) GDPR regarding both public-by-default processing and contact information processing were highly negligent [305]. As for the other infringements, the LSA found that the infringements of Article 5(1)(a) GDPR regarding contact information processing and Articles 35(1), 5(1)(c) and 25(2) GDPR in respect of both public-by-default processing and contact information processing were intentional [306].
169. With regard to other aggravating or mitigating factors, as per Article 83(2)(k) GDPR, the Draft Decision assessed the financial benefit gained by Meta IE from the infringements. The IE SA concluded that the infringement of Article 12(1) GDPR resulted in a financial benefit to Meta IE and considered this to be an aggravating factor [307].
Regarding the infringement of Article 24 GDPR, the IE SA stated that this infringement was considered separately to other infringements and it was not considered to be an aggravating factor with regard to the other infringements at issue, or an issue which is pertinent to the calculation of the administrative fines [308].
170. The assessment by the IE SA of the criteria in Article 83(2)(a) and (c) to (j) GDPR is not subject to the present dispute.
[298] Draft Decision, paragraphs 511-512.
[299] Draft Decision, paragraph 513.
[300] Draft Decision, paragraph 514.
[301] Draft Decision, paragraph 515-516.
[302] Draft Decision, paragraph 526.
[303] Draft Decision, paragraphs 518-525.
[304] Draft Decision, paragraphs 527-544.
[305] Draft Decision, paragraphs 531-534 and 537.
[306] Draft Decision, paragraphs 535-536 and 538-539.
[307] Draft Decision, paragraph 564.
[308] Draft Decision, paragraphs 486 and 568.
171. In the Draft Decision, the IE SA considered the criteria outlined in Article 82(2)(a)-(k) GDPR cumulatively in respect of each infringement, when deciding whether to impose an administrative fine and when deciding the amount of each administrative fine [309]. The IE SA concluded that an administrative fine for each of the infringements was appropriate and necessary to dissuade non-compliance in the case at hand and similar future cases of Meta IE and other controllers or processors carrying out similar processing activities. Here, the IE SA considered the seriousness of the infringements in nature and gravity, the proportionality of the fines with regard to the nature, gravity and duration of the infringements, the intentional or negligent character of the infringements, the fact that the infringements related to personal data of children, the financial benefit gained from the public-by-default processing and the lack of previous relevant infringements of Meta IE [310].
Based on these circumstances, the IE SA determined a range for each of the fines that it considered to be effective, proportionate and dissuasive in accordance with Article 83(1) GDPR [311].
172. The IE SA proposed in the Draft Decision to impose nine administrative fines within the total range of EUR 202 million to 405 million [312].
7.2. Summary of the objections raised by the CSAs
173. The DE SAs objected to the amount and calculation of the administrative fine which the LSA proposed to impose in the Draft Decision. In the view of the DE SAs, the LSA’s Draft Decision did not ensure a consistent application of administrative fines, and the envisaged amount of the fines were not effective, proportionate or dissuasive [313]. The DE SAs argued that fines could only be effective, proportionate and dissuasive if the profitability of the undertaking was taken into account in their calculation. This was based on the argument that the undertaking’s sensitivity to administrative fines was significantly influenced by profitability, not only turnover. According to the DE SAs, the LSA did not explain in its Draft Decision how the element of profitability was taken into account in the calculation of the fine [314]. The DE SAs also found that the envisaged amount of fines were too low to create special and general preventive effect and to be effective [315]. According to the DE SAs, in view of the nature, gravity and duration of the infringement and the number of data subjects concerned, it was necessary to issue a fine that has noticeable impacts for the undertaking. Based on this, the DE SAs suggested that, in order to create a preventive effect and impose an effective fine, the amount of fine should generate an impact of approximately one percent of the annual profit of Meta IE [316]. Furthermore, with regard to the Draft Decision, the DE SAs stated that: “the envisaged fine could not have a general preventive effect. Rather, it will likely have the opposite effect” [317].
[309] Draft Decision, paragraph 565.
[310] Draft Decision, paragraph 567.
[311] Draft Decision, paragraphs 570-572.
[312] Draft Decision, paragraphs 569 and 627(3). Specifically, on the basis of the LSA’s findings in the Draft Decision, the following fine amount ranges were envisaged in respect of the infringements:
1) For the infringement of Art. 12(1) GDPR regarding the public-by-default processing (Finding 1), a fine of between EUR 55 million and 100 million;
2) For the infringement of Art. 12(1) GDPR regarding the contact information processing (Finding 2), a fine of between EUR 46 million and 75 million;
3) For the infringement of Art. 5(1)(a) GDPR regarding the contact information processing (Finding 4), a fine of between EUR 9 million and 28 million;
4) For the infringement of Art. 35(1) GDPR regarding the contact information processing (Finding 5), a fine of between EUR 28 million and 45 million;
5) Infringement of Art. 35(1) GDPR regarding the public-by-default processing (Finding 6), a fine of between EUR 28 million and 45 million;
6) For the infringement of Art. 5(1)(c) and 25(2) GDPR regarding the contact information processing (Finding 7), a fine of between EUR 9 million and 28 million;
7) For the infringement of Art. 25(1) GDPR regarding the contact information processing (Finding 8), a fine of between EUR 9 million and 28 million;
8) For the infringement of Art. 5(1)(c) and 25(2) GDPR regarding the public-by-default processing (Finding 10), a fine of between EUR 9 million and 28 million;
9) For the infringement of Art. 25(1) GDPR regarding the public-by-default processing (Finding 11), a fine of between EUR 9 million and 28 million.
[313] DE SAs objection, p. 15.
174. Additionally, the DE SAs was of the view that the LSA did not consider appropriately the financial benefit that Meta IE gained from the infringement.
Based on publicly available data, the DE SAs proposed an estimation of the financial benefit gained by Meta IE from the public-by-default processing and argued that it should be further considered when calculating the fine [318].
175. Regarding the calculation criteria in Article 83(2) GDPR, the DE SAs argued that the facts identified by the IE SA pointed towards intentional, not negligent behaviour and therefore disagreed with the IE SA’s assessment in the Draft Decision in this respect. According to the DE SAs, Meta IE wilfully decided on the content of its switching process and their Data Policy and wilfully used language that was excessively general and made it difficult for children to understand the consequences of their choice; moreover, Meta IE as a global data processing company had enough resources to be aware of the problem beforehand [319].
176. As for aggravating factors, the DE SAs stated that the LSA should have considered the infringement of Article 24 GDPR as an aggravating factor in respect of the other infringements under Article 83(2)(k) GDPR. In the view of the DE SAs, although the infringement of Article 24 GDPR is not itself subject to an administrative fine under the GDPR, it must be reflected in the decisions of supervisory authorities, since the scope of Article 83(2)(k) GDPR, which is necessarily open-ended, should include all the reasoned considerations, including the infringement of Article 24(1) GDPR [320].
177. Furthermore, according to the DE SAs, the calculation criteria of Article 83(2) GDPR were wrongly weighted resulting in a fine which is too low. The DE SAs stated that, considering the circumstances of the particular case, including the nature and gravity of the infringements, as well as the sensitivity of the data subjects affected, a fine in the upper range of the possible level of 4% of the turnover would be expected. However, the envisaged fines in the Draft Decision, which amount to about 0.58% of the turnover, are significantly lower [321].
178.
In addition, the DE SAs stated that the IE SA should use the turnover figure of 2021 instead of that of 2020 [322].
179. Finally, the DE SAs elaborated on the risks posed by the Draft Decision to the fundamental rights and freedoms of the data subjects: as the Draft Decision did not promote a consistent application of administrative fines, this would result in a significant risk to the rights and fundamental freedoms of data subjects, since the undertaking and other controllers could orientate their abidance of data protection law on such a barely noticeable fine [323]; the summed up proposed fines for the infringements were not able to create a deterrent effect and thus would lead to a lesser protection of the fundamental rights and freedoms of the data subjects; and the effective enforcement of the GDPR, which is the precondition for the protection of the fundamental rights and freedoms of the data subjects, would not be ensured [324].
[314] DE SAs objection, p. 16-17.
[315] DE SAs objection, p. 17-18.
[316] DE SAs objection, p. 17.
[317] DE SAs objection, p. 18.
[318] DE SAs objection, p. 18.
[319] DE SAs objection, p. 19-20.
[320] DE SAs objection, p. 20-21.
[321] DE SAs objection, p. 21.
[322] DE SAs objection, p. 21-22.
