EDPB - Binding Decision 3/2022 - 'Meta (Facebook)'

From GDPRhub
EDPB - Meta Platforms Ireland Limited (Facebook) - Decision 3/2022
Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 56 GDPR
Article 58 GDPR
Article 60 GDPR
Article 65 GDPR
Article 77 GDPR
Article 79 GDPR
Article 83 GDPR
Type: Other
Outcome: n/a
Started: 25.07.2022
Decided: 05.12.2022
Published: 11.01.2023
Fine: n/a
Parties: Austrian Facebook user (represented by noyb - European Centre for Digital Rights)
Meta Platforms Ireland Limited (Facebook)
National Case Number/Name: Meta Platforms Ireland Limited (Facebook) - Decision 3/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: noyb website (in EN)
Initial Contributor: LR

Following a referral under the Article 60 GDPR procedure, the EDPB issued a binding decision finding Meta IE’s processing of personal data for behavioural advertising to be unlawful.

English Summary

Facts

In order to access Facebook, an online social network and media platform operated in the EU by “Meta IE”, a prospective user had to create a Facebook account and was required to accept a series of terms and conditions (the “Terms of Service”) and a privacy policy.

In accordance with the GDPR, Facebook was obliged to have a lawful basis for the processing of any personal data they undertook. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to the purposes of any data processing and the legal basis for such processing. To continue to access the Facebook platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Facebook account.

An Austrian Facebook user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Facebook platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Austrian DPA (DSB), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.

Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.

Secondly, the use of the Facebook service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the data controller seeks to rely is invalid.

Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.

Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.

The Austrian DPA (DSB) referred the case to the Irish DPA (DPC) under Article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.

Following the circulation of the DPC’s Preliminary Draft Decision, Meta IE responded to the complainant’s assertions. Meta IE submitted, among other points, that it “…did not request or require the data subject’s consent to processing described in the Data Policy, nor did it seek the data subject’s consent to the processing described in, or otherwise performed for the purposes of, the Terms of Service, and as a consequence that the data subject did not in fact consent in this manner” (Facebook Submissions on Preliminary Draft Decision, paragraph 1.7(B). See also paragraph 3.1).

On 6 October 2021, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, FI, FR, IT, NL, NO, PL, PT, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 25 July 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.

Holding

Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. The EDPB identified six issues in the case at hand, addressing each one in turn before issuing the Binding Decision.

Please note: When describing Issues 1-3, it is necessary to explain the proposals in the Irish DPA’s Draft Decision, in order to provide the context for the EDPB decision.


Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis/Unlawful Data Processing

This issue concerns whether Meta IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”.

In its Draft Decision, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “the core functions of the contract must be assessed in order to determine what processing is objectively necessary”. However, the DPC added that “necessity is to be determined by reference to the particular contract” (4.31) and “it is not for an authority such as the [DPC], tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible” (4.48). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “the nature of the services provided and agreed upon by the parties” (4.53). The DPC observed that “it seems that the core of the Facebook model… is an advertising model” (4.42) and “proposed to conclude that Facebook may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data” (4.53).

Nine DPAs objected to this proposed conclusion from the DPC, and the matter was referred to the EDPB.

In its binding decision, the EDPB sought to emphasise "the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Facebook service" (96). With regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:

"The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model” (105).

"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR... Otherwise, the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not" (109).

"...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (116).

Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Facebook. Firstly, "Meta IE promotes... the perception that the main purpose of the Facebook service serves and for which it processes its users' data is to enable them to communicate with others" (117). The EDPB also takes into account Article 21(2) and (3) GDPR, "the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes." Because this right exists, "the processing cannot be necessary to perform a contract [as the] subject has the possibility to opt out from it at any time, and without providing any reason" (122). The EDPB continues, outlining the inherent risk of a finding in the DPC Decision that Meta IE can process personal data on the basis of Article 6(1)(b):

“...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of Article 6(1)(b) GDPR, pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject" (130). "As a result, owing to the number of users, market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the complainant and the millions of users of Facebook service in the EEA and affect the protection of hundreds of millions of people covered the GDPR" (131).

In light of all of the above, the EDPB directed the following:

"behavioural advertising performed by Meta in the context of the Facebook service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Facebook service and is not an essential or core element of it" (132). "Meta has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data in the context of the Facebook terms of service and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Facebook Terms of Service for the purpose of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (133).

