Meta: 390-million euro data protection fine and how we advertise in the future (1/2)

The decisive factor for the penalty now imposed were two complaints that had already been submitted to the Irish data protection authority in 2018. The two complaints originated in Austria and Belgium and affected the Facebook and Instagram platforms. However, both complaints raised the same fundamental question: Which legal principles can be applied without hesitation, as in the case of a social network that can be used free of charge and is financed by advertising?

Why the complaint?

To answer this question, it is necessary to take a look at 2018. On May 25, 2018, the GDPR finally became legally binding in the European Union. Here, final means that a two-year grace period for data controllers ended on this date, during which the GDPR applied but did not yet have to be complied with without exception.

As part of this effective date, Meta (then still Facebook) changed the terms of use of its “Facebook” and “Instagram” services. In each case, Meta also indicated that it was changing the legal basis on which it relied to legitimize the processing of its users’ personal data.

Until 2018, Meta Ireland was relying on users’ consent to the processing of their personal data in connection with the provision of Facebook and Instagram services (including behavioral advertising) as the legal basis. With the change to the Terms of Service, Meta now attempted to rely on the legal basis of “contract” for most (but not all) of its processing.

Meta considered that the acceptance of the updated terms of use creates a contract between them and the user. In addition, they considered that the processing of user data in connection with the provision of Facebook and Instagram is necessary for the performance of this contract, including, of course, the provision of personalized services and behavioral advertising. Meta hereby meant to apply Article 6(1)(b) of the GDPR (the “contractual” legal basis for the processing).

However, in addition to this change, Meta placed a kind of roadblock at the time. If you wanted to continue to access Facebook and Instagram services after the GDPR was implemented, existing (and new) users were asked to click “I accept” to indicate their agreement to the updated terms of service. (The services would no longer have been accessible until the users accepted).

The two complaints, however, said this caused users to be forced to accept, since the entire interface was no longer accessible. There was no way to “unlock” the service without accepting the new terms of service. On top of that, there was no additional way to object to the processing of personal data for behavioral advertising. Here Meta switched to stubborn and put on this record of a German pop singer (Wolfgang Petry). It means something like ” ALL OR NOTHING, GO OR STAY. ALL OR NOTHING, YOU HAVE TO DECIDE”.

The complainants argued that this was a violation of the General Data Protection Regulation.

In addition to this, by “accepting”, the terms of use, no contract is concluded, but rather consent to something. This, in turn, pointed to another legal basis under the GDPR that had already been used by Meta before, the “consent”.

What is the punishment, Your Honor?

After reviewing the facts, the DPC concluded the following:

• Meta Ireland breached the obligation of transparency by not clearly explaining to users the legal basis on which it relied, so that users did not know clearly enough under which of the six legal bases of the GDPR the processing of their data was carried out. It was felt that a lack of transparency on such fundamental questions violated Articles 12 and 13(1)(c) of the GDPR. They also found that there was also a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC planned to impose very heavy fines on Meta Ireland in connection with the breach, as well as an admonition to the company to bring its processing operations into compliance within a specified, short period of time.
• But it was not determined that Meta Ireland was relying on users’ consent as a lawful basis for processing their personal data. Therefore, the aspect of ” forced consent ” could not be recognized in the complaints.
• The DPC then considered whether Meta Ireland could rely on a “contract” as a legal basis for processing users’ personal data in connection with the provision of its personalized services (including personalized advertising). In doing so, however, it was found that Meta Ireland was not required to rely on consent. Indeed, the General Data Protection Regulation does not in principle exclude the possibility of relying on the legal basis of a contract in such a case. In a sense, they agreed with Meta.

The DPC acknowledged that Meta had misled users, but would not have pursued charges against Meta for “locking out” users from its service until they accepted the new rules.

Fortunately, the GDPR requires the implementation of a prescribed procedure in which the Irish data protection authority, must first communicate its decisions to other data protection authorities for evaluation before they can be enforced. This can be thought of as a kind of jury that has to make a clear decision. And this is where the discussion started.

“We agree to disagree!”

On the question of whether Meta Ireland had breached its transparency obligations, the other regulators agreed, but wanted to impose a significantly higher fine than the DPC. In addition, the other regulators disagreed with the DPC on the legal basis. In particular, they considered that Meta Ireland should not be allowed to rely on the legal base of the contract, as the provision of personalized advertising (as part of the broader range of personalized services, in the two Meta services) should not be considered necessary for the fulfillment of the core elements.

The DPC disagreed with the objecting regulators and continued to hold that Facebook’s and Instagram’s services would involve the provision of a personalized service with personalized or behavioral advertising and that they would indeed be based on that.  Thus, they are personalized services that also include personalized advertising. According to the DPC, this fact is central to the business relationship between users and their chosen service provider and is part of the contract concluded at the time the user accepts the terms of use of the service.

The DPC but also the other regulators stood firm in their views and it became clear that no consensus could be reached. So, if the children quarrel then mom or dad come, mediate the dispute and speak a power word. In this case, the GDPR has a similar plan. In accordance with its obligations, the DPC has referred the disputed issues to the European Data Protection Board (“EDPB”).

The EDPB ruled that the DPC was correct in its position regarding Meta Ireland’s breach of the transparency obligations. However, it was requested that a breach of the “fairness” principle be added and the fine must be increased.

On the question of “legal basis”, the EDPB opposed the DPC. Meta should not be allowed to rely on the “contract” legal basis in this matter.

Consequences:

1. Meta Ireland has no right to rely on the legal basis “contract” in connection with the provision of behavioral advertising as part of its Facebook and Instagram services. Its past processing of user data in claimed reliance on the “contract” legal basis thus violates Article 6 of the GDPR.
2. Meta has to pay a fine of 210 million euros (in the case of Facebook) and 180 million euros (in the case of Instagram) for the established breach of the GDPR.
3. Meta Ireