EDPB - Binding Decision 2/2022 - 'Instagram'

From GDPRhub
EDPB - Binding Decision 2/2022
Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 12(1) GDPR
Article 24(2) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 28.07.2022
Published: 15.09.2022
Fine: 405,000,000 EUR
Parties: n/a
National Case Number/Name: Binding Decision 2/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

The EDPB adopted a binding decision, following which the Irish DPC fined Meta €405,000,000 for the lack of legal grounds for processing contact information on children’s business accounts and ‘public by default’-settings for child users.

English Summary

Facts

The DPC had conducted an investigation into Meta, specifically into Instagram. The DPC focused its investigation on two aspects: first, the information displayed on business accounts of child users and, second, the default settings of newly created Instagram accounts. Based on this investigation, the DPC formulated a draft decision under Article 60(3) GDPR.

Processing of contact information on child user’s business accounts

The DPC held that Instagram permitted child users to switch from personal accounts to business accounts. During this switch from personal to business account, the child user was presented with an option screen (titled “Review Your Contact Info”). This screen was automatically filled with the user’s information, which was collected at the time of registration. The child user had the opportunity to modify this information. However, in order to complete the switching process from a personal to a business account, the child user also had to provide an email address or a phone number (contact information). Before September 2019, the phone number and e-mail were published on the respective user page in the form of a contact button. These contact details were not encrypted and were visible in plain text.

Since 4 September 2019, an updated version of this option screen was presented, with possibilities to modify contact details. Also, the user could choose not to provide any contact details at all.

Before March 2019, the contact details of child users were also visible as plain text in the HTML source code of the web version of Instagram.

Also, for a time between August 2020 and November 2020, e-mail addresses of Instagram business accounts were visible in the HTML source code of the Instagram website as plain text, including to persons not registered as Instagram users.

According to the DPC, by registering for a personal Instagram account, a data subject had to agree to the Instagram Terms of Use. The DPC held that Meta used two legal grounds in these terms of service for processing the personal data of Instagram child users: for the performance of a contract (Article 6(1)(b) GDPR) and for legitimate interest (Article 6(1)(f) GDPR).

Article 6(1)(b) GDPR

In its original draft decision, the DPC held that Meta could use Article 6(1)(b) GDPR as a legal ground for processing. The data subject would have to accept the terms of service. It also stated that Article 6(1)(b) GDPR does not require the inclusion of explicit contractual provisions. It would be sufficient if processing was necessary in the respective case. The DPC held that in this case, the contact information processing could be necessary for the performance of Meta’s Terms of Service with its users.

Article 6(1)(f) GDPR

The DPC also held that Meta could use Article 6(1)(f) GDPR as a legal ground for processing. This legal ground has three cumulative elements which need to be fulfilled by the controller in order to use this legal ground:

1) The pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed. In its draft decision, the DPC held that the interests of Meta for processing the contact information were legitimate for Meta as well as for the Instagram users, because publication of contact details may be a reasonable and lawful mode to promote a business or other undertaking. The DPC did not specify if this concerned all Instagram users or a specific type of user. (The EDPB assumed all Instagram users based on submissions of Meta and the interpretation of these by the DPC).

2) The need to process personal data for the purposes of the specific legitimate interests. The DPC held that the processing of contact information could be considered necessary for business account users who wished to provide contact information outside of Instagram. The DPC held in its original draft that the principle of data minimization (Article 5(1)(c) GDPR) had been violated by Meta, which is a relevant factor to decide if processing is necessary. The DPC determined this violation because child users of Instagram business accounts had to publish their information publicly on business accounts in the HTML code of the Instagram website, prior to 7 March 2019.

3) That the fundamental rights and freedoms do not take precedence (balancing exercise). The DPC held that Meta’s own analysis regarding the adequacy of the information provided to child users was inadequate. The DPC also held that there was a lack of transparency because child users were not properly informed that the publication of their contact information might result in a high-risk situation. Also, parts of the provided information were technical and hypothetical. The DPC came to the same conclusion for the security and safety measures implemented by Meta. The DPC held that these measures did not mitigate all relevant risks for child users. These inadequate measures would result in a risk of possible communication between child users and dangerous individuals, both on the Instagram platform itself and outside of the platform.

In the end, the DPC held that Meta could also use Article 6(1)(f) GDPR as a legal ground for processing. The DPC held that in cases where processing occurred in the context of ‘well-considered professional activities’, it was possible that the legitimate interests at issue would not be overridden by the interests or fundamental rights and freedoms of the child user.

Public-by-default Instagram accounts

Besides the remarks regarding the legal grounds for processing contact information of child users (business accounts), the DPC also determined violations regarding the public-by-default processing of personal Instagram accounts of child users.

The DPC had stated that Instagram accounts were public by default, including accounts belonging to child users. This meant that a new account would automatically be public without changing the settings. This meant that every user in the app or website, registered Instagram user or not, could see the contents of the account. If this had been the private setting, the user would have to approve who could look at their account. Meta informed its child users of the public-by-default account settings in its 2018 and 2020 Data Policies.

The DPC held that Meta had violated Article 12(1) GDPR because it did not inform child users of the purposes of the public-by-default processing in a clear and transparent way.

The DPC also held that Meta had violated Article 5(1)(c) GDPR and Article 25(2) GDPR, because the public-by-default processing was neither necessary nor proportionate. The DPC also mentioned that child users may have a reduced ability to change privacy settings. The DPC held that Meta had failed to implement technical and organizational measures to ensure that only personal data that was necessary for the relevant purpose of processing was collected.

The DPC also held that Meta violated Article 25(1) GDPR by not implementing appropriate technical and organizational measures.

The DPC also held that Meta had violated Article 24(1) GDPR because the DPC found that the safeguards and measures implemented by Meta IE did not assess the specific risks to the rights and freedoms of child users properly.

The Norwegian DPA objected to this assessment regarding the 'public by default' accounts, because it wanted the DPC to conclude that the public-by-default processing was not necessary or proportionate on several grounds. It also wanted the DPC to conclude that Article 6(1)(b) GDPR and Article 6(1)(f) GDPR were not applicable legal bases for the public-by-default processing.

Draft decision sent to the EDPB

The DPC had published this draft decision and invited other DPAs to react. Other DPAs objected to this draft for various reasons, amongst other things that the conditions for Article 6(1)(b) GDPR and Article 6(1)(f) GDPR were not met. After this, the DPC submitted its draft decision to the consistency mechanism for dispute resolution by the EDPB (Article 65(1)(a) GDPR).


Holding

The EDPB declared most of the objections of the other DPAs both relevant and reasoned in the context of Article 4(24) GDPR. After this assessment, the EDPB looked into the reasoning of the DPC regarding the legal ground for processing of child users’ data by Meta in the context of business accounts.

Processing of contact information on child user’s business accounts

Article 6(1)(b) GDPR

The EDPB held that the DPC could not have concluded that the contact information processing may be regarded as necessary for the performance of a contract between Meta and child users. As a consequence, the EDPB held that Meta IE could not have relied on Article 6(1)(b) GDPR as a legal basis for processing of contact information. The EDPB focused on the assessment by the DPC regarding the ‘necessity’ for the performance of the contract from Meta. The EDPB formulated several reasons why the processing was not necessary.

The EDPB held that it was important to determine the exact rationale of the contract, regarding substance and objective, to determine whether or not the processing is necessary. Factors to consider are the particular aim, purpose, or objective of the service. The processing should be objectively necessary for a purpose and must be integral to the delivery of the service to the data subject. The controller should also be able to justify the necessity in the context of the mutually understood purpose. This depends both on the controller’s perspective and on the perspective of the data subject (an ordinary user). Children merit special protection in this consideration.

The EDPB started by considering that the publication of the contact details on children’s profiles could not have been reasonably expected by these children, considering the high-level information in the Terms of Use and the fact that no specific information about business accounts was provided. Also, the EDPB did not agree that the contact information processing (publishing of phone number or e-mail) could be considered as “integral” or “central” to Instagram. The EDPB referred to a remark by the DPC in its original draft, that it was now possible to operate a professional profile without also publishing contact information.

The EDPB also considered that if there are realistic, less intrusive alternatives, the processing cannot be considered ‘necessary’. The principle of proportionality should be taken into account here. The DPC had even stated in its original draft that there was a possibility on Instagram to contact users directly through direct messaging within the platform. This was even the preferred method for communication for some business account users. According to the EDPB, this contact method should have been taken into consideration by the DPC as a less intrusive alternative when judging the ‘necessity’ of the processing.

The EDPB observed that Meta had claimed that the publication of the contact details was intended for traditional businesses. The EDPB held that it was technically possible to distinguish these traditional businesses from child users during the Instagram registration process based on age information. It would have therefore also been possible to avoid publishing child users’ contact information.

The EDPB also held that the publication of the contact information in the HTML source code on the Instagram website was not considered necessary by Facebook’s security team and was therefore discontinued by Facebook. The EDPB also considered here that the principle of data minimization (Article 5(1)(c) GDPR) is relevant for the ‘necessity’ assessment. Considering these facts, the EDPB held that the contact information in the HTML should therefore not have been regarded as ‘necessary’ by the DPC.

The EDPB also held that the publication of contact information meant massive risks to the rights and freedoms of children. This should also have been taken into consideration by the DPC when assessing whether or not this processing was ‘necessary’.

Article 6(1)(f) GDPR

The EDPB held that the publication of children’s contact information did not meet the requirements under Article 6(1)(f) GDPR, because the interests of the data subjects overrode the respective legitimate interests. Therefore, the EDPB held that Meta couldn’t use this legal ground for the processing. The EDPB formulated an opinion on all three of the cumulative elements that the controller had to fulfill in order to use this processing ground.

1) Legitimate Interest(s): The EDPB held that the interests were not specific enough because the controller mentioned them in a vague fashion. The EDPB mentioned that the evaluation of the existence of the legitimate interest(s) pursued should have been conducted by the DPC in a better way. Despite the fact that the EDPB could have stopped here, it decided to also assess the other assessments of the DPC on the cumulative criteria.

2) Necessity: The EDPB didn’t agree with the assessment of the DPC regarding the necessity of the processing. For assessing necessity, the EDPB stated that the existence of less intrusive means that would contribute effectively to achieving the interests pursued should be analyzed. The principle of proportionality should also be taken into account. The DPC held that Meta had violated the data minimization principle (Article 5(1)(c) GDPR) because of the mandatory display of contact information for business users in the HTML code of the Instagram website. The problem, according to the EDPB, was that the DPC didn’t follow this up with a conclusion that the processing was not necessary. The EDPB held that the DPC’s recognition of the HTML processing should have led it to conclude that the processing was not necessary. The EDPB also noted that the DPC should have considered direct messaging on Instagram as a less intrusive way of communication for the assessment of necessity, which the DPC hadn’t done in its draft decision. The EDPB continued by calling the DPC’s approach to determining the ‘necessity’ requirement ‘substantially erroneous’, because the DPC had named the interests of business users as a legitimate interest. The business users are the data subjects, whose interests cannot be seen as a legitimate interest. Only interests of the controller or a third party can be regarded as a legitimate interest. The DPC had therefore failed to justify why it considered the publication of the contact details necessary, also considering other communication means, such as direct messaging on Instagram.

3) Balancing exercise: The EDPB held that the risk assessment made by the DPC was accurate. The EDPB agreed with the DPC with regard to the lack of adequate safeguards and transparency by Meta. The EDPB did however not agree with the statement of the DPC that it was possible that the legitimate interests of Meta or third parties would not be overridden by the interests or fundamental rights and freedoms of the child users in some circumstances. The EDPB held that the DPC did not properly assess the impact of the processing when performing this balancing exercise, stating it had only taken into account the positive aspects of the processing, despite the risks the DPC had identified itself.

Public-by-default Instagram accounts

The EDPB dismissed the objection from the Norwegian DPA against the DPC’s original draft regarding public-by-default Instagram accounts, because the Norwegian DPA failed to establish a direct connection with the specific legal and factual content of the decision of the DPC. The compliance of 'public by default' processing with Article 6 GDPR was not part of the original DPC decision and the objection of the DPA was not 'reasoned' (Article 4(24) GDPR).

Other grounds

The decision of the EDPB contained other supposed violations of the GDPR. Most of these were objections brought forward by other DPAs. These were mostly not analyzed by the EDPB because they were deemed to be neither “relevant” nor “reasoned” (Article 4(24) GDPR).

Objections to fine:

After the EDPB considered several objections from other DPAs regarding the fine, the EDPB formulated this binding decision, after which the DPC adapted its original decision and fined Meta €405,000,000.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR

Adopted on 28 July 2022

Table of contents


1    Summary of the dispute
2    The right to good administration
3    Conditions for adopting a binding decision
   3.1.    Objections expressed by CSAs in relation to a draft decision
   3.2.    The LSA does not follow the relevant and reasoned objections to the draft decision or is of the opinion that the objections are not relevant or reasoned
   3.3.    Admissibility of the case
4    Structure of the binding decision
5    On legal basis for contact information processing
   5.1.    Analysis by the LSA in the Draft Decision
   5.2.    Summary of the objections raised by the CSAs
   5.3.    Position of the LSA on the objections
   5.4.    Analysis of the EDPB
     5.4.1.     Assessment of whether the objections were relevant and reasoned
     5.4.2.     Assessment on the merits
6    On potential further (or alternative) infringements identified by the CSAs
   6.1.    On potential infringements of Article 6(1)(a), Article 7 and Article 8(1) GDPR regarding contact information processing
     6.1.1.     Analysis by the LSA in the Draft Decision
     6.1.2.     Summary of the objection raised by the CSAs
     6.1.3.     Position of the LSA on the objections
     6.1.4.     Analysis of the EDPB
   6.2.    On potential infringements of Article 5(1)(a) and Article 5(1)(b) GDPR regarding contact information processing
     6.2.1.     Analysis by the LSA in the Draft Decision
     6.2.2.     Summary of the objection raised by the CSAs
     6.2.3.     Position of the LSA on the objections
     6.2.4.     Analysis of the EDPB
   6.3.    On legal basis regarding public-by-default processing
     6.3.1.     Analysis by the LSA in the Draft Decision
     6.3.2.     Summary of the objection raised by the CSAs
     6.3.3.     Position of the LSA on the objections
     6.3.4.     Analysis of the EDPB
7    On the determination of the administrative fine
   7.1.    Analysis by the LSA in the Draft Decision
   7.2.    Summary of the objections raised by the CSAs
   7.3.    Position of the LSA on the objections
   7.4.    Analysis of the EDPB
     7.4.1.     Assessment of whether the objections were relevant and reasoned
     7.4.2.     Assessment on the merits
8    Binding Decision
9    Final remarks

The European Data Protection Board



Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “GDPR”) [1],

Having regard to the European Economic Area (hereinafter, “EEA”) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 [2],

Having regard to Article 11 and Article 22 of its Rules of Procedure (hereinafter, “EDPB RoP”) [3],

Whereas:

(1) The main role of the European Data Protection Board (hereinafter, “EDPB”) is to ensure the consistent application of the GDPR throughout the EEA. To that effect, it follows from Article 60 GDPR that the lead supervisory authority (hereinafter, “LSA”) shall cooperate with the other supervisory authorities concerned (hereinafter, “CSAs”) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other CSAs. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.

(2) Where any of the CSAs expressed a reasoned and relevant objection on the draft decision in accordance with Article 4(24) GDPR and Article 60(4) GDPR and the LSA does not intend to follow the relevant and reasoned objection or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR.

(3) In accordance with Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.

(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) EDPB RoP, within one month after the Chair of the EDPB and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject-matter upon decision of the Chair of the EDPB on own initiative or at the request of at least one third of the members of the EDPB.

(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members.

(6) In accordance with Article 11(6) EDPB RoP, only the English text of the decision is authentic as it is the language of the EDPB adoption procedure.

[1] OJ L 119, 4.5.2016, p. 1.
[2] References to “Member States” made throughout this decision should be understood as references to “EEA Member States”.
[3] EDPB Rules of Procedure, adopted on 25 May 2018.

HAS ADOPTED THE FOLLOWING BINDING DECISION



        1 SUMMARY OF THE DISPUTE

1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. This Binding Decision concerns the dispute arisen following a draft decision (hereinafter, “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this document as the “LSA”) and the subsequent objections expressed by several CSAs, namely the German supervisory authority for Hamburg (“Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”) representing the views of itself and the other German supervisory authorities, including the German supervisory authority for Berlin (“Der Berliner Beauftragte für Datenschutz und Informationsfreiheit”), the German supervisory authority for Bremen (“Der Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen”) and the German supervisory authority for North Rhein-Westphalia (“Der Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen”), hereinafter referred to collectively as the “DE SAs”; the Finnish supervisory authority (“Tietosuojavaltuutetun toimisto”), hereinafter the “FI SA”; the French supervisory authority (“Commission Nationale de l'Informatique et des Libertés”), hereinafter the “FR SA”; the Italian supervisory authority (“Garante per la protezione dei dati personali”), hereinafter the “IT SA”; the Dutch supervisory authority (“Autoriteit Persoonsgegevens”), hereinafter the “NL SA”; and the Norwegian supervisory authority (“Datatilsynet”), hereinafter the “NO SA”.

2. The Draft Decision related to an “own-volition inquiry” which was commenced by the IE SA on 21 September 2020 regarding processing activities of Facebook Ireland Limited, a company established in Dublin, Ireland. The company has subsequently changed its name to “Meta Platforms Ireland Limited” and hereinafter it is referred to as “Meta IE”. Any reference to Meta IE in this Binding Decision means a reference to either Facebook Ireland Limited or Meta Platforms Ireland Limited, as appropriate.

3. The Draft Decision concerned Meta IE’s compliance with Article 5(1)(a) and (c), Article 6(1), Article 12(1), Articles 13, 24, 25 and 35 GDPR in respect of certain processing of child users’ personal data in the context of the “Instagram” social media networking service (hereinafter, “Instagram”). In particular, it concerned the personal data processing by Meta IE in relation to public disclosure of email addresses and/or phone numbers of child users of the Instagram business account feature and a public-by-default setting for personal accounts of child users on Instagram.

4. The IE SA stated in its Draft Decision that it was satisfied that the IE SA is the LSA, within the meaning

    of the GDPR, for Meta IE, as controller in respect of the cross-border processing of personal data in
    the context of the Instagram service .

5. The following table presents a summary timeline of the events part of the procedure leading to the

    submission of the matter to the consistency mechanism:

     21 September 2020          The IE SA commenced the inquiry and requested information from
                                Meta IE. The scope and legal basis of the inquiry were set out in the
                                Notice of Commencement of the inquiry that was sent to Meta IE on
                                21 September 2020. The temporary scope of the inquiry was set to
                                cover a period between 25 May 2018 and 21 September 2020.

                                On 27 October 2020, Meta IE provided replies to preliminary queries
                                by the IE SA.

     27 November 2020           The IE SA provided Meta IE with a Statement of Issues, where it set
                                out the factual summary of relevant issues and described the matters
                                for determination under the GDPR.

                                On 10 December 2020, Meta IE made submissions in response to the
                                Statement of Issues and on 29 January 2021, provided the IE SA with
                                an updated Legitimate Interest Assessment.

     11 June 2021               The IE SA issued a Preliminary Draft Decision against Meta IE
                                regarding its processing activities within the scope of the inquiry
                                (“Preliminary Draft Decision”). The IE SA invited Meta IE to make
                                submissions on the Preliminary Draft Decision.

     August-September 2021      On 9 August 2021, Meta IE provided its submissions on the
                                Preliminary Draft Decision to the IE SA (“Meta IE Preliminary Draft
                                Submissions”). On 16 August 2021 Meta IE provided to the IE SA an
                                additional expert report. On a separate request from the IE SA, on 23
                                September 2021 Meta IE provided additional submissions regarding
                                Article 83(3) GDPR (“Meta IE Submissions on Article 83(3) GDPR”).

     December 2021              On 3 December 2021, the IE SA shared its Draft Decision with the CSAs
                                in accordance with Article 60(3) GDPR.

                                Several CSAs (DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA) raised
                                objections in accordance with Article 60(4) GDPR. Several comments
                                were also exchanged.

     21 January 2022            The IE SA issued a Composite Response setting out its compromise
                                proposals (“Composite Response”) and shared it with the CSAs. The
                                IE SA requested the relevant CSAs to provide an indication of whether
                                the IE SA’s compromise proposals could be satisfactory for the CSAs
                                as a possible way forward.

     February 2022              In light of the proposals in the Composite Response, further
                                exchanges took place between the IE SA and the CSAs. During the
                                exchanges, several CSAs confirmed to the IE SA that its compromise
                                proposals were not sufficient and they intended to maintain their
                                objections.

                                On 25 February 2021 Meta IE was invited to exercise its right to be
                                heard in respect of all the material that the IE SA proposed to refer to
                                the EDPB and on 6 April 2022 Meta IE provided its submissions (“Meta
                                IE Article 65 Submissions”).

     13 May 2022                The IE SA referred the matter to the EDPB in accordance with Article
                                60(4) GDPR, thereby initiating the dispute resolution procedure under
                                Article 65(1)(a) GDPR.

    ⁴ Instagram registered users aged between 13 and 17 years old. A person must be at least 13 years old to register
    as an Instagram user. See Draft Decision, paragraph 9.
    ⁵ Draft Decision, paragraphs 47-57.




6. Following the submission by the IE SA of this matter to the EDPB in accordance with Article 60(4) GDPR
    in the Internal Market Information system (hereinafter, “IMI”)⁶ on 13 May 2022, the EDPB Secretariat
    assessed the completeness of the file on behalf of the Chair of the EDPB in line with Article 11(2) EDPB
    RoP.


7. The EDPB Secretariat contacted the IE SA on 20 May 2022, asking for information and additional
    documents to be submitted in the IMI. The IE SA provided the information and documents on 24 May
    2022.


8. A matter of particular importance that was scrutinized by the EDPB Secretariat was the right to be
    heard, as required by Article 41(2)(a) of the EU Charter of Fundamental Rights. Further details on this
    are provided in Section 2 of this Binding Decision.


9. On 1 June 2022, after the IE SA and the Chair of the EDPB confirmed the completeness of the file, the
    EDPB Secretariat circulated the file to the EDPB members.

10. The Chair of the EDPB decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4)
    EDPB RoP, to extend the default timeline for adoption of one month by a further month on account of
    the complexity of the subject-matter.



        2 THE RIGHT TO GOOD ADMINISTRATION

11. The EDPB is subject to the EU Charter of Fundamental Rights, in particular Article 41 (the right to good
    administration). This is also reflected in Article 11(1) EDPB RoP.

12. The EDPB’s decision “shall be reasoned and addressed to the lead supervisory authority and all the
    supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address
    directly any third party. However, as a precautionary measure to address the possible need for the
    EDPB to offer the right to be heard at the EDPB level to Meta IE⁷, the EDPB assessed if Meta IE was
    offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA
    and the subject matter of the dispute to be resolved by the EDPB, and in particular if all the documents
    containing the matters of facts and law received and used by the EDPB to take its decision in this
    procedure have already been shared previously with Meta IE.

13. The EDPB notes that Meta IE has received the opportunity to exercise its right to be heard regarding
    all the documents containing the matters of facts and of law considered by the EDPB in the context of
    this decision and provided its written observations⁸, which have been shared with the EDPB by the
    LSA⁹.



    ⁶ The Internal Market Information (IMI) is the information and communication system mentioned in Art. 17 EDPB
    RoP.
    ⁷ See EDPB Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for
    public consultation) (hereinafter, “EDPB Guidelines on Article 65(1)(a)”), paragraphs 98-99.
    ⁸ In particular, Meta IE Preliminary Draft Submissions dated 9 August 2021, Meta IE Submissions on Article 83(3)
    GDPR dated 23 September 2021, Meta IE Article 65 Submissions dated 6 April 2022.
    ⁹ The EDPB notes that Meta IE recognised that it “was afforded the opportunity to make written submissions in
    respect of the Draft Decision, the Composite Response, and the objections of the CSAs to the [IE SA]” (Meta IE’s
    Letter to the EDPB dated 17 May 2022). The IE SA also confirmed that Meta IE was invited to exercise its right to
    be heard “in respect of all of the material that IE SA proposed to refer to the EDPB” (Letter from the IE SA to the
    EDPB Secretariat dated 12 May 2022). Finally, as Meta IE recognised in its Article 65 Submissions “[t]hese
    submissions are directed only to those matters which are the subject of an objection and matters [Meta IE] has
    been informed will be referred by the [IE SA] to the dispute resolution mechanism” (Meta IE Article 65
    Submissions, p. 1). The EDPB Secretariat checked and confirmed that the EDPB was provided with the same
    documents, which contained the relevant matters of fact and of law. The only additional documents included
    were the different submissions of Meta IE.

14. Considering that Meta IE has been already heard by the IE SA on all matters of facts and of law
    addressed by the EDPB in its decision, the EDPB is satisfied that the Article 41 of the EU Charter of
    Fundamental Rights has been respected.


        3 CONDITIONS FOR ADOPTING A BINDING DECISION

15. The general conditions for the adoption of a binding decision by the EDPB are set forth in Article 60(4)
    and Article 65(1)(a) GDPR¹⁰.


        3.1.    Objections expressed by CSAs in relation to a draft decision

16. The EDPB notes that several CSAs (DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA) raised objections to
    the Draft Decision via IMI in accordance with Article 60(4) GDPR. Each of the objections was submitted
    within the deadline provided by Article 60(4) GDPR.

17. The Portuguese supervisory authority (“Comissão Nacional de Proteção de Dados”) and the Danish
    supervisory authority (“Datatilsynet”) provided comments on the Draft Decision. As these comments
    are not objections within the meaning of Article 4(24) GDPR, they cannot trigger the dispute resolution
    mechanism of Article 65(1)(a) GDPR and therefore are not part of the scope of this Binding Decision¹¹.


        3.2.    The LSA does not follow the relevant and reasoned objections to the draft
                decision or is of the opinion that the objections are not relevant or reasoned

18. According to the IE SA, the responses received from the CSAs in relation to the Composite Response
    showed that there was no single proposed compromise that was agreeable to all of the relevant CSAs.
    In accordance with Article 60(4) GDPR, the IE SA submitted the matter to the consistency mechanism
    for dispute resolution by the EDPB pursuant to Article 65(1)(a) GDPR. The IE SA clarified in its Letter to
    the EDPB Secretariat concerning the Article 65 GDPR referral of the dispute to the EDPB that it does
    not propose to “follow” the objections that were raised by the CSAs and/or does not consider the
    objections to be relevant and reasoned¹².


        3.3.    Admissibility of the case

19. As a preliminary remark, the EDPB takes note of the views of Meta IE that an escalation by the IE SA to
    the EDPB was premature and that the Article 60 GDPR process had not been fully exhausted in the
    present case¹³. The EDPB however finds that the case at issue fulfils, prima facie, all the elements listed
    in Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA within the
    deadline provided by Article 60(4) GDPR, and the LSA has not followed objections or rejected them as
    not relevant or reasoned.

    ¹⁰ According to Art. 65(1)(a) GDPR, the EDPB will issue a binding decision when a supervisory authority has raised
    a relevant and reasoned objection to a draft decision of the LSA and the LSA has not followed the objection or
    the LSA has rejected such an objection as being not relevant or reasoned.
    ¹¹ EDPB Guidelines on Article 65(1)(a), paragraph 17.
    ¹² The IE SA letter to the EDPB Secretariat dated 12 May 2022. The submission of the dispute on the IMI occurred
    on 13 May 2022.
    ¹³ Meta IE Article 65 Submissions, paragraphs 12-17.

20. The EDPB further takes note of Meta IE’s position that the current Article 65 GDPR dispute resolution
    should be suspended due to pending preliminary ruling proceedings before the Court of Justice of the
    EU (hereinafter, “CJEU”) in Case C-252/21¹⁴. In addition, on 17 May 2022, Meta IE sent a letter to the
    EDPB¹⁵, in which Meta IE further asked for stay of proceedings before the EDPB in the procedure at
    issue in light of pending CJEU cases: C-446/21¹⁶ and C-252/21¹⁷. Following its assessment, the EDPB
    considers that the scope of the dispute to be resolved by the EDPB in the present procedure does not
    overlap with the scope of the aforementioned pending preliminary ruling proceedings, given the
    different processing operations at stake. Therefore, the EDPB does not need to evaluate further the
    possibility to stay its proceedings on this Article 65 GDPR dispute resolution pending the determination
    of the preliminary rulings by the CJEU.

21. Considering the above, in particular that the conditions of Article 65(1)(a) GDPR are met, the EDPB is
    competent to adopt a binding decision, which shall concern all the matters which are the subject of
    the relevant and reasoned objections, i.e. whether there is an infringement of the GDPR or whether
    the envisaged action in relation to the controller or processor complies with the GDPR¹⁸.


22. The EDPB recalls that its current decision is without any prejudice to any assessments the EDPB may
    be called upon to make in other cases, including with the same parties, taking into account the
    contents of the relevant draft decision and the objections raised by the CSAs.



        4 STRUCTURE OF THE BINDING DECISION


23. For each of the objections raised, the EDPB assesses first whether they are to be considered as
    “relevant and reasoned” within the meaning of Article 4(24) GDPR as clarified in the EDPB Guidelines
    on the concept of a relevant and reasoned objection¹⁹.

24. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the
    EDPB does not take any position on the merit of any substantial issues raised by that objection in this
    specific case²⁰. The EDPB will analyse the merits of the substantial issues raised by all objections it
    deems to be “relevant and reasoned”.






    ¹⁴ Meta IE Article 65 Submissions, paragraph 30: according to Meta IE, in Case C-252/21 the CJEU has been asked
    “to address the scope of the legal bases of Article 6(1)(b) and Article 6(1)(f) GDPR, and as a result may be
    instructive in application to this matter”.
    ¹⁵ Meta IE’s letter to the EDPB dated 17 May 2022.
    ¹⁶ Request for a preliminary ruling of 20 July 2021, Schrems, C-446/21.
    ¹⁷ Request for a preliminary ruling of 22 April 2021, Meta Platforms and Others, C-252/21.
    ¹⁸ Art. 4(24) GDPR and Art. 65(1)(a) GDPR. Some CSAs raised comments and not per se objections, which were,
    therefore, not taken into account by the EDPB.
    ¹⁹ EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version 2 adopted on 9 March
    2021, (hereinafter, “EDPB Guidelines on RRO”). The Guidelines (version 2) were adopted on 9 March 2021, after
    the commencement of the inquiry by the IE SA relating to this particular case.
    ²⁰ EDPB Guidelines on Article 65(1)(a), paragraph 63.




        5 ON LEGAL BASIS FOR CONTACT INFORMATION PROCESSING


        5.1.    Analysis by the LSA in the Draft Decision

25. In 2016, a new type of Instagram account was introduced, called a “business account”. Instagram users
    who switched from a “personal account” to a “business account” were shown additional information
    about their profile and followers. Until September 2019, users, including child users, who switched to
    a “business account” were required to display additional public-facing contact details in the form of
    an email address and/or a phone number (hereinafter, “contact information”), which were published
    on the user’s profile²¹. On 4 September 2019 Meta IE removed the mandatory requirement to publicly
    display the contact information²².

26. In its Draft Decision, the IE SA considered whether Meta IE could rely alternatively on Articles 6(1)(b)
    and 6(1)(f) GDPR as legal bases for the public disclosure of the contact information of child users of
    Instagram business accounts (hereinafter, “contact information processing”). In particular, the IE SA
    found that the following processing operations by Meta IE were concerned²³:

            (1) Meta IE permitted child users of Instagram to switch from personal accounts to business
                accounts.

            (2) Until 4 September 2019, when switching to a business account, child users were
                presented with an option screen (titled “Review Your Contact Info”) as part of the
                switching process. This screen was automatically populated with the user’s information,
                as obtained by Meta IE at the time of user registration, which the user had the opportunity
                to modify. In order to complete the business account switching process, the user was
                required to supply either an email address or a phone number. Users who had private
                Instagram accounts were prompted to switch to a public account as part of the account
                switching process.

            (3) As of 4 September 2019, when switching to a business account child users were presented
                with a revised option screen (still titled “Review Your Contact Info”) automatically
                populated with the user’s information obtained at the time of registration. At this stage,
                users could either modify their contact details or opt not to provide contact information
                by pressing the “Don’t use my contact info” button at the bottom of the page.

            (4) Where a child user associated an email address and/or phone number with a business
                account (whether as a mandatory requirement of switching prior to September 2019, or
                on an optional basis after September 2019), this phone number and/or email address
                were published on the user’s Instagram profile page, in the form of a “contact button”.

            (5) Email addresses and/or phone numbers made public in the context of Instagram business
                accounts are not encrypted, and are visible as plain text.

            (6) Email addresses and/or phone numbers made public in the context of Instagram business
                accounts are visible to registered Instagram users on the Instagram mobile application.

            (7) Additionally, prior to March 2019, email addresses and/or phone numbers associated
                with Instagram business accounts were visible (including to persons not registered as
                Instagram users) as plain text in the HTML source code of the web-browser version of
                Instagram profile pages; and

            (8) For a period between August 2020 and November 2020, email addresses associated with
                Instagram business accounts were visible (including to persons not registered as
                Instagram users) as plain text in the HTML source code of the web-browser version of
                Instagram profile pages.

    ²¹ Draft Decision, paragraphs 13-14.
    ²² Draft Decision, paragraph 25.
    ²³ As described in the Draft Decision, paragraph 42.

27. The IE SA found that by registering for a personal Instagram account, a data subject agreed to the
    Instagram Terms of Use²⁴. Section 1 of the Instagram Terms of Use (titled the “The Instagram Service”)
    listed nine service areas stating²⁵:

            “…[t]he [Instagram] Service is made up of the following aspects (the Service):

            Offering personalized opportunities to create, connect, communicate, discover, and share.

            People are different. We want to strengthen your relationships through shared experiences you
            actually care about. So we build systems that try to understand who and what you and others
            care about, and use that information to help you create, find, join, and share in experiences
            that matter to you. Part of that is highlighting content, features, offers, and accounts you might
            be interested in, and offering ways for you to experience Instagram, based on things you and
            others do on and off Instagram.”


28. In the light of Meta IE’s submissions, the IE SA found in the Draft Decision that Meta IE relied on Article
    6(1)(b) GDPR for the contact information processing only to the extent that a child user had capacity
    to enter into an enforceable contract under the applicable Member State law²⁶. Meta IE relied on
    Article 6(1)(f) GDPR as an alternative legal basis with regard to child users who did not have capacity
    under the applicable Member State law to enter into a contract with Meta IE²⁷.


29. When assessing Meta IE’s reliance on Article 6(1)(b) GDPR for the contact information processing, the
    IE SA first observed that, as explained above, a data subject agreed to the Instagram Terms of Use,
    when registering for a personal Instagram account and referred to Section 1 of the Instagram Terms
    of Use²⁸. The IE SA considered that Article 6(1)(b) GDPR does not require the inclusion of express
    contractual provisions pertaining to processing in order to provide a legal basis and it is sufficient that
    processing is necessary for the performance of a contract with the data subject²⁹. The Draft Decision
    further stated that “the publication of contact information in the context of business accounts may be
    regarded as necessary processing for the purpose of Article 6(1)(b) GDPR”³⁰. The Draft Decision found
    that “the contact information processing could be necessary for the performance of [Meta IE’s] Terms
    of Service with its users” and that no infringement by Meta IE occurred “to the extent that it relied on
    Article 6(1)(b) GDPR as a legal basis for processing personal data of certain child users”³¹.

    ²⁴ Instagram Terms of Use, version of 18 April 2018.
    ²⁵ Draft Decision, paragraph 114.
    ²⁶ Draft Decision, paragraph 114.
    ²⁷ Draft Decision, paragraphs 105 and 114.
    ²⁸ Draft Decision, paragraph 114.
    ²⁹ Draft Decision, paragraph 115.
    ³⁰ Draft Decision, paragraph 115.
    ³¹ Draft Decision, paragraph 116.

30. When assessing Meta IE’s reliance on Article 6(1)(f) GDPR for the contact information processing
    relating to child users unable to enter into an enforceable contract, the IE SA first noted that “the
    processing meets the requirements of Article 6(1)(f) to the extent that the interests pursued in
    connection with the contact information processing are legitimate interests of [Meta IE] and other
    Instagram users, insofar that publication of contact details to the public may be a reasonable and
    lawful mode by which to promote a professional undertaking or other public initiative”³². With regard
    to the necessity of the contact information processing for the purpose of the legitimate interests
    pursued, the Draft Decision stated that: “such processing may have been, to an extent, a reasonable
    means for Instagram users to publish off-platform contact details in some circumstances. In particular,
    such processing could be regarded as necessary for those business account users who wished to be
    publicly contactable by email or phone in connection with their professional activities”³³.

31. Regarding the balancing test, the IE SA concluded in the Draft Decision that: “in some circumstances,
    where the contact information processing occurred in the context of the well-considered professional
    activities, it is possible that the legitimate interests at issue would not be overridden by the interests or
    fundamental rights and freedoms of the child user”³⁴. The IE SA further concluded that the contact
    information processing could be lawful on the basis of Article 6(1)(f) GDPR “in respect of some of the
    child users at issue” and therefore no infringement by Meta IE occurred “to the extent that it relied on
    Article 6(1)(f) GDPR as a legal basis for processing personal data of certain child users”³⁵.


        5.2.     Summary of the objections raised by the CSAs

32. The DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA raised objections regarding the conclusions by the
    LSA in the Draft Decision that no infringement occurred to the extent Meta IE relied on Article 6(1)(b)
    GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing.


33. The NL SA first considered that reliance on Article 6(1)(b) GDPR required clarity on what purposes
    were to be regarded in the context of the assessment and a valid contract between the controller and
    the data subject³⁶. The NL SA considered that it is a legal requirement for the IE SA to establish “what
    the contract is and whether that contract is suitable to serve as a legal basis under Article 6(1)(b)
    GDPR”³⁷. Considering the serious lack of transparency on behalf of the controller established by the IE
    SA in the Draft Decision, the NL SA had a reasonable doubt as to whether data subjects had indeed
    been able to enter into a contract with the Meta IE both willingly and sufficiently informed. Therefore,
    the NL SA questioned whether such valid contract existed between Meta IE and the data subjects in
    the case at hand³⁸. Second, the NL SA questioned whether the data processing activities in question
    were actually necessary for the performance of the contract³⁹. The NL SA stressed that the Draft
    Decision of the IE SA did not address the question of whether Meta IE made the assessment regarding
    necessity and if any such assessment met the strict necessity standard that reliance on this legal basis
    requires⁴⁰. According to the NL SA, other evidence in the Draft Decision, in particular referred to in the
    last sentence of paragraph 115 of the Draft Decision, as well as the IE SA’s assessment of the data
    minimisation, indicated that the necessity criterion of Article 6(1)(b) GDPR would actually not be met
    in this case⁴¹.

    ³² Draft Decision, paragraph 118.
    ³³ Draft Decision, paragraph 119.
    ³⁴ Draft Decision, paragraph 123.
    ³⁵ Draft Decision, paragraph 125.
    ³⁶ NL SA objection, paragraph 7.
    ³⁷ NL SA objection, paragraph 10.
    ³⁸ NL SA objection, paragraph 11.
    ³⁹ NL SA objection, paragraphs 12-15.
    ⁴⁰ NL SA objection, paragraph 13.


34. The NL SA stated that the contact information processing also did not fulfil the requirements of Article
    6(1)(f) GDPR⁴². Concerning the requirement of the pursued interest being legitimate, the NL SA
    observed that the Draft Decision did not include an assessment on why the interest pursued by Meta
    IE were sufficiently clarified and precise or exactly whose interests were pursued⁴³. The NL SA further
    noted that the IE SA left unassessed if the interests were lawful⁴⁴ and real and present⁴⁵. Regarding
    the requirement of necessity of the processing, the NL SA stated that IE SA did not clearly express why
    there was a link between the processing and interests pursued. Rather, the NL SA was of the view that
    the IE SA’s statement that the processing may have been a reasonable means to achieve the
    publication of off-platform contact details was circular reasoning⁴⁶. In addition, according to the NL
    SA, in the Draft Decision the IE SA did not appropriately consider whether any other means to achieve
    the objectives were available to the controller. In particular, the fact that as from 4 September 2019 it
    was no longer mandatory to publish the contact information of child users indicated that it was likely
    that there were less intrusive means available for the controller to reach its objective⁴⁷. Furthermore,
    according to the NL SA, by using phrases like “in some circumstances” and “it is possible that” in the
    Draft Decision, the IE SA only addressed those particular situations and possibilities⁴⁸. Such a wording
    led to the Draft Decision not addressing questions relating to the necessity of contact information
    processing in other situations, such as where child users did not wish to be publicly contactable by
    email or phone in connection to their professional activities⁴⁹. According to the NL SA, in the context
    of the balancing of interests, the wording of the Draft Decision suggested that only in those situations
    where the users were well-informed or digitally literate children who used Instagram for
    well-considered professional activities, the legitimate interests pursued would not be overridden by the
    interests or fundamental rights of those children. Leading from this, the NL SA suggested that the IE
    SA had acknowledged that in other situations, the interests of the data subjects could override the
    interests of Meta IE. However, such situations were not addressed in the Draft Decision⁵⁰. The NL SA
    also argued that without analysing and concluding how evident the legitimate interest pursued was
    and if Meta IE’s assessment of the impact of the processing on the data subjects’ interests or
    fundamental rights and freedoms was appropriate, the IE SA could not have concluded that the
    interests of Meta IE were not overridden by the interests or fundamental rights and freedoms of the
    data subjects⁵¹.


35. Further, the NL SA asked the LSA to take appropriate corrective measures to address the infringement
    and, moreover, the compliance order to the controller, as described in paragraph 627 of the Draft
    Decision, should include the obligation to remedy the breach of Article 6 GDPR⁵². Finally, the NL SA
    stated that the Draft Decision, if unchanged, would lower the lawfulness threshold for processing and
    undermine the protection of personal data of individuals that enter into contracts that entail
    processing of personal data; it would also deprive data subjects of the protection mechanisms
    envisaged in the GDPR and posed the risk that the choice, agency and protection of data subjects –
    particularly children – is undermined⁵³.

    ⁴¹ NL SA objection, paragraphs 14-15.
    ⁴² NL SA objection, paragraphs 25-42.
    ⁴³ NL SA objection, paragraph 28.a.
    ⁴⁴ NL SA objection, paragraph 28.b.
    ⁴⁵ NL SA objection, paragraph 28.c.
    ⁴⁶ NL SA objection, paragraph 31.a.
    ⁴⁷ NL SA objection, paragraph 31.b.
    ⁴⁸ NL SA objection, paragraphs 32 and 35.
    ⁴⁹ NL SA objection, paragraph 32.
    ⁵⁰ NL SA objection, paragraph 35.
    ⁵¹ NL SA objection, paragraph 37.
    ⁵² NL SA objection, paragraphs 19 and 42.

                                                       ***

36. The DE SAs stated that the prerequisites for relying on Article 6(1)(b) GDPR were not fulfilled in the
    present case. First, based on the information delivered by the IE SA, no sufficient proof of a valid
    contract between Meta IE and the child users was provided, although a valid contract is a prerequisite
    for controllers to rely on Article 6(1)(b) GDPR as made clear in the EDPB Guidelines 2/2019⁵⁴. The IE SA
    should also have examined or at least obtained an explanation of the validity of the contract on which
    the controller relies⁵⁵. Moreover, according to the DE SAs, if the controller did not clearly communicate
    in a transparent manner that the publication of the contact information would be based on a contract
    (as observed in Findings 1 and 2 of the Draft Decision), then no contract with this content could come
    into existence for which the particular processing could be based on Article 6(1)(b) GDPR⁵⁶. Regarding
    necessity, the DE SAs did not agree with the LSA’s analysis in the Draft Decision and stated that Article
    6(1)(b) GDPR can only be used to legitimise data processing that constitutes an essential element of
    the contract⁵⁷. Accordingly, only the data processing that was actually necessary for the corresponding
    contractual purpose – the operation of an Instagram business account – can be justified on the basis
    of Article 6(1)(b) GDPR. In this respect, according to the DE SAs, it was not comprehensible, nor
    explained by Meta IE, why a publication of contact data in plain text or the use of this data for the
    HTML source text should be necessary for the operation of such an account. The DE SAs considered
    that such necessity did not exist in the present case⁵⁸.

37. The DE SAs stated that the contact information processing did not fulfil the requirements of Article
    6(1)(f) GDPR. Firstly, according to the DE SAs, the interest pursued by Meta IE was not legitimate.
    More precisely, the DE SAs argued that promoting a professional business or other public initiative
    could not be a legitimate interest of Meta IE as the business-holders, being children, could not express
    their legally binding commitment to the terms of use of Instagram. According to the DE SAs, treating
    children as professional undertakings in circumstances where national contract law protects children
    by requiring parental consent would undermine the protection of children⁵⁹. Secondly, the DE SAs
    argued that the processing did not fulfil the requirement of necessity in relation to the pursued
    interest. Here, the DE SAs based its view on the same arguments provided in the context of Article
    6(1)(b) GDPR, as referred in the preceding paragraph. In addition, the DE SAs observed that Meta IE
    later changed its practice to no longer require the publication of the contact information of business
    accounts. Thirdly, the DE SAs stated that the balancing of interests should be based on the protection
    of child users in general rather than the specific technical and economic abilities of each child user.
    According to the DE SAs, based on their mental vulnerability, the protection of children should prevail
    over the interests referred by Meta IE⁶⁰.

    ⁵³ NL SA objection, paragraphs 20-22 and 43-47.
    ⁵⁴ EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the
    provision of online services to data subjects Version 2.0, 8 October 2019 (hereinafter, “EDPB Guidelines
    2/2019”).
    ⁵⁵ DE SAs objection, p. 3-4.
    ⁵⁶ DE SAs objection, p. 4.
    ⁵⁷ DE SAs objection, p. 4-5.
    ⁵⁸ DE SAs objection, p. 5.
    ⁵⁹ DE SAs objection, p. 6.

38. Finally, the DE SAs considered that the Draft Decision posed a significant risk for the fundamental rights
    and freedoms of child users of Instagram and other data subjects. In particular, since it would result in
    the data subjects having no control over their personal data, the LSA’s wide understanding of Articles
    6(1)(b) and (f) GDPR would generally render ineffective the protection afforded by the GDPR and
    Article 8 of the EU Charter of Fundamental Rights, and would undermine effective enforcement of the
    GDPR, which is a precondition for guaranteeing the fundamental rights and freedoms of the data
    subjects⁶¹.

                                                       ***


39. The IT SA stated that with respect to Article 6(1)(b) GDPR the assessment of whether a certain
    processing activity is necessary should be factually based on the purposes of the service being offered
    and the data subject should be made aware of those purposes through the appropriate information.
    In the case at hand, very high level information on the purposes of the processing was available and
    the arrangements to inform users, especially underage users, were all but unambiguous⁶². According
    to the IT SA, Meta IE failed to demonstrate the necessity of the processing. The subsequent change,
    when the publication became optional, proved that the processing was not necessary. The publication
    of data at large in the HTML page source code in the web-based version of Instagram could hardly be
    regarded as necessary⁶³. The IT SA also observed that Meta IE’s Privacy Policy available in Italy showed
    no reference to the applicable national law, making it accordingly impossible to understand on which
    legal basis it relied to legitimise the processing of data relating to child users for opening and managing
    business accounts⁶⁴.

40. The IT SA pointed out that with respect to Article 6(1)(f) GDPR the IE SA drew conclusions only on
    digitally skilful child users. Furthermore, the IT SA stated that the balancing exercise as required under
    Article 6(1)(f) GDPR was flawed⁶⁵. In this context, the IT SA noted the conflict between Meta IE’s claims
    that the risks which child users were exposed to by the contact information processing were potential
    rather than actual and that appropriate safeguards had been adopted, and the IE SA’s finding that
    Meta IE had not implemented appropriate security measures and therefore infringed Articles 24 and
    25 GDPR. Moreover, the IT SA observed that Meta IE chose not to carry out a data protection impact
    assessment, which indicated a flawed risk assessment. According to the IT SA, the inaccurate risk
    evaluation undermined the balancing of interests and left the arguments of the IE SA without
    substance but instead with inconsistencies⁶⁶. Furthermore, the IT SA stated that, where national
    contract law prevented child users to conclude contracts due to their incapacity to fully understand
    the consequences thereof, it was unlikely that a balancing test could result in the interests of the
    controller overriding the protection of the rights and freedoms of child users⁶⁷.





    ⁶⁰ DE SAs objection, p. 7.
    ⁶¹ DE SAs objection, p. 9.
    ⁶² IT SA objection, p. 1-2.
    ⁶³ IT SA objection, p. 2.
    ⁶⁴ IT SA objection, p. 1.
    ⁶⁵ IT SA objection, p. 3.
    ⁶⁶ IT SA objection, p. 3-4.
    ⁶⁷ IT SA objection, p. 4.




41. Further, the IT SA asked the LSA to amend the Draft Decision “in respect of the action envisaged in
    relation to the controller. In particular, the amount of the administrative fine should be re-calculated
    by having regard to the criteria set out in Article 83(2) GDPR”⁶⁸. Finally, the IT SA stated that, if left
    unchanged, the Draft Decision would result in a risk to the fundamental rights and freedoms of data
    subjects, because there would be no effective deterrence for the infringement of data subjects’ rights
    and the approach adopted by the LSA regarding the legal bases would jeopardise the data subjects’
    rights in general, as it may be construed as an endorsement of the controller’s approach to the
    processing of child users’ personal data⁶⁹.

                                                        ***

42. The FI SA stated that in order to rely on Article 6(1)(b) GDPR there needed to be a valid contract
    between the controller and the data subjects but the Draft Decision left this issue unsettled.
    Furthermore, according to the FI SA, the Instagram Terms of Use or the Data Policy were not provided
    in a particularly clear and plain language that would allow a child to sufficiently understand and be
    genuinely informed in order to enter into a contract, also considering the severe issues identified by
    the Draft Decision concerning the controller’s failure to meet the transparency requirements⁷⁰. In
    addition, the FI SA raised the potential issues of children being considered as a legitimate party of a
    contract in the context of Article 6(1)(b) GDPR, and considered that, in any case, the assessment on
    whether the requirements of Article 6(1)(b) GDPR have been met should be made particularly
    thoroughly⁷¹. Regarding whether the processing was necessary, the FI SA considered that the
    processing cannot be regarded as necessary for the purpose of Article 6(1)(b) GDPR, when it was found
    that the same processing breached the necessity requirement set by Article 5(1)(c) GDPR. Finally, the
    FI SA questioned whether the publication of the contact information could be seen as necessary at all
    given that it was no longer mandatory⁷².


43. The FI SA objected to the conclusion in the Draft Decision regarding Article 6(1)(f) GDPR and stated
    that the assessment of the legitimate interest pursued was insufficient. According to the FI SA, the IE
    SA did not adequately assess and reason the legitimate interests of the controller or a third party⁷³.
    Neither did the IE SA assess if such interests were expressed in a sufficiently clear and precise manner.
    The FI SA argued that the IE SA did not substantiate the particular extent to and circumstances under
    which the processing was necessary to protect the legitimate interests and expressed that certain
    processing operations did not fulfil the necessity requirement⁷⁴. In addition, the FI SA found that the
    IE SA did not correctly assess the balancing of the legitimate interests and the rights of data subjects.
    For example, according to the FI SA, the IE SA left unclear in which circumstances it was possible that
    the legitimate interests would not be overridden by the interests and rights of the data subjects, in
    particular when they were children and considering the related risks as identified in other parts of the
    Draft Decision⁷⁵. Also, the FI SA stated that as the IE SA found infringements of the transparency
    obligations under Article 5(1)(a) and Article 12 GDPR, most likely the data subjects could not upon the
    collection of their personal data had reasonably expected that their contact information would be
    published⁷⁶.

    ⁶⁸ IT SA objection, p. 2 and 4.
    ⁶⁹ IT SA objection, p. 2 and 4.
    ⁷⁰ FI SA objection, paragraphs 3-4.
    ⁷¹ FI SA objection, paragraph 5.
    ⁷² FI SA objection, paragraph 6.
    ⁷³ FI SA objection, paragraph 13.
    ⁷⁴ FI SA objection, paragraph 14.
    ⁷⁵ FI SA objection, paragraph 15.

44. Further, the FI SA considered that the conclusions in the Draft Decision led to a considerable risk for
    the rights and freedoms of data subjects, in particular, as the publication of contact information
    resulted in risks to child users and the approach regarding legal bases adopted in the present case
    would undermine the level of protection afforded to them, also in other similar situations⁷⁷. Finally,
    the FI SA requested to take “appropriate corrective measures” to address the infringements⁷⁸.


                                                         ***

45. The FR SA noted a contradiction in the Draft Decision insofar as the LSA considered that the display of
    contact information was necessary for the performance of the contract under Article 6(1)(b) GDPR
    and yet, the LSA found that such display violated the principle of data minimisation. In the FR SA’s
    view, the mandatory display of contact information was not necessary for the performance of the
    contract, for the reasons set out by the IE SA in paragraphs 221 to 456 of the Draft Decision and the IE
    SA did not fully draw the conclusions from its own analyses and positions⁷⁹. Also, according to the FR
    SA, the fact that Meta IE itself changed its position on the mandatory nature of the display of contact
    details as of September 2019 proved that it was not essential in the context of business accounts⁸⁰.
    The FR SA further observed that in the absence of clear information given to the user on the terms of
    contract, the specific contract can hardly be viewed as valid and in this respect the IE SA failed to draw
    conclusions from its own analysis⁸¹. With regard to Article 6(1)(f) GDPR, the FR SA observed the
    contradiction between the IE SA’s findings that, on the one hand, the contact information processing
    may have been necessary for business account holders and, on the other hand, that such processing
    went beyond what was necessary and thereby did not satisfy the data minimisation principle⁸². The FR
    SA noted that certain risks identified by the IE SA, such as harassment and child grooming, were not
    appropriately taken into account in the balancing test under Article 6(1)(f) GDPR. According to the FR
    SA, if such risks had been considered, the rights and freedoms of the child users would have prevailed
    over the interests of the controller⁸³. Moreover, the FR SA stated that the balancing of interest also
    should have included the finding of the IE SA that Meta IE had not informed its child users of the
    contact information processing in an appropriate manner⁸⁴. In the view of the FR SA, such lack of
    information deprived the child users of control over their personal data and, therefore, was likely to
    lead to the child users’ interests prevailing over those of the controller⁸⁵. Finally, the FR SA noted that
    the use of legitimate interest as a basis for processing offered less protection to child users compared
    to processing based on a contractual obligation. Therefore, according to the FR SA, basing the
    processing on legitimate interest deprived the child users of protection in the Member States where
    national contract law did not allow the legal basis of contract to be used in such context⁸⁶. As a
    consequence, the FR SA asked the LSA to observe a breach of Article 6 GDPR, impose an administrative
    fine for this additional breach and order Meta IE to comply within three months⁸⁷. Finally, the FR SA
    stated that the Draft Decision posed risks to the fundamental rights and freedoms of the persons
    concerned, as the approach suggested by the LSA regarding the legal bases in the present case would
    significantly reduce the protection that minors should merit regarding their data and expose them to
    an increased risk of harassment and grooming⁸⁸. In addition, it would create a precedent for other
    organisations and would therefore impact other similar cases⁸⁹.

    ⁷⁶ FI SA objection, paragraph 16.
    ⁷⁷ FI SA objection, paragraphs 7-9 and 17-19.
    ⁷⁸ FI SA objection, paragraphs 10 and 20-22.
    ⁷⁹ FR SA objection, paragraph 9.
    ⁸⁰ FR SA objection, paragraph 10.
    ⁸¹ FR SA objection, paragraph 11.
    ⁸² FR SA objection, paragraph 13.
    ⁸³ FR SA objection, paragraphs 14-16.
    ⁸⁴ FR SA objection, paragraph 17.
    ⁸⁵ FR SA objection, paragraph 18.
    ⁸⁶ FR SA objection, paragraph 19.

                                                         ***


46. The NO SA first considered that the LSA’s findings and assessment in the Draft Decision logically led to
    the conclusion that the requirement of necessity under Article 6(1)(b) and (f) GDPR was not met⁹⁰.
    The NO SA noted that the LSA found that Meta IE carried out processing beyond what was necessary
    for the purposes of the processing and identified considerable risks for child users⁹¹. Based on these
    findings, the NO SA concluded that Meta IE did not fulfil the necessity requirement under Article
    6(1)(b) and (f) GDPR and suggested that the LSA should have carried out a corresponding legal analysis
    on the processing in the context of Article 6(1)(b) and (f) GDPR⁹².

47. Specifically concerning Article 6(1)(b) GDPR, the NO SA referred to the EDPB Guidelines 2/2019⁹³
    stating that, when processing is based on Article 6(1)(b) GDPR, the controller must assess what is
    necessary to fulfil the fundamental and mutually agreed contractual purpose. The NO SA noted that
    the LSA found in its Draft Decision that the processing violated Article 5(1)(c) GDPR. Therefore, the NO
    SA considered that the same processing could not be necessary for the fundamental and mutually
    agreed contractual purpose⁹⁴. The NO SA also considered that since, according to the LSA, the contact
    information processing went beyond what was necessary for the specific purpose of processing under
    Article 5(1)(c) GDPR, the processing also must have gone beyond what was necessary for the
    performance of the contract⁹⁵. Specifically concerning Article 6(1)(f) GDPR, the NO SA stated that the
    balancing test could not be fulfilled for child users⁹⁶. More specifically, the NO SA noted, first, that the
    legitimate interests pursued by Meta IE were not specified in the Draft Decision. Secondly, Meta IE did
    not demonstrate that the contact information processing was necessary for the purposes of the
    legitimate interests pursued. Thirdly, the NO SA also considered that since, according to the LSA, the
    contact information processing went beyond what was necessary for the specific purpose of
    processing under Article 5(1)(c) GDPR, the processing also must have gone beyond what was necessary
    for the legitimate interests pursued⁹⁷.

48. Finally, the NO SA asked the LSA to conclude that the legal bases under Article 6(1)(b) and (f) GDPR
    were not applicable for the contact information processing and to exercise the following corrective
    powers under Article 58(2) GDPR: (1) to order the controller to identify a valid legal basis for the
    processing in question, or from now on abstain from such processing activities; and (2) to impose an
    administrative fine for unlawfully processing personal data, erroneously relying on Article 6(1)(b) and
    (f) GDPR⁹⁸. The NO SA further stated that an administrative fine of a substantial amount should be
    imposed to ensure effectiveness and dissuasiveness under Article 83(1) and (2) GDPR for the unlawful
    processing of personal data, considering the nature and gravity of the infringement, as well as the
    number of data subjects affected and the damage suffered⁹⁹. Finally, according to the NO SA, if left
    unchanged in this respect, the Draft Decision would pose significant risks to the protection of data
    subjects’ rights. In particular, the NO SA argued that by allowing the processing of personal data
    without a legal basis, the Draft Decision would violate the data subject’s fundamental right to data
    protection and would set a dangerous precedent¹⁰⁰. In addition, the NO SA stated that, if a fine is not
    imposed for the infringements, the rights of the data subjects would not be effectively safeguarded,
    thus creating an incentive for the controller and other companies to continue or engage in such
    violations¹⁰¹.

    ⁸⁷ FR SA objection, paragraph 22.
    ⁸⁸ FR SA objection, paragraphs 23-25.
    ⁸⁹ FR SA objection, paragraph 26.
    ⁹⁰ NO SA objection, p. 2.
    ⁹¹ NO SA objection, p. 3.
    ⁹² NO SA objection, p. 3.
    ⁹³ EDPB Guidelines 2/2019, paragraphs 32-33.
    ⁹⁴ NO SA objection, p. 3.
    ⁹⁵ NO SA objection, p. 5.
    ⁹⁶ NO SA objection, p. 3.
    ⁹⁷ NO SA objection, p. 6.


        5.3.     Position of the LSA on the objections

49. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs
    and/or does not consider the objections to be relevant and reasoned¹⁰². Regarding the objections of
    the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA concerning Meta IE’s compliance with Article 6(1)(b)
    and (f) GDPR in relation to the contact information processing, the IE SA further stated that these
    objections constituted “relevant and reasoned” objections. However, with respect to “the corrective
    action element” in the FI SA, FR SA, IT SA and NL SA objections, the IE SA considered that it was not
    adequately rationalised and the significance of the risks for the rights and freedoms of data subjects
    was not addressed¹⁰³. Regarding the NO SA objection requiring to reassess the administrative fine
    taking into account the potential additional infringement, the IE SA stated that this objection
    constituted a “relevant and reasoned” objection¹⁰⁴.


        5.4.     Analysis of the EDPB


        5.4.1. Assessment of whether the objections were relevant and reasoned

50. In this section the EDPB assesses whether the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and
    NO SA, regarding Meta IE’s reliance on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR
    for the contact information processing, meet the threshold of Article 4(24) GDPR.

51. The EDPB first takes note of Meta IE’s views that the objections of the DE SAs, FI SA, FR SA, IT SA, NL
    SA and NO SA regarding Meta IE’s compliance with Article 6(1) GDPR failed to meet the threshold of
    Article 4(24) GDPR. According to Meta IE, all the objections at issue were not relevant and reasoned
    as the LSA’s observations in the Draft Decision were provisional in nature¹⁰⁵. Further, Meta IE provided
    reasoning, referring to all the objections, whereby they were not reasoned as the significance of the
    risks was not clearly demonstrated by the objections¹⁰⁶. The EDPB recalls that Meta IE’s compliance
    with Article 6(1) GDPR in relation to the contact information processing was within the scope of the IE
    SA’s inquiry in the case at hand¹⁰⁷ and that in the Draft Decision the IE SA drew conclusions on Meta
    IE’s reliance on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the specific processing
    within the scope of its inquiry, i.e. the contact information processing¹⁰⁸. Thus there is a clear link
    between the objections and the Draft Decision¹⁰⁹. The relevant conclusions in the Draft Decision
    assessed the lawfulness of the specific processing by Meta IE and provided for an interpretation of the
    conditions for relying on the legal bases under Article 6(1)(b) and (f) GDPR. The EDPB reiterates that
    conclusions on the lawfulness of the personal data processing have significant impact on the effective
    protection of the data subjects’ rights, since the lawfulness of processing of personal data is a
    fundamental pillar of the EU data protection law¹¹⁰. As a consequence, and as further shown and
    elaborated by the analysis of the EDPB below, the EDPB disagrees with these arguments brought
    forward by Meta IE.

    ⁹⁸ NO SA objection, p. 7.
    ⁹⁹ NO SA objection, p. 8.
    ¹⁰⁰ NO SA objection, p. 6-7.
    ¹⁰¹ NO SA objection, p. 9.
    ¹⁰² Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
    ¹⁰³ Letter of the IE SA to Meta IE dated 30 March 2022.
    ¹⁰⁴ Letter of the IE SA to Meta IE dated 30 March 2022.
    ¹⁰⁵ Meta IE Article 65 submissions, paragraph 3.1 and paragraphs 26-30.


52. The EDPB further analyses whether each of the objections at issue is a “relevant and reasoned
    objection” as required under Article 4(24) GDPR.


53. The EDPB considers that the objection of the NL SA concerns “whether there is an infringement of the
    GDPR”, as the NL SA opposed the IE SA’s conclusions that no infringement occurred to the extent Meta
    IE relied on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information
    processing. If followed, the NL SA’s objection would lead to a different conclusion with regard to the
    findings on Article 6(1)(b) and (f) GDPR. The objection would also entail a change in the compliance
    order to the controller and possibly additional “appropriate corrective measures”¹¹¹. Therefore, as it
    demonstrated a direct connection with the substance of the Draft Decision, the objection is “relevant”.
    The objection is also “reasoned” since it put forward several factual and legal arguments for the
    proposed change in the legal assessment as to why the requirements of Article 6(1)(b) and (f) GDPR
    are not met in the case at hand and why Meta IE cannot lawfully rely on those provisions and,
    therefore, the infringement must be remedied¹¹². Accordingly, the EDPB is not persuaded by Meta IE’s
    submissions that the objections are neither relevant nor reasoned¹¹³. In addition, the EDPB recalls that
    the assessment of the merits of the objection is made separately, after it has been established that
    the objection satisfies the requirements of Article 4(24) GDPR¹¹⁴.

    ¹⁰⁶ In particular, Meta IE stated with respect to all the objections at issue that, “there are no significant risks to
    data subjects because: (i) the Draft Decision relates only to historic processing, given the time period within scope
    is between 25 May 2018 to the date of commencement of this Inquiry on 21 September 2020; (ii) Meta Ireland
    has made significant changes to the manner in which the Instagram Service operates as to both Business Accounts
    and its audience setting for Teen Users; and (iii) in any event, any Article 6 GDPR concerns arising from the
    processing of the personal information of Teen Users fall within the scope of the concurrent Legal Bases Inquiry
    and involve issues that will be considered by the CJEU in separate proceedings” (Meta IE Article 65 Submissions,
    paragraph 41). Regarding the matter on the pending proceedings before the CJEU, the EDPB refers to section 3.3
    (paragraph 20) of this Binding Decision.
    ¹⁰⁷ Draft Decision, paragraph 46.
    ¹⁰⁸ Draft Decision, paragraphs 115-116 and 125.
    ¹⁰⁹ EDPB Guidelines on RRO, paragraph 24; EDPB Guidelines on Art. 65(1)(a) GDPR, para. 66.
    ¹¹⁰ Art. 8, EU Charter of Fundamental Rights.
    ¹¹¹ See paragraph 35 of this Binding Decision.
    ¹¹² See paragraphs 33-35 of this Binding Decision. The NL SA argued, inter alia, that the necessity requirement
    under Art. 6(1)(b) GDPR and the three cumulative requirements under Art. 6(1)(f) GDPR were not met.
    ¹¹³ Meta IE argues that “the objections are not relevant as they are grounded on the incorrect premise that they
    relate to a conclusive finding from the Draft Decision on Article 6 GDPR” (Meta IE Article 65 Submissions, Annex
    A, p. 33 and 35). It also considers that they are not reasoned since “the NL SA’s objection ignores the [IE SA’s]
    preliminary assessment of Teen Users’ interests in maintaining contact information buttons in Business Accounts”
    (Meta IE Article 65 Submissions, Annex A, p. 35). In this respect, see also paragraph 51 of this Binding Decision.

54. Concerning the requirement to demonstrate the significance of the risks posed for the rights and
    freedoms of data subjects, contrary to Meta IE’s views¹¹⁵, the EDPB finds that the objection raised by
    the NL SA meets the required standard by pointing out several consequences that the Draft Decision
    would have for the fundamental rights and freedoms of data subjects¹¹⁶.

55. Finally, contrary to the views of the LSA, the EDPB considers that the qualification of the NL SA’s
    objection as relevant and reasoned also applies to the part thereof related to the compliance order
    and other “appropriate corrective measures”. In this respect, the EDPB underlines that the arguments
    put forward by the NL SA, as addressed in the paragraphs 33-34 above, clearly demonstrated why the
    Draft Decision should be changed in order to include an infringement regarding the lack of legal basis
    for the contact information processing and the consequent need to ensure that such processing
    complies with the GDPR, by amending the compliance order to the controller and adopting the
    appropriate corrective measures. Likewise, the NL SA’s objection clearly set out the significance of the
    risks for the data subjects if the Draft Decision remained unchanged and the infringement was not
    remedied.


                                                         ***

56. In their objection, the DE SA disagreed with the finding of the IE SA that there was no infringement to
    the extent Meta IE relied on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the
    contact information processing, thus also concerning “whether there is an infringement of the GDPR”
    within the meaning of Article 4(24) GDPR. As it demonstrated a direct connection with the substance
    of the Draft Decision and that, if followed, the objection would lead to a different conclusion, the
    objection is “relevant”. The objection is also “reasoned” since it put forward several factual and legal
    arguments for the proposed change in the legal assessment as to why the requirements of Article
    6(1)(b) and (f) GDPR are not met in the case at hand¹¹⁷. Accordingly, the EDPB is not swayed by Meta
    IE’s submission that the objections are neither relevant nor reasoned¹¹⁸.






    ¹¹⁴ See EDPB Guidelines on Article 65(1)(a), paragraph 63.
    ¹¹⁵ Meta IE Article 65 Submissions, Annex A, p. 34 and 36. See paragraph 51 of this Binding Decision.
    ¹¹⁶ For example, the NL SA argued that, if the Draft Decision is kept unchanged and therefore the controller is
    allowed to rely on Article 6(1)(b) or (f) GDPR for the processing at stake, it would lower the lawfulness threshold
    for processing and would deprive data subjects of the protection mechanisms envisaged in the GDPR (NL SA
    objection, paragraphs 22 and 44-47). The NL SA also considered that the Draft Decision does not address the
    risks for the data subjects, but rather allows them to continue (NL SA objection, paragraph 45).
    ¹¹⁷ Regarding Art. 6(1)(b) GDPR, the DE SAs argued that the IE SA’s assessment of the validity and necessity of the
    contract between Meta IE and child users is incorrect, and provided for an alternative reasoning (see paragraph
    36 of this Binding Decision). With regard to Art. 6(1)(f) GDPR, the DE SAs considered that the three cumulative
    conditions are not met (see paragraph 37 of this Binding Decision).
    ¹¹⁸ Meta IE argued that the objections are not relevant since the IE SA did not make a formal finding in the Draft
    Decision regarding Article 6 GDPR, but rather made preliminary observations (Meta IE Article 65 Submissions,
    paragraphs 26-27). In this respect, see paragraph 51 of this Binding Decision. It also considered that the DE SAs
    objection on the element of “necessity” was not reasoned since it is “contrary to CJEU case law and applicable
    guidance (including from the EDPB), apply the wrong legal standard” (Meta IE Article 65 Submissions, p. 38 and
    40). The EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether
    the objection fulfils the requirements under Art. 4(24) GDPR.




57. The EDPB also considers that the DE SA demonstrated the significance of the risk for the fundamental rights and freedoms of data subjects[119].

                                                          ***


58. Similarly, the objection of the IT SA also concerns “whether there is an infringement of the GDPR”. In the IT SA’s view, the contact information processing cannot “be regarded as necessary for [the] operation of the service”[120], hence resulting in the “unlawfulness of the processing based on Article 6(1)(b) [GDPR]”[121] and Article 6(1)(f) GDPR[122]. As the objection demonstrated a direct connection with the substance of the Draft Decision and, if followed, it would lead to a different conclusion[123], the objection is “relevant”.

59. As the IT SA presented arguments on the factual and legal mistakes in the Draft Decision regarding the analysis on Article 6(1)(b) and (f) GDPR[124], the objection is “reasoned” inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing.

60. The EDPB is not swayed by Meta IE’s submissions to the contrary[125], as the IT SA explained how its objection, if followed, would result in a different conclusion and put forward several factual and legal arguments for the proposed change in the legal assessment.

61. Finally, the EDPB finds that the objection of the IT SA clearly demonstrated the significance of the risks that the Draft Decision presented to the fundamental rights and freedoms of the data subjects by laying out how there would be no proportionate and dissuasive measures regarding the infringements and how the Draft Decision may be construed as an endorsement of the controller’s approach to the processing of children’s personal data, thus jeopardising their rights[126].

62. With regard to the relevant parts of the IT SA’s objection related to the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, it concerns “whether the envisaged action in relation to the controller complies with the GDPR”. The objection is linked to the IT SA’s objection on the findings in the Draft Decision on Article 6(1)(b) and (f) GDPR for the contact information processing. There is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is “relevant”. However, the EDPB considers that the objection did not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision in this regard to specifically increase the level of the fine. Likewise, the significance of the risks for the data subjects related to the imposition of an administrative fine is not sufficiently explained. Therefore, the IT SA’s objection with regard to the imposition of an administrative fine for the possible additional infringement is not “reasoned”.

    [119] The DE SAs argued, inter alia, that the IE SA’s wide understanding of Art. 6(1)(b) and (f) GDPR would allow for the processing of personal data without an actual legal basis, thereby rendering the protection afforded by the GDPR ineffective (DE SAs objection, p. 9).
    [120] IT SA objection, p. 1.
    [121] IT SA objection, p. 2.
    [122] IT SA objection, p. 4.
    [123] The IT SA requested a change in the Draft Decision regarding the infringement on the legal basis for the contact information processing and the imposition of an administrative fine as a consequence of this additional infringement.
    [124] For example, the IT SA considered that the processing was not necessary for the performance of a contract (see paragraph 39 of this Binding Decision) and that the balancing test under Art. 6(1)(f) GDPR tipped the balance in favour of the data subject (see paragraph 40 of this Binding Decision).
    [125] Meta IE Article 65 Submissions, Annex A, p. 49-52. Regarding Meta IE’s arguments on the lack of conclusive findings in the Draft Decision, the EDPB refers to paragraph 51 of this Binding Decision. Meta IE also argued, inter alia, that the IT SAs’ objection on the element of “necessity” regarding Article 6(1)(b) GDPR was not reasoned since “it is contrary to CJEU case law and applicable guidance (including from the EDPB), by applying the wrong legal standard” (Meta IE Article 65 Submissions, p. 50). Regarding Article 6(1)(f) GDPR, Meta IE argued that the IT SA did not link the objection with a specific infringement and omits relevant elements of the file (Meta IE Article 65 Submissions, p. 51-52). The EDPB disagrees with these arguments, since the IT SA provided sufficient factual and legal elements supporting the objection and reached logical conclusions. The EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Article 4(24) GDPR.
    [126] IT SA objection, p. 2 et seq. The EDPB takes note of Meta IE’s submissions in this regard (Meta IE Article 65 Submissions, p. 50 and 52). Nevertheless, the EDPB disagrees with Meta IE (see paragraph 51 above).


63. The EDPB therefore considers that the objection of the IT SA, inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing, is both “relevant” and “reasoned” and meets the threshold set by Article 4(24) GDPR. While, insofar it concerns the imposition of the administrative fine for the possible additional infringement, the objection of the IT SA is not “reasoned” and thus does not meet the threshold of Article 4(24) GDPR.




                                                        ***

64. In its objection, the FI SA disputed the IE SA’s finding that the contact information processing met the requirements of Article 6(1)(b) and (f) GDPR. Therefore, the FI SA’s objection concerns “whether there is an infringement of the GDPR”. The objection of the FI SA would also possibly entail additional “appropriate corrective measures”[127]. As the objection demonstrated a direct connection with the substance of the Draft Decision and, if followed, it would lead to a different conclusion, the objection is “relevant”. For the same reasons explained above with regard to the other objections in this section, the EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection[128]. In addition, the EDPB considers the objection “reasoned” since the FI SA put forward legal and factual arguments explaining why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand, and explained why the IE SA did not assess the application of Article 6 GDPR properly and, therefore, the infringement must be remedied[129].


65. Having considered Meta IE’s submissions arguing that the objection of the FI SA “relies on vague assertions”[130], the EDPB finds that the objection of the FI SA conclusively demonstrates the significance of the risks that the Draft Decision poses to the fundamental rights and freedoms of the data subjects[131].

    [127] See paragraph 44 above. The FI SA requested a change in the Draft Decision regarding the infringement on the legal basis for the contact information processing, and the adoption of “appropriate corrective measures” as a consequence of this additional infringement.
    [128] Meta IE Article 65 Submissions, Annex A, pp. 53-55. Meta IE argued that the objection is not relevant since the IE SA did not make a formal finding in the Draft Decision regarding Art. 6 GDPR, but rather made preliminary observations. In this respect, see paragraph 51 of this Binding Decision.
    [129] See paragraphs 42-43 of this Binding Decision. The FI SA argued, inter alia, that the assessment on the validity and necessity of the contract is insufficient and that the three cumulative conditions under Art. 6(1)(f) GDPR are not met. In this respect, Meta IE argued, inter alia, that the FI SA merely concurs with the NL SA’s objection without providing sufficient details regarding Art. 6(1)(b) GDPR (Meta IE Article 65 Submissions, p. 53). Regarding Art. 6(1)(f) GDPR, Meta IE argued that the objection’s conclusion on the infringement was divorced from the rationale it set forth (Meta IE Article 65 Submissions, p. 55). The EDPB disagrees with both claims, since the FI SA provided sufficient factual and legal elements supporting the objection and reached logical conclusions. The EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Art. 4(24) GDPR.
    [130] Meta IE Article 65 Submissions, Annex A, p. 54 and 55. In this respect, the EDPB further refers to paragraph 51 above.

66. Finally, contrary to the views of the LSA, the EDPB considers that the qualification of the FI SA objection as relevant and reasoned also applies to the part thereof related to the additional corrective measures. In this respect, the EDPB underlines that the arguments put forward by the FI SA, as addressed in the paragraphs 42-43 above, clearly demonstrate why the Draft Decision should be changed in order to include an infringement regarding the lack of legal basis for the contact information processing and the consequent need to ensure that such processing complies with the GDPR, by adopting the “appropriate corrective measures”. Likewise, the FI SA objection clearly set out the significance of the risks for the data subjects if the Draft Decision remained unchanged and the infringement was not remedied.


                                                       ***

67. As laid down in its objection, the FR SA disagreed with the IE SA’s conclusions that the contact information processing could be based on Article 6(1)(b) GDPR and alternatively on 6(1)(f) GDPR and considered that the IE SA erred in its legal assessment as it should have reached a different conclusion[132]. Hence, the objection of the FR SA also concerns “whether there is an infringement of the GDPR” and, if followed, it would lead to a different conclusion with regard to the findings on Article 6(1)(b) and (f) GDPR and the corrective measures to the controller[133]. As the objection demonstrated a direct connection with the substance of the Draft Decision, it is “relevant”. For the same reasons explained above with regard to the other objections in this section, the EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection[134].


68. The EDPB also considers that, inasmuch as the objection concerns the additional infringement related to the lack of legal basis for the contact information processing and the change in the compliance order, the objection is “reasoned”, since the FR SA clearly set out a disagreement as to the conclusions reached by the IE SA in the Draft Decision by highlighting contradictions in the IE SA’s own analyses and put forward several factual and legal arguments for the proposed change in the legal assessment, including why the controller could not lawfully rely on Article 6(1)(b) and (f) GDPR in this case and, therefore, the infringement must be remedied[135]. Therefore, the EDPB is not convinced by Meta IE’s argument that the FR SA “merely raise[s] abstract and broad (and irrelevant) concerns” and that it “fails to link them to a conclusion as to infringement”[136].

    [131] The FI SA explained, inter alia, that the Draft Decision would lead to an insufficient protection of the interests of children, thereby setting a dangerous precedent (FI SA objection, paragraph 8). The FI SA also considered that the lack of legal basis poses a high risk for data subjects, considering the risks identified in the Draft Decision itself (FI SA objection, paragraphs 8 and 18).
    [132] FR SA, objection p. 3.
    [133] The FR SA requested a change in the Draft Decision regarding the infringement on the legal basis for the contact information processing, and a change in the compliance order and the imposition of an administrative fine as a consequence of this additional infringement.
    [134] Meta IE Article 65 Submissions, Annex A, pp. 56 and 58. Meta IE argued that the objection is not relevant since the IE SA did not make a formal finding in the Draft Decision regarding Art. 6 GDPR, but rather made preliminary observations. In this respect, see paragraph 51 of this Binding Decision.
    [135] See paragraph 45 of this Binding Decision. The FR SA considered, inter alia, that the IE SA’s conclusions on the necessity of the processing under Art. 6(1)(b) GDPR are contradictory with the findings on the infringement of the data minimisation principle. The FR SA also argued that the balancing exercise is contradictory with the IE SA’s findings on the serious risks for child users.


69. The EDPB finds that the objection of the FR SA sufficiently substantiated the risks to the fundamental rights and freedoms of the data subjects since it clearly explained the consequences that the Draft Decision would have for the fundamental rights and freedoms of data subjects[137].


70. With regard to the relevant parts of the FR SA’s objection related to the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, it concerns whether the envisaged action in relation to the controller complies with the GDPR[138]. The objection is linked to the FR SA’s objection on the findings on Article 6(1)(b) and (f) GDPR for the contact information processing. Given that it concerns the imposition of a corrective measure for an additional infringement, which would be found as a consequence of reversing the findings of the Draft Decision, there is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is to be deemed as “relevant”, as stated in paragraph 67 above. However, the EDPB considers that the objection does not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision with regard to the imposition of this specific corrective measure. Therefore, the FR SA’s objection is not “reasoned” with regard to the imposition of an administrative fine for the possible additional infringement related to the legal basis for the contact information processing.


71. The EDPB therefore considers that the objection of the FR SA, inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing, is both “relevant” and “reasoned” and meets the threshold set by Article 4(24) GDPR. While, insofar it concerns the imposition of the administrative fine for the possible additional infringement, the objection of the FR SA is not “reasoned” and thus does not meet the threshold of Article 4(24) GDPR.




                                                       ***

72. The objection of the NO SA expressed disagreement with respect to the IE SA’s assessment in the Draft Decision on Article 6(1)(b) and (f) GDPR. If followed, the NO SA’s objection would lead to a different conclusion with regard to the findings on Article 6(1)(b) and (f) GDPR and would also have an impact on the compliance order to the controller. Therefore, as it demonstrated a direct connection with the substance of the Draft Decision, the objection is “relevant”. For the same reasons explained above, the EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection[139]. The objection is also “reasoned” since it put forward several factual and legal arguments for the proposed change in the legal assessment as to why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand and why the controller cannot lawfully rely on those provisions and, therefore, the infringement must be remedied[140].

    [136] Meta IE Article 65 Submissions, Annex A, p. 56. See also Meta IE Article 65 Submission, Annex A, p. 59 in relation to the FR SA’s objection regarding Art. 6(1)(f) GDPR. Regarding Meta IE’s views that the objection of the FR SA is legally flawed (Meta IE Article 65 Submissions, p. 57 and 59), the EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Art. 4(24) GDPR.
    [137] The FR SA argued that, by allowing reliance on Art. 6(1)(b) or (f), the Draft Decision would expose minors to an increased risk of harassment and grooming and thus would not protect them effectively. In addition, it would create a precedent for other organisations (FR SA objection, paragraphs 23-26). The EDPB takes note of Meta IE’s submissions in this regard (Meta IE Article 65 Submissions, p. 57 and 59). Nevertheless, the EDPB disagrees with Meta IE and considers that the FR SA clearly and explicitly identified the significance of the risks. The EDPB further refers to paragraph 51 above.
    [138] Art. 4(24) GDPR.

73. Regarding the requirement to demonstrate the significance of the risks posed by the Draft Decision to the rights and freedoms of data subjects, the EDPB finds that the objection of the NO SA meets the criteria set forth by Article 4(24) GDPR[141]. Therefore, the EDPB is not swayed by Meta IE’s submissions to the contrary[142].

74. With regard to the NO SA’s objection on the administrative fine to be imposed for the additional infringements regarding the lack of legal basis of the contact information processing, the EDPB considers that it concerned “whether the envisaged action in relation to the controller complies with the GDPR”[143]. The objection is linked to the NO SA’s objection on the findings on Article 6(1)(b) and (f) GDPR for the contact information processing. Given that it concerns the imposition of a corrective measure for an additional infringement, which would be found as a consequence of reversing the conclusions in the Draft Decision, there is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is “relevant”. The EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection[144], including with regard to the imposition of an administrative fine for the proposed findings on Article 6(1)(b) and (f) GDPR. The EDPB also finds the objection “reasoned” since it put forward several factual and legal arguments that support the imposition of an administrative fine for the alleged infringement[145]. Regarding the significance of the risk posed by the Draft Decision to the rights and freedoms of data subjects, the objection sufficiently demonstrated what would be the negative impact for data subjects should a fine for the infringement of the GDPR concerning the lack of legal basis not be imposed[146]. Therefore, the EDPB finds that the objection of the NO SA meets the criteria set forth by Article 4(24) GDPR.

    [139] Meta IE Article 65 Submissions, Annex A, p. 45 and 47. Meta IE argued that the objection is not relevant since the IE SA did not make a formal finding in the Draft Decision regarding Art. 6 GDPR, but rather made preliminary observations. In this respect, see paragraph 51 of this Binding Decision.
    [140] See paragraphs 46-48 of this Binding Decision. The NO SA argued, inter alia, that the processing was not necessary under Art. 6(1)(b) nor (f) GDPR and that the balancing test tipped the balance in favour of the data subject. The EDPB is therefore not swayed by Meta IE’s arguments that the objection is based on fundamental errors, is contrary to the principle of legal certainty and does not articulate any error regarding the IE SA’s analysis (Meta IE Article 65 Submissions, p. 46 and 47). The EDPB recalls that the merits of the objection are dealt with separately from the assessment of whether the objection fulfils the requirements under Art. 4(24) GDPR.
    [141] The NO SA argued that, by allowing the processing of personal data without a legal basis, the Draft Decision would violate the data subject’s fundamental right to data protection and would set a dangerous precedent (NO SA objection, p. 6-7). Thus, the EDPB considers that the NO SA’s objection clearly set out the significance of the risks for the data subjects if the Draft Decision remained unchanged and the infringement was not addressed in the compliance order.
    [142] Meta IE Article 65 Submissions, paragraph 44 and Annex A, p. 46 and 47. In this respect, the EDPB refers to paragraph 51 above.
    [143] Art. 4(24) GDPR.
    [144] Meta IE Article 65 Submissions, para. 44 and Annex A, p. 48. Meta IE argued that the objection arose from non-final observations of the IE SA and, therefore, it was not relevant. In this respect, see paragraph 51 of this Binding Decision.
    [145] NO SA objection p. 8-9.
    [146] The NO SA argued that, if a fine was not imposed, the Draft Decision would create a dangerous precedent, since there would not be sufficient incentives for Meta IE and other controllers to change their behaviour, thus leading to a reoccurrence of such infringements. This would affect the data subjects, as in practice the level of protection set out by the GDPR would be denied (NO SA objection, p. 9).

                                                      ***


75. On the basis of the above considerations, the EDPB finds that the objections raised by the NL SA, DE SAs, IT SA, FI SA, FR SA and NO SA concerning the conclusions in the Draft Decision on Articles 6(1)(b) and 6(1)(f) GDPR regarding the contact information processing qualify as relevant and reasoned objections under Article 4(24) GDPR, including with respect to the changes in the compliance order requested in the objections of the FR SA, NL SA and NO SA and the additional appropriate corrective measures requested by the FI SA and NL SA.

76. The EDPB also finds that the NO SA objection regarding the imposition of an administrative fine for the findings on Article 6(1)(b) and (f) GDPR is relevant and reasoned under Article 4(24) GDPR. On the contrary, with regard to the relevant parts of the objections of the FR SA and IT SA regarding the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, the EDPB considers that they are not sufficiently reasoned and, therefore, do not meet the threshold of Article 4(24) GDPR.

        5.4.2. Assessment on the merits

77. The EDPB considers that the objections found to be relevant and reasoned in this subsection[147] require an assessment of whether the Draft Decision needs to be changed in respect of the finding on compliance with Article 6(1) GDPR. The merits of the objection of the NO SA, with regard to the imposition of an administrative fine for the proposed additional infringement, are assessed in section 7.4 of this Binding Decision.

78. When assessing the merits of the objections raised, the EDPB takes into account the position of the IE
    SA on the objections and the submissions of Meta IE.


79. The EDPB takes note that for the contact information processing Meta IE relied on Article 6(1)(b) GDPR (but only to the extent that a child user has capacity to enter into an enforceable contract) or alternatively on Article 6(1)(f) GDPR (with regard to child users who did not have capacity to enter into a contract with Meta IE)[148].

    5.4.2.1 Regarding Article 6(1)(b) GDPR
80. The EDPB recalls that personal data can be processed on the basis of Article 6(1)(b) GDPR when: (1) the processing takes place in the context of the performance of a contract with the data subject and (2) that processing is necessary for the performance of that particular contract with the data subject[149].







    [147] These objections being those of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA on Meta IE’s reliance on legal bases under Art. 6(1)(b) and 6(1)(f) GDPR for the contact information processing.
    [148] Draft Decision, paragraphs 105 and 108. Also, see Meta IE Response to Request for Information, Appendix 6 to Meta IE Article 65 Submissions, paragraphs 17-19, where Meta IE explained that it relied on two primary legal bases for the purposes of providing, personalising and improving the Facebook products (including Instagram), which included provision of the Instagram Business Account and the display of a contact option in connection with an Instagram Business Account, those legal bases being Art. 6(1)(b) GDPR or alternatively Art. 6(1)(f) GDPR.
    [149] Art. 6(1)(b) GDPR.



81. With respect to the existence of a contract, the EDPB takes note of the objections raised by the DE SAs[150] and FI SA[151], as well as the IT SA[152] and FR SA[153], which questioned the failure by the IE SA to assess and conclude on the existence of a valid contract between Meta IE and the child users insofar as it concerns the contact information processing. The NL SA argued that, first, the LSA did not assess adequately in the Draft Decision if a contract was in place between Meta IE and the data subjects for the provision of the Instagram business account and, second, the NL SA raised doubts about the validity of such contract[154].

82. In the Draft Decision, the IE SA found that, when registering for a personal Instagram account, a data subject agreed to the Instagram Terms of Use[155]. The IE SA further found, in the light of Meta IE’s submissions, that the performance of a contract legal basis could be invoked by Meta IE in relation to processing associated with the business account feature on the basis of the Terms of Use[156].

83. In its submissions, Meta IE argued that SAs do not have competence to assess validity of contracts[157] and anyway the Draft Decision clearly referred to a contractual relationship between Meta IE and each user based on the Terms of Use[158]. Meta IE also claimed that it had no legal obligation under the GDPR to include a specific reference to Business Accounts in the Instagram Terms of Use and thus the lack of such reference has no impact on the assessment of whether the processing is necessary for the performance of a contract[159] and is not contrary to Article 12 GDPR[160].

84. As recalled above, one of the prerequisites for a controller to be able to rely on Article 6(1)(b) GDPR as a legal basis for the processing of personal data is that the processing takes place in the context of the performance of a contract. As previously stated by the EDPB, this condition more specifically implies that a controller, in line with its accountability obligations under Article 5(2) GDPR, has to be able to demonstrate that (a) a contract exists and (b) the contract is valid pursuant to applicable national contract laws[161].

85. In order to assess whether Meta IE could have relied on Article 6(1)(b) GDPR for the contact information processing, the EDPB analyses in the following paragraphs whether the processing at stake is necessary for the performance of the alleged contract with the data subjects in the case at hand.


86. In its submissions, Meta IE claimed that insofar as “necessity” is concerned, the CSAs ignored the relevant facts and considerations during the period when Business Accounts were first offered and erred in: (1) applying an overly strict view of the element of necessity for the purposes of Article 6(1)(b) GDPR, and (2) improperly seeking to retroactively find a violation of Article 6(1)(b) GDPR by virtue of a subsequent product modification, which has dangerous implications for controllers seeking to develop and evolve their products over time in respect of user privacy and safety[162]. According to Meta IE, “the Business Account was created for Instagram in 2016 and, as relevant for the time, it was built around the notion of a “traditional” business, which may have used Instagram to support its external (i.e., off-Instagram) presence, like a website or brick-and-mortar establishment. To enable the off-Instagram promotion of and contact with the business, the Business Account functionality included a “Contact” button to allow the Instagram community to communicate with the business through a contact channel outside of Instagram (e.g., a business phone or email)” and “the EDPB must assess the element of necessity under the correct conceptual framework having regard to the specific purpose of the processing at issue at the time, in line with its prior guidance”[163]. In addition, according to Meta IE, compliance with Articles 5(1)(c) and 6(1)(b) GDPR must be considered separately, the LSA’s finding on Article 5(1)(c) GDPR was narrow in scope, and, moreover, Articles 5(1)(c) and 6(1)(b) GDPR have distinct and separate meanings, thus a finding of non-compliance with Article 5(1)(c) GDPR does not and cannot equate automatically to a finding of non-compliance with Article 6(1)(b) GDPR[164].

    [150] DE SAs objection, p. 3-4.
    [151] FI SA objection, paras. 4-5.
    [152] IT SA objection, p. 1.
    [153] FR SA objection, paragraph 11.
    [154] NL SA objection, paragraphs 9-11.
    [155] Draft Decision, paragraph 114.
    [156] Draft Decision, paragraph 115.
    [157] Meta IE Article 65 Submissions, paragraphs 50-51.
    [158] Meta IE Article 65 Submissions, paragraph 52.
    [159] Meta IE Article 65 Submissions, paragraphs 53-54.
    [160] Meta IE Article 65 submissions, paragraph 55.
    [161] EDPB Guidelines 2/2019, paragraph 26.
    [162] Meta IE Article 65 Submissions, paragraph 58.

87. The EDPB recalls that the concept of necessity has an independent meaning in Union law, which must reflect the objectives of data protection law[165]. In particular, as the CJEU has stated: “[a]s regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”[166].


88. When analysing the performance of a contract legal basis, the necessity requirement has to be interpreted strictly. As stated earlier by the Working Party 29 (hereinafter “WP29”)[167], this “provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”[168].


89. The EDPB recalls that for the assessment of necessity under Article 6(1)(b) GDPR, “[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance”[169]. As the EDPB has previously stated, regard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject[170].




163 Meta IE Article 65 Submissions, paragraph 61.
164 Meta IE Article 65 Submissions, paragraphs 67-72.
165 Heinz Huber v Bundesrepublik Deutschland (Case C‑524/06, judgement delivered on 18 December 2008, ECLI:EU:C:2008:724) (hereinafter, “C-524/06 Huber”), paragraph 52.
166 Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ (Case C‑13/16, judgement delivered on 4 May 2017, ECLI:EU:C:2017:336) (hereinafter, “C-13/16 Rīgas”), paragraph 30.
167 The Working Party 29 - a predecessor of the EDPB - was established under Article 29 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, “Directive 95/46/EC”) and had a role, inter alia, to contribute to uniform application of national measures adopted under the Directive. Many of substantive principles and provisions of the GDPR already existed in the Directive 95/46/EC, thus WP29 guidance in this respect is relevant for the interpretation of the GDPR.
168 WP29 Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217, adopted on 9 April 2014 (hereinafter, “WP29 Opinion 06/2014 on the notion of legitimate interests”), p. 16.
169 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 17.
170 EDPB Guidelines 2/2019, paragraph 30.




90. Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract[171]. In this context, the EDPB recalls that children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data[172].


91. Regarding the objective and purpose of the specific contract, Meta IE claimed that, when the Business Account was created, it was built around the notion of a “traditional” business and was aimed to allow the Instagram community to communicate with the business through a contact channel outside of Instagram[173]. The IE SA found that “the business account feature, on the basis that this social media tool allows users to ‘create, find, join, and share in experiences’ with other people (as described in the Terms of Use), and forms a central part of the Instagram service as offered”[174].


92. While the EDPB agrees that processing may be objectively necessary for the performance of a contract even if not specifically mentioned in the contract[175], it should be possible for an ordinary user to identify the “fundamental and mutually understood” contractual purpose based on the information presented by the controller[176].


93. Considering the high-level information provided to child users regarding the Instagram service in the Terms of Use[177] and that no specific information about the Business Account feature was provided to the child users[178], the EDPB considers that the publication of the contact details on their profiles could have not been reasonably expected by such child users in the context of their use of Instagram, including the business account feature. Further, the EDPB does not agree that the contact information processing, in respect of the child users, could be considered as “integral” or “central” to the Instagram service, including the business account feature. Moreover, as correctly noted by the IE SA, it is possible to operate a professional profile without also publishing contact information[179].


94. Furthermore, the EDPB recalls that the assessment of what is necessary involves a combined, fact-based assessment of the processing for the objective pursued. If there are realistic, less intrusive alternatives, the processing is not necessary[180]. In this respect, the principle of proportionality should also be taken into account[181].


95. The EDPB observes that, if the publication of the contact details was indeed intended for traditional businesses only as Meta IE claims, it was technically possible to distinguish them from the child users during the registration process based on age information[182]. It would have therefore been possible to avoid publishing child users’ contact information, even while maintaining the contact button option for “traditional” businesses.

171 EDPB Guidelines 2/2019, paragraph 32.
172 Recital 38, GDPR: “Such specific protection should, in particular, apply to [...] the collection of personal data with regard to children when using services offered directly to a child”.
173 Meta IE Article 65 Submissions, paragraph 61.
174 Draft Decision, paragraph 115.
175 EDPB Guidelines 2/2019, paragraph 27.
176 EDPB Guidelines 2/2019, paragraph 33.
177 As identified by the IE SA, the relevant aspect of the service (Section 1, Instagram Terms of Use, version of 19 April 2018) was presented as follows: “personalized opportunities to create, connect, communicate, discover, and share”, see Draft Decision, paragraph 114.
178 Draft Decision, paragraph 115.
179 Draft Decision, paragraph 353.
180 EDPB Guidelines 2/2019, paragraph 25.
181 Volker und Markus Schecke and Eifert (Cases C-92/09 and C-93/09, judgement delivered on 9 November 2010, EU:C:2010:662) (hereinafter, “C-92/09 and C-93/09 Schecke and Eifert”), paragraph 86.

96. The EDPB further considers that in the present case the analysis of necessity should be supported by the above-mentioned analysis of the existence of less intrusive means. However, the IE SA did not analyse in the Draft Decision whether other less intrusive means were available to effectively achieve the objective pursued. In this regard, the existing possibility to contact users directly through direct messaging within the platform should have been taken into consideration. In fact, it is clear from the Draft Decision that Meta IE was aware that certain business account users preferred to communicate with their audience through direct messaging on Instagram, rather than by e-mail or phone[183]. The Draft Decision clearly stated that “[Meta IE] acknowledges that publication of phone and email contact information was not always preferred from the perspective of business account users” because, according to Meta IE “[s]ome businesses also noted that they preferred [...] to communicate with their audience or customers through direct messaging on Instagram rather than traditional means (like phone or email)”[184]. Despite this, the IE SA failed to take account of such circumstances in its assessment of the necessity requirements and erred in its conclusion that the contact information processing was necessary for the performance of the contract in the present case.

97. The EDPB recalls that within the “contact information processing” there was also a processing operation (occurring for a specific timeframe) consisting in the publication in plain text of the contact information in the HTML source code on the Instagram website. Meta IE highlighted that “business contact information appeared in the HTML source code for Business Accounts for the purpose of providing a “Contact” button on the Web version of Instagram” since “in order for a web browser to render the relevant Instagram Web page, the browser must ‘speak’ to an Instagram Web server”[185]. The IE SA found an infringement (not disputed by the objections raised) of the principle of data minimisation limited to this “mandatory publication (prior to 7 March 2019) of contact information on the website version of Instagram (in HTML) for all business account users”, since this “had the result that the personal data at issue (i.e. contact information of child users on webpages) was not limited to what was necessary in relation to the purposes for which [Meta IE] processed this specific information”[186]. As noted by the IE SA, the HTML publication of contact information was not considered necessary by Facebook’s Security Team and was subsequently discontinued[187]. The EDPB considers that the analysis of the principle of data minimisation (Article 5(1)(c) GDPR) is relevant for the necessity assessment on the basis of Article 6(1)(b) GDPR[188]. Consequently, the EDPB further finds that such analysis should have complemented the LSA’s assessment on the necessity of the processing for the performance of the contract, with specific regard to the publication of the contact information in the HTML source code on the Instagram website. The EDPB considers that the IE SA could not have concluded that the publication of the contact information of child users in the HTML source code may be regarded as necessary for the performance of the contract between Meta IE and child users.

182 Draft Decision, paragraph 435.
183 Draft Decision, paragraph 210.
184 Draft Decision, paragraphs 210 and 238.
185 Meta IE Article 65 Submissions, paragraph 69.
186 Draft Decision, paragraph 429. As further specified in the Draft Decision, finding 7 covers the period from 25 May 2018 to November 2020, but does not include the period between July 2019 to August 2020, see Draft Decision, paragraph 525.
187 Draft Decision, paragraph 428: “In particular, when abandoning the HTML publication of contact information in March 2019, a representative with the Facebook Security Team informed Mr Stier ‘After discussing this functionality with the Instagram team we did take steps to remove the contact information from the HTML of the page, since it was not necessary to include in its current form’. As such, [Meta IE]’s submission that this HTML processing was necessary is directly contradicted by the actions and words of the Facebook Security Team. FB-I states that this processing was necessary to provide business accounts to child users, who would otherwise be impeded in promoting their professional activities on Instagram; whereas the Facebook Security Team stated expressly that this processing was not necessary, and stopped this practice immediately when it was brought to its attention.”

98. Also, the EDPB takes note of the findings in the Draft Decision that the contact information processing could pose severe risks to the rights and freedoms of child users[189]. The existence of such risks could have also been considered in the assessment as to whether the processing of the child users’ contact information was necessary for the contract.

99. Considering the above[190] and in light of the specific circumstances of the processing, the EDPB finds that the IE SA could not have concluded in paragraph 115 of the Draft Decision that the contact information processing may be regarded as necessary for the performance of a contract between Meta IE and child users.

100. As a consequence, the EDPB finds that Meta IE could not have relied on Article 6(1)(b) GDPR as a legal basis for the contact information processing.

    5.4.2.2. Regarding Article 6(1)(f) GDPR

101. The EDPB recalls that personal data can be processed on the basis of Article 6(1)(f) GDPR when the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, inasmuch as those interests are not overridden by the interests or fundamental rights and freedoms of the data subjects concerned. In this regard, particular attention should be paid when the data subject is a child[191].

102. The EDPB recalls[192] that Article 6(1)(f) GDPR is one of the legal grounds that controllers can rely on for the processing of personal data, as long as the conditions for relying on it are fulfilled[193].

103. As the CJEU has confirmed, Article 6(1)(f) GDPR establishes three cumulative conditions, in order for the processing to be lawful: “first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of [the data subject] do not take precedence”[194].

    a. Existence of a legitimate interest

104. The EDPB recalls that a legitimate interest can have a legal, economic or non-material nature but needs to be real and present[195], and not fictitious, for the entity in question: as clarified by the CJEU case law, the legitimate interest must be present and effective at the date of the data processing and must not be hypothetical at that date[196]. The EDPB moreover considers that the interest pursued must be determined in a sufficiently clear and precise manner: the determination and perimeter of the legitimate interest pursued must be clearly identified in order to ensure that it will be properly balanced against the interests or fundamental rights and freedoms of the data subject. In addition, the legitimate interest must also be lawful (i.e., acceptable under the law)[197]. As a general rule, those interests which can be traced back to the law – a legislative measure or a legal principle – can amount to “legitimate” interest.

188 EDPB Guidelines 2/2019, paragraph 15.
189 As set out in Part G.2 of the Draft Decision.
190 Paragraphs 80-98 of this Binding Decision.
191 Art. 6(1)(f) and Recital 38, GDPR.
192 EDPB Guidelines 8/2020 on the targeting of social media users, version 2.0, adopted on 13 April 2021, paragraph 48.
193 See, as well, WP29 Opinion 06/2014 on the notion of legitimate interests, p. 10-11.
194 C-13/16 Rīgas, paragraph 28.
195 EDPB Guidelines 3/2019 on processing of personal data through video devices, version 2.0, adopted on 29 January 2020 (hereinafter, “EDPB Guidelines 3/2019 on video devices”), paragraphs 18 and 20.

105. As a preliminary matter, the EDPB notes that the DE SAs considered that a legitimate interest cannot exist when the controller relies on it only in case that Article 6(1)(b) GDPR is not applicable to minors on the basis of national law. In the view of the DE SAs, accepting reliance on Article 6(1)(f) GDPR in this situation would be a “circumvention of the corresponding child protection provisions” and “contradicts the purpose of these provisions”[198]. In this respect, the EDPB recalls that, as stated by the WP29, “[a]n appropriate assessment of the balance under [Article 6(1)(f)] (...) may in some cases be a valid alternative to inappropriate use of, for instance, the ground of ‘consent’ or ‘necessary for the performance of a contract’. Considered in this way, [Article 6(1)(f)] presents complementary safeguards compared to the other pre-determined grounds”[199]. Therefore, it does not seem impossible for a controller to rely on Article 6(1)(f) GDPR if, given the specific circumstances of the processing, the requirements enshrined in the GDPR are met. In order to determine whether processing of personal data may rely on Article 6(1)(f) GDPR, data controllers must assess in detail whether the cumulative conditions aforementioned can be met so that the processing of personal data is lawful.

106. In the Draft Decision, the IE SA considered that the legitimate interests pursued are those of Meta IE and other Instagram users, “insofar that publication of contact details to the public may be a reasonable and lawful mode by which to promote a professional undertaking or other public initiative”[200]. The IE SA did not specify if it referred to all Instagram users or to a specific type of users. Considering the submissions of the controller, to which the Draft Decision referred in paragraph 109, it appears that the IE SA followed the former interpretation (i.e., looking at the interests of all Instagram users).

107. In its submission, Meta IE stated that “the display of business contact information served [Meta IE]’s legitimate interest of creating, providing, supporting, and maintaining innovative products and features that enable people under the age of majority to express themselves, communicate, and engage with information and communities relevant to their interests and build community. The display of business contact information on a Business Account also served the legitimate interest of other Instagram users who sought to engage with such an account”[201]. Therefore, in accordance with Meta IE’s submission, the legitimate interests pursued are connected to the fundamental right to conduct a business and the fundamental right to freedom of expression of Instagram users[202]. The IE SA seemed to agree with such interpretation[203], although the IE SA did not specify how it came to such conclusion.



196 TK v Asociaţia de Proprietari bloc M5A-ScaraA (Case C-708/18, judgement delivered on 11 December 2019, ECLI:EU:C:2019:1064), paragraph 44.
197 See, in this respect, WP29 Opinion 06/2014 on the notion of legitimate interests, p. 25.
198 DE SAs objection, p. 5.
199 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 10 and 49.
200 Draft Decision, paragraph 118.
201 Meta IE Article 65 Submissions, paragraph 77.
202 Meta IE Article 65 Submissions, Appendix 5, section 2.a.
203 Draft Decision, paragraph 121.




108. The NL SA and the FI SA argued in their objections that the IE SA did not sufficiently assess whether the interests as formulated by Meta IE are sufficiently clear, precise, lawful (i.e., acceptable under the law) and of real existence[204].

109. As described above, Meta IE described the different interests that it pursued with the processing of personal data at stake. More specifically, Meta IE pursued:

- the legitimate interest of the controller of “creating, providing, supporting, and maintaining innovative products and features that enable people under the age of majority to express themselves, communicate, and engage with information and communities relevant to their interests and build community”, and
- the legitimate interest of a third party (i.e., other Instagram users) to be able to engage with Business Account owners.


110. As stated above, the legitimate interest pursued by the controller must be sufficiently clearly articulated and be real and present, corresponding to current activities or to benefits that are expected in the near future[205]. The aforementioned interests the controller claimed to be pursuing via the processing activities at stake were identified and described in a vague fashion. This is especially the case for the second interest mentioned. Therefore, the EDPB has doubts that the legitimate interest argued by Meta IE meets the requirements of being sufficiently specific, despite Meta IE’s allegations on the contrary[206]. Therefore, due to the lack of specificity, the EDPB cannot assess whether the interests argued are real and lawful (i.e., acceptable under the law). The EDPB also considers that the evaluation of the existence of the legitimate interest(s) pursued should have been more substantiated in the Draft Decision.

111. In any case, the existence of a legitimate interest is only one of the three cumulative conditions that must be met in order to lawfully rely on Article 6(1)(f) GDPR. The EDPB analyses below the two other conditions having regard to the alleged legitimate interests, as described and identified by the controller, in case they were to be considered sufficiently clear, precise, real and lawful (i.e., acceptable under the law).

    b. The necessity of the processing for the purposes of the legitimate interests

112. As stated above, the concept of necessity has an independent meaning in Union law, which must reflect the objectives of data protection law[207]. The assessment of what is necessary involves a combined, fact-based assessment of the processing for the objective pursued. If there are realistic, less intrusive alternatives, the processing cannot be considered as necessary[208].

113. With regard to Article 6(1)(f) GDPR, the necessity of the processing requires a connection between the processing and the legitimate interest(s) pursued and should not lead to an unduly broad interpretation thereof[209]. In this context, the EDPB recalls that the principle of data minimisation is relevant[210]. The EDPB notes that the IE SA found an infringement of the principle of data minimisation limited to “the mandatory publication (prior to 7 March 2019) of contact information on the website version of Instagram (in HTML) for all business account users”, since it “had the result that the personal data at issue (i.e. contact information of child users on webpages) was not limited to what was necessary in relation to the purposes for which [Meta IE] processed this specific information”[211]. The EDPB considers that such analysis should have complemented the assessment on the necessity of the processing, with specific regard to the HTML publication processing operation, as stated above.

204 NL SA objection, paragraph 28; FI SA objection, paragraph 14.
205 See also WP29 Opinion 06/2014 on the notion of legitimate interests, p. 24.
206 Meta IE Article 65 Submissions, paragraph 77.
207 C-524/06 Huber, paragraph 52.
208 EDPB Guidelines 2/2019, paragraph 25; Also C-92/09 and C-93/09 Schecke and Eifert, paragraph 86. The EDPB considers that the existence of other less intrusive means as part of the assessment of necessity is in line with the CJEU case law and the GDPR, inasmuch as such assessment takes account of the possibility to effectively achieve the objectives via other means. In this respect, there is no contradiction between the objections (and the EDPB’s position) and the Court of Justice judgement in C-524/06 Huber, contrary to what Meta IE argued (Meta IE Article 65 Submissions, paragraphs 78-79).

114. In addition, it is relevant to highlight also in this context that when assessing the necessity of a given processing operation, the existence of less intrusive means that would contribute effectively to achieving the interests pursued should be analysed. In this respect, the principle of proportionality should also be taken into account[212]. However, the IE SA did not analyse in the Draft Decision whether other less intrusive means were available to effectively achieve the objectives pursued. In this regard, the existing possibility to contact business account users directly through direct messaging within the platform should have been taken into consideration. In fact, it is clear from the Draft Decision that Meta IE was aware, prior to 4 September 2019, that certain business account users preferred to communicate with their audience through direct messaging on Instagram, rather than by e-mail or phone[213]. The IE SA clearly stated that “[Meta IE] acknowledges that publication of phone and email contact information was not always preferred from the perspective of business account users” because, according to Meta IE “[s]ome businesses also noted that they preferred [...] to communicate with their audience or customers through direct messaging on Instagram rather than traditional means (like phone or email)”[214]. The IE SA also considered that “it is possible to operate a professional profile without also publishing contact information”[215]. Despite this, the IE SA failed to take account of such circumstances for the assessment of the necessity of the contact information processing.

115. Finally, the EDPB notes that the IE SA considered that, in some circumstances, the publication of the contact details of minors may have been necessary in some cases, in particular with respect to those business account users who wished to be publicly contactable by email or phone in connection with their professional activities[216].

116. The EDPB considers that the approach adopted by the IE SA when assessing the necessity of the processing is substantially erroneous. As stated above, reliance on Article 6(1)(f) GDPR requires that the processing be necessary to achieve the legitimate interests pursued, which, in this case, Meta IE considers to be the interest to conduct its business and the interest of Instagram users to contact business account owners and engage with them[217]. The benefits that such processing may bring to the data subject (i.e., in this case, the child business account owners) are not a relevant element for the assessment of necessity of the processing. Article 6(1)(f) GDPR is clear when it states that the legitimate interests are those of the controller or of a third party (and not those of the data subject). Therefore, when assessing the necessity of the processing, the legitimate interests at stake have to be considered with regard to the controller and, if relevant, the third parties concerned (i.e., Meta IE and all Instagram users, in this case).

209 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 29.
210 EDPB Guidelines 3/2019 on video devices, paragraph 29.
211 Draft Decision, paragraph 429.
212 C-92/09 and C-93/09 Schecke and Eifert, paragraph 86.
213 Draft Decision, paragraph 210.
214 Draft Decision, paragraphs 210 and 238.
215 Draft Decision, paragraph 353.
216 Draft Decision, paragraph 119.
217 See paragraph 109 of this Binding Decision.


117. Due to the approach adopted by the IE SA, it failed to justify in the Draft Decision why it considered the publication of contact details necessary for the attainment of the purposes of legitimate interests of Meta IE and other Instagram users. In fact, it is apparent from the Draft Decision that Instagram users had other means of communication with business account users that did not significantly diminish the possibility of engaging with those accounts. The availability of other means of communication with business account users is also shown by the fact that certain business account users even preferred to communicate with their audience via direct messaging within the platform and did not want their information to be public. As the IE SA acknowledged “[i]t is also clear that many business account users did not require the publication of personal contact information in order to pursue their professional purposes on Instagram”[218] and that “the requirement to publish contact information was clearly not ‘appropriate’ as of May 2018”[219]. This proves with significant certainty that Instagram users could have achieved the alleged legitimate interest of engaging with business account owners even if their contact details were not public and, therefore, Meta IE could also achieve its alleged legitimate interest to create, provide, support and maintain innovative products that enable children to express themselves, communicate and engage with others.

118. Therefore, in the view of the EDPB, the IE SA failed to take into account the relevant legitimate interests when performing the assessment of necessity of the processing and, therefore, it should have not concluded[220] that the processing may have been necessary in some circumstances.

119.        For the reasons described above, the EDPB considers that there are sufficient elements to raise
    significant doubts on the necessity of the publication of the contact information of child users for the
    purposes of the legitimate interests pursued.

120.        In any case, even if the necessity of the processing could be established under some
    circumstances, in order to lawfully rely on Article 6(1)(f) GDPR as a legal basis for the processing, there
    is a need to ensure that the interests and fundamental rights and freedoms of the data subjects do not
    override the legitimate interests pursued.


    c. The balancing exercise
121.        When a controller intends to rely on Article 6(1)(f) GDPR, it has to evaluate the risks of intrusion
    on the data subject’s rights. In this respect, the decisive criterion is the intensity of the intervention
    for the rights and freedoms of the individual [221]. The EDPB has previously stated that intensity can inter
    alia be defined by the type of information that is gathered, the scope, the number of data subjects
    concerned, the situation in question, the actual interests of the group of data subjects, the existence
    of alternative means, as well as by the nature and scope of the data assessment [222]. The reasonable
    expectations of the data subject at the time and in the context of the processing shall also be
    considered [223]. In this regard, the EDPB recalls that the age of the data subject may be one of the factors
    to take into account in the context of the balancing of interests [224].



    218 Draft Decision, paragraph 429.
    219 Draft Decision, paragraph 433.
    220 See Draft Decision, paragraph 119.
    221 EDPB Guidelines 3/2019 on video devices, paragraph 32.
    222 EDPB Guidelines 3/2019 on video devices, paragraph 33.
    223 EDPB Guidelines 3/2019 on video devices, paragraph 36.
    224 Case C-13/16 Rīgas, paragraph 33; and WP29 Opinion 06/2014 on the notion of legitimate interests, p. 40.




122.        The objective of the balancing of interests is to understand the impact of the processing on the
    data subjects, in order to properly conclude whether their interests or fundamental rights and
    freedoms override the legitimate interests of the controller. The purpose is not to prevent any
    negative impact on the data subject, but to prevent a disproportionate impact [225]. Such impact
    encompasses the different ways in which an individual may be affected - positively or negatively - by
    the processing, and should address any possible (potential or actual) positive and negative
    consequences of such processing [226]. These consequences may include potential or future decisions or
    actions by third parties or fear and distress that the data subject may experience when losing control
    over personal information, for example through exposure on the internet [227]. The key elements to
    assess the impact are the likelihood that the risk materialises, on one hand, and the severity of the
    consequences on the other one [228]. The EDPB underlines that safeguards play a special role in reducing
    any undue impact on the data subject. In order to ensure that the interests and fundamental rights
    and freedoms of data subjects do not override the legitimate interests pursued, the safeguards in
    question must be adequate and sufficient, and must unquestionably and significantly reduce the
    impact on data subjects [229].


123.        The assessment should also take into account the measures that the controller plans to adopt
    in order to comply with its obligations, including in terms of proportionality and transparency [230]. The
    relationship between the balancing test, transparency and the accountability principle has already
    been underlined by the WP29, which considered it “crucial” in the context of Article 6(1)(f) GDPR [231]. In
    this regard, the EDPB recalls that, if the controller hides important information to the data subject, it
    will not fulfil the requirements of reasonable expectations of the data subject and an overall
    acceptable balance of interests [232].

124.        In the Draft Decision, the IE SA disagreed with Meta IE’s analysis of the adequacy of the
    information provided to child users and the security and safety measures implemented, which, in the
    view of the IE SA, did not mitigate all relevant risks for child users [233]. In fact, the insufficiency of the
    measures led the IE SA to conclude that “there are possible and severe risks associated with the two
    forms of processing which are the subject of this Inquiry; these risks are primarily related to possible
    communication between child users and dangerous individuals, both on and off the Instagram platform
    (...). I am also satisfied that the measures and safeguards implemented by [Meta IE] (in the form of
    account options, tools and information) were not adequate with regard to the specific processing
    operations at issue” since they “did not adequately mitigate the risk of communication between
    dangerous individuals and child users. Accordingly, I do not share [Meta IE]’s view that the processing
    at issue did not result in high risks to the rights and freedoms of child users” [234]. The IE SA also
    considered that the changes to the processing in July and September 2019 “reduced but did not
    adequately mitigate the risks for child users in connection with the processing” [235]. Meta IE argued that
    neither the CSAs nor the IE SA gave “due weight to the other half of the balancing test to mitigate


    225 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 41.
    226 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 37.
    227 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 37.
    228 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 38.
    229 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 31.
    230 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 33 and 41.
    231 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 43.
    232 See WP29 Opinion 06/2014 on the notion of legitimate interests, p. 44.
    233 Draft Decision, paragraph 120.
    234 Draft Decision, paragraph 356.
    235 Draft Decision, paragraph 389.




    and/or negate” the risks to the data subjects [236]. Therefore, the EDPB disagrees with the view of Meta
    IE and considers that the IE SA on the assessment of the risk is accurate. The EDPB also underlines that
    it is possible to accommodate the objective of effectively reducing the risk for children while ensuring
    their right to freedom of expression, by implementing appropriate safeguards and measures [237].

125.        The IE SA also addressed the lack of transparency regarding the information on the publication
    of the contact details. In this respect, the IE SA stated in the Draft Decision that “[Meta IE] facilitated
    the publication of phone and email contact information for children as young as 13, using a streamlined
    account switching process which automatically completed certain information for the user, without
    warning child users that publication of their personal contact information may result in high risks to
    their rights and freedoms” [238]. Therefore, taking into account both the assessment of the risk and the
    mitigating measures, as well as the lack of information provided, the IE SA concluded that “the contact
    information processing by [Meta IE] (both before September 2019, and after) results in high risks to the
    rights and freedoms of child users, for the purposes of Article 35(1) GDPR” [239].

126.        As mentioned above, the transparency of the information provided has an impact on the
    reasonable expectations of the data subjects. Likewise, adequate and sufficient additional safeguards
    are those that unquestionably and significantly reduce the impact on data subjects. These are
    important elements to take into account in the assessment of the balancing of interests. However,
    despite acknowledging the lack of proper measures and information, and the severe risks that this
    creates for child users, when analysing the balancing exercise to verify whether Meta IE could rely on
    Article 6(1)(f) GDPR the IE SA only concluded that, in some circumstances, it is possible that the
    legitimate interests would not be overridden by the interests or fundamental rights and freedoms of
    the child user [240]. In addition, despite the lack of proper information, the IE SA concluded that
    technically literate users may have expected the publication, regardless of their age [241]. The EDPB finds
    particularly problematic that, despite the risks of the processing, recognised by Meta IE itself [242], the
    publication of contact details of child users was mandatory until 4 September 2019. In fact, child users
    were not even informed of such publication, since the Option Screen only stated that “these contact
    options will be linked to your business profile” [243]. Even though the screen included a note at the end
    stating that “people will be able to email, call and get directions to your business [...]”, it did not specify
    that it was because of the publication of the information. In the view of the EDPB, it is not reasonable
    to expect that a normal user, let alone a child, even if technically literate, could deduce from such a
    vague statement that publication of their information would take place and that it would allow any
    type of person (including persons with whom they had had no contact or link) to contact them directly.
    In fact, as the IE SA noted, the term “will be able” may have been understood by the child users as a
    conditional indication that an additional contact-publication feature could be implemented optionally
    by the user [244].





    236 Meta IE Article 65 Submissions, paragraph 10.
    237 See Draft Decision, paragraph 353.
    238 Draft Decision, paragraph 389 (emphasis added).
    239 Draft Decision, paragraph 389 (emphasis added).
    240 Draft Decision, paragraph 123. In particular, the IE SA referred to situations “where the processing occurred
    in the context of well-considered professional activities”.
    241 Draft Decision, paragraph 122.
    242 Draft Decision, paragraph 381; Meta IE Article 65 Submissions, Appendix 5, sections 4.2.a and 4.2.b.
    243 Draft Decision, paragraph 42, Figure 1.
    244 Draft Decision, paragraphs 184 and 185.




127.        Taking the above into consideration, the EDPB is of the view that the IE SA did not properly
    assess the impact of the processing when performing the balancing exercise. In fact, the IE SA only
    took into account the positive consequences of the processing [245], whereas it failed to give proper
    weight to all the other relevant elements and the risks it had itself identified.

128.        Therefore, the EDPB considers that, regarding the publication of the contact information of
    child users prior to 4 September 2019, the legitimate interests pursued were overridden by the
    interests and fundamental rights and freedoms of child users. The EDPB comes to this conclusion given
    the severe risks identified by the IE SA, the lack of appropriate measures to address those risks, the
    lack of proper information to data subjects regarding publication and its consequences and the
    impossibility to opt-out from the publication. All these elements combined tip the balance in favour of
    the interests and fundamental rights and freedoms of the data subjects.

129.        With regard to the processing of personal data of child users after 4 September 2019, the EDPB
    notes that the Option Screen stated that the contact information would be displayed publicly in the
    profile of the users “so people can contact you” [246]. This change in the wording could have allowed child
    users to understand that any person could contact them as their details would be publicly available [247].
    In addition, child users were given the option to opt-out from the publication of their contact details.
    The availability of a well-designed opt-out option without the need for any justification to exercise it
    and the relationship between the balancing test and transparency are crucial for the balancing exercise
    under Article 6(1)(f) GDPR. In fact, in those cases in which the balance is difficult to strike, a
    well-designed and workable mechanism for opt-out could play an important role in safeguarding the rights
    and interests of the data subjects [248]. In this regard, it is relevant to bear in mind the finding of the IE
    SA in the Draft Decision that the information provided to child users by Meta IE after 4 September
    2019 in the course of the business account switching process was in compliance with Articles 12(1),
    13(1)(c) and 13(1)(e) GDPR (Finding 3 in the Draft Decision) [249].

130.        This being said, the EDPB finds that these elements are not sufficient to change the outcome
    of the balancing test in light of the aforementioned considerations. This is especially the case because
    of the high risk resulting from the publication of contact details as explained above in paragraph 124
    and of the fact that children were not warned about such risks. These circumstances were not affected
    by the changes brought as of 4 September 2019 and thus these changes were not sufficient to change
    the outcome of the balancing test.

131.        On the basis of the above, the publication of the contact information of child users prior to and
    after 4 September 2019 did not meet the requirements under Article 6(1)(f) GDPR, since the interests
    and fundamental rights and freedoms of the data subjects overrode the alleged legitimate interests
    pursued.

132.        Considering the EDPB’s conclusion in paragraphs 118-119 and, especially, 131 above, it is the
    view of the EDPB that Meta IE could not rely on Article 6(1)(f) GDPR for the contact information
    processing since the processing was either unnecessary or, if it were to be considered necessary, it
    did not pass the balancing test.


    245 See Draft Decision paragraph 121, where the IE SA assessed the potential negative consequences if the
    processing didn’t take place.
    246 Draft Decision, paragraph 42, Figure 2.
    247 See also Draft Decision, paragraph 206.
    248 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 45.
    249 Draft Decision, paragraph 206.



        5.4.2.3. Conclusion regarding the lack of legal basis

133.        Considering the conclusions in paragraphs 100 and 132 of this Binding Decision, i.e. that Meta
    IE could rely neither on Article 6(1)(b) GDPR, nor on Article 6(1)(f) GDPR for the contact information
    processing, and bearing in mind that Meta IE relied on these two legal bases alternatively for the
    processing at stake [250], the EDPB finds that Meta IE processed the personal data unlawfully [251]. As a
    consequence, to that extent Meta IE infringed Article 6(1) GDPR. Accordingly, the EDPB instructs the
    IE SA to change its Draft Decision in order to establish the relevant infringement.

134.        Considering the nature and gravity of the infringement, as well as the number of data subjects
    affected, the EDPB further instructs the IE SA to re-assess its envisaged action in accordance with the
    conclusions reached by the EDPB in order to consider the additional infringement of Article 6(1) GDPR.
    In this respect, the additional infringement of Article 6(1) GDPR shall be considered in the compliance
    order, to the extent that the processing is ongoing, in order to ensure that full effect is given to Meta
    IE’s obligations under Article 6(1) GDPR.

135.        With regard to the imposition of an administrative fine for the infringement of Article 6(1)
    GDPR, the EDPB refers to section 7.4.2.4 of this Binding Decision for its assessment.



        6 ON POTENTIAL FURTHER (OR ALTERNATIVE) INFRINGEMENTS
            IDENTIFIED BY THE CSAs

        6.1.    On potential infringements of Article 6(1)(a), Article 7 and Article 8(1) GDPR
                regarding contact information processing


        6.1.1. Analysis by the LSA in the Draft Decision

136.        In its inquiry and the Draft Decision, with regard to the legal basis for the contact information
    processing, the IE SA solely considered whether Meta IE could rely on Articles 6(1)(b) and alternatively
    on 6(1)(f) GDPR as the legal bases [252] (as summarized above in paragraphs 25-31 of this Binding
    Decision).

        6.1.2. Summary of the objection raised by the CSAs

137.        The DE SAs raised an objection whereby the only applicable legal basis for the contact
    information processing is consent under Article 6(1)(a) GDPR. According to the DE SAs, Meta IE should
    have additionally obtained parental consent for minor users under 16 years of age, unless the national
    legislator has regulated this differently [253]. The DE SAs also objected to the LSA having not found an
    infringements of Articles 7 and 8(1) GDPR regarding contact information processing as a consequence
    of the infringement of Article 6(1)(a) GDPR. In the view of the DE SAs, Meta IE should have complied
    with the requirements for consent under Article 7 GDPR and the conditions applicable to a child’s
    consent under Article 8(1) GDPR. However, Meta IE had neither fulfilled the conditions under Article 7
    GDPR, nor obtained parental consent with regard to children below the age of 16 years as required


    250 Draft Decision, paragraphs 105 and 108; Meta IE Article 65 Submissions, Appendix 6 (Meta IE Response to
    Request for Information), paragraphs 17-19.
    251 Art. 6(1) GDPR: “Processing shall be lawful only if and to the extent that at least one of the following applies:
    [...]”.
    252 Draft Decision, paragraphs 100-125.
    253 DE SAs objection, p. 8-9.



    under Article 8 GDPR [254]. The DE SAs also requested the LSA to take specific additional corrective
    measures as a consequence of the possible infringements [255].


        6.1.3. Position of the LSA on the objections

138.        The IE SA confirmed that it does not propose to “follow” the objections that were raised by the
    CSAs and/or does not consider the objections to be relevant and reasoned [256].


        6.1.4. Analysis of the EDPB

139.        The EDPB observes that in the Draft Decision the IE SA analysed if Meta IE could rely on Article
    6(1)(b) and alternatively on Article 6(1)(f) GDPR for the contact information processing. The EDPB
    notes that the CSAs can raise a relevant and reasoned objection on additional infringements in relation
    the conclusions to be drawn from the findings of the investigation [257], or on whether the LSA has
    sufficiently investigated the relevant infringements of the GDPR [258]. The DE SAs’ objection requests the
    LSA to find infringements of Article 6(1)(a) GDPR and, consequently, of Article 7 and Article 8(1) GDPR.
    In this regard, the potential infringements of Article 7 and Article 8(1) GDPR is a consequence of the
    potential infringement of Article 6(1)(a) GDPR. However, the EDPB firstly considers that the objection
    regarding the infringement of Article 6(1)(a) GDPR fails to establish a direct connection with the
    specific legal and factual content of the Draft Decision, thus lacking relevance. As the EDPB finds that
    the DE SAs objection, insofar it concerns Meta IE’s compliance with Article 6(1)(a) GDPR, is not
    relevant, this also affects the relevance of the DE SAs objection, insofar it concerns Meta IE’s
    compliance with Article 7 and Article 8(1) GDPR. Consequently, the EDPB finds that the DE SAs
    objection on the potential infringements Article 6(1)(a), Article 7 and Article 8(1) GDPR are not
    “relevant”.