Accordingly, the EDPB instructed the DPC to “alter Finding 2 of its Draft Decision, which concludes that Meta IE may rely on Article 6(1)(b) GDPR in the context of its offering of the Facebook Terms of Service, and to include an infringement of Article 6(1) GDPR” (Para 133).


Issue 2 – On whether the LSA’s (DPA's) Draft Decision Includes Sufficient Analysis and Evidence to Conclude that Meta IE is not Obliged to rely on Consent to Process the Complainant’s Personal Data

In its Draft Decision, the DPC sought to consider whether clicking the “consent” button constitutes or should be considered consent for the purposes of the GDPR. According to the DPC, this question consists of two parts: firstly, whether Facebook sought to rely on consent as a legal basis at all and, secondly, whether the controller must rely on consent for the purposes of the GDPR.

On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “as a matter of fact, Facebook did not rely, or purport to rely, on the Complainant’s consent as a legal basis for the processing of personal data” (3.13).

Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasised that “there is no hierarchy of lawful bases that can be used for processing personal data” (3.17) and that no provision of the GDPR requires that the processing of personal data “must necessarily be based on consent” (3.18).

However, five DPAs raised objections to this proposed finding by the DPC. In its binding decision, the EDPB stated:

"The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake" (104). “[The DPC] cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve” (197).

As a result, the EDPB instructed the DPC to remove its proposed finding regarding consent as a basis for lawful processing. The EDPB also decided that the DPC shall carry out a new investigation into Meta IE’s processing operations in its Facebook service to determine if it processes special categories of personal data (Article 9 GDPR), and complies with the relevant obligations under the GDPR (Para 198).


Issue 3 – On the Potential Infringement of the Principle of Fairness

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. The DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Facebook was not afforded the opportunity to be heard in response to a particularised area of wrongdoing” (5.78). The matter was referred to the EDPB, who determined as follows:

"...the principle of fairness has an independent meaning and... an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too" (220).

"...the concept of fairness stems from the EU Charter of Fundamental Rights" (221).

“Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject… [it] underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (221, 222).

"The combination of factors, such as the asymmetry of the information created by Meta IE with regard to Facebook service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages Facebook service users, limits their control over the processing of their personal data and undermines the exercise of their rights” (231).

Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (232).


Issue 4 – On the Potential Additional Infringement of the Principles of Purpose Limitation and Data Minimisation

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision, on account of Meta IE’s failure to comply with the purpose limitation and data minimisation principles.

The Italian DPA argued that the DPC should not have confined its assessment to only the purpose of personalised advertising (while Facebook’s services would actually be composed of several processing activities pursuing several purposes). Accordingly, the fact Meta inappropriately based its multifarious processing activities only on Article 6(1)(b) GDPR entails an infringement of the purpose limitation and data minimisation principles (Para 236). Furthermore, “the failure to specify and communicate the purposes of the processing to the data subject creates a risk of artificially expanding the types of processing or the categories or personal data considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would nullify the safeguards afforded to data subjects under data protection law” (237). In response, the DPC stated that it did not consider the Italian DPA’s objection to be relevant or reasoned.

In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it related to specific parts of the DPC’s Draft Decision and the DPC could have made a finding of an infringement of the principles of purpose limitation and data minimisation. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “substantial and plausible” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy Article 4(24) GDPR.


Issue 5 – On Corrective Measures other than Administrative Fines

In its Draft Decision, the DPC proposed the imposition of an order to bring processing in compliance with Articles 5(1)(a), 12(1) and 13(1) GDPR within three months of the date of notification of any final decision. This concerned the DPC’s finding that Meta had breached its transparency obligations under the GDPR, a conclusion which was not objected to by any DPAs and thus was not referred to the EDPB.

However, under the Article 60 GDPR process, a range of objections were made to the proposed order to bring Meta’s processing activities into compliance. These objections proposed: the imposition of corrective measures other than administrative fines (see “Issue 6” below and EDPB decision paras 253, 254); a temporary ban on processing (251); measures to remedy the infringement of Article 6(1)(b) GDPR (Para 252); and to delete any unlawfully processed data (255).

