Without cost real time breaking news alerts sent straight to your inbox join to our breaking news emails
Enroll to our free breaking news emails
Ireland’s data watchdog has fined Facebook’s parent company Meta Ireland 390 million euro as a row erupted over whether further investigation of the usage of people’s data is warranted.
Meta Ireland was fined 210 million euro for breaches of EU data privacy rules regarding Facebook, and 180 million euro for breaches on Instagram.
Meta said it was “disillusioned” by the choice and intends to appeal against “each the substance of the rulings and the fines”.
Ireland’s Data Protection Commission (DPC) can also be to hunt a court order to side-step a “problematic” direction from the European Data Protection Board to research Facebook and Instagram’s data processing operations further, which it said may very well be an “overreach”.
This comes after a disagreement between the Irish watchdog and the EU data authority on the extent of fines against Meta Ireland over a scarcity of transparency over how users’ data could be processed, and whether a contract was entered into between users and the corporate to permit their data for use for personalised ads.
Two complainants had argued that Meta Ireland was “forcing” them to consent to their personal data getting used for behavioural promoting and other services by making the usage of its social medias conditional on accepting its terms of service.
The complainants argued this was in breach of General Data Protection Regulation (GDPR).
Meta Ireland argued that on accepting the updated terms of service, a contract was entered into between it and the user, and that processing users’ data for its Facebook and Instagram services was mandatory for the performance of that contract.
The complainants maintained that contrary to Meta Ireland’s position, Meta Ireland was in actual fact still seeking to depend on consent to supply a lawful basis for its processing of users’ data.
The DPC’s draft decisions found that Meta Ireland was in breach of GDPR in that users’ personal data should be processed “lawfully, fairly and in a transparent manner”, and said users had “insufficient clarity as to what processing operations were being carried out on their personal data”.
However it also found the “forced consent” aspect of the complaints “couldn’t be sustained”, and GDPR “didn’t preclude” Meta Ireland’s reliance on the “contract” legal basis.
The draft decisions were submitted to its peer regulators within the EU, also often called Concerned Supervisory Authorities (CSAs).
On the query of whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions, but said the fines proposed by the DPC needs to be increased.
Ten of the 47 CSAs said Meta Ireland shouldn’t be permitted to depend on the contract as a legal basis as personalised promoting weren’t mandatory to perform the core elements of a far more limited type of contract.
“The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed look like premised on, the availability of a personalised service that features personalised or behavioural promoting,” the DPC said.
The DPC’s decisions naturally don’t include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions
Data Protection Commission
“In effect, these are personalised services that also feature personalised promoting.
“Within the view of the DPC, this reality is central to the cut price struck between users and their chosen service provider, and forms a part of the contract concluded at the purpose at which users accept the terms of service.”
The matter was referred to the EDPB, which ruled on December 31 that Meta Ireland was not entitled to depend on the contract as providing a lawful basis to process personal data for behavioural promoting.
“Accordingly, the DPC’s decisions include findings that Meta Ireland just isn’t entitled to depend on the ‘contract’ legal basis in reference to the delivery of behavioural promoting as a part of its Facebook and Instagram services, and that its processing of users’ data up to now, in purported reliance on the ‘contract’ legal basis, amounts to a violation of Article 6 of the GDPR,” the DPC said.
Meta Ireland has been directed to bring its data processing operations into compliance inside three months.
A Meta spokesperson said in a press release that it “strongly” believes its approach “respects GDPR” and it intends to appeal against the choice.
“These decisions don’t prevent targeted or personalised promoting on our platform,” it said. “The choices relate only to which legal basis Meta uses when offering certain promoting. Advertisers can proceed to make use of our platforms to achieve potential customers, grow their business and create recent markets.
“There was a scarcity of regulatory clarity on this issue, and the controversy amongst regulators and policymakers around which legal basis is most appropriate in a given situation has been ongoing for a while.
“That’s why we strongly disagree with the DPC’s final decision, and imagine we fully comply with GDPR by counting on contractual necessity for behavioural ads given the character of our services. In consequence, we are going to appeal the substance of the choice.”
The Data Protection Commission also said that it intends to take legal motion to annul an EDPB direction to look at data processing at Instagram and Facebook further.
It said: “Individually, the EDPB has also presupposed to direct the DPC to conduct a fresh investigation that may span all of Facebook and Instagram’s data processing operations and would examine special categories of private data that will or might not be processed within the context of those operations.
“The DPC’s decisions naturally don’t include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions.
“The EDPB doesn’t have a general supervision role akin to national courts in respect of national independent authorities and it just isn’t open to the EDPB to instruct and direct an authority to interact in open-ended and speculative investigation.
“The direction is then problematic in jurisdictional terms, and doesn’t appear consistent with the structure of the co-operation and consistency arrangements laid down by the GDPR.
“To the extent that the direction may involve an overreach on the a part of the EDPB, the DPC considers it appropriate that it might bring an motion for annulment before the Court of Justice of the EU with a purpose to seek the setting aside of the EDPB’s directions.”