140.        The EDPB further observes that it remains unclear from the DE SAs objection if in the present
    case the infringements of Article 7 and Article 8(1) GDPR can be established on the basis of the findings
    in the Draft Decision or the LSA’s inquiry. Moreover, the EDPB finds that the DE SAs objection in
    relation to Article 7 and Article 8(1) GDPR does not provide sufficiently precise and detailed legal
    reasoning regarding infringement of each specific provision in question. In addition, the objection does
    not put forward sufficient arguments to demonstrate the significance of the risk posed by the Draft
    Decision for the rights and freedoms of the data subjects or the free flow of data within the EU.
    Therefore, the objection is also not sufficiently “reasoned” in light of the Guidelines on RRO [259].

141.        Considering the above, the EDPB finds that the DE SAs objection, insofar it concerns Article
    6(1)(a), Article 7 and Article 8(1) GDPR does not meet the threshold of Article 4(24) GDPR. With regard
    to the potential infringement of Article 6(1)(a) GDPR, the DE SAs objection is not “relevant” and,
    regarding Article 7 and Article 8(1) GDPR, the DE SAs objection is neither “relevant”, nor “reasoned”.
    Consequently, there is no need for the EDPB to further analyse the merits of this objection.


        6.2.    On potential infringements of Article 5(1)(a) and Article 5(1)(b) GDPR
                regarding contact information processing


    254 DE SAs objection, p. 8-10.
    255 DE SAs objection, p. 10.
    256 Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
    257 EDPB Guidelines on Article 65(1)(a), paragraphs 73-76; EDPB Guidelines on RRO, paragraphs 26-28.
    258 EDPB Guidelines on Article 65(1)(a), paragraphs 77-81.
    259 EDPB Guidelines on RRO, paragraphs 19 and 25 and 35-48.



        6.2.1. Analysis by the LSA in the Draft Decision

142.        In its Draft Decision, the IE SA considered whether Meta IE could rely on Article 6(1)(b) GDPR
    or alternatively on Article 6(1)(f) GDPR for the contact information processing [260] (as summarized above
    in paragraphs 25-31 of this Binding Decision).


        6.2.2. Summary of the objection raised by the CSAs

143.        The DE SAs objected to the IE SA not finding that an infringement of Articles 5(1)(a) and (b)
    GDPR occurred. In the view of the DE SAs, the IE SA should have found an infringement of Articles
    5(1)(a) and (b) GDPR stemming from Meta IE’s lack of legal basis for the processing [261].

144.        The DE SAs considered that as a consequence of Meta IE not validly relying on any of the legal
    bases of Article 6(1) GDPR, Meta IE violated the principle of lawfulness under Article 5(1)(a) GDPR.
    Moreover, by disregarding the special requirements for consent under Article 7 and Article 8(1) GDPR
    as proposed by the DE SAs (see section 6.1 of this Binding Decision), Meta IE processed personal data
    in an unlawful manner that breached Article 5(1)(a) GDPR [262].

145.        In the context of Article 5(1)(b) GDPR, the DE SAs argued that the lack of legal basis for
    processing undermined the principle of purpose limitation. The DE SAs argued that Meta IE did not
    define specific purposes of processing for all groups of children, but rather expressed the performance
    of a contract as a common purpose for all processing. As the purpose of processing was the
    performance of a contract, Meta IE could not simultaneously claim that the purpose for certain groups
    of minors was legitimate interest as this would have been against the controller’s duty to collect
    personal data for specified, explicit and legitimate purposes [263].


        6.2.3. Position of the LSA on the objections

146.        The IE SA confirmed that it does not propose to “follow” the objections that were raised by the
    CSAs and/or does not consider the objections to be relevant and reasoned [264].


        6.2.4. Analysis of the EDPB

147.        The EDPB observes that in the Draft Decision the LSA analysed if Meta IE could rely on Article
    6(1)(b) and alternatively on Article 6(1)(f) GDPR for the contact information processing. As noted
    above, the CSAs can raise a relevant and reasoned objection on additional infringements in relation
    the conclusions to be drawn from the findings of the investigation [265], or on whether the LSA has
    sufficiently investigated the relevant infringements of the GDPR [266]. However, the EDPB considers that
    in this specific case the DE SAs objection insofar as it requests the IE SA to find the infringements of
    Article 5(1)(a) and Article 5(1)(b) GDPR fails to establish a direct connection with the specific legal and




    260 Draft Decision, paragraphs 100-125.
    261 DE SAs objection, p. 10. The EDPB observes that, although on page 2 of their objection the DE SAs referred to
    Art. 5(1)(a) and 5(1)(c), on page 10 of their objection the DE SAs referred to Art. 5(1)(a) and 5(1)(b), thus the
    EDPB has considered that the DE SAs raised an objection with regard to Art. 5(1)(a) and 5(1)(b) GDPR.
    262 DE SAs objection, p. 9.
    263 DE SAs objection, p. 9.
    264 Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
    265 EDPB Guidelines on Article 65(1)(a), paragraphs 73-76; EDPB Guidelines on RRO, paragraphs 26-28.
    266 EDPB Guidelines on Article 65(1)(a), paragraphs 77-81.




    factual content of the Draft Decision. Therefore, the EDPB finds that the DE SAs objection to the extent
    it concerns the potential infringements Article 5(1)(a) and Article 5(1)(b) GDPR is not “relevant”.


148.        The EDPB further finds that the DE SAs objection does not put forward sufficiently precise and
    detailed legal, as well as factual reasoning in relation to infringement of each specific provision in
    question. In addition, the objection does not provide sufficient arguments to demonstrate the
    significance of the risk posed by the Draft Decision for the rights and freedoms of the data subjects or
    the free flow of data within the EU. Therefore, the objection is also not sufficiently “reasoned” in light
    of the Guidelines on RRO [267].

149.        Considering the above, the EDPB finds that the DE SAs objection regarding the infringements
    of Article 5(1)(a) and (b) GDPR does not meet the threshold of Article 4(24) GDPR, as it is neither
    “relevant”, nor “reasoned”. Consequently, there is no need for the EDPB to further analyse the merits
    of this objection.


        6.3.    On legal basis regarding public-by-default processing


        6.3.1. Analysis by the LSA in the Draft Decision

150.        In its Draft Decision, the IE SA considered whether the default account settings for child users
    by Meta IE were contrary to the GDPR, particularly Article 5(1)(c), Article 12(1), Article 24(2), Articles
    25(1) and (2) GDPR. As explained by the IE SA in its Draft Decision [268], public-by-default processing
    refers to Instagram having a default setting which allowed the social media content of an Instagram
    account to be viewed by any Instagram user, or by persons who had not registered as Instagram users
    if the latter were accessing the web-browser version of Instagram (hereinafter, “public-by-default
    processing”). In contrast, if a user account was set as private, the content posted on the account could
    be accessed only by users approved by the account holder personally [269]. To make a user account
    private, the account holder had to change the default settings after registration as an Instagram
    user [270].

151.        The IE SA identified that Meta IE had two separate purposes for processing the personal data
    of its Instagram users in relation to the public-by-default setting. In case of a public profile, Meta IE
    processed personal data for the purpose of sharing social media content with anyone, including
    persons who had not registered as Instagram users. In case of a private profile, the purpose of
    processing was to share content only with Instagram users who had been approved by the account
    holder [271].


152.        Meta IE informed its child users of the public-by-default account settings in its 2018 and 2020
    Data Policies under a section titled “Sharing on Facebook Products”, which stated that “When you
    share and communicate using our Products, you choose the audience for what you share”. The section
    further stated the following [272]:

                    “Public information can be seen by anyone, on or off our Products, including if they
                    don't have an account. This includes your Instagram username; any information you

    267 EDPB Guidelines on RRO, paragraphs 19 and 25, and paragraphs 35-48.
    268 The specific processing as described in the Draft Decision, paragraph 43.
    269 Draft Decision, paragraph 43.
    270 Draft Decision, paragraph 44.
    271 Draft Decision, paragraph 153.
    272 Draft Decision, paragraph 132.



                    share with a public audience; information in your public profile on Facebook; and
                    content you share on a Facebook Page, public Instagram account or any other public
                    forum, such as Facebook Marketplace”.

153.        The Data Policy contained a hyperlink to a section titled “How do I set my Instagram account to private
    so that only approved followers can see what I share?” included in Instagram’s support webpage. The
    section stated the following [273]:


                    “By default, anyone can see your profile and posts on Instagram. You can make your
                    account private so that only followers you approve can see what you share. If your
                    account is set to private, only your approved followers will see your photos or videos
                    on hashtag or location pages.”

154.        The instructions on how to switch the account from public to private were included in a section on the
    support webpage titled “How do I set my Instagram account to private so that only approved followers
    can see what I share?” and in additional informational resources created by Meta IE for its child users
    and their parents. In addition to the above contents, the Data Policy 2018 included another hyperlink
    to a support webpage titled “Controlling Your Visibility”. This webpage included information on how to
    switch to a private account [274].

 155.        With respect to the compatibility with Article 12(1) GDPR, the IE SA concluded that Meta IE
     infringed this provision because it did not inform the child users of Instagram of the purposes of the
     public-by-default processing in a clear and transparent manner²⁷⁵.

 156.        Assessing the public-by-default processing in the context of Article 5(1)(c) and Article 25(2)
     GDPR, the IE SA noted that the public-by-default processing was not necessary or proportionate for
     the two purposes of this processing that were identified by the IE SA. In particular, the IE SA considered
     that child users may have a reduced ability to change the privacy settings of their account. Moreover,
     the public-by-default processing was global in extent²⁷⁶. The IE SA found that Meta IE had failed to
     implement technical and organisational measures to ensure that, by default, only personal data that
     was necessary for the relevant purpose of processing was collected. Particularly considering that the
     child users’ accounts were by default made visible to an indefinite number of natural persons, the IE
     SA found that the processing had infringed Article 5(1)(c) and Article 25(2) GDPR²⁷⁷.

 157.        The IE SA also concluded that Meta IE infringed Article 25(1) GDPR by not implementing
     appropriate technical and organisational measures to implement the data protection principles in an
     effective manner and integrate the necessary safeguards to protect child users from the severe risks
     that the public-by-default processing posed²⁷⁸.

 158.        Further, the IE SA found that the safeguards and measures implemented by Meta IE did not
     properly take into account the specific risks to the rights and freedoms of child users²⁷⁹. The IE SA
     concluded that Meta IE infringed Article 24(1) GDPR²⁸⁰.


     273 Draft Decision, paragraph 132.
     274 Draft Decision, paragraph 132.
     275 Draft Decision, Finding 1.
     276 Draft Decision, paragraph 450.
     277 Draft Decision, Finding 10.
     278 Draft Decision, Finding 11.
     279 Draft Decision, paragraph 456.
     280 Draft Decision, Finding 12.




159.        The IE SA’s findings in the Draft Decision regarding Article 5(1)(c), Article 12(1), Article 24(1),
    Articles 25(1) and (2) GDPR in relation with public-by-default processing are not subject to the present
    dispute.


        6.3.2. Summary of the objection raised by the CSAs

160.        The NO SA first considered that the IE SA’s findings and assessment in the Draft Decision
    logically led to the conclusion that the requirement of necessity under Article 6(1)(b) and (f) were not
    met²⁸¹. The NO SA noted that the IE SA found that Meta IE carried out processing beyond what was
    necessary for the purposes of the processing, such as in paragraph 450 of the Draft Decision, and
    identified considerable risks for child users. Based on these findings, the NO SA concluded that Meta
    IE did not fulfil the necessity requirement under Article 6(1)(b) and (f) GDPR²⁸². The NO SA suggested
    that the IE SA should have carried out a legal analysis on the processing to verify if it could rely on
    Article 6(1)(b) and (f)²⁸³. The NO SA suggested that the scope of the inquiry allowed the investigation
    of whether the lawfulness obligations under Article 6 GDPR were met. This was based on the fact that
    the Draft Decision included an assessment of Article 6 GDPR and conclusions that were relevant for
    the assessment of lawfulness²⁸⁴.


161.        Specifically on the public-by-default processing, the NO SA stated that the fact that the IE SA
    found that the public-by-default processing was not necessary or proportionate on several grounds
    indicated that there was a violation of Article 6(1) GDPR. Such grounds were that Meta IE’s child users
    may have had reduced ability to apply Instagram’s privacy settings, the processing of public accounts
    was global and the processing was not necessary for such child users who did not wish to have their
    Instagram account public. The NO SA concluded that the public-by-default processing was not
    necessary for the performance of a contract or the purposes of the legitimate interests pursued by the
    controller²⁸⁵.

162.        Finally, the NO SA asked the IE SA to conclude that the legal bases under Article 6(1)(b) and (f)
    GDPR were not applicable legal bases for the public-by-default processing and to exercise corrective
    powers under Article 58(2) GDPR: (1) to order the controller to identify a valid legal basis for the
    processing in question, or from now on abstain from such processing activities; and (2) to impose an
    administrative fine for unlawfully processing personal data, erroneously relying on Articles 6(1)(b) and
    (f) GDPR²⁸⁶.


        6.3.3. Position of the LSA on the objections

163.        The IE SA confirmed that it does not propose to “follow” the objections that were raised by the
    CSAs and/or does not consider the objections to be relevant and reasoned²⁸⁷.









    281 NO SA objection, p. 2.
    282 NO SA objection, p. 3.
    283 NO SA objection, p. 3.
    284 NO SA objection, p. 2.
    285 NO SA objection, p. 4.
    286 NO SA objection, p. 7.
    287 Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.




        6.3.4. Analysis of the EDPB

164.        The EDPB observes that, although the public-by-default processing was examined by the IE SA
    in the Draft Decision²⁸⁸, the question of compliance of the public-by-default processing with Article 6
    GDPR was neither within the scope of the inquiry of the IE SA, nor it was addressed by the IE SA in the
    Draft Decision. At the same time, the EDPB recalls that the CSAs can raise a relevant and reasoned
    objection on additional infringements in relation to the conclusions to be drawn from the findings of the
    investigation²⁸⁹, or on whether the LSA has sufficiently investigated the relevant infringements of the
    GDPR²⁹⁰. However, the EDPB considers that in this specific case the NO SA objection fails to establish
    a direct connection with the specific legal and factual content of the Draft Decision, thus it is not
    “relevant”.

165.        Furthermore, the EDPB considers that, given the legal and factual elements available in the

    Draft Decision and the arguments presented by the NO SA, the objection does not explain sufficiently
    clearly, nor substantiate in sufficient detail how the conclusion regarding Meta IE’s compliance with

    Article 6 GDPR in relation to the public-by-default processing could be reached on that basis.
    Therefore, the EDPB finds that this NO SA objection is not “reasoned”.


166.        Considering the above, the EDPB finds that the NO SA objection regarding the public-by-default
    processing does not meet the threshold of Article 4(24) GDPR and consequently there is no need for
    the EDPB to further analyse the merits of this objection.



        7 ON THE DETERMINATION OF THE ADMINISTRATIVE FINE


        7.1.     Analysis by the LSA in the Draft Decision

167.        In the Draft Decision, the IE SA analysed the criteria in Article 83(2) GDPR in deciding whether
    to impose an administrative fine and determine its amount²⁹¹. The IE SA also specified that the
    “decision as to whether to impose an administrative fine in respect of each infringement, and the
    amount of that fine where applicable, is independent and specific to the circumstances of each
    particular infringement”²⁹². As regards the calculation of the fine, in the Draft Decision the IE SA
    considered the nature, gravity and duration of the infringement, as per Article 83(2)(a) GDPR²⁹³. In
    terms of nature, the infringements of Article 12(1) GDPR in respect of both the public-by-default
    processing and the contact information processing were found to be most serious in nature²⁹⁴. The IE
    SA found that the infringement of Article 5(1)(a) GDPR regarding the contact information processing
    was serious in nature²⁹⁵ and that the infringements of Article 35(1), 24(1), 25(1)²⁹⁶, 5(1)(c) and 25(2)
    GDPR²⁹⁷ were serious in nature in respect of both the public-by-default processing and the contact
    information processing. In terms of gravity, the LSA considered that the gravity of infringements of
    Article 12(1) GDPR in respect of both the public-by-default processing and the contact information
    processing was highly serious²⁹⁸. The IE SA found that the gravity of the infringement of Article 5(1)(a)
    GDPR regarding the contact information processing was serious²⁹⁹ and that the gravity of the
    infringements of Articles 35(1), 24(1), 25(1)³⁰⁰, 5(1)(c) and 25(2) GDPR³⁰¹ in respect of both the
    public-by-default processing and the contact information processing was serious. In terms of duration of the
    infringement, the IE SA considered that the period of infringement was the period between the
    entering into application of the GDPR on 25 May 2018 and the commencement of the inquiry on 21
    September 2020³⁰². The IE SA found the aforementioned period to be the duration of the
    infringements apart from the infringement of Article 12(1) GDPR regarding contact information
    processing, which the IE SA found to have ended on 4 September 2019, the infringement of Article
    5(1)(a) GDPR concerning contact information processing, which the IE SA found to have commenced
    from 4 September 2019 and the infringement of Article 35(1) GDPR regarding both contact information
    and public-by-default processing, which the LSA found to have commenced on 25 July 2018. Moreover,
    the LSA found that the duration of the infringement of Articles 5(1)(c) and 25(2) GDPR concerning the
    contact information processing ended on November 2020 and did not include the period between July
    2019 to August 2020³⁰³.

    288 See section 6.3.1 of this Binding Decision for the summary of the main relevant conclusions in the Draft
    Decision.
    289 EDPB Guidelines on Article 65(1)(a), paragraphs 73-76; EDPB Guidelines on RRO, paragraphs 26-28.
    290 EDPB Guidelines on Article 65(1)(a), paragraphs 77-81.
    291 Draft Decision, paragraphs 485-564.
    292 Draft Decision, paragraph 486.
    293 Draft Decision, paragraphs 487-526.
    294 Draft Decision, paragraphs 503-504.
    295 Draft Decision, paragraph 505.
    296 Draft Decision, paragraph 506.
    297 Draft Decision, paragraph 507-508.

168.        In relation to the intentional or negligent character of the infringements, as per Article
    83(2)(b) GDPR, the IE SA concluded that certain Meta IE’s infringements were intentional and others
    negligent in character³⁰⁴. The LSA found that the infringements of Article 12(1) GDPR regarding both
    public-by-default processing and contact information processing were negligent and the infringements
    of Articles 24(1) and 25(1) GDPR regarding both public-by-default processing and contact information
    processing were highly negligent³⁰⁵. As for the other infringements, the LSA found that the
    infringements of Article 5(1)(a) GDPR regarding contact information processing and Articles 35(1),
    5(1)(c) and 25(2) GDPR in respect of both public-by-default processing and contact information
    processing were intentional³⁰⁶.

169.        With regard to other aggravating or mitigating factors, as per Article 83(2)(k) GDPR, the Draft
    Decision assessed the financial benefit gained by Meta IE from the infringements. The IE SA concluded
    that the infringement of Article 12(1) GDPR resulted in a financial benefit to Meta IE and considered
    this to be an aggravating factor³⁰⁷. Regarding the infringement of Article 24 GDPR, the IE SA stated
    that this infringement was considered separately to other infringements and it was not considered to
    be an aggravating factor with regard to the other infringements at issue, or an issue which is pertinent
    to the calculation of the administrative fines³⁰⁸.


170.        The assessment by the IE SA of the criteria in Article 83(2)(a) and (c) to (j) GDPR is not subject
    to the present dispute.




    298 Draft Decision, paragraphs 511-512.
    299 Draft Decision, paragraph 513.
    300 Draft Decision, paragraph 514.
    301 Draft Decision, paragraph 515-516.
    302 Draft Decision, paragraph 526.
    303 Draft Decision, paragraphs 518-525.
    304 Draft Decision, paragraphs 527-544.
    305 Draft Decision, paragraphs 531-534 and 537.
    306 Draft Decision, paragraphs 535-536 and 538-539.
    307 Draft Decision, paragraph 564.
    308 Draft Decision, paragraphs 486 and 568.




171.         In the Draft Decision, the IE SA considered the criteria outlined in Article 82(2)(a)-(k) GDPR
    cumulatively in respect of each infringement, when deciding whether to impose an administrative fine
    and when deciding the amount of each administrative fine³⁰⁹. The IE SA concluded that an
    administrative fine for each of the infringements was appropriate and necessary to dissuade
    non-compliance in the case at hand and similar future cases of Meta IE and other controllers or processors
    carrying out similar processing activities. Here, the IE SA considered the seriousness of the
    infringements in nature and gravity, the proportionality of the fines with regard to the nature, gravity
    and duration of the infringements, the intentional or negligent character of the infringements, the fact
    that the infringements related to personal data of children, the financial benefit gained from the
    public-by-default processing and the lack of previous relevant infringements of Meta IE³¹⁰. Based on
    these circumstances, the IE SA determined a range for each of the fines that it considered to be
    effective, proportionate and dissuasive in accordance with Article 83(1) GDPR³¹¹.

172.         The IE SA proposed in the Draft Decision to impose nine administrative fines within the total
    range of EUR 202 million to 405 million³¹².


         7.2.     Summary of the objections raised by the CSAs

173.         The DE SAs objected to the amount and calculation of the administrative fine which the LSA
    proposed to impose in the Draft Decision. In the view of the DE SAs, the LSA’s Draft Decision did not
    ensure a consistent application of administrative fines, and the envisaged amount of the fines were
    not effective, proportionate or dissuasive³¹³. The DE SAs argued that fines could only be effective,
    proportionate and dissuasive if the profitability of the undertaking was taken into account in their
    calculation. This was based on the argument that the undertaking’s sensitivity to administrative fines
    was significantly influenced by profitability, not only turnover. According to the DE SAs, the LSA did
    not explain in its Draft Decision how the element of profitability was taken into account in the
    calculation of the fine³¹⁴. The DE SAs also found that the envisaged amount of fines were too low to
    create special and general preventive effect and to be effective³¹⁵. According to the DE SAs, in view of
    the nature, gravity and duration of the infringement and the number of data subjects concerned, it
    was necessary to issue a fine that has noticeable impacts for the undertaking. Based on this, the DE
    SAs suggested that, in order to create a preventive effect and impose an effective fine, the amount of
    fine should generate an impact of approximately one percent of the annual profit of Meta IE³¹⁶.
    Furthermore, with regard to the Draft Decision, the DE SAs stated that: “the envisaged fine could not
    have a general preventive effect. Rather, it will likely have the opposite effect”³¹⁷.

    309 Draft Decision, paragraph 565.
    310 Draft Decision, paragraph 567.
    311 Draft Decision, paragraphs 570-572.
    312 Draft Decision, paragraphs 569 and 627(3). Specifically, on the basis of the LSA’s findings in the Draft Decision,
    the following fine amount ranges were envisaged in respect of the infringements:
         1) For the infringement of Art. 12(1) GDPR regarding the public-by-default processing (Finding 1), a fine of
             between EUR 55 million and 100 million;
         2) For the infringement of Art. 12(1) GDPR regarding the contact information processing (Finding 2), a fine
             of between EUR 46 million and 75 million;
         3) For the infringement of Art. 5(1)(a) GDPR regarding the contact information processing (Finding 4), a
             fine of between EUR 9 million and 28 million;
         4) For the infringement of Art. 35(1) GDPR regarding the contact information processing (Finding 5), a fine
             of between EUR 28 million and 45 million;
         5) Infringement of Art. 35(1) GDPR regarding the public-by-default processing (Finding 6), a fine of
             between EUR 28 million and 45 million;
         6) For the infringement of Art. 5(1)(c) and 25(2) GDPR regarding the contact information processing
             (Finding 7), a fine of between EUR 9 million and 28 million;
         7) For the infringement of Art. 25(1) GDPR regarding the contact information processing (Finding 8), a fine
             of between EUR 9 million and 28 million;
         8) For the infringement of Art. 5(1)(c) and 25(2) GDPR regarding the public-by-default processing (Finding
             10), a fine of between EUR 9 million and 28 million;
         9) For the infringement of Art. 25(1) GDPR regarding the public-by-default processing (Finding 11), a fine
             of between EUR 9 million and 28 million.
    313 DE SAs objection, p. 15.


174.        Additionally, the DE SAs was of the view that the LSA did not consider appropriately the
    financial benefit that Meta IE gained from the infringement. Based on publicly available data, the DE
    SAs proposed an estimation of the financial benefit gained by Meta IE from the public-by-default
    processing and argued that it should be further considered when calculating the fine³¹⁸.

175.        Regarding the calculation criteria in Article 83(2) GDPR, the DE SAs argued that the facts
    identified by the IE SA pointed towards intentional, not negligent behaviour and therefore disagreed
    with the IE SA’s assessment in the Draft Decision in this respect. According to the DE SAs, Meta IE
    wilfully decided on the content of its switching process and their Data Policy and wilfully used language
    that was excessively general and made it difficult for children to understand the consequences of their
    choice; moreover, Meta IE as a global data processing company had enough resources to be aware of
    the problem beforehand³¹⁹.

176.        As for aggravating factors, the DE SAs stated that the LSA should have considered the
    infringement of Article 24 GDPR as an aggravating factor in respect of the other infringements under
    Article 83(2)(k) GDPR. In the view of the DE SAs, although the infringement of Article 24 GDPR is not
    itself subject to an administrative fine under the GDPR, it must be reflected in the decisions of
    supervisory authorities, since the scope of Article 83(2)(k) GDPR, which is necessarily open-ended,
    should include all the reasoned considerations, including the infringement of Article 24(1) GDPR³²⁰.

