Data Protection Commission fines Meta €395.5 million over GDPR infringements in Terms of Use

In 2022, the Irish Data Protection Commission (“DPC”) became the supervisory authority in Europe with the highest aggregate value of GDPR fines issued to date. The DPC began 2023 in a similar fashion by announcing its intention to impose a total of €395.5 million worth of fines on Meta, the parent company of Facebook, Instagram and WhatsApp. All three decisions serve as a reminder of the ongoing importance for data controllers of ensuring compliance with the principle of transparency, and provide an insight into the continuing lack of agreement over the interpretation of the GDPR amongst supervisory authorities across the EU.

Background

The DPC began its investigations in 2018 after receiving several complaints against Facebook, Instagram and WhatsApp. Each platform had made similar updates to its “Terms of Use” in light of the introduction of the GDPR. Upon login, account holders were presented with a number of screens informing them of the new terms and were required to “accept” the new changes in order to continue using the relevant services. Although a button was presented that suggested “other options”, this consisted only of a recommendation that a person delete their account should they not wish to be bound by the new conditions.  

Prior to these updates, Meta had relied on the consent of its users as its basis for processing personal data in the context of providing its services. When updating its policies to comply with the GDPR, Meta had a choice of six legal bases to legitimise the various purposes for which it processes personal data under Article 6, including consent. Meta opted to rely on Article 6(1)(b) of the GDPR, with the new “Terms of Use” asserting that most processing was necessary for the performance of a contract.

Complaints

The complainants first took issue with the use of an “accept” button, arguing that it constituted an act of consent under the GDPR and Meta sought to obtain it in “deceptive” fashion through its updated agreement with users. The European Data Protection Board (“EDPB”), however, instructed the DPC to exclude this issue from the scope of its decision on the basis that a fresh investigation was required into the processing operations of Meta, and in particular, the processing of special category data (e.g. relating to race, ethnicity, political opinions and religious beliefs). 

Secondly, the complainants alleged that users were misled into believing that certain data processing operations conducted by Meta (for example, the form of personalised advertising provided by both Facebook / Instagram and the security provided on WhatsApp) were a contractual obligation. In their view, the personalisation of posts and communication services provided by the platforms was “core” to the contract with the platform, but delivering personalised behavioural advertising and service improvement was not. They felt that Meta was relying on “forced consent” to process personal data and display personalised ads, as users were not provided with a “genuine choice to decline the updated terms without suffering detriment”. The detriment, from their perspective, was losing out on the ability to communicate with the millions of other users on Meta’s platforms. Reference was made to Recital 42 GDPR, which states that “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”. They argued therefore that Meta should not be permitted to rely on Article 6(1)(b), because providing ads and service improvement is not strictly necessary to perform the contract for the supply of social media and communication services.

This naturally linked to an additional complaint that Meta failed to provide the necessary information as to the legal bases in respect of each processing operation, a requirement under the GDPR that was clarified by the DPC in its previous decision against WhatsApp in 2021 (see our briefing here). The complainants alleged that it was unclear which legal basis applied to each processing operation, as Article 5 of the GDPR requires data subjects to be informed as to “what data is processed, for which exact purpose and on which legal basis”.

Reliance on Article 6(1)(b) GDPR

The main point of disagreement (which resulted in a binding determination by the EDPB under Article 65 of the GDPR) between the Irish DPC, other European concerned supervisory authorities (“CSAs”) and the EDPB related to Meta’s reliance on the existence of a contract as a basis for processing personal data in its Terms of Use. Article 6(1)(b) provides a legal basis for processing data insofar as it is necessary for the performance of a contract to which the data subject is party.

The DPC believed that behavioural advertising is “central to the bargain between users and their chosen service provider”. It pointed towards language used in the terms of service, which focused on providing “a personalized experience”. The DPC considered that it was widely understood by the public that Facebook and Instagram were services funded by personalised advertising. In the case of WhatsApp, the DPC believed that the app’s service offering clearly included maintaining sufficient security and abuse standards.

The EDPB disagreed with this analysis. In particular, it observed that Facebook states on its homepage that its aim is to “connect [you] with friends and the world around you” and omits any reference to personalised ads. Similarly, Instagram presents its mission as “to bring you closer to the people and things you love”. It instructed the DPC to change its decisions in this regard, as it believed that a controller does not have “absolute discretion to choose the legal basis that suits better its commercial interests” and may only rely on “one of the legal basis… if it is appropriate for the processing at stake”.

