Meta is set to appeal the €390 million fine it received earlier this month after it was found guilty of several GDPR (General Data Protection Regulation) breaches.
The errors relate to the consent practices used by the Meta-owned platforms Facebook and Instagram.
Under the GDPR, consent is one of six lawful bases that organisations can use to process personal data. Meta previously relied on it to process information for the purposes of behavioural advertising, but subsequently changed its practices to rely on another basis, contractual necessity.
Meta’s change in approach effectively meant users who wanted to access Facebook and Instagram services were forced to accept a lengthy new Terms of Service agreement. This caught the eye of two users, who made complaints against Meta and triggered a regulatory investigation.
The same day, the privacy activist group NOYB also issued a complaint, accusing Facebook and Instagram of trying to “bypass” the GDPR’s consent requirements by switching its lawful basis for processing.
This in itself wouldn’t trigger a GDPR breach. Organisations don’t need to obtain users’ consent if they use a different lawful basis to process personal information. The issue is how Meta made that switch, and the legitimacy of its new lawful basis.
What rules did Meta break?
Ireland’s DPC (Data Protection Commission), which oversaw the probe, issued the fine after concluding that Meta had not been transparent enough with its users in outlining the legal basis under which their information had been processed.
In a statement, the DPC explained: “The complainants contended that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data.
“They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact ‘forcing’ them to consent to the processing of their personal data for behavioural advertising and other personalized services.”
Another wrinkle to this case is whether Meta’s use of contractual necessity as a legal basis was justified.
This basis can be used when an organisation needs the information to deliver the terms outlined in a contractual agreement, or when the information is required before entering a contract – for example, to provide a quote for a service.
Meta stated that targeted advertising was part of the service that it contractually owes to users. But after consulting with the EDPB (European Data Protection Board), the DPC determined that this was not the case.
The tech giant has stood by its position, arguing that its practices comply with the GDPR and that it had always been transparent with regulators about its use of contractual necessity as a legal basis for data processing.
“There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time,” Meta said in a statement.
“This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether.
“That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioral ads given the nature of our services.
“As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticized for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”