***
180. As already referred in section 5.2 of this Binding Decision, the NO SA in its objection asked the IE SA to change its exercise of corrective powers in order to impose an administrative fine for the additional infringement regarding the lack of legal basis for the contact information processing. The IT SA and FR SA also specifically requested an additional corrective measure in terms of an administrative fine for the additional infringement [325].
7.3. Position of the LSA on the objections
181. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned [326].
182.
The IE SA did not agree with the DE SAs’ view that Meta IE acted with knowledge and wilfulness taking into account the objective elements of conduct gathered from the facts of the inquiry, except in those parts of the Draft Decision where the IE SA found that Meta IE acted intentionally. In addition, the IE SA disagreed that Article 24 GDPR had to be taken into account as an aggravating factor pursuant to Article 83(2)(k) GDPR [327].
183. The IE SA further noted that the Draft Decision appropriately concluded that the infringement resulted in a financial benefit to Meta IE, which is an aggravating factor for the purpose of Article 83(2)(k) GDPR. The IE SA also reiterated that the Draft Decision took into account the undertaking’s turnover in the context of Article 83 GDPR, in the manner described in paragraphs 624 and 625 of the Draft Decision [328].
184. In view of the IE SA, paragraph 569 of the Draft Decision presented a thorough, detailed and specific formulation of the amount of each of the nine fines which allows for the CSAs to properly consider whether the fines are effective, dissuasive and proportionate. According to the IE SA, the overall fining range reflected a number of smaller and larger proposed fines, which have been calculated pursuant to the EDPB’s interpretation of Article 83(3) GDPR in Binding Decision 1/2021 [329], and that, when each of the proposed fines is considered on an individual basis, the proposed fining ranges are sufficiently clear to determine whether they are effective, dissuasive and proportionate [330].
[323] DE SAs objection, p. 18, 20, 22.
[324] DE SAs objection, p. 22.
[325] See section 5.2 of this Binding Decision, in particular paragraphs 41, 45 and 48. Only the NO SA objection in this respect is considered to be relevant and reasoned, see paragraph 76 of this Binding Decision.
[326] Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
[327] Composite Response, p. 4.
[328] Composite Response, p. 4.
[329] EDPB, Binding Decision 1/2021, adopted on 28 July 2021 (hereinafter, “Binding Decision 1/2021”).
[330] Composite Response, p. 3.
185. Finally, with respect to the determination of the year of turnover, IE SA agreed with the DE SAs that the relevant year is the year immediately preceding the date of the final decision and confirmed that this will be accounted for in the final decision [331].
7.4. Analysis of the EDPB
7.4.1. Assessment of whether the objections were relevant and reasoned
186. In its objection on the proposed calculation of the fine, the DE SAs considered the fine proposed in the Draft Decision to be ineffective, disproportionate and non-dissuasive and outlined several arguments why they disagreed with the Draft Decision in this respect [332]. The EDPB considers that the DE SAs’ objection related to the content of the Draft Decision [333] and included sufficient reasoning [334] as to why, if accepted, it would lead to a different conclusion. The EDPB notes that this objection concerned “whether the action envisaged in the Draft Decision complies with the GDPR” [335]. Therefore, the EDPB considers the objection to be “relevant”.
187. In its objection, the DE SAs set out legal and factual arguments in relation to each element raised in the objection, in particular its reasoning on how the Draft Decision should assess the criteria of Articles 83(1) and (2) GDPR considering the facts of the specific case and how this would lead to a different conclusion in the Draft Decision [336]. The DE SAs provided detailed reasoning that a higher fine ought to be imposed, considering the profitability and the global turnover of the undertaking [337]. Furthermore, the DE SAs considered that without amendment the Draft Decision would set a dangerous precedent with regard to deterrence and clearly demonstrated its view on the significance of the risks posed by the Draft Decision [338]. Therefore, the EDPB considers the objection to be “reasoned”.
188.
The EDPB is not swayed by Meta IE’s submission [339] that the objection at issue is neither relevant, nor reasoned. In this regard, Meta IE failed to explain why the threshold of Article 4(24) GDPR is not met in relation to this specific objection [340]. In addition, the EDPB recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR [341].
[331] Composite Response, p. 5.
[332] DE SAs objection, p. 15-22.
[333] In particular, sections M and N of the Draft Decision (paragraphs 481-627).
[334] See section 7.2 of this Binding Decision, paragraphs 173-179.
[335] EDPB Guidelines on RRO, paragraph 32.
[336] DE SAs objection, p. 16-22.
[337] DE SAs objection, p. 16-17.
[338] DE SAs objection, p. 15-22, in particular p. 22. The DE SAs considered, inter alia, that the lack of a deterrent effect due to the low fine would entail a significant risk to the rights and freedoms of data subjects, since the controller and other companies would not be dissuaded to comply with data protection law.
[339] Meta IE Article 65 Submissions, paragraphs 8-10, 95-102 and Annex A, p. 43-45.
[340] Although Meta IE stated that this DE SAs objection does not meet the Art. 4(24) GDPR threshold (Meta IE Article 65 Submissions, Annex A, p. 43) and alleged that the DE SAs failed to demonstrate the significance of the risk (Meta IE Article 65 submissions, Annex A, p. 45, subparagraph ‘sixth’), no further reasoning in this respect was provided in Meta IE’s submissions. The EDPB notes that Meta IE’s reasoning in Meta IE Article 65 Submissions (paragraphs 8-10, 95-102 and Annex A, p. 43-45) relating to the DE SAs objection under sub-section “Objections in relation to the calculation of the administrative fines” mostly concerned the merits of the objection, i.e. whether the proposed fines were compliant with Art. 83(1) and (2) GDPR.
[341] EDPB Guidelines on Article 65(1)(a), paragraph 63.
189.
Considering the above, the EDPB finds that the DE SA objection, insofar it concerns the determination of the administrative fine, is a “relevant and reasoned” objection in accordance with Article 4(24) GDPR.
***
190. With regard to the NO SA objection on the imposition of an administrative fine in relation to the findings on Article 6(1)(b) and Article 6(1)(f) GDPR on the contact information processing, the EDPB recalls that it is “relevant and reasoned” in accordance with Article 4(24) GDPR [342]. On the contrary, the relevant parts of the objections of the IT and FR SAs on the specific matter of an administrative fine for the additional infringement do not meet the threshold under Article 4(24) GDPR, as analysed by the EDPB in section 5.4.1 of this Binding Decision [343].
7.4.2. Assessment on the merits
191. The EDPB recalls that the consistency mechanism may also be used to promote a consistent application of administrative fines [344]: where a relevant and reasoned objection challenges the elements relied upon by the LSA to calculate the amount of the fine, the EDPB can instruct the LSA to engage in a new calculation of the proposed fine by eliminating the shortcomings in the establishment of causal links between the facts at issue and the way the proposed fine was calculated on the basis of the criteria in Article 83 GDPR and of the common standards established by the EDPB [345]. A fine should be effective, proportionate and dissuasive, as required by Article 83(1) GDPR, taking account of the facts of the case [346]. In addition, when deciding on the amount of the fine, the LSA shall take into consideration the criteria listed in Article 83(2) GDPR.
7.4.2.1. Preliminary matters: the relevant year for the turnover
192. The DE SAs contested the turnover figure cited in the Draft Decision. Though the IE SA deemed the objection not relevant and/or not reasoned, in the Composite Response the IE SA agreed with the DE SAs on the determination of the year of the turnover when calculating the administrative fine [347].
193.
On the notion of “preceding financial year”, the EDPB recalls the decision taken in its Binding Decision 1/2021 [348] and takes note of the IE SA’s intention [349] to take the same approach in the current case.
194. The EDPB agrees with the approach taken by the IE SA for the present case to include in the Draft Decision a provisional turnover figure based on the most up to date financial information available at the time of circulation to the CSAs pursuant to Article 60(3) GDPR. The EDPB recalls that when issuing its final decision in accordance with Article 65(6) GDPR, the IE SA shall take into account the undertaking’s annual turnover corresponding to the financial year preceding the date of its final decision, i.e. the turnover of Meta Platforms Inc. in 2021.
[342] Paragraphs 74 of this Binding Decision.
[343] Paragraphs 62-63 and 70-71 of this Binding Decision.
[344] Recital 150 GDPR.
[345] EDPB Guidelines on RRO, paragraph 34.
[346] Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP 253, adopted on 3 October 2017 and endorsed by the EDPB on 25 May 2018 (hereinafter, “WP29 Guidelines on Administrative Fines”), p. 7.
[347] Composite Response, p. 5.
[348] Binding Decision 1/2021, paragraph 298.
[349] Also, as stated in the Draft Decision, paragraph 625.
7.4.2.2. The application of the criteria under Article 83(2) GDPR
a. The intentional or negligent character of the infringement (Article 83(2)(b) GDPR)