The EDPB considered the objections raised in accordance with Article 4(24) GDPR, assessing whether they are “relevant” and “reasoned”. The EDPB also considered the need for any corrective measures applied by a supervisory authority to be “appropriate, necessary and proportionate in view of ensuring compliance with the regulation” (Article 58(2) GDPR) (Para 278).

Having considered the objections, the EDPB instructed the DPC to include in its final decision an order for Meta IE to bring its data processing for behavioural advertising into compliance with Article 6(1) GDPR within 3 months (288). In addition, the EDPB notes that the order should be modified to reflect the EDPB’s finding that Meta IE is not entitled to rely on Article 6(1)(b) GDPR for this data processing (289). Furthermore, the EDPB instructed the DPC to amend its order regarding transparency obligations to include data processed for the purpose of behavioural advertising, and not just data processed pursuant to Article 6(1)(b) (Para 290).


Issue 6 – On the Determination of the Administrative Fine

The EDPB considered the DPC’s assessment of the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine for the infringement of its transparency obligations under the GDPR (Paras 292 – 310). The EDPB also noted the objections raised by five DPAs, requesting a “significantly higher administrative fine with reference to the established infringements” (311). The EDPB found these objections to be relevant and reasoned in accordance with Article 4(24) GDPR and, after conducting its own assessment of the factors under Article 83(2) GDPR, found that the proposed fine “is not effective, proportionate and dissuasive, in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of doing business” (Para 391).

Therefore, the EDPB instructed the DPC to “set out a significantly higher fine amount for the transparency infringements identified, in comparison with the upper limit for the administrative fine envisaged in the Draft Decision” (394).

Furthermore, following a range of further objections by DPAs to the administrative fine proposed by the DPC, the EDPB instructed the DPC to impose an administrative fine for the additional infringement of Article 6(1) GDPR, and to take into account the additional infringement of the principle of fairness in Article 5(1)(a) GDPR in its adoption of corrective measures.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.