177.        Furthermore, according to the DE SAs, the calculation criteria of Article 83(2) GDPR were
    wrongly weighted resulting in a fine which is too low. The DE SAs stated that, considering the
    circumstances of the particular case, including the nature and gravity of the infringements, as well as
    the sensitivity of the data subjects affected, a fine in the upper range of the possible level of 4% of the
    turnover would be expected. However, the envisaged fines in the Draft Decision, which amount to
    about 0.58% of the turnover, are significantly lower³²¹.

178.        In addition, the DE SAs stated that the IE SA should use the turnover figure of 2021 instead of
    that of 2020³²².

179.        Finally, the DE SAs elaborated on the risks posed by the Draft Decision to the fundamental
    rights and freedoms of the data subjects: as the Draft Decision did not promote a consistent
    application of administrative fines, this would result in a significant risk to the rights and fundamental
    freedoms of data subjects, since the undertaking and other controllers could orientate their abidance
    of data protection law on such a barely noticeable fine³²³; the summed up proposed fines for the
    infringements were not able to create a deterrent effect and thus would lead to a lesser protection of
    the fundamental rights and freedoms of the data subjects; and the effective enforcement of the GDPR,
    which is the precondition for the protection of the fundamental rights and freedoms of the data
    subjects, would not be ensured³²⁴.

    314 DE SAs objection, p. 16-17.
    315 DE SAs objection, p. 17-18.
    316 DE SAs objection, p. 17.
    317 DE SAs objection, p. 18.
    318 DE SAs objection, p. 18.
    319 DE SAs objection, p. 19-20.
    320 DE SAs objection, p. 20-21.
    321 DE SAs objection, p. 21.
    322 DE SAs objection, p. 21-22.

                                                       ***


180.        As already referred in section 5.2 of this Binding Decision, the NO SA in its objection asked the
    IE SA to change its exercise of corrective powers in order to impose an administrative fine for the
    additional infringement regarding the lack of legal basis for the contact information processing. The IT
    SA and FR SA also specifically requested an additional corrective measure in terms of an administrative
    fine for the additional infringement³²⁵.


        7.3.    Position of the LSA on the objections

181.        The IE SA confirmed that it does not propose to “follow” the objections that were raised by the
    CSAs and/or does not consider the objections to be relevant and reasoned³²⁶.

182.        The IE SA did not agree with the DE SAs’ view that Meta IE acted with knowledge and wilfulness
    taking into account the objective elements of conduct gathered from the facts of the inquiry, except
    in those parts of the Draft Decision where the IE SA found that Meta IE acted intentionally. In addition,
    the IE SA disagreed that Article 24 GDPR had to be taken into account as an aggravating factor pursuant
    to Article 83(2)(k) GDPR³²⁷.

183.        The IE SA further noted that the Draft Decision appropriately concluded that the infringement
    resulted in a financial benefit to Meta IE, which is an aggravating factor for the purpose of Article
    83(2)(k) GDPR. The IE SA also reiterated that the Draft Decision took into account the undertaking’s
    turnover in the context of Article 83 GDPR, in the manner described in paragraphs 624 and 625 of the
    Draft Decision³²⁸.

184.        In view of the IE SA, paragraph 569 of the Draft Decision presented a thorough, detailed and
    specific formulation of the amount of each of the nine fines which allows for the CSAs to properly
    consider whether the fines are effective, dissuasive and proportionate. According to the IE SA, the
    overall fining range reflected a number of smaller and larger proposed fines, which have been
    calculated pursuant to the EDPB’s interpretation of Article 83(3) GDPR in Binding Decision 1/2021³²⁹,
    and that, when each of the proposed fines is considered on an individual basis, the proposed fining
    ranges are sufficiently clear to determine whether they are effective, dissuasive and proportionate³³⁰.




    323 DE SAs objection, p. 18, 20, 22.
    324 DE SAs objection, p. 22.
    325 See section 5.2 of this Binding Decision, in particular paragraphs 41, 45 and 48. Only the NO SA objection in
    this respect is considered to be relevant and reasoned, see paragraph 76 of this Binding Decision.
    326 Letter of the IE SA to the EDPB Secretariat dated 12 May 2022.
    327 Composite Response, p. 4.
    328 Composite Response, p. 4.
    329 EDPB, Binding Decision 1/2021, adopted on 28 July 2021 (hereinafter, “Binding Decision 1/2021”).
    330 Composite Response, p. 3.




185.         Finally, with respect to the determination of the year of turnover, IE SA agreed with the DE SAs
    that the relevant year is the year immediately preceding the date of the final decision and confirmed
    that this will be accounted for in the final decision³³¹.


         7.4.    Analysis of the EDPB


         7.4.1. Assessment of whether the objections were relevant and reasoned

186.         In its objection on the proposed calculation of the fine, the DE SAs considered the fine
    proposed in the Draft Decision to be ineffective, disproportionate and non-dissuasive and outlined
    several arguments why they disagreed with the Draft Decision in this respect³³². The EDPB considers
    that the DE SAs’ objection related to the content of the Draft Decision³³³ and included sufficient
    reasoning³³⁴ as to why, if accepted, it would lead to a different conclusion. The EDPB notes that this
    objection concerned “whether the action envisaged in the Draft Decision complies with the GDPR”³³⁵.
    Therefore, the EDPB considers the objection to be “relevant”.

187.         In its objection, the DE SAs set out legal and factual arguments in relation to each element
    raised in the objection, in particular its reasoning on how the Draft Decision should assess the criteria
    of Articles 83(1) and (2) GDPR considering the facts of the specific case and how this would lead to a
    different conclusion in the Draft Decision³³⁶. The DE SAs provided detailed reasoning that a higher fine
    ought to be imposed, considering the profitability and the global turnover of the undertaking³³⁷.
    Furthermore, the DE SAs considered that without amendment the Draft Decision would set a
    dangerous precedent with regard to deterrence and clearly demonstrated its view on the significance
    of the risks posed by the Draft Decision³³⁸. Therefore, the EDPB considers the objection to be
    “reasoned”.

188.         The EDPB is not swayed by Meta IE’s submission that the objection at issue is neither relevant,
    nor reasoned. In this regard, Meta IE failed to explain why the threshold of Article 4(24) GDPR is not
    met in relation to this specific objection³³⁹. In addition, the EDPB recalls that the assessment of the
    merits³⁴⁰ of the objection is made separately, after it has been established that the objection satisfies
    the requirements of Article 4(24) GDPR³⁴¹.



    331 Composite Response, p. 5.
    332 DE SAs objection, p. 15-22.
    333 In particular, sections M and N of the Draft Decision (paragraphs 481-627).
    334 See section 7.2 of this Binding Decision, paragraphs 173-179.
    335 EDPB Guidelines on RRO, paragraph 32.
    336 DE SAs objection, p. 16-22.
    337 DE SAs objection, p. 16-17.
    338 DE SAs objection, p. 15-22, in particular p. 22. The DE SAs considered, inter alia, that the lack of a deterrent
    effect due to the low fine would entail a significant risk to the rights and freedoms of data subjects, since the
    controller and other companies would not be dissuaded to comply with data protection law.
    339 Meta IE Article 65 Submissions, paragraphs 8-10, 95-102 and Annex A, p. 43-45.
    340 Although Meta IE stated that this DE SAs objection does not meet the Art. 4(24) GDPR threshold (Meta IE
    Article 65 Submissions, Annex A, p. 43) and alleged that the DE SAs failed to demonstrate the significance of the
    risk (Meta IE Article 65 submissions, Annex A, p. 45, subparagraph ‘sixth’), no further reasoning in this respect
    was provided in Meta IE’s submissions. The EDPB notes that Meta IE’s reasoning in Meta IE Article 65 Submissions
    (paragraphs 8-10, 95-102 and Annex A, p. 43-45) relating to the DE SAs objection under sub-section “Objections
    in relation to the calculation of the administrative fines” mostly concerned the merits of the objection, i.e.
    whether the proposed fines were compliant with Art. 83(1) and (2) GDPR.
    341 EDPB Guidelines on Article 65(1)(a), paragraph 63.




189.        Considering the above, the EDPB finds that the DE SA objection, insofar it concerns the
    determination of the administrative fine, is a “relevant and reasoned” objection in accordance with
    Article 4(24) GDPR.

                                                       ***


190.        With regard to the NO SA objection on the imposition of an administrative fine in relation to
    the findings on Article 6(1)(b) and Article 6(1)(f) GDPR on the contact information processing, the EDPB
    recalls that it is “relevant and reasoned” in accordance with Article 4(24) GDPR³⁴². On the contrary, the
    relevant parts of the objections of the IT and FR SAs on the specific matter of an administrative fine
    for the additional infringement do not meet the threshold under Article 4(24) GDPR, as analysed by
    the EDPB in section 5.4.1 of this Binding Decision³⁴³.


        7.4.2. Assessment on the merits

191.        The EDPB recalls that the consistency mechanism may also be used to promote a consistent
    application of administrative fines³⁴⁴: where a relevant and reasoned objection challenges the
    elements relied upon by the LSA to calculate the amount of the fine, the EDPB can instruct the LSA to
    engage in a new calculation of the proposed fine by eliminating the shortcomings in the establishment
    of causal links between the facts at issue and the way the proposed fine was calculated on the basis
    of the criteria in Article 83 GDPR and of the common standards established by the EDPB³⁴⁵. A fine
    should be effective, proportionate and dissuasive, as required by Article 83(1) GDPR, taking account
    of the facts of the case³⁴⁶. In addition, when deciding on the amount of the fine, the LSA shall take into
    consideration the criteria listed in Article 83(2) GDPR.

    7.4.2.1. Preliminary matters: the relevant year for the turnover
192.        The DE SAs contested the turnover figure cited in the Draft Decision. Though the IE SA deemed
    the objection not relevant and/or not reasoned, in the Composite Response the IE SA agreed with the
    DE SAs on the determination of the year of the turnover when calculating the administrative fine³⁴⁷.

193.        On the notion of “preceding financial year”, the EDPB recalls the decision taken in its Binding
    Decision 1/2021³⁴⁸ and takes note of the IE SA’s intention³⁴⁹ to take the same approach in the current
    case.


194.        The EDPB agrees with the approach taken by the IE SA for the present case to include in the
    Draft Decision a provisional turnover figure based on the most up to date financial information

    available at the time of circulation to the CSAs pursuant to Article 60(3) GDPR. The EDPB recalls that
    when issuing its final decision in accordance with Article 65(6) GDPR, the IE SA shall take into account

    the undertaking’s annual turnover corresponding to the financial year preceding the date of its final
    decision, i.e. the turnover of Meta Platforms Inc. in 2021.




    342 Paragraph 74 of this Binding Decision.
    343 Paragraphs 62-63 and 70-71 of this Binding Decision.
    344 Recital 150 GDPR.
    345 EDPB Guidelines on RRO, paragraph 34.
    346 Article 29 Working Party, Guidelines on the application and setting of administrative fines for the purposes of
    the Regulation 2016/679, WP 253, adopted on 3 October 2017 and endorsed by the EDPB on 25 May 2018
    (hereinafter, “WP29 Guidelines on Administrative Fines”), p. 7.
    347 Composite Response, p. 5.
    348 Binding Decision 1/2021, paragraph 298.
    349 Also, as stated in the Draft Decision, paragraph 625.


    7.4.2.2. The application of the criteria under Article 83(2) GDPR

    a. The intentional or negligent character of the infringement (Article 83(2)(b) GDPR)
195.        Article 83(2) GDPR considers, among the factors to be taken into account when deciding the
    imposition and amount of an administrative fine, “the intentional or negligent character of the
    infringement”. In the same sense, Recital 148 GDPR states that “[i]n order to strengthen the
    enforcement of the rules of this Regulation, penalties including administrative fines should be imposed
    for any infringement of this Regulation [...]. Due regard should however be given to the nature, gravity
    and duration of the infringement, the intentional character of the infringement, actions taken to
    mitigate the damage suffered, degree of responsibility [...]” (emphasis added).

196.        The characterisation of the infringement as intentional or negligent may therefore have a
    direct impact on the amount of the fine proposed. The main elements to be taken into account in this
    regard were already established in the WP29 Guidelines on Administrative Fines, endorsed by the
    EDPB. The EDPB Guidelines on the calculation of administrative fines under the GDPR³⁵⁰ rely heavily
    on the WP29 Guidelines on Administrative Fines in this respect.

197.        As the EDPB recalls in its Guidelines on Administrative Fines, “intentional infringements,
    demonstrating contempt for the provisions of the law, are more severe than unintentional ones”³⁵¹ and
    therefore, the supervisory authority is likely to attribute weight to this circumstance. This is likely to
    warrant the application of a (higher) fine.


198.        As the IE SA noted in the Draft Decision, “the GDPR does not identify the factors that need to
    be present in order for an infringement to be classified as either ‘intentional’ or ‘negligent’”³⁵². The
    EDPB Guidelines on Administrative Fines, quoting the WP29 Guidelines on Administrative Fines, refer
    to the fact that “in general, ‘intent’ includes both knowledge and wilfulness in relation to the
    characteristics of an offence, whereas ‘unintentional’ means that there was no intention to cause the
    infringement although the controller/processor breached the duty of care which is required in the
    law”³⁵³. In other words, the EDPB Guidelines on Administrative Fines confirm that there are two
    cumulative elements on the basis of which an infringement can be considered intentional: the
    knowledge of the breach and the wilfulness in relation to such act. On the other hand, an infringement
    is “unintentional” when there was a breach of the duty of care, without having intentionally caused
    the infringement. The EDPB takes note of Meta IE’s position that it did not act intentionally with the
    aim to infringe the GDPR³⁵⁴.

199.        The characterisation of an infringement as intentional or negligent shall be done on the basis
    of objective elements of conduct gathered from the facts of the case³⁵⁵. The EDPB Guidelines on
    Administrative Fines refer to some examples of conduct that may demonstrate the existence of intent
    and negligence³⁵⁶. It is worth noting the broader approach adopted with respect to the concept of
    negligence, since it also encompasses situations in which the controller or processor has failed to adopt
    the required policies, which presumes a certain degree of knowledge about a potential
    infringement³⁵⁷.

    350 EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 1.0, adopted on
    12 May 2022 (hereinafter “EDPB Guidelines on Administrative Fines”).
    351 EDPB Guidelines on Administrative Fines, paragraph 57 and WP29 Guidelines on Administrative Fines, p. 12.
    352 Draft Decision, paragraph 527.
    353 EDPB Guidelines on Administrative Fines, paragraph 56 and WP29 Guidelines on Administrative Fines, p. 11
    (emphasis added).
    354 Meta IE Article 65 Submissions, paragraph 100 and Annex A, p. 44.
    355 EDPB Guidelines on Administrative Fines, paragraph 57 and WP29 Guidelines on Administrative Fines, p. 12.
    356 EDPB Guidelines on Administrative Fines, paragraph 56 (Example 4). See also WP29 Guidelines on
    Administrative Fines, p. 12.

200.        In this case, the IE SA considered that the infringements of Article 12(1) GDPR with regard to
    the contact information processing and with regard to the public-by-default processing were negligent
    as they fell “short of the standard required”³⁵⁸. Regarding the public-by-default processing, the IE SA
    took into consideration that at the relevant time, the information that the accounts were public by
    default and on how to switch to a private account was available in several sources and hyperlinked in
    the Data Policy. The IE SA considered that these objective elements suggested an intention to provide
    the information with clarity and transparency³⁵⁹. Considering this, the IE SA concluded that the
    infringement was not intentional, even though Meta IE should have been aware that the information
    provided was not clear and transparent enough. Consequently, the IE SA considered that Meta IE was
    negligent³⁶⁰. Likewise, with respect to the contact information processing, the IE SA considered that
    the language used did not suggest a deliberate attempt from Meta IE to avoid its transparency
    obligations³⁶¹. Considering this, the IE SA concluded that the infringement was not intentional, but it
    considered it negligent since Meta IE should have been aware that the way in which the information
    was provided did not meet the standards³⁶².

201.        It stems from the above that Meta IE had (or should have had) knowledge about the

    infringement of Article 12(1) GDPR. However, this mere element is not sufficient to consider an
    infringement intentional, as stated above, since the “aim” or “wilfulness” of the action should be

    demonstrated. In this respect, the IE SA has not found out that Meta IE wilfully disregarded its
    obligations.

202.        In this regard, the DE SAs argued that Meta IE had enough resources to identify the problem
    beforehand, and that it wilfully decided on the content of the switching process, using a language that
    was excessively general³⁶³. The DE SAs considered that Meta IE was in fact aware of the problem given
    that the information was provided in the Instagram Help Centre and other ancillary sources. Therefore,
    the DE SAs were of the view that Meta IE acted at least with “reckless disregard for the infringement”³⁶⁴.
    The DE SAs also argued that the level of care required must be determined taking into account the
    size, economic activities and data processing processes of the company³⁶⁵.


203.        The EDPB recalls that having knowledge of a specific matter does not necessarily imply
    having the “will” to reach a specific outcome. This is in fact the approach adopted in the EDPB and
    WP29 Guidelines on Administrative Fines, where the knowledge and the “wilfulness” are considered
    two distinctive elements of the intentionality³⁶⁶. While it may prove difficult to demonstrate a
    subjective element such as the “will” to act in a certain manner, there need to be some objective
    elements that indicate the existence of such intentionality³⁶⁷.

    357 The EDPB Guidelines on Administrative Fines, paragraph 56 (Example 4) quote the WP29 Guidelines on
    Administrative Fines, which mention, among the circumstances indicative of negligence, “failure to adopt policies
    (rather than simply failure to apply them)”. This provides an indication that non-compliance in situations in which
    the controller or processor should have been aware of the potential breach (in the example provided, due to the
    lack of the necessary policies) may amount to negligence.
    358 Draft Decision, paragraphs 531 and 533.
    359 Draft Decision, paragraph 531.
    360 Draft Decision, paragraph 532.
    361 Draft Decision, paragraph 533.
    362 Draft Decision, paragraphs 533 and 534.
    363 DE SAs objection, p. 19.
    364 DE SAs objection, p. 20.
    365 DE SAs objection, p. 20.
    366 EDPB Guidelines on Administrative Fines, paragraph 56, and WP29 Guidelines on Administrative Fines, p. 11.

204.        The EDPB recalls that the CJEU has established a high threshold in order to consider an act
    intentional. In fact, even in criminal proceedings the CJEU has acknowledged the existence of “serious
    negligence”, rather than “intentionality” when “the person responsible commits a patent breach of the
    duty of care which he should have and could have complied with in view of his attributes, knowledge,
    abilities and individual situation”³⁶⁸. In this regard, the EDPB confirms that a company for whom the
    processing of personal data is at the core of its business activities is expected to have sufficient
    measures in place for the safeguard of personal data³⁶⁹: this does not, however, per se change the
    nature of the infringement from negligent to intentional.

205.        It shall be underlined that, in the context of the assessment of Article 83(2)(c) GDPR, the IE SA
    noted that the provision of the information in the Instagram Help Centre and other ancillary sources,
    hyperlinked in the Data Policy, suggested that Meta IE did not intentionally intend to “deny child users
    of Instagram an understanding of the purposes of the processing”³⁷⁰, with regard to the public by
    default processing. Regarding the contact information processing, the IE SA considered that “older
    Instagram users may have understood the consequences of providing their contact information” and
    that the language used “does not suggest a deliberate attempt on the part of Meta IE to avoid its
    obligations”³⁷¹. The EDPB notes that, with respect to the contact information processing, the
    assessment carried out by the IE SA is general and could have been more nuanced and detailed.
    However, the EDPB agrees with the IE SA that the objective elements of the case would indicate the
    absence of wilfulness to act in breach of the law with regard to the infringements of Article 12(1) GDPR.
    Therefore, on the basis of the available information, the EDPB is not able to identify a will of Meta IE
    to act in breach of the law as it cannot be concluded that Meta IE intentionally acted to circumvent its
    legal obligations.

206.        Therefore, the EDPB considers that the arguments put forward by the DE SAs fail to provide

    objective elements that indicate the intentionality of the behaviour of Meta IE. Accordingly, the EDPB
    is of the view that the Draft Decision does not need to be changed with respect to the findings on the

    character of the infringements of Article 12(1) GDPR.

    b. Other aggravating factors - relevance of the infringement of Article 24(1) GDPR
207.        Article 83(2)(k) GDPR gives the supervisory authority room to take into account any other
    aggravating or mitigating factors applicable to the circumstances of the case, in order to ensure that
    the sanction applied is effective, proportionate and dissuasive in each individual case³⁷². The provision
    is open-ended and it entails that the socio-economic, legal and market contexts in which the controller
    or processor operates should be taken into account³⁷³.




    367 See EDPB Guidelines on Administrative Fines, paragraphs 56 and 57, and WP29 Guidelines on Administrative
    Fines, p. 12.
    368 The Queen, on the application of International Association of Independent Tanker Owners (Intertanko) and
    Others v Secretary of State for Transport (Case C-308/06, judgement delivered on 3 June 2008,
    ECLI:EU:C:2008:312), paragraph 77.
    369 EDPB Binding Decision 01/2020, adopted on 9 November 2020, paragraph 195.
    370 Draft Decision, paragraph 531.
    371 Draft Decision, paragraph 533.
    372 EDPB Guidelines on Administrative Fines, paragraph 107.
    373 EDPB Guidelines on Administrative Fines, paragraph 109.




208.        In this regard, the DE SAs considered that, even though the infringement of Article 24 GDPR is
    not subject to the possibility of imposing an administrative fine, because it is not listed in Article 83(4)-
    (6) GDPR, it should have been considered as an aggravating factor under Article 83(2)(k) GDPR, since
    it is part of the assessment of the legal context in which Meta IE operates³⁷⁴.

209.        The EDPB firstly notes the reference to other infringements in Article 83(2)(e) GDPR, which
    states that when considering whether to impose a fine and its amount, due regard should be given to
    “any relevant previous infringements by the controller or processor”. However, the provision deals with
    previous infringements, but does not make any reference to other current infringements as
    aggravating factors.

210.        In this respect, the IE SA disagreed with the DE SAs and considered that Article 83(2)(k) GDPR
    does not aim at being a “catch all provision” but at requiring the LSA “to account for any special loss
    or damage which arose due to the conduct (or omission) of the controller”³⁷⁵.

211.        The EDPB disagrees with the IE SA on the nature of Article 83(2)(k) GDPR and underlines that
    this open-ended provision aims at ensuring that the considerations regarding the context (be it the
    socio-economic, legal, or market context) in which the controller or processor operates are taken into
    account, so as to impose a fine that is effective, proportionate and dissuasive. At the same time, the
    EDPB agrees with the IE SA that the infringement of Article 24 GDPR cannot be considered an
    aggravating factor under Article 83(2)(k) GDPR. In this respect, the EDPB notes that it seems to be a
    conscious choice by the legislator not to subject infringements of that provision to administrative fines
    under the GDPR³⁷⁶. If such infringements were taken into account under Article 83(2)(k) GDPR,
    infringements of Article 24 GDPR would indirectly be subject to an administrative fine, despite the fact
    that the co-legislators did not provide for the possibility of sanctioning this infringement by means of
    an administrative fine.

212.        The EDPB also notes that, albeit not subject to an administrative fine, infringements of Article

    24 GDPR can be subject to other corrective powers of the SA as per Article 58(2) GDPR or to other
    penalties, as established in Article 84 GDPR.


213.        Finally, the EDPB emphasises that Article 24 GDPR is an expression of the accountability
    principle enshrined in Article 5(2) GDPR. In this respect, the accountability of the controller is taken
    into account by the supervisory authorities when deciding whether to impose an administrative fine
    and its amount, since Article 83(2) GDPR includes several provisions in that regard³⁷⁷.

    7.4.2.3. The effectiveness, proportionality and dissuasiveness of the administrative fine

    a. Weighing of the financial benefit obtained from the infringement
214.        As explicitly stated in Article 83(2)(k) GDPR, financial benefits gained directly or indirectly from
    the infringement can be considered an aggravating element for the calculation of the fine. The EDPB
    considers this provision “of fundamental importance for adjusting the amount of the fine to the specific
    case” and that “it should be interpreted as an instance of the principle of fairness and justice applied
    to the individual case”³⁷⁸.


    374 DE SAs objection, p. 20-21.
    375 Composite Response, section 2.f.iii.
    376 Earlier draft versions of the proposal for the GDPR had included Article 24 GDPR among the provisions subject
    to administrative fines, but this was eventually removed in the version of the GDPR agreed by the co-legislators.
    377 See, for example, Article 83(2)(d) and (j) GDPR.
    378 EDPB Guidelines on Administrative Fines, paragraph 108.



215.        The scope of Article 83(2)(k) GDPR should include all the reasoned considerations regarding
    the socio-economic, legal and market contexts in which the controller or processor operates³⁷⁹. When
    taking account of these considerations, the supervisory authorities must “assess all the facts of the
    case in a manner that is consistent and objectively justified”³⁸⁰. Therefore, financial benefits from the
    infringement could be an aggravating circumstance if the case provides information about profit
    obtained as a result of the infringement of the GDPR³⁸¹.

216.        The aim of Article 83(2)(k) is to ensure that the sanction applied is effective, proportionate and
    dissuasive in each individual case³⁸². With regard to the financial benefits obtained from the
    infringement, the EDPB considers that when there is a benefit, the sanction should aim at
    “counterbalancing the gains from the infringement” while keeping an effective, dissuasive and
    proportionate fine³⁸³.

217.        The financial benefit obtained by Meta IE was considered by the IE SA in the Draft Decision
    with regard to Finding 1 (i.e. the infringement of Article 12(1) GDPR for the public-by-default
    processing³⁸⁴). In particular, the IE SA considered that “the objective of switching new accounts to
    ‘public’ was clearly also intended to drive the creation of more public user-generated content for
    consumption, increasing engagement and creating favourable commercial conditions for the sale of
    targeted advertising by [Meta IE]”³⁸⁵ and, therefore, the IE SA concluded that Meta IE benefited from
    the infringement and considered this an aggravating factor³⁸⁶.