195. Article 83(2) GDPR considers, among the factors to be taken into account when deciding the imposition and amount of an administrative fine, “the intentional or negligent character of the infringement”. In the same sense, Recital 148 GDPR states that “[i]n order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation [...].
Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility [...]” (emphasis added).
196. The characterisation of the infringement as intentional or negligent may therefore have a direct impact on the amount of the fine proposed. The main elements to be taken into account in this regard were already established in the WP29 Guidelines on Administrative Fines, endorsed by the EDPB. The EDPB Guidelines on the calculation of administrative fines under the GDPR [350] rely heavily on the WP29 Guidelines on Administrative Fines in this respect.
197. As the EDPB recalls in its Guidelines on Administrative Fines, “intentional infringements, demonstrating contempt for the provisions of the law, are more severe than unintentional ones” [351] and therefore, the supervisory authority is likely to attribute weight to this circumstance. This is likely to warrant the application of a (higher) fine.
198. As the IE SA noted in the Draft Decision, “the GDPR does not identify the factors that need to be present in order for an infringement to be classified as either ‘intentional’ or ‘negligent’” [352]. The EDPB Guidelines on Administrative Fines, quoting the WP29 Guidelines on Administrative Fines, refer to the fact that “in general, ‘intent’ includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas ‘unintentional’ means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law” [353].
In other words, the EDPB Guidelines on Administrative Fines confirm that there are two cumulative elements on the basis of which an infringement can be considered intentional: the knowledge of the breach and the wilfulness in relation to such act. On the other hand, an infringement is “unintentional” when there was a breach of the duty of care, without having intentionally caused the infringement. The EDPB takes note of Meta IE’s position that it did not act intentionally with the aim to infringe the GDPR [354].
199. The characterisation of an infringement as intentional or negligent shall be done on the basis of objective elements of conduct gathered from the facts of the case [355]. The EDPB Guidelines on Administrative Fines refer to some examples of conduct that may demonstrate the existence of intent and negligence [356]. It is worth noting the broader approach adopted with respect to the concept of negligence, since it also encompasses situations in which the controller or processor has failed to adopt the required policies, which presumes a certain degree of knowledge about a potential infringement [357].
[350] EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 1.0, adopted on May 2022 (hereinafter “EDPB Guidelines on Administrative Fines”).
[351] EDPB Guidelines on Administrative Fines, paragraph 57 and WP29 Guidelines on Administrative Fines, p. 12.
[352] Draft Decision, paragraph 527.
[353] EDPB Guidelines on Administrative Fines, paragraph 56 and WP29 Guidelines on Administrative Fines, p. 11 (emphasis added).
[354] Meta IE Article 65 Submissions, paragraph 100 and Annex A, p. 44.
[355] EDPB Guidelines on Administrative Fines, paragraph 57 and WP29 Guidelines on Administrative Fines p. 12.
[356] EDPB Guidelines on Administrative Fines, paragraph 56 (Example 4). See also WP29 Guidelines on Administrative Fines, p. 12.
200.
In this case, the IE SA considered that the infringements of Article 12(1) GDPR with regard to the contact information processing and with regard to the public-by-default processing were negligent as they fell “short of the standard required” [358]. Regarding the public-by-default processing, the IE SA took into consideration that at the relevant time, the information that the accounts were public by default and on how to switch to a private account was available in several sources and hyperlinked in the Data Policy. The IE SA considered that these objective elements suggested an intention to provide the information with clarity and transparency [359]. Considering this, the IE SA concluded that the infringement was not intentional, even though Meta IE should have been aware that the information provided was not clear and transparent enough. Consequently, the IE SA considered that Meta IE was negligent [360]. Likewise, with respect to the contact information processing, the IE SA considered that the language used did not suggest a deliberate attempt from Meta IE to avoid its transparency obligations [361]. Considering this, the IE SA concluded that the infringement was not intentional, but it considered it negligent since Meta IE should have been aware that the way in which the information was provided did not meet the standards [362].
201. It stems from the above that Meta IE had (or should have had) knowledge about the infringement of Article 12(1) GDPR. However, this mere element is not sufficient to consider an infringement intentional, as stated above, since the “aim” or “wilfulness” of the action should be demonstrated. In this respect, the IE SA has not found out that Meta IE wilfully disregarded its obligations.
202. In this regard, the DE SAs argued that Meta IE had enough resources to identify the problem beforehand, and that it wilfully decided on the content of the switching process, using a language that was excessively general [363].
The DE SAs considered that Meta IE was in fact aware of the problem given that the information was provided in the Instagram Help Centre and other ancillary sources. Therefore, the DE SAs was of the view that Meta IE acted at least with “reckless disregard for the infringement” [364]. The DE SAs also argued that the level of care required must be determined taking into account the size, economic activities and data processing processes of the company [365].
203. The EDPB recalls that having knowledge of a specific matter does not necessarily imply having the “will” to reach a specific outcome. This is in fact the approach adopted in the EDPB and WP29 Guidelines on Administrative Fines, where the knowledge and the “wilfulness” are considered two distinctive elements of the intentionality [366]. While it may prove difficult to demonstrate a subjective element such as the “will” to act in a certain manner, there need to be some objective elements that indicate the existence of such intentionality [367].
[357] The EDPB Guidelines on Administrative Fines, paragraph 56 (Example 4) quote the WP29 Guidelines on Administrative Fines, which mention, among the circumstances indicative of negligence, “failure to adopt policies (rather than simply failure to apply them)”. This provides an indication that non-compliance in situations in which the controller or processor should have been aware of the potential breach (in the example provided, due to the lack of the necessary policies) may amount to negligence.
[358] Draft Decision, paragraphs 531 and 533.
[359] Draft Decision, paragraph 531.
[360] Draft Decision, paragraph 532.
[361] Draft Decision, paragraph 533.
[362] Draft Decision, paragraphs 533 and 534.
[363] DE SAs objection, p. 19.
[364] DE SAs objection, p. 20.
[365] DE SAs objection, p. 20.
[366] EDPB Guidelines on Administrative Fines, paragraph 56, and WP29 Guidelines on Administrative Fines, p. 11.
204. The EDPB recalls that the CJEU has established a high threshold in order to consider an act intentional.
In fact, even in criminal proceedings the CJEU has acknowledged the existence of “serious negligence”, rather than “intentionality” when “the person responsible commits a patent breach of the duty of care which he should have and could have complied with in view of his attributes, knowledge, abilities and individual situation” [368]. In this regard, the EDPB confirms that a company for whom the processing of personal data is at the core of its business activities is expected to have sufficient measures in place for the safeguard of personal data [369]: this does not, however, per se change the nature of the infringement from negligent to intentional.
205. It shall be underlined that, in the context of the assessment of Article 83(2)(c) GDPR, the IE SA noted that the provision of the information in the Instagram Help Centre and other ancillary sources, hyperlinked in the Data Policy, suggested that Meta IE did not intentionally intend to “deny child users of Instagram an understanding of the purposes of the processing” [370], with regard to the public by default processing. Regarding the contact information processing, the IE SA considered that “older Instagram users may have understood the consequences of providing their contact information” and that the language used “does not suggest a deliberate attempt on the part of Meta IE to avoid its obligations” [371]. The EDPB notes that, with respect to the contact information processing, the assessment carried out by the IE SA is general and could have been more nuanced and detailed. However, the EDPB agrees with the IE SA that the objective elements of the case would indicate the absence of wilfulness to act in breach of the law with regard to the infringements of Article 12(1) GDPR. Therefore, on the basis of the available information, the EDPB is not able to identify a will of Meta IE to act in breach of the law as it cannot be concluded that Meta IE intentionally acted to circumvent its legal obligations.
206.
Therefore, the EDPB considers that the arguments put forward by the DE SAs fail to provide objective elements that indicate the intentionality of the behaviour of Meta IE. Accordingly, the EDPB is of the view that the Draft Decision does not need to be changed with respect to the findings on the character of the infringements of Article 12(1) GDPR.