Adopted 112
legitimate interests explicitly states that “the fact that some data processing is covered by a contract
does not automatically mean that the processing is necessary for its performance. For example,
Article 7(b) is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices
based on his click-stream on a website and the items purchased. This is because the data controller
has not been contracted to carry out profiling, but rather to deliver particular goods and services, for
example. Even if these processing activities are specifically mentioned in the small print of the contract,
this fact alone does not make them ‘necessary’ for the performance of the contract”892.
453. It stems from the above that Meta IE had (or should have had) knowledge about the infringement of
Article 6(1)(b) GDPR. However, this mere element is not sufficient to consider an infringement
intentional, as stated above, since the “aim” or “wilfulness” of the action should be demonstrated.
454. The EDPB recalls that having knowledge of a specific matter does not necessarily imply having the
“will” to reach a specific outcome. This is in fact the approach adopted in the EDPB Guidelines on
calculation of fines and WP29 Guidelines on Administrative Fines, where the knowledge and the
“wilfulness” are considered two distinctive elements of the intentionality893. While it may prove
difficult to demonstrate a subjective element such as the “will” to act in a certain manner, there need
to be some objective elements that indicate the existence of such intentionality894.
455. The EDPB recalls that the CJEU has established a high threshold in order to consider an act intentional.
In fact, even in criminal proceedings the CJEU has acknowledged the existence of “serious negligence”,
rather than ‘intentionality’ when “the person responsible commits a patent breach of the duty of care
which he should have and could have complied with in view of his attributes, knowledge, abilities and
individual situation”895. In this regard, the EDPB confirms that a company for whom the processing of
personal data is at the core of its business activities is expected to have sufficient measures in place
for the safeguard of personal data896: this does not, however, per se change the nature of the
infringement from negligent to intentional.
456. In this regard, the SE SA puts forward that Meta IE based its processing of personalised advertisement
on consent until the GDPR came into force on 25 May 2018, and at this time switched to relying on
Article 6(1)(b) GDPR for the processing in question instead. The timing and the logistics for this switch
suggests this act was done with the intention of circumventing the new rights of users under
Article 6(1)(a) GDPR. The SE SA adds that “[the] proposed finding of infringement concerning
information deficits about the processing, namely on what legal basis it is based, further supports this
conclusion, since it goes to show that Facebook was aware of the questionable legality of that basis
and tried to conceal the infringement to avoid scrutiny by supervisory authorities and data subjects”897.
457. The EDPB considers the timing of the changes made by Meta IE to its Facebook Terms of Service as an
objective element; however, this alone does not indicate intention. Around this time period, many
controllers updated their data protection policies. The objection suggests that the conclusion on
intentionality is corroborated by the shortcomings to the transparency obligations: in the EDPB’s view,
the combination of the timing of the change of legal basis with the lack of transparency is not sufficient
to indicate intention either.
892 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 16-17.
893 EDPB Guidelines on calculation of fines, paragraph 56, and EDPB Guidelines on Administrative Fines, p. 11.
894 See EDPB Guidelines on calculation of fines, paragraphs 56 and 57, and EDPB Guidelines on Administrative
Fines, p. 12.
895 Judgement of the Court of Justice of 3 June 2008, The Queen, on the application of International Association
of Independent Tanker Owners (Intertanko) and Others v Secretary of State for Transport, C-308/06,
ECLI:EU:C:2008:312), paragraph 77.
896 Binding Decision 01/2020, adopted on 9 November 2020, paragraph 195.
897 SE SA Objection, p. 4.
458. Therefore, on the basis of the available information, the EDPB is not able to identify a will of Meta IE
to act in breach of the law, as it cannot be concluded that Meta IE intentionally acted to circumvent
its legal obligations.
459. Therefore, the EDPB considers that the arguments put forward by the SE SAs do not meet the
threshold to demonstrate the intentionality of the behaviour of Meta IE. Accordingly, the EDPB is of
the view that the Draft Decision does not need to include this element.
460. At the same time, the EDPB notes that, even establishing that the infringement was committed
negligently, a company for whom the processing of personal data is at the core of its business activities
should have in place sufficient procedures for ensuring compliance with the GDPR898.
461. The EDPB does not accept Meta IE’s claim of “good faith”, but is of the view that Meta IE was certainly
seriously negligent in not taking adequate action, within a reasonable time period, following the
adoption of Guidelines 2/2019 on 9 April 2019. Even before that date, the EDPB considers there was
at the very least negligence on Meta IE’s part considering the contents of WP29 Opinion 02/2010 on
online behavioural advertising and WP29 Opinion 06/2014 on the notion of legitimate interests (see
