395.5 million reasons why Data Protection is Important

By Peter Kouwenberg

Partner – Head of Commercial

01 February 2023

Article Insights

Meta, the parent company of popular social media websites Facebook and Instagram and the widely used messaging app, WhatsApp has, again, been on the receiving end of significant privacy fines from the European Data Protection Board (EDPB) and the Irish Data Protection Commissioner (DPC). The fines, which total €395.5 million (€210 million for Facebook, €180 million for Instagram and €5.5 million for WhatsApp) are a result of complaints lodged by Max Schrems and relate to the legal basis on which Facebook and Instagram rely to serve behavioural advertisements to their users.

The Complaints:

Max Schrems, the now well-known privacy activist and chairman of noyb (an abbreviation of none of your business) brought complaints against Facebook, Instagram and WhatsApp on behalf of users based in Austria, Belgium and Germany on the day the General Data Protection Regulation (GDPR) came into force, 25^th May 2018. The subject of the Facebook and Instagram complaints were that Meta had, following a change to their terms and conditions on the aforementioned date, tried to rely on Article 6(1)(b) of the GDPR to process data of its users for the purpose of providing behavioural ads.

Article 6(1) of the GDPR sets out the six legal bases on which data can be lawfully processed with Article 6(1)(a) allowing processing where the data subject has provided their consent for the data to be processed and 6(1)(b), known as “contractual necessity”, confirming that processing can be carried out where the processing in question “…is necessary for the performance of a contract  to which the data subject is party…”.  Instead of obtaining user consent under Article 6(1)(a), Meta included a clause in the terms and conditions of service stipulating that behavioural advertising would be used, rendering users who disagreed unable to use the service.

Whilst WhatsApp does not include personal ads, the app is, according to noyb, used for the collection of “metadata” which is subsequently shared with Facebook and Instagram for the purpose of producing personalised ads. Similar to the complaints referred to above, the WhatsApp terms of service were amended on 25^th May 2018 with users having no option but to accept the amendments if they wished to continue using the service.

Findings and compliance obligations:

One of the most interesting aspects of these particular complaints was the divergence between the DPC and the EDPB. The former believed that the use of behavioural ads “…is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.” Whereas the EDPB found that Meta was not entitled to rely on contractual necessity as a lawful basis and, in doing so, held that Meta had not been processing personal data for these purposes in a lawful manner since May 2018, a factor that was taken into account when calculating the size of the fine. The final decision of the DPC is required to reflect that of the EDPB, which is binding on supervisory authorities based in the EU and, additionally, requires Meta to bring its processing operations into line with the GDPR within three months of the date of the decision.  Meta will undoubtedly be reluctant to do so given the significant amount of its annual revenue that comes from advertising.

The EDPB and the DPC also made different findings in relation to WhatsApp. However, the DPC was overruled resulting in a fine and an obligation on Meta to bring its processing activities in line with the GDPR within six months of the decision. However, the DPC pushed back on the EDPB’s request that they conduct a fresh investigation into WhatsApp’s processing operations with regard to the processing of special category data under Article 9 of the GDPR. The DPC, in its written decision, stated that the “EDPB does not have a general supervision role… and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation” signing off the statement by expressing its concerns regarding a potential overreach by the EDPB and a suggestion that they may bring an action against the EDPB before the Court of Justice of the European Union in an attempt to have the decision of the EDPB set aside.

Meta Response:

Meta, who released a statement in response to the Facebook and Instagram decisions on 4 January 2023, expressed their disappointment at the action taken by the EDPB and DPC as well as its intention to appeal “…both the substance of the rulings and the fines”.

The statement also confirmed Meta’s belief that their approach is in line with the GDPR, arguing that social media websites, including the ads thereon, are inherently personalised and that providing behavioural ads is a “…necessary and essential part of that service”.

Presumably, the company will also appeal the decision against WhatsApp.

Conclusions:

Whilst the decisions are likely to be welcomed by users, they should serve as a stark warning to companies, particularly those with data heavy business models, who are seeking to find loopholes that can utilised to circumvent the GDPR.

Whilst it is important to point out that Meta are not the only technology company whose practices have caught the attention of regulators for the wrong reasons with TikTok receiving a formal warning from Italy’s data protection watchdog last year when seeking to rely on the “legitimate interest” basis for using personalised ads. However, Meta are one of the most frequent culprits with privacy fines totalling €747 million being levied against the company in 2022.

We provide advice on a range of topics regarding Intellectual Property and Data Protection issues, including complaints to the Information Commissioner’s Office. If you need support or advice assessing your company’s data compliance, please contact us by email or call 01582 731161.

Disclaimer: General Information Provided Only
Please note that the contents of this article are intended solely for general information purposes and should not be considered as legal advice. We cannot be held responsible for any loss resulting from actions or inactions taken based on this article.