b. Other aggravating factors - relevance of the infringement of Article 24(1) GDPR
207. Article 83(2)(k) GDPR gives the supervisory authority room to take into account any other aggravating or mitigating factors applicable to the circumstances of the case, in order to ensure that the sanction applied is effective, proportionate and dissuasive in each individual case [372]. The provision is open-ended and it entails that the socio-economic, legal and market contexts in which the controller or processor operates should be taken into account [373].
[367] See EDPB Guidelines on Administrative Fines, paragraphs 56 and 57, and WP29 Guidelines on Administrative Fines, p. 12.
[368] The Queen, on the application of International Association of Independent Tanker Owners (Intertanko) and Others v Secretary of State for Transport (Case C-308/06, judgement delivered on 3 June 2008, ECLI:EU:C:2008:312), paragraph 77.
[369] EDPB Binding Decision 01/2020, adopted on 9 November 2020, paragraph 195.
[370] Draft Decision, paragraph 531.
[371] Draft Decision, paragraph 533.
[372] EDPB Guidelines on Administrative Fines, paragraph 107.
[373] EDPB Guidelines on Administrative Fines, paragraph 109.
208. In this regard, the DE SAs considered that, even though the infringement of Article 24 GDPR is not subject to the possibility of imposing an administrative fine, because it is not listed in Article 83(4)-(6) GDPR, it should have been considered as an aggravating factor under Article 83(2)(k) GDPR, since it is part of the assessment of the legal context in which Meta IE operates [374].
209.
The EDPB firstly notes the reference to other infringements in Article 83(2)(e) GDPR, which states that when considering whether to impose a fine and its amount, due regard should be given to “any relevant previous infringements by the controller or processor”. However, the provision deals with previous infringements, but does not make any reference to other current infringements as aggravating factors.
210. In this respect, the IE SA disagreed with the DE SAs and considered that Article 83(2)(k) GDPR does not aim at being a “catch all provision” but at requiring the LSA “to account for any special loss or damage which arose due to the conduct (or omission) of the controller” [375].
211. The EDPB disagrees with the IE SA on the nature of Article 83(2)(k) GDPR and underlines that this open-ended provision aims at ensuring that the considerations regarding the context (be it the socio-economic, legal, or market context) in which the controller or processor operates are taken into account, so as to impose a fine that is effective, proportionate and dissuasive. At the same time, the EDPB agrees with the IE SA that the infringement of Article 24 GDPR cannot be considered an aggravating factor under Article 83(2)(k) GDPR. In this respect, the EDPB notes that it seems to be a conscious choice by the legislator not to subject infringements of that provision to administrative fines under the GDPR [376]. If such infringements were taken into account under Article 83(2)(k) GDPR, infringements of Article 24 GDPR would indirectly be subject to an administrative fine, despite the fact that the co-legislators did not provide for the possibility of sanctioning this infringement by means of an administrative fine.
212. The EDPB also notes that, albeit not subject to an administrative fine, infringements of Article 24 GDPR can be subject to other corrective powers of the SA as per Article 58(2) GDPR or to other penalties, as established in Article 84 GDPR.
213.
Finally, the EDPB emphasises that Article 24 GDPR is an expression of the accountability principle enshrined in Article 5(2) GDPR. In this respect, the accountability of the controller is taken into account by the supervisory authorities when deciding whether to impose an administrative fine and its amount, since Article 83(2) GDPR includes several provisions in that regard [377].
7.4.2.3. The effectiveness, proportionality and dissuasiveness of the administrative fine
a. Weighing of the financial benefit obtained from the infringement
214. As explicitly stated in Article 83(2)(k) GDPR, financial benefits gained directly or indirectly from the infringement can be considered an aggravating element for the calculation of the fine. The EDPB considers this provision “of fundamental importance for adjusting the amount of the fine to the specific case” and that “it should be interpreted as an instance of the principle of fairness and justice applied to the individual case” [378].
[374] DE SAs objection, p. 20-21.
[375] Composite Response, section 2.f.iii.
[376] Earlier draft versions of the proposal for the GDPR had included Article 24 GDPR among the provisions subject to administrative fines, but this was eventually removed in the version of the GDPR agreed by the co-legislators.
[377] See, for example, Article 83(2)(d) and (j) GDPR.
[378] EDPB Guidelines on Administrative Fines, paragraph 108.
215. The scope of Article 83(2)(k) GDPR should include all the reasoned considerations regarding the socio-economic, legal and market contexts in which the controller or processor operates [379]. When taking account of these considerations, the supervisory authorities must “assess all the facts of the case in a manner that is consistent and objectively justified” [380]. Therefore, financial benefits from the infringement could be an aggravating circumstance if the case provides information about profit obtained as a result of the infringement of the GDPR [381].
216.
The aim of Article 83(2)(k) is to ensure that the sanction applied is effective, proportionate and dissuasive in each individual case [382]. With regard to the financial benefits obtained from the infringement, the EDPB considers that when there is a benefit, the sanction should aim at “counterbalancing the gains from the infringement” while keeping an effective, dissuasive and proportionate fine [383].
217. The financial benefit obtained by Meta IE was considered by the IE SA in the Draft Decision with regard to Finding 1 (i.e. the infringement of Article 12(1) GDPR for the public-by-default processing [384]). In particular, the IE SA considered that “the objective of switching new accounts to ‘public’ was clearly also intended to drive the creation of more public user-generated content for consumption, increasing engagement and creating favourable commercial conditions for the sale of targeted advertising by [Meta IE]” [385] and, therefore, the IE SA concluded that Meta IE benefited from the infringement and considered this an aggravating factor [386].
218. In this respect, the DE SAs considered that the IE SA did not properly weigh this factor, since the fine proposed in the Draft Decision for the infringement of Article 12(1) GDPR was less than the DE SAs’ estimation of the financial benefit obtained with the infringement. The DE SAs engaged in a very detailed calculation to justify the estimation of the benefit, although they acknowledged that it was based on assumptions [387].
219. The relevance of the financial benefit gained with the infringement for the calculation of the fine amount has been addressed by the CJEU in competition law cases. In fact, the CJEU has stated that the benefits obtained from the infringement are among the factors that may be taken into account in order to determine the amount of the fine, but there is no obligation to ensure that the fine is directly proportional to the benefits achieved by that undertaking or “that it does not exceed those profits” [388].
Nonetheless, the CJEU has made clear that the amount of the fine must be proportionate to “the duration of the infringement and the other factors capable of affecting the assessment of the gravity of the infringement, including the profit that it was able to derive from those practices” [389]. In fact, the CJEU has clearly accepted that the amount of the fine can be increased on the basis of the financial benefit obtained with the infringement, in order to reinforce the deterrent effect of such fine [390]. It is an accepted practice in EU competition law to increase the amount of the fine in order to exceed the amount of the gain obtained as a result of the infringement, where it is possible to estimate that amount [391].
[379] EDPB Guidelines on Administrative Fines, paragraph 109.
[380] WP29 Guidelines on Administrative Fines, p. 6 (emphasis added), quoted in Binding Decision 1/2021, paragraph 403.
[381] EDPB Guidelines on Administrative Fines, paragraph 110.
[382] EDPB Guidelines on Administrative Fines, paragraph 107.
[383] EDPB Guidelines on Administrative Fines, examples 7c and 7d.
[384] Draft Decision, paragraph 563.
[385] Draft Decision, paragraph 563.
[386] Draft Decision, paragraph 564.
[387] DE SAs objection, p. 17-18.
[388] Donau Chemie AG v European Commission (Case T-406/09, judgement delivered on 14 May 2014, ECLI:EU:T:2014:254), paragraph 258.
[389] Ibidem, paragraph 257. See also KME Germany AG and others v European Commission (Case C-272/09 P, judgement delivered on 8 December 2011, ECLI:EU:C:2011:810), paragraph 96 and the case law quoted therein.
220. Considering the need to have fines that are effective, proportionate and deterrent, and in light of common accepted practice in the field of EU competition law, which inspired the fining framework under the GDPR, the EDPB is of the view that, when calculating the administrative fine, the supervisory authority could take account of the financial benefits obtained from the infringement, in order to impose a fine that exceeds that amount.
221.