paragraphs 452 - 453 above), which mean Meta IE had (or should have had) knowledge about the
infringement of Article 6(1)(b) GDPR, the fact that processing of personal data is at the core of its
business practices, and the resources available to Meta IE to adapt its practices so as to comply with
data protection legislation.
The degree of responsibility of the controller taking into account technical and organisational
measures implemented pursuant to Articles 25 and 32 (Article 83(2)(d) GDPR)
462. The EDPB considers the degree of responsibility of Meta IE’s part to be of a high level, on the same
grounds as set in the Draft Decision with regard to the transparency infringements899.
The manner in which the infringement became known (Article 83(2)(h) GDPR)
463. The DE SAs identify an aggravating factor in the fact that the “infringement became known by a
complaint of a data subject, not by chance or report by the controller itself”900.
464. The EDPB considers that, as a rule, the circumstance that the infringement became known to the LSA
by way of a complaint should be considered neutral901. The DE SAs do not put forward reasons that
would justify a departure from the rule in the present case.
465. Therefore, the EDPB is of the view that the Draft Decision does not need to include this element as an
aggravating or mitigating factor.
898 See Binding Decision 01/2020, paragraph 195.
899 Draft Decision, paragraphs 9.32 - 9.33.
900 DE SAs Objection, p. 19.
901 EDPB Guidelines on calculation of fines, paragraph 99. The EDPB Guidelines on Administrative Fines (p. 15)
do not identify this element as being, as a rule, an aggravating element.
The financial benefit obtained from the infringement (Article 83(2)(k) GDPR)
466. The DE SAs and SE SA argue Meta IE gained financial benefits from their decision to rely on contract
as legal basis for behavioural advertising, rather than obtaining consent from the users of Facebook902.
The DE SAs engaged in a detailed calculation to justify their estimation of the benefit, although
acknowledging it was based on assumptions903. While not providing an estimate of its size, the SE SA
considers the existence of financial benefit sufficiently proven on the basis of “the self-evident fact
that Facebook has made significant financial gain from being able to provide personal advertisement
as part of a whole take it or leave it offer for its social media platform service, as opposed to
establishing a separate legal basis for it. By also being unclear in the information to data subjects, it is
a reasonable assumption that more data subjects have been misled into being subject to the
processing, thus increasing the financial benefits gained by Facebook pursuant to personal
advertisement”904.
467. The EDPB recalls that financial benefits from the infringement could be an aggravating circumstance
if the case provides information about profit obtained as a result of the infringement of the GDPR905.
468. In the present case, the EDPB considers that it does not have sufficiently precise information to
evaluate the specific weight of the financial benefit obtained from the infringement.
469. Nonetheless, the EDPB acknowledges the need to prevent that the fines have little to no effect if they
are disproportionally low compared to the benefits obtained with the infringement. The EDPB
considers that the IE SA should ascertain if an estimation of the financial benefit from the infringement
is possible in this case. Insofar as this results in the need to increase the amount of the fine proposed,
the EDPB requests the IE SA to increase the amount of the fine proposed.
The profitability of the undertaking - other factor (Article 83(2)(k) GDPR)
470. For the reasons stated above (paragraphs 378 - 381), the EDPB is of the view that the Draft Decision
does not need to include this element as aggravating or mitigating factor as put forward by the DE
SAs906.
Competitive advantage - other factor (Article 83(2)(k) GDPR)
471. The NO SA identifies an aggravating factor in that “that the unlawful processing of personal data in all
likelihood has contributed to the development of algorithms which may be harmful on an individual
or societal level, and which may have considerable commercial value to FIL. The algorithms may have
contributed to giving FIL a competitive advantage vis-à-vis its competitors”907.
472. On principle, the EDPB agrees that a competitive advantage could be an aggravating factor if the case
provides objective information that this was obtained as a result of the infringement of the GDPR908.
In the present case, the EDPB considers that it does not have sufficiently precise information to
evaluate the existence of a competitive advantage resulting from the infringement. The EDPB
considers that the IE SA should ascertain if an estimation of the competitive advantage derived from
the infringement is possible in this case. Insofar as this results in the need to increase the amount of
the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.
902 DE SAs Objection, p. 19 in conjunction with p. 2-10; SE SA Objection, p. 4.
903 DE SAs Objection, p. 19.
904 SE SA Objection, p. 4.
905 EDPB Guidelines on calculation of fines, paragraph 110. See also paragraphs 370 - 377.
906 DE SAs Objection, p. 19.
907 NO SA Objection, p. 9.
908 EDPB Guidelines on calculation of fines, paragraph 109. See also paragraphs 367-369.
***
473. Taking into account the nature and gravity of the infringement as well as other aspects in accordance
with Article 83(2) GDPR, the EDPB considers that the IE SA must exercise its power to impose an
additional administrative fine. Also, covering this additional infringement with a fine would be in line