The EDPB relied heavily on the concept of necessity found throughout the GDPR, noting that as the processing of personal data engages fundamental rights, such data processing must be necessary for the objective and purposes pursued. Conversely, if there are realistic, less intrusive methods of achieving the objective, then the processing in question is not necessary and therefore unlawful. The EDPB contended that Article 6(1)(b) does not cover “processing that is useful, but not objectively necessary for performing a contract”, even if it is necessary for the controller’s other business purposes (such as personalised advertising). The EDPB referred to “contextual advertising” as being one such realistic, less intrusive alternative in this instance – this form of advertising would rely on the geography and language of users, instead of profiling and tracking.

The EDPB found that the GDPR bestows on supervisory authorities a limited competence to assess a contract’s validity as it relates to data protection. Otherwise, the EDPB felt that the DPC and other CSAs would be unable to monitor and enforce the GDPR properly when assessing the validity of data processing under Article 6(1)(b). For example, it noted that Facebook’s Terms of Service did not provide for a contractual obligation on Meta to offer personalised advertising, nor did it provide penalties if Meta failed to do so. This, in the EDPB’s opinion, showed that behavioural advertising processing was not “necessary” to perform the contract.

The EDPB disagreed with the DPC’s assertion that a Facebook or Instagram user would be able to opt out of a particular processing operation that is part of the contract. In their view, data subjects can either (1) contract away their right to freely determine the processing of their personal data for the “obscure and intrusive purpose of behavioural advertising which they can neither expect, nor fully understand, based on insufficient information Meta IE provides to them”, or (2) decline the terms of service and be excluded from a service that has few realistic alternatives. 

Ultimately, the EDPB was concerned that a precedent here could encourage other businesses to use the contractual performance legal basis for all of their processing of personal data, “at the expense of the safeguards of data subjects”.

Transparency

Even though the EDPB, DPC and other CSAs disagreed in relation to whether Meta was permitted to rely on Article 6(1)(b) in its data processing operations, there was no dispute as to whether Meta was lacking in its transparency requirements. In fact, the DPC felt that the basis of the complaints relating to “forced consent” was proof that the Terms of Use of both platforms lacked the required clarity under GDPR.

Meta submitted that its data policies were drafted in such a way as to make them easy to read for users, and that the GDPR “allows considerable discretion for the controller as to the mode of compliance”. However, the DPC concluded that only minimal information was being provided to the reader when processing operations were prefaced by “such as” and “things like”. It criticised the fact that information was disjointed and provided over several documents which cross-refer to each other in a circular manner (rather than a single composite text or a clearly layered path).

The DPC reiterated that a link must be drawn between (1) the categories of personal data, (2) the purposes of processing and (3) the legal basis relied on to ensure that the data subject has “meaningful information”, as established previously in the WhatsApp decision. It was not satisfied that sufficient detail had been provided, as Meta had provided generalised language and did not link any core data uses with specific processing operations. In the absence of this, the user is “left to guess as to what processing is carried out on what data, on foot of the specified lawful bases, in order to fulfil these objectives”.

Comment

Five years on from the adoption of GDPR, these decisions clearly illustrate that the DPC, EDPB and other European data supervisory authorities continue to differ in their interpretation and application of the GDPR. It remains to be seen whether the courts will uphold the interpretation put forward by the EDPB in the inevitable challenges to these decisions.

Meta’s Terms of Use and data protection compliance are likely to be subject to future scrutiny and discussion. In addition, and as noted above, the DPC was prevented from coming to a conclusion on whether the legal consent of users was obtained in a “deceptive” fashion. The EDPB (and other CSAs across Europe) held that the DPC had not sufficiently investigated and analysed the processing of special categories of personal data by Meta, and that this was required for a determination on the issues to be reached. In its press release, the DPC stated that it believes that the EDPB is not permitted to instruct an authority to “engage in an open-ended and speculative investigation” and that this is “not consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR”. The DPC will now seek to set aside the EDPB’s direction in the Court of Justice of the EU.

Also contributed to by Ruth Hughes 

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.