In the present case, the IE SA has explicitly considered the financial benefits obtained from the infringement as an aggravating factor. However, the IE SA has not provided any estimation of the amount gained by Meta IE with the specific infringement and the DE SAs’ calculation is still largely based on assumptions. Due to this, the EDPB does not have sufficiently precise information to evaluate the specific weight of the financial benefit obtained from the infringement.
222. Therefore, the EDPB considers that it does not have objective elements to conclude whether the fine envisaged in relation to Finding 1 takes sufficient account of the financial benefit obtained from the infringement and, therefore, has a deterrent effect.
223. Nonetheless, the EDPB acknowledges the need to prevent that the fines have little to no effect if they are disproportionally low compared to the benefits obtained with the infringement. The EDPB considers that the IE SA should have elaborated in more detail the weight given to this element in paragraphs 563, 564 and 567 of its Draft Decision. Therefore, the EDPB requests the IE SA to further elaborate its reasoning on this aspect and, if further estimation of the financial benefit from the infringement is possible in this case and results in the need to increase the amount of the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.
b. Weighing of other criteria under Article 83(2) GDPR and assessment of the fine in light of Article 83(1) GDPR
224. In its objection, the DE SAs claimed that the elements of Article 83(2) GDPR were not weighed correctly by the LSA when calculating the administrative fines in the present case, in light of the requirements of Article 83(1) GDPR. The DE SAs argued that the mitigating circumstances were few, therefore a fine in the upper range of the possible level would be expected.
Also, according to the DE SAs, the amount of the proposed fines did not reflect the nature and gravity of the infringements, in particular, when it comes to the seriousness of the infringements, in light of the number and sensitivity of the data subjects (children) affected [392]. Furthermore, the DE SAs argued that the proposed fines were ineffective, disproportionate and non-dissuasive and they provided for neither special, nor general preventive effect, especially considering the total profit and the total turnover of the specific undertaking [393].
[390] SA Musique Diffusion française and others v Commission of the European Communities (Joined Cases 100-103/80, judgement delivered on 7 June 1983, ECLI:EU:C:1983:158) (hereinafter, “Joined Cases 100-103/80, Musique Diffusion”), paragraph 108.
[391] European Commission Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003, C210/02, 1.9.2006, paragraph 31.
[392] DE SAs objection, p. 21.
[393] DE SAs objection, p. 16-17.
225. In this regard, the EDPB notes that the Draft Decision contained an assessment by the IE SA on the different elements in relation to each infringement [394]. The EDPB further notes that in the Draft Decision the IE SA explained why it considered the proposed fines to be effective, proportionate and dissuasive in relation to each infringement, taking into account all the circumstances of the IE SA’s inquiry [395]. Finally, the EDPB observes the differences in the level of ranges of the envisaged fines by the IE SA, where the higher ranges are envisaged for the infringements of Article 12(1) GDPR regarding both the public-by-default processing and the contact information processing, as well as for the infringements of Article 35(1) GDPR regarding both the public-by-default processing and the contact information processing compared to the envisaged fines for the remaining infringements [396].
226.
The EDPB takes note of the position of Meta IE that the fines set out in the Draft Decision are excessive and disproportionate and therefore any objections aiming to increase the quantum of fines are not compatible with Article 83 GDPR [397]. According to Meta IE, any calls by the objections to further increase the proposed fines would need to be supported by compelling evidence of a serious and intentional infringement and consequential harm, however, no such evidence was ever provided by the LSA or the CSAs [398]. Furthermore, according to Meta IE, Article 83(2) GDPR does not identify annual profit as a factor to which the LSA should have regard in calculating the amount of the administrative fine and selecting one percent of annual profit would be arbitrary, punitive and undermining the discretion and independence of the LSA in making its fine assessment [399]. Also, it is the view of Meta IE that there is no basis in the GDPR for concluding that the amount of the fine must have a general preventive effect [400].
227. The EDPB reiterates that it is incumbent upon the supervisory authorities to verify whether the amount of the envisaged fines meets the requirements of effectiveness, proportionality and dissuasiveness, or whether further adjustments to the amount are necessary, considering the entirety of the fine imposed and all the circumstances of the case, including e.g. the accumulation of multiple infringements, increases and decreases for aggravating and mitigating circumstances and financial/socio-economic circumstances [401]. Further, the EDPB recalls that the setting of a fine is not an arithmetically precise exercise [402], and supervisory authorities have a certain margin of discretion in this respect [403].
228. The EDPB recalls that, when determining whether a fine fulfils the requirements of Article 83(1) GDPR, due account must be given to the elements identified on the basis of Article 83(2) GDPR [404]. In the present case, the EDPB notes that in the Draft Decision the LSA considered all the infringements as serious in nature [405], and that the gravity of infringements of Article 12(1) GDPR in respect of both the public-by-default processing and the contact information processing was highly serious, the gravity of the infringement of Article 5(1)(a) GDPR regarding the contact information processing was serious and that the gravity of the infringements of Articles 35(1), 24(1), 25(1), 5(1)(c) and 25(2) GDPR in respect of both the public-by-default processing and the contact information processing was serious [406]. Furthermore, the EDPB underlines that, as established by the IE SA, each infringement related to processing of personal data of a significant number of vulnerable individuals (children) and related to significant damage to those vulnerable individuals [407]. The EDPB also observes that each infringement carried either an intentional or negligent character [408]. In addition, the IE SA did not attribute significant weight to any mitigating factor [409].
[394] Draft Decision, paragraph 567.
[395] Draft Decision, paragraphs 570-576.
[396] Draft Decision, paragraph 627(3).
[397] Meta IE Article 65 Submissions, paragraphs 95-97, as well as Annex A, p. 43-44.
[398] Meta IE Article 65 Submissions, paragraph 101.
[399] Meta IE Article 65 Submissions, Annex A, p. 43.
[400] Meta IE Article 65 Submissions, Annex A, p. 43-44.
[401] EDPB Guidelines on Administrative Fines, paragraph 132, and WP29 Guidelines on Administrative Fines, p. 6, specifying that “administrative fines should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities must assess all the facts of the case in a manner that is consistent and objectively justified”.
[402] See Altice Europe NV v Commission (Case T-425/18, judgment delivered on 22 September 2021, ECLI:EU:T:2021:607), paragraph 362; Romana Tabacchi v Commission (Case T‑11/06, judgment delivered on 5 October 2011, ECLI:EU:T:2011:560), paragraph 266.
[403] See, inter alia, Caffaro Srl v Commission (Case T-192/06, judgment delivered on 16 June 2011, ECLI:EU:T:2011:278), paragraph 38. See also EDPB Guidelines on Administrative Fines, p. 2.
[404] Binding Decision 1/2021, paragraph 416.
229. The EDPB reiterates that all these elements need to be given due regard when determining the proportionality of the fine. In other words, a fine must reflect the gravity of the infringement, taking into account all the elements that may lead to an increase (aggravating factors) or decrease of the amount (mitigating factors). The EDPB further assesses in the following paragraphs whether the envisaged fines in the Draft Decision meet the requirement of being effective, proportionate and dissuasive in accordance with Article 83(1) GDPR.
230. In its objection, the DE SAs argued that the proposed fines, which were well below the envisaged maximum under Article 83 GDPR, would be insignificant to Meta IE, considering the global turnover of the undertaking, and they would be neither effective, nor sufficiently dissuasive [410].
231. The EDPB takes note that in its objection, the DE SAs also requested the IE SA to additionally consider the annual profit of the undertaking at hand in its assessment under Article 83 GDPR [411]. Regarding this specific issue, the EDPB recalls that, when it comes to the determination of administrative fines under Article 83 GDPR, this determination is to be based on the total worldwide annual turnover of the undertaking, which “gives an indication, albeit approximate and imperfect, of the size of the undertaking and of its economic power” [412]. Therefore, the EDPB does not find that in the case at hand the LSA should be requested to amend its Draft Decision to additionally consider the annual profit of the undertaking.
At the same time, the EDPB reiterates that the imposition of an appropriate fine cannot be the result of a simple calculation based on the total turnover [413] and that as stated above all the circumstances of the specific case have to be considered in order to assess if the administrative fine is effective, proportionate and dissuasive as required by Article 83(1) GDPR.