with the IE SA’s (proposed) decision to impose administrative fines in this case for the transparency
infringements relating to processing carried out in reliance on Article 6(1)(b) GDPR909. The EDPB
underlines that, in order to be effective, proportionate and dissuasive, a fine should reflect the
circumstances of the case. Such circumstances not only refer to the specific elements of the
infringement, but also those of the controller or processor who committed the infringement, namely
its financial position.
9.2.4.2.2 Assessment of whether an administrative fine should be imposed for the infringement of
the fairness principle under Article 5(1)(a) GDPR
474. The EDPB recalls its conclusion in this Binding Decision on the infringement by Meta IE of the fairness
principle under Article 5(1)(a) GDPR910 and that the objection raised by the IT SA, which was found to
be relevant and reasoned, requested the IE SA to exercise its power to impose an administrative
fine911.
475. The EDPB takes note of Meta IE’s view that the IT SA objection is not relevant and reasoned912 and
also notes that Meta IE does not provide further arguments on the content of the IT SA objection in
this regard913.
476. The EDPB recalls that the decision to impose an administrative fine needs to be taken on a case-by-
case basis in light of the circumstances and is not an automatic one914. In the same vein, the EDPB’s
assessment of Meta IE’s compliance with the principle of fairness is carried out by taking into account
the specificities of the case, of the particular social networking service at hand and of the processing
of personal data carried out, namely for the purpose of online behavioural advertising915.
477. As previously established, the principle of fairness under Article 5(1)(a) GDPR, although intrinsically
linked to the principles of lawfulness and transparency under the same provision, has an independent
meaning916. It underpins the whole data protection framework and plays a key role for securing a
balance of power in the controller-data subject relationship917.
478. Considering the EDPB’s findings in Section 6 that Meta IE has not complied with key requirements of
the principle of fairness as defined by the EDPB, namely allowing for autonomy of the data subjects as
to the processing of their personal data, fulfilling data subjects’ reasonable expectation, ensuring
power balance, avoiding deception and ensuring ethical and truthful processing918, as well as the
overall effect of the infringement by Meta IE of the transparency obligations and of Article 6(1) GDPR,
the EDPB reiterates its view that Meta IE has infringed the principle of fairness under
Article 5(1)(a) GDPR and agrees with the IT SA that this infringement should be adequately taken into
account by the IE SA in the calculation of the amount of the administrative fine to be imposed
following the conclusion of this inquiry.
909 Draft Decision, paragraphs 9.45 - 9.51.
910 Section 6.4.2 of this Binding Decision.
911 Paragraph 214 of this Binding Decision.
912 See paragraphs 207 - 208 above.
913 See paragraphs 212 - 213 above.
914 See paragraph 441 above.
915 See paragraph 225 above.
916 See paragraph 220 above.
917 See paragraph 223 above.
918 See paragraphs 222-230 above.
479. Therefore, the EDPB instructs the IE SA to take into account the infringement by Meta IE of the fairness
principle enshrined in Article 5(1)(a) GDPR as established above when re-assessing the administrative
fines for the transparency infringements and the determination of the fine for the lack of legal basis.
If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an
appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any
case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensuring it
is effective, proportionate and dissuasive in line with Article 83(1) GDPR.
10 BINDING DECISION
480. In light of the above, and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue
binding decisions pursuant to Article 65 GDPR, the EDPB issues the following Binding Decision in
accordance with Article 65(1)(a) GDPR.
481. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in
accordance with Article 65(2) GDPR.
On the objections concerning whether the LSA should have found an infringement for lack of
appropriate legal basis/unlawful data processing
482. The EDPB decides that the objections of the AT, DE, FR, IT, NL, NO, PL, PT and SE SAs regarding Meta
IE’s reliance on Article 6(1)(b) GDPR in the context of its offering of the Facebook Terms of Service
meet the requirements of Article 4(24) GDPR.
483. On the parts of the DE SAs objection requesting the finding of an infringement of Article 5(1)(a) GDPR,
and the parts of the DE, IT and NO SAs objections requesting specific corrective measures under
Article 58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the imposition of an
administrative fine, a ban of the processing of personal data for the purpose of behavioural
advertising, an order to delete personal data processed under Article 6(1)(b) GDPR, and an order to
identify a valid legal basis for future behavioural advertising or to abstain from such processing
activities, the EDPB decides that these parts of their objections do not meet the threshold of
Article 4(24) GDPR.
484. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision, which concludes that Meta IE
may rely on Article 6(1)(b) GDPR in the context of its offering of the Facebook Terms of Service, and
to include an infringement of Article 6(1) GDPR, on the basis of the conclusion reached by the EDPB in
this Binding Decision.
On the objections concerning whether the LSA’s Draft Decision includes sufficient analysis and evidence