218.        In this respect, the DE SAs considered that the IE SA did not properly weigh this factor, since
    the fine proposed in the Draft Decision for the infringement of Article 12(1) GDPR was less than the
    DE SAs’ estimation of the financial benefit obtained with the infringement. The DE SAs engaged in a
    very detailed calculation to justify the estimation of the benefit, although they acknowledged that it
    was based on assumptions³⁸⁷.

219.        The relevance of the financial benefit gained with the infringement for the calculation of the
    fine amount has been addressed by the CJEU in competition law cases. In fact, the CJEU has stated
    that the benefits obtained from the infringement are among the factors that may be taken into
    account in order to determine the amount of the fine, but there is no obligation to ensure that the
    fine is directly proportional to the benefits achieved by that undertaking or “that it does not exceed
    those profits”³⁸⁸. Nonetheless, the CJEU has made clear that the amount of the fine must be
    proportionate to “the duration of the infringement and the other factors capable of affecting the
    assessment of the gravity of the infringement, including the profit that it was able to derive from those
    practices”³⁸⁹. In fact, the CJEU has clearly accepted that the amount of the fine can be increased on
    the basis of the financial benefit obtained with the infringement, in order to reinforce the deterrent
    effect of such fine³⁹⁰. It is an accepted practice in EU competition law to increase the amount of the
    fine in order to exceed the amount of the gain obtained as a result of the infringement, where it is
    possible to estimate that amount³⁹¹.

    379 EDPB Guidelines on Administrative Fines, paragraph 109.
    380 WP29 Guidelines on Administrative Fines, p. 6 (emphasis added), quoted in Binding Decision 1/2021,
    paragraph 403.
    381 EDPB Guidelines on Administrative Fines, paragraph 110.
    382 EDPB Guidelines on Administrative Fines, paragraph 107.
    383 EDPB Guidelines on Administrative Fines, examples 7c and 7d.
    384 Draft Decision, paragraph 563.
    385 Draft Decision, paragraph 563.
    386 Draft Decision, paragraph 564.
    387 DE SAs objection, p. 17-18.
    388 Donau Chemie AG v European Commission (Case T-406/09, judgement delivered on 14 May 2014,
    ECLI:EU:T:2014:254), paragraph 258.
    389 Ibidem, paragraph 257. See also KME Germany AG and others v European Commission (Case C-272/09 P,
    judgement delivered on 8 December 2011, ECLI:EU:C:2011:810), paragraph 96 and the case law quoted therein.

220.        Considering the need to have fines that are effective, proportionate and deterrent, and in light
    of common accepted practice in the field of EU competition law, which inspired the fining framework
    under the GDPR, the EDPB is of the view that, when calculating the administrative fine, the supervisory
    authority could take account of the financial benefits obtained from the infringement, in order to
    impose a fine that exceeds that amount.

221.        In the present case, the IE SA has explicitly considered the financial benefits obtained from the
    infringement as an aggravating factor. However, the IE SA has not provided any estimation of the
    amount gained by Meta IE with the specific infringement and the DE SAs’ calculation is still largely
    based on assumptions. Due to this, the EDPB does not have sufficiently precise information to evaluate
    the specific weight of the financial benefit obtained from the infringement.


222.        Therefore, the EDPB considers that it does not have objective elements to conclude whether
    the fine envisaged in relation to Finding 1 takes sufficient account of the financial benefit obtained
    from the infringement and, therefore, has a deterrent effect.


223.        Nonetheless, the EDPB acknowledges the need to prevent that the fines have little to no effect
    if they are disproportionally low compared to the benefits obtained with the infringement. The EDPB
    considers that the IE SA should have elaborated in more detail the weight given to this element in
    paragraphs 563, 564 and 567 of its Draft Decision. Therefore, the EDPB requests the IE SA to further
    elaborate its reasoning on this aspect and, if further estimation of the financial benefit from the
    infringement is possible in this case and results in the need to increase the amount of the fine
    proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.

    b. Weighing of other criteria under Article 83(2) GDPR and assessment of the fine in light of Article 83(1) GDPR
224.        In its objection, the DE SAs claimed that the elements of Article 83(2) GDPR were not weighed
    correctly by the LSA when calculating the administrative fines in the present case, in light of the
    requirements of Article 83(1) GDPR. The DE SAs argued that the mitigating circumstances were few,
    therefore a fine in the upper range of the possible level would be expected. Also, according to the DE
    SAs, the amount of the proposed fines did not reflect the nature and gravity of the infringements, in
    particular, when it comes to the seriousness of the infringements, in light of the number and sensitivity
    of the data subjects (children) affected³⁹². Furthermore, the DE SAs argued that the proposed fines
    were ineffective, disproportionate and non-dissuasive and they provided for neither special, nor
    general preventive effect, especially considering the total profit and the total turnover of the specific
    undertaking³⁹³.




    390 SA Musique Diffusion française and others v Commission of the European Communities (Joined Cases
    100-103/80, judgement delivered on 7 June 1983, ECLI:EU:C:1983:158) (hereinafter, “Joined Cases 100-103/80,
    Musique Diffusion”), paragraph 108.
    391 European Commission Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of
    Regulation No 1/2003, C210/02, 1.9.2006, paragraph 31.
    392 DE SAs objection, p. 21.
    393 DE SAs objection, p. 16-17.



225.        In this regard, the EDPB notes that the Draft Decision contained an assessment by the IE SA on
    the different elements in relation to each infringement³⁹⁴. The EDPB further notes that in the Draft
    Decision the IE SA explained why it considered the proposed fines to be effective, proportionate and
    dissuasive in relation to each infringement, taking into account all the circumstances of the IE SA’s
    inquiry³⁹⁵. Finally, the EDPB observes the differences in the level of ranges of the envisaged fines by
    the IE SA, where the higher ranges are envisaged for the infringements of Article 12(1) GDPR regarding
    both the public-by-default processing and the contact information processing, as well as for the
    infringements of Article 35(1) GDPR regarding both the public-by-default processing and the contact
    information processing compared to the envisaged fines for the remaining infringements³⁹⁶.

226.        The EDPB takes note of the position of Meta IE that the fines set out in the Draft Decision are
    excessive and disproportionate and therefore any objections aiming to increase the quantum of fines
    are not compatible with Article 83 GDPR³⁹⁷. According to Meta IE, any calls by the objections to further
    increase the proposed fines would need to be supported by compelling evidence of a serious and
    intentional infringement and consequential harm, however, no such evidence was ever provided by
    the LSA or the CSAs³⁹⁸. Furthermore, according to Meta IE, Article 83(2) GDPR does not identify annual
    profit as a factor to which the LSA should have regard in calculating the amount of the administrative
    fine and selecting one percent of annual profit would be arbitrary, punitive and undermining the
    discretion and independence of the LSA in making its fine assessment³⁹⁹. Also, it is the view of Meta IE
    that there is no basis in the GDPR for concluding that the amount of the fine must have a general
    preventive effect⁴⁰⁰.

227.        The EDPB reiterates that it is incumbent upon the supervisory authorities to verify whether the
    amount of the envisaged fines meets the requirements of effectiveness, proportionality and
    dissuasiveness, or whether further adjustments to the amount are necessary, considering the entirety
    of the fine imposed and all the circumstances of the case, including e.g. the accumulation of multiple
    infringements, increases and decreases for aggravating and mitigating circumstances and
    financial/socio-economic circumstances⁴⁰¹. Further, the EDPB recalls that the setting of a fine is not an
    arithmetically precise exercise⁴⁰², and supervisory authorities have a certain margin of discretion in
    this respect⁴⁰³.

228.        The EDPB recalls that, when determining whether a fine fulfils the requirements of Article 83(1)
    GDPR, due account must be given to the elements identified on the basis of Article 83(2) GDPR⁴⁰⁴. In
    the present case, the EDPB notes that in the Draft Decision the LSA considered all the infringements
    as serious in nature⁴⁰⁵, and that the gravity of infringements of Article 12(1) GDPR in respect of both
    the public-by-default processing and the contact information processing was highly serious, the gravity
    of the infringement of Article 5(1)(a) GDPR regarding the contact information processing was serious
    and that the gravity of the infringements of Articles 35(1), 24(1), 25(1), 5(1)(c) and 25(2) GDPR in
    respect of both the public-by-default processing and the contact information processing was
    serious⁴⁰⁶. Furthermore, the EDPB underlines that, as established by the IE SA, each infringement
    related to processing of personal data of a significant number of vulnerable individuals (children) and
    related to significant damage to those vulnerable individuals⁴⁰⁷. The EDPB also observes that each
    infringement carried either an intentional or negligent character⁴⁰⁸. In addition, the IE SA did not
    attribute significant weight to any mitigating factor⁴⁰⁹.

    394 Draft Decision, paragraph 567.
    395 Draft Decision, paragraphs 570-576.
    396 Draft Decision, paragraph 627(3).
    397 Meta IE Article 65 Submissions, paragraphs 95-97, as well as Annex A, p. 43-44.
    398 Meta IE Article 65 Submissions, paragraph 101.
    399 Meta IE Article 65 Submissions, Annex A, p. 43.
    400 Meta IE Article 65 Submissions, Annex A, p. 43-44.
    401 EDPB Guidelines on Administrative Fines, paragraph 132, and WP29 Guidelines on Administrative Fines, p. 6,
    specifying that “administrative fines should adequately respond to the nature, gravity and consequences of the
    breach, and supervisory authorities must assess all the facts of the case in a manner that is consistent and
    objectively justified”.
    402 See Altice Europe NV v Commission (Case T-425/18, judgment delivered on 22 September 2021,
    ECLI:EU:T:2021:607), paragraph 362; Romana Tabacchi v Commission (Case T‑11/06, judgment delivered on 5
    October 2011, ECLI:EU:T:2011:560), paragraph 266.
    403 See, inter alia, Caffaro Srl v Commission (Case T-192/06, judgment delivered on 16 June 2011,
    ECLI:EU:T:2011:278), paragraph 38. See also EDPB Guidelines on Administrative Fines, p. 2.
    404 Binding Decision 1/2021, paragraph 416.

229.        The EDPB reiterates that all these elements need to be given due regard when determining
    the proportionality of the fine. In other words, a fine must reflect the gravity of the infringement,
    taking into account all the elements that may lead to an increase (aggravating factors) or decrease of
    the amount (mitigating factors). The EDPB further assesses in the following paragraphs whether the
    envisaged fines in the Draft Decision meet the requirement of being effective, proportionate and
    dissuasive in accordance with Article 83(1) GDPR.

230.        In its objection, the DE SAs argued that the proposed fines, which were well below the
    envisaged maximum under Article 83 GDPR, would be insignificant to Meta IE, considering the global
    turnover of the undertaking, and they would be neither effective, nor sufficiently dissuasive [410].

231.        The EDPB takes note that in its objection, the DE SAs also requested the IE SA to additionally
    consider the annual profit of the undertaking at hand in its assessment under Article 83 GDPR [411].
    Regarding this specific issue, the EDPB recalls that, when it comes to the determination of
    administrative fines under Article 83 GDPR, this determination is to be based on the total worldwide
    annual turnover of the undertaking, which “gives an indication, albeit approximate and imperfect, of
    the size of the undertaking and of its economic power” [412]. Therefore, the EDPB does not find that in
    the case at hand the LSA should be requested to amend its Draft Decision to additionally consider the
    annual profit of the undertaking. At the same time, the EDPB reiterates that the imposition of an
    appropriate fine cannot be the result of a simple calculation based on the total turnover [413] and
    that as stated above all the circumstances of the specific case have to be considered in order to
    assess if the administrative fine is effective, proportionate and dissuasive as required by Article
    83(1) GDPR.

232.        With regard to effectiveness of the fines, the EDPB recalls that the objective pursued by the
    corrective measure chosen can be to re-establish compliance with the rules or to punish unlawful
    behaviour (or both) [414]. In addition, the EDPB notes that the CJEU has consistently held that a
    dissuasive penalty is one that has a genuine deterrent effect. In that respect, a distinction can be
    made between general deterrence (discouraging others from committing the same infringement in the
    future) and specific deterrence (discouraging the addressee of the fine from committing the same
    infringement again) [415]. Therefore, in order to ensure deterrence, the fine must be set at a level
    that discourages both the controller or processor concerned as well as other controllers or processors
    carrying out similar processing operations from repeating the same or a similar unlawful conduct, while
    not going beyond what is necessary to attain that objective [416]. In this respect, the EDPB disagrees
    with Meta IE’s views that there is no basis to conclude that the amount of the fine must have a general
    preventive effect [417].

    [405] Draft Decision, paragraphs 501-509, 567(1).
    [406] Draft Decision, paragraphs 510-517, 567(1)-(2).
    [407] Draft Decision, paragraphs 487-500, 567(2) and (4).
    [408] Draft Decision, paragraphs 527-544, 567(3).
    [409] Draft Decision, paragraph 567(6).
    [410] DE SAs objection, p. 17, including concrete calculations presented therein.
    [411] DE SAs objection, p. 16-17.
    [412] Joined Cases 100-103/80, Musique Diffusion, paragraph 121.
    [413] See, inter alia, Altice Europe NV v Commission (Case T-425/18, judgment delivered on 22 September
          2021, ECLI:EU:T:2021:607), paragraph 362; Romana Tabacchi v Commission (Case T‑11/06, judgment
          delivered on 5 October 2011, ECLI:EU:T:2011:560), paragraph 266.
    [414] WP29 Guidelines on Administrative Fines, p. 6.

233.        Moreover, the size of the undertaking concerned and its financial capacity [418] are elements
    that should be taken into account in the calculation of the amount of the fine in order to ensure its
    dissuasive nature [419]. Taking into consideration the size and global resources of the undertaking in
    question is justified by the impact sought on the undertaking concerned, in order to ensure that the
    fine has sufficient deterrent effect, given that the fine must not be negligible in the light,
    particularly, of its financial capacity [420]. The EDPB recalls that a fine to be imposed on an
    undertaking may need to be increased to take into account a particularly large turnover of the
    undertaking, so the fine is sufficiently dissuasive [421]. In this respect, the EDPB further notes that
    in order to ensure a sufficiently deterrent effect, the global turnover of the undertaking can be
    considered also in light of the undertaking’s ability to raise the necessary funds to pay its fine
    [422].

234.        The EDPB takes note of the IE SA’s determination on the administrative fines in the present
    case [423] and of the proposed amounts of the fines in the Draft Decision [424]. While, in this Binding
    Decision, the EDPB does not address as such the use of fine ranges in draft decisions, it notes that the
    proposed ranges in the Draft Decision in the case at hand are wide [425].

    [415] See, inter alia, Versalis Spa v European Commission (Case C-511/11 P, judgment delivered on 13
          June 2013, ECLI:EU:C:2013:386), paragraph 94.
    [416] MT v Landespolizeidirektion Steiermark (Case C‑231/20, judgment delivered 14 October 2021,
          ECLI:EU:C:2021:845), paragraph 45 (“the severity of the penalties imposed must […] be commensurate
          with the seriousness of the infringements for which they are imposed, in particular by ensuring a
          genuinely deterrent effect, while not going beyond what is necessary to attain that objective”).
    [417] Meta IE Article 65 Submissions, Annex A, p. 43.
    [418] Lafarge v European Commission (Case C-413/08 P, judgment delivered on 17 June 2010,
          ECLI:EU:C:2010:346) (hereinafter, “C-413/08 P Lafarge”), paragraph 104.
    [419] Binding Decision 1/2021, paragraphs 408-412.
    [420] YKK and Others v Commission (Case C‑408/12 P, judgment delivered on 4 September 2014,
          ECLI:EU:C:2014:2153), paragraph 85; C-413/08 P Lafarge, paragraph 104. In addition, the EDPB
          recalls that in some circumstances the imposition of a deterrence multiplier can be justified and
          that the exceptional financial capacity of an undertaking may be one such circumstance (see EDPB
          Guidelines on Administrative Fines, paragraph 144; and Showa Denko v Commission (C-289/04 P,
          judgement delivered on 29 June 2006, ECLI:EU:C:2006:431), paragraphs 29, 36-38).
    [421] The same approach is suggested in the European Commission Guidelines on the method of setting
          fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003, C210/02, 1.9.2006, paragraph 30.
    [422] C-413/08 P Lafarge, paragraph 105.
    [423] See section 7.1 of this Binding Decision.
    [424] Draft Decision, paragraphs 569 and 627.
    [425] Draft Decision, paragraph 627(3). Specifically, on the basis of the LSA’s findings in the Draft
          Decision, the following fine amount ranges were envisaged in respect of the infringements:
          1) For the infringement of Art. 12(1) GDPR regarding the public-by-default processing (Finding 1),
             a fine of between EUR 55 million and 100 million;
          2) For the infringement of Art. 12(1) GDPR regarding the contact information processing
             (Finding 2), a fine of between EUR 46 million and 75 million;
          3) For the infringement Art. 5(1)(a) GDPR regarding the contact information processing
             (Finding 4), a fine of between EUR 9 million and 28 million;
          4) For the infringement of Art. 35(1) GDPR regarding the contact information processing
             (Finding 5), a fine of between EUR 28 million and 45 million;
          5) Infringement of Art. 35(1) GDPR regarding the public-by-default processing (Finding 6), a fine
             of between EUR 28 million and 45 million;
          6) For the infringement of Art. 5(1)(c) and 25(2) GDPR regarding the contact information
             processing (Finding 7), a fine of between EUR 9 million and 28 million;
          7) For the infringement Art. 25(1) regarding the contact information processing (Finding 8), a
             fine of between EUR 9 million and 28 million;
          8) For the infringement Art. 5(1)(c) and 25(2) GDPR regarding the public-by-default processing
             (Finding 10), a fine of between EUR 9 million and 28 million;
          9) For the infringement of Art. 25(1) GDPR regarding the public-by-default processing
             (Finding 11), a fine of between EUR 9 million and 28 million.

235.        Taking into account the serious nature and gravity of the infringements, their duration, and
    that each of the infringements related specifically to children’s personal data, as well as the
    economic power and the global resources of the undertaking, the EDPB considers that in the present case
    each fine should fall within the higher segment of the envisaged fine amount ranges, in order to be
    sufficiently effective and dissuasive in accordance with Article 83(1) GDPR.

236.        The EDPB therefore asks the IE SA to ensure that the final amount of the administrative fines
    in the IE SA’s final decision meets the requirements of Article 83(1) GDPR.

    7.4.2.4. Administrative fine for the additional infringement of Article 6(1) GDPR

237.        The EDPB recalls its conclusion in this Binding Decision on the additional infringement of
    Article 6(1) GDPR regarding the contact information processing [426]. The EDPB also recalls that the
    NO SA requested the IE SA to impose an administrative fine for this additional infringement [427].

238.        The EDPB takes note of Meta IE’s views that, even if an infringement is found, no additional
    fine is warranted given the significance of other administrative fines already imposed for the same
    processing. Moreover, Meta IE claimed that any additional fine would disregard Meta IE’s cooperation
    and mitigation efforts and would further make the totality of the administrative fine disproportionate
    and punitive [428].

239.        The EDPB however agrees with the reasoning of the NO SA in its objection [429]. The EDPB
    reiterates that lawfulness of processing is one of the fundamental pillars of the data protection law
    and considers that processing of personal data without a legal basis is a clear violation of the data
    subjects’ fundamental right to data protection [430]. Taking into account the nature and gravity of the
    infringement in accordance with Article 83(2) GDPR, the EDPB considers that an administrative fine
    should be imposed for this infringement. In this respect, the EDPB recalls that the infringement at
    issue relates to the processing of personal data of a significant number [431] of children and that the
    level of damage affecting them [432] has to be considered. Further, the EDPB notes that the identified
    infringement lasted at least from 25 May 2018 until the commencement of the IE SA’s inquiry in the
    present case on 21 September 2020 [433]. Finally, the EDPB takes note of the position of the IE SA in
    the Draft Decision that administrative fines in respect of each of the other infringements envisaged in
    the Draft Decision, relating to the contact information processing, are appropriate, necessary and
    proportionate in view of ensuring compliance with the GDPR [434].

    [426] Section 5.4.2.3 of this Binding Decision.
    [427] Paragraphs 48 and 180 of this Binding Decision. The EDPB found that in this respect the NO SA
          objection is relevant and reasoned, see paragraph 74 of this Binding Decision.
    [428] Meta IE Article 65 Submissions, paragraph 98 and Annex A, p. 48.
    [429] NO SA objection, p. 8.
    [430] Article 8(2), EU Charter of Fundamental Rights.
    [431] Draft Decision, paragraph 489.
    [432] Draft Decision, paragraphs 499-500.

240.        Therefore, the EDPB instructs the IE SA to consider the identified infringement of Article 6(1)
    GDPR in its determination on the administrative fines, by imposing a fine for the additional
    infringement, which is effective, proportionate and dissuasive in accordance with Article 83(1) and (2)
    GDPR.


        8 BINDING DECISION


241.        In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR
    to issue binding decisions pursuant to Article 65 GDPR, the EDPB issues the following binding decision
    in accordance with Article 65(1)(a) GDPR:

242.        On the objections concerning legal basis for the contact information processing:

    1. The EDPB decides that the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA regarding
        Meta IE’s reliance on Article 6(1)(b) GDPR and alternatively Article 6(1)(f) GDPR, meet the
        requirements of Article 4(24) GDPR.

    2. The EDPB finds that the objection of the NO SA regarding the imposition of an administrative fine
        for the proposed additional infringement, meets the requirements of Article 4(24) GDPR. On the
        contrary, the EDPB decides that the relevant parts of the objections of the FR SA and IT SA on the
        specific matter relating to an administrative fine for the additional infringement do not meet the
        threshold of Article 4(24) GDPR.

    3. The EDPB instructs the IE SA to find in its final decision that there has been an infringement of
        Article 6(1) GDPR, on the basis of the conclusion reached by the EDPB in this Binding Decision.

    4. The EDPB instructs the IE SA to consider the additional infringement of Article 6(1) GDPR in the
        compliance order, to the extent that the processing is ongoing, in order to ensure that full effect
        is given to Meta IE’s obligations under Article 6(1) GDPR.

243.        On the objections relating to the possible further (or alternative) infringements of the GDPR
    identified by the CSAs:

    5. With regard to the objection by the DE SAs concerning the possible additional infringements of
        Article 6(1)(a), Article 7 and Article 8(1) GDPR in relation to the contact information processing,
        the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR and,
        therefore, the IE SA is not required to amend its Draft Decision in this regard.

    6. With regard to the objection by the DE SAs concerning the possible additional infringements of
        Article 5(1)(a) and Article 5(1)(c) GDPR in relation to the contact information processing, the EDPB
        decides this objection does not meet the requirements of Article 4(24) GDPR and, therefore, the
        IE SA is not required to amend its Draft Decision in this regard.

    7. With regard to the objection by the NO SA concerning the legal basis for the public-by-default
        processing, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR
        and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

    [433] Draft Decision, paragraph 39.
    [434] Draft Decision, paragraph 565.

244.        On the objections concerning the administrative fine:

    8. The EDPB decides that the DE SAs objection regarding the calculation of the administrative fine
        meets the requirement of Article 4(24) GDPR.

    9. In relation to consideration of the infringement of Article 24 GDPR under Article 83(2)(k) GDPR as
        proposed in the DE SAs objection, the EDPB does not find that the infringement of Article 24 GDPR
        can be considered an aggravating factor under Article 83(2)(k) GDPR and, therefore, the IE SA is
        not required to amend its Draft Decision in this regard.

    10. In relation to intentionality under Article 83(2)(b) GDPR, the EDPB considers that the arguments
        put forward by the DE SAs in their objection fail to provide objective elements that indicate the
        intentionality of the behaviour of Meta IE. Accordingly, the IE SA is not required to amend its
        Draft Decision with respect to the findings on the character of the infringements of Article 12(1)
        GDPR.

    11. Regarding the relevance of profit of the undertaking as argued in the DE SA objection, the EDPB
        finds that in the present case the IE SA does not have to amend its Draft Decision to additionally
        consider the annual profit of the undertaking pursuant to Article 83 GDPR.

    12. The EDPB instructs the IE SA to re-assess its envisaged corrective measure in terms of the
        administrative fine in accordance with Article 83(1) and (2) GDPR, namely:

            12.1. to further elaborate its reasoning concerning the weight given to the financial benefit
                  obtained by Meta IE from the infringement referred to in Finding 1 of the Draft Decision
                  and, if further estimation of the financial benefit from the infringement is possible in
                  this case and results in the need to increase the amount of the fine proposed, the EDPB
                  requests the IE SA to increase the amount of the fine proposed.

            12.2. to ensure that the final amounts of the administrative fines are effective, proportionate
                  and dissuasive.

            12.3. to consider the identified infringement of Article 6(1) GDPR in the IE SA’s determination
                  on the administrative fines and impose an administrative fine for the additional
                  infringement, which is effective, proportionate and dissuasive.


         9 FINAL REMARKS


245. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision
     on the basis of this Binding Decision pursuant to Article 65(6) GDPR.

246. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the
     EDPB does not take any position on the merit of any substantial issues raised by these objections. The
     EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be
     called upon to make in other cases, including with the same parties, taking into account the contents
     of the relevant draft decision and the objections raised by the CSAs.

247. According to Article 65(6) GDPR, the IE SA shall communicate its final decision to the Chair of the
     EDPB within one month after receiving this Binding Decision.

248. Once such communication is done by the IE SA, this Binding Decision will be made public pursuant to
     Article 65(5) GDPR.

249. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be
     included in the register of decisions which have been subject to the consistency mechanism.



     For the European Data Protection Board

     The Chair



     (Andrea Jelinek)