[405] Draft Decision, paragraphs 501-509, 567(1).
[406] Draft Decision, paragraphs 510-517, 567(1)-(2).
[407] Draft Decision, paragraphs 487-500, 567(2) and (4).
[408] Draft Decision, paragraphs 527-544, 567(3).
[409] Draft Decision, paragraph 567(6).
[410] DE SAs objection, p. 17, including concrete calculations presented therein.
[411] DE SAs objection, p. 16-17.
[412] Joined Cases 100-103/80, Musique Diffusion, paragraph 121.
[413] See, inter alia, Altice Europe NV v Commission (Case T-425/18, judgment delivered on 22 September 2021, ECLI:EU:T:2021:607), paragraph 362; Romana Tabacchi v Commission (Case T‑11/06, judgment delivered on 5 October 2011, ECLI:EU:T:2011:560), paragraph 266.
[414] WP29 Guidelines on Administrative Fines, p. 6.

232. With regard to effectiveness of the fines, the EDPB recalls that the objective pursued by the corrective measure chosen can be to re-establish compliance with the rules or to punish unlawful behaviour (or both). In addition, the EDPB notes that the CJEU has consistently held that a dissuasive penalty is one that has a genuine deterrent effect. In that respect, a distinction can be made between general deterrence (discouraging others from committing the same infringement in the future) and specific deterrence (discouraging the addressee of the fine from committing the same infringement again).
Therefore, in order to ensure deterrence, the fine must be set at a level that discourages both the controller or processor concerned as well as other controllers or processors carrying out similar processing operations from repeating the same or a similar unlawful conduct, while not going beyond what is necessary to attain that objective [416]. In this respect, the EDPB disagrees with Meta IE’s views that there is no basis to conclude that the amount of the fine must have a general preventive effect [417].