to conclude that Meta IE is not obliged to rely on consent to process the Complainant’s personal data
485. The EDPB decides that the objections of the AT, DE, FR, NL, and PT SAs regarding the LSA’s Finding 1
that Meta IE is not legally obliged to rely on consent to process personal data to deliver the Facebook
Terms of Service meet the requirements of Article 4(24) GDPR.
486. On the part of the NL SA objection asking the IE SA to include in its Draft Decision the elements
concerning the need to rely on consent for the placing of tracking technology on end users devices
under ePrivacy legislation, the EDPB decides that this part falls outside the scope of the EDPB’s
mandate.
487. The EDPB instructs the IE SA to remove from its Draft Decision its conclusion on Finding 1. The EDPB
decides that the IE SA shall carry out a new investigation into Meta IE’s processing operations in its
Facebook service to determine if it processes special categories of personal data (Article 9 GDPR), and
complies with the relevant obligations under the GDPR, to the extent that this new investigation
complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding
Decision, and based on the results of this investigation, issue a new draft decision in accordance with
Article 60(3) GDPR.
On the objection concerning the potential additional infringement of the principle of fairness
488. The EDPB decides that the objection of the IT SA regarding the infringement by Meta IE of the principle
of fairness under Article 5(1)(a) GDPR, meets the requirements of Article 4(24) GDPR.
489. The EDPB instructs the IE SA to find in its final decision an additional infringement of the principle of
fairness under Article 5(1)(a) GDPR by Meta IE.
On the objection concerning the potential additional infringement of the principles of purpose
limitation and data minimisation
490. On the objection by the IT SA concerning the possible additional infringements of the principles of
purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, the EDPB decides this
objection does not meet the requirements of Article 4(24) GDPR.
On the objections concerning corrective measures other than administrative fines
491. The EDPB decides that the objections of the AT and NL SAs requesting additional and/or alternative
specific corrective measures to be imposed meet the requirements of Article 4(24) GDPR.
492. On the objection by the PL SA concerning the order to bring processing into compliance with the GDPR,
the EDPB decides that this objection does not meet the requirements of Article 4(24) GDPR.
493. The EDPB instructs the IE SA to include in its final decision an order for Meta IE to bring its processing
of personal data for behavioural advertising purposes in the context of the Facebook service into
compliance with Article 6(1) GDPR within three months.
494. The EDPB also instructs the LSA to adjust its order to Meta IE to bring its Facebook Data Policy and
Terms of Service into compliance with Articles 5(1)(a), 12(1) and 13(1)(c) GDPR within three months,
to refer not only to information provided on data processed pursuant to Article 6(1)(b) GDPR, but also
to data processed for the purposes of behavioural advertising in the context of Facebook service (to
reflect the finding of the EDPB that for this processing the controller cannot rely on
Article 6(1)(b) GDPR).
On the objections concerning the determination of the administrative fine for the transparency
infringements
495. The EDPB decides that the objections of the DE, FR, NL, NO and PL SAs regarding the determination of
the administrative fine for the transparency infringements, meet the requirements of
Article 4(24) GDPR.
496. Regarding the turnover of the undertaking, the EDPB instructs the IE SA to take into consideration the
total turnover of all the entities composing the single undertaking (i.e. consolidated turnover of the
group headed by Meta Platforms, Inc.) for the financial year preceding the date of the final decision.
497. On the number of data subjects affected (Article 83(2)(a) GDPR), the EDPB finds that the IE SA is not
required to amend its Draft Decision in this regard.
498. Concerning any action taken by the controller to mitigate the damage suffered by data subjects
(Article 83(2)(c) GDPR), the EDPB finds the IE SA does not provide sufficient justification for the
mitigating factor identified, and instructs the IE SA to modify its Draft Decision on this matter by
considering this criterion as neither aggravating nor mitigating.
499. Regarding the financial benefit gained from the infringements (Article 83(2)(k) GDPR), the EDPB
instructs the IE SA to ascertain if further estimation of the financial benefit from the infringement of
transparency obligations is possible in this case. Insofar as further estimation of the financial benefit
from the infringement is possible in this case and results in the need to increase the amount of the
fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.
500. Concerning the relevance of the profit of the undertaking (Article 83(2)(k) GDPR), the EDPB finds that
in the present case the IE SA does not have to amend its Draft Decision to additionally consider the
annual profit of the undertaking pursuant to Article 83 GDPR.
501. The EDPB instructs the IE SA to modify its Draft Decision to elaborate on the manner in which the
turnover of the undertaking concerned has been taken into account for the calculation of the fine, as
appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with
Article 83(1) GDPR.
502. The EDPB considers that the proposed fine does not adequately reflect the seriousness and severity