233. Moreover, the size of the undertaking concerned and its financial capacity [418] are elements that should be taken into account in the calculation of the amount of the fine in order to ensure its dissuasive nature. Taking into consideration the size and global resources of the undertaking in question is justified by the impact sought on the undertaking concerned, in order to ensure that the fine has sufficient deterrent effect, given that the fine must not be negligible in the light, particularly, of its financial capacity [420]. The EDPB recalls that a fine to be imposed on an undertaking may need to be increased to take into account a particularly large turnover of the undertaking, so the fine is sufficiently dissuasive. In this respect, the EDPB further notes that in order to ensure a sufficiently deterrent effect, the global turnover of the undertaking can be considered also in light of the undertaking’s ability to raise the necessary funds to pay its fine [422].

234. The EDPB takes note of the IE SA’s determination on the administrative fines in the present case [423] and of the proposed amounts of the fines in the Draft Decision. While, in this Binding Decision, the EDPB does not address as such the use of fine ranges in draft decisions, it notes that the proposed ranges in the Draft Decision in the case at hand are wide [425].

[415] See, inter alia, Versalis Spa v European Commission (Case C-511/11 P, judgment delivered on 13 June 2013, ECLI:EU:C:2013:386), paragraph 94.
[416] MT v Landespolizeidirektion Steiermark (Case C‑231/20, judgment delivered 14 October 2021, ECLI:EU:C:2021:845), paragraph 45 (“the severity of the penalties imposed must […] be commensurate with the seriousness of the infringements for which they are imposed, in particular by ensuring a genuinely deterrent effect, while not going beyond what is necessary to attain that objective”).
[417] Meta IE Article 65 Submissions, Annex A, p. 43.
[418] Lafarge v European Commission (Case C-413/08 P, judgment delivered on 17 June 2010, ECLI:EU:C:2010:346) (hereinafter, “C-413/08 P Lafarge”), paragraph 104.
[419] Binding Decision 1/2021, paragraphs 408-412.
[420] YKK and Others v Commission (Case C‑408/12 P, judgment delivered on 4 September 2014, ECLI:EU:C:2014:2153), paragraph 85; C-413/08 P Lafarge, paragraph 104. In addition, the EDPB recalls that in some circumstances the imposition of a deterrence multiplier can be justified and that the exceptional financial capacity of an undertaking may be one such circumstance (see EDPB Guidelines on Administrative Fines, paragraph 144; and Showa Denko v Commission (C-289/04 P, judgement delivered on 29 June 2006, ECLI:EU:C:2006:431), paragraphs 29, 36-38).
[421] The same approach is suggested in the European Commission Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003, C210/02, 1.9.2006, paragraph 30.
[422] C-413/08 P Lafarge, paragraph 105.
[423] See section 7.1 of this Binding Decision.
[424] Draft Decision, paragraphs 569 and 627.
[425] Draft Decision, paragraph 627(3). Specifically, on the basis of the LSA’s findings in the Draft Decision, the following fine amount ranges were envisaged in respect of the infringements:
1) For the infringement of Art. 12(1) GDPR regarding the public-by-default processing (Finding 1), a fine of between EUR 55 million and 100 million;
2) For the infringement of Art. 12(1) GDPR regarding the contact information processing (Finding 2), a fine of between EUR 46 million and 75 million;
3) For the infringement Art. 5(1)(a) GDPR regarding the contact information processing (Finding 4), a fine of between EUR 9 million and 28 million;
4) For the infringement of Art. 35(1) GDPR regarding the contact information processing (Finding 5), a fine of between EUR 28 million and 45 million;
5) Infringement of Art. 35(1) GDPR regarding the public-by-default processing (Finding 6), a fine of between EUR 28 million and 45 million;
6) For the infringement of Art. 5(1)(c) and 25(2) GDPR regarding the contact information processing (Finding 7), a fine of between EUR 9 million and 28 million;
7) For the infringement Art. 25(1) regarding the contact information processing (Finding 8), a fine of between EUR 9 million and 28 million;
8) For the infringement Art. 5(1)(c) and 25(2) GDPR regarding the public-by-default processing (Finding 10), a fine of between EUR 9 million and 28 million;
9) For the infringement of Art. 25(1) GDPR regarding the public-by-default processing (Finding 11), a fine of between EUR 9 million and 28 million.

235. Taking into account the serious nature and gravity of the infringements, their duration, and that each of the infringements related specifically to children’s personal data, as well as the economic power and the global resources of the undertaking, the EDPB considers that in the present case each fine should fall within the higher segment of the envisaged fine amount ranges, in order to be sufficiently effective and dissuasive in accordance with Article 83(1) GDPR.

236. The EDPB therefore asks the IE SA to ensure that the final amount of the administrative fines in the IE SA’s final decision meets the requirements of Article 83(1) GDPR.

7.4.2.4. Administrative fine for the additional infringement of Article 6(1) GDPR

237. The EDPB recalls its conclusion in this Binding Decision on the additional infringement of Article 6(1) GDPR regarding the contact information processing. The EDPB also recalls that the NO SA requested the IE SA to impose an administrative fine for this additional infringement [427].

238. The EDPB takes note of Meta IE’s views that, even if an infringement is found, no additional fine is warranted given the significance of other administrative fines already imposed for the same processing. Moreover, Meta IE claimed that any additional fine would disregard Meta IE’s cooperation and mitigation efforts and would further make the totality of the administrative fine disproportionate and punitive [428].

239. The EDPB however agrees with the reasoning of the NO SA in its objection [429]. The EDPB reiterates that lawfulness of processing is one of the fundamental pillars of the data protection law and considers that processing of personal data without a legal basis is a clear violation of the data subjects’ fundamental right to data protection. Taking into account the nature and gravity of the infringement in accordance with Article 83(2) GDPR, the EDPB considers that an administrative fine should be imposed for this infringement. In this respect, the EDPB recalls that the infringement at issue relates to the processing of personal data of a significant number of children [431] and that the level of damage affecting them [432] has to be considered. Further, the EDPB notes that the identified infringement lasted at least from 25 May 2018 until the commencement of the IE SA’s inquiry in the present case on 21 September 2020. Finally, the EDPB takes note of the position of the IE SA in the Draft Decision that administrative fines in respect of each of the other infringements envisaged in the Draft Decision, relating to the contact information processing, are appropriate, necessary and proportionate in view of ensuring compliance with the GDPR [434].

[426] Section 5.4.2.3 of this Binding Decision.
[427] Paragraphs 48 and 180 of this Binding Decision. The EDPB found that in this respect the NO SA objection is relevant and reasoned, see paragraph 74 of this Binding Decision.
[428] Meta IE Article 65 Submissions, paragraph 98 and Annex A, p. 48.
[429] NO SA objection, p. 8.
[430] Article 8(2), EU Charter of Fundamental Rights.
[431] Draft Decision, paragraph 489.
[432] Draft Decision, paragraphs 499-500.

240. Therefore, the EDPB instructs the IE SA to consider the identified infringement of Article 6(1) GDPR in its determination on the administrative fines, by imposing a fine for the additional infringement, which is effective, proportionate and dissuasive in accordance with Article 83(1) and (2) GDPR.

8 BINDING DECISION

241. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue binding decisions pursuant to Article 65 GDPR, the EDPB issues the following binding decision in accordance with Article 65(1)(a) GDPR:

242. On the objections concerning legal basis for the contact information processing:

1. The EDPB decides that the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA regarding Meta IE’s reliance on Article 6(1)(b) GDPR and alternatively Article 6(1)(f) GDPR, meet the requirements of Article 4(24) GDPR.

2. The EDPB finds that the objection of the NO SA regarding the imposition of an administrative fine for the proposed additional infringement, meets the requirements of Article 4(24) GDPR. On the contrary, the EDPB decides that the relevant parts of the objections of the FR SA and IT SA on the specific matter relating to an administrative fine for the additional infringement do not meet the threshold of Article 4(24) GDPR.

3.
The EDPB instructs the IE SA to find in its final decision that there has been an infringement of Article 6(1) GDPR, on the basis of the conclusion reached by the EDPB in this Binding Decision.

4. The EDPB instructs the IE SA to consider the additional infringement of Article 6(1) GDPR in the compliance order, to the extent that the processing is ongoing, in order to ensure that full effect is given to Meta IE’s obligations under Article 6(1) GDPR.

243. On the objections relating to the possible further (or alternative) infringements of the GDPR identified by the CSAs:

5. With regard to the objection by the DE SAs concerning the possible additional infringements of Article 6(1)(a), Article 7 and Article 8(1) GDPR in relation to the contact information processing, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

6. With regard to the objection by the DE SAs concerning the possible additional infringements of Article 5(1)(a) and Article 5(1)(c) GDPR in relation to the contact information processing, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

[433] Draft Decision, paragraph 39.
[434] Draft Decision, paragraph 565.

7. With regard to the objection by the NO SA concerning the legal basis for the public-by-default processing, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

244. On the objections concerning the administrative fine:

8. The EDPB decides that the DE SAs objection regarding the calculation of the administrative fine meets the requirement of Article 4(24) GDPR.

9.
In relation to consideration of the infringement of Article 24 GDPR under Article 83(2)(k) GDPR as proposed in the DE SAs objection, the EDPB does not find that the infringement of Article 24 GDPR can be considered an aggravating factor under Article 83(2)(k) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

10. In relation to intentionality under Article 83(2)(b) GDPR, the EDPB considers that the arguments put forward by the DE SAs in their objection fail to provide objective elements that indicate the intentionality of the behaviour of Meta IE. Accordingly, the IE SA is not required to amend its Draft Decision with respect to the findings on the character of the infringements of Article 12(1) GDPR.

11. Regarding the relevance of profit of the undertaking as argued in the DE SA objection, the EDPB finds that in the present case the IE SA does not have to amend its Draft Decision to additionally consider the annual profit of the undertaking pursuant to Article 83 GDPR.

12. The EDPB instructs the IE SA to re-assess its envisaged corrective measure in terms of the administrative fine in accordance with Article 83(1) and (2) GDPR, namely:

12.1. to further elaborate its reasoning concerning the weight given to the financial benefit obtained by Meta IE from the infringement referred to in Finding 1 of the Draft Decision and, if further estimation of the financial benefit from the infringement is possible in this case and results in the need to increase the amount of the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.

12.2. to ensure that the final amounts of the administrative fines are effective, proportionate and dissuasive.

12.3. to consider the identified infringement of Article 6(1) GDPR in the IE SA’s determination on the administrative fines and impose an administrative fine for the additional infringement, which is effective, proportionate and dissuasive.
9 FINAL REMARKS

245. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on the basis of this Binding Decision pursuant to Article 65(6) GDPR.

246. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

247. According to Article 65(6) GDPR, the IE SA shall communicate its final decision to the Chair of the EDPB within one month after receiving this Binding Decision.

248. Once such communication is done by the IE SA, this Binding Decision will be made public pursuant to Article 65(5) GDPR.

249. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included in the register of decisions which have been subject to the consistency mechanism.

For the European Data Protection Board
The Chair
(Andrea Jelinek)