of the infringements nor has a dissuasive effect on Meta IE. Therefore, the fine does not fulfil the
requirement of being effective, proportionate and dissuasive in accordance with Article 83(1) and
(2) GDPR. In light of this, the EDPB directs the IE SA to set out a significantly higher fine amount for
the transparency infringements identified, in comparison with the upper limit for the administrative
fine envisaged in the Draft Decision. In doing so, the IE SA must remain in line with the criteria of
effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR in its overall
reassessment of the amount of the administrative fine.
On the objections concerning the imposition of an administrative fine for the lack of legal basis
503. The EDPB decides that the objections of the AT, DE, FR, NO, and SE SAs regarding the imposition of an
administrative fine for the infringement of Article 6(1) or Article 6(1)(b) GDPR meet the requirements
of Article 4(24) GDPR.
504. The EDPB decides that the relevant parts of the objections of the IT and PL SAs specifically relating to
an administrative fine for the lack of legal basis do not meet the threshold of Article 4(24) GDPR.
505. In relation to intentionality under Article 83(2)(b) GDPR, the EDPB considers that the arguments put
forward by the SE SA in their objection do not contain sufficient objective elements to demonstrate
the intentionality of the behaviour of Meta IE.
506. Concerning the manner in which the infringement became known (Article 83(2)(h) GDPR), the EDPB
decides the IE SA has no cause to amend the Draft Decision.
507. Regarding the possible financial benefit obtained from the infringement as well as the competitive
advantage (Article 83(2)(k) GDPR), the EDPB instructs the IE SA to ascertain if an estimation of the
financial benefit from the infringement is possible in this case. Insofar as further estimation of the
financial benefit from the infringement is possible in this case and results in the need to increase the
amount of the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.
508. Concerning the relevance of profit of the undertaking (Article 83(2)(k) GDPR), the EDPB finds that in
the present case the IE SA does not have to amend its Draft Decision to additionally consider the
annual profit of the undertaking pursuant to Article 83 GDPR.
509. The EDPB instructs the IE SA to cover the additional infringement of Article 6(1) GDPR with an
administrative fine that is effective, proportionate and dissuasive in accordance with
Article 83(1) GDPR. In determining the fine amount, the IE SA must give due regard to all the applicable
factors listed in Article 83(2) GDPR, in particular the nature and gravity of the infringement, the
number of data subjects affected and the seriously negligent character of the infringement.
On the objection concerning the imposition of an administrative fine for the infringement of the
fairness principle under Article 5(1)(a) GDPR
510. The EDPB decides that the objection of the IT SA regarding the imposition of an administrative fine for
the infringement of Article 5(1)(a) GDPR meets the requirements of Article 4(24) GDPR.
511. The EDPB instructs the IE SA to factor the additional infringement of the principle of fairness enshrined
in Article 5(1)(a) GDPR into its adoption of appropriate corrective measures. In this respect, the IE SA
is instructed to take due account of this infringement when re-assessing the administrative fines for
the transparency infringements and the determination of the fine for the lack of legal basis. If,
however, the IE SA considers an additional fine for the breach of the principle of fairness is an
appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any
case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensuring it
is effective, proportionate and dissuasive in line with Article 83(1) GDPR.
On the objection concerning the imposition of an administrative fine for the infringement of
Article 5(1)(b) and (c) GDPR
512. The EDPB decides that it does not need to examine the objection of the IT SA regarding the imposition
of an administrative fine for the infringement of Article 5(1)(b) and (c) GDPR.
11 FINAL REMARKS
513. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on
the basis of this Binding Decision pursuant to Article 65(6) GDPR.
514. Regarding the objections deemed not to meet the requirements stipulated by Article 4(24) GDPR, the
EDPB does not take any position on the merit of any substantial issues raised therein. The EDPB
reiterates that its current decision is without any prejudice to any assessments the EDPB may be called
upon to make in other cases, including with the same parties, taking into account the contents of the
relevant draft decision and the objections raised by the CSAs.
515. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding
Decision without undue delay and at the latest by one month after the Board has notified its Binding
Decision.
516. The IE SA shall inform the Board of the date when its final decision is notified to the controller or the
processor919. This Binding Decision will be made public pursuant to Article 65(5) GDPR without delay
after the IE SA has notified its final decision to the controller920.
919 Article 65(6) GDPR.
920 Article 65(5) and (6) GDPR.
517. The IE SA will communicate its final decision to the Board921. Pursuant to Article 70(1)(y) GDPR, the IE
SA’s final decision communicated to the EDPB will be included in the register of decisions that have
been subject to the consistency mechanism.
For the European Data Protection Board
The Chair
(Andrea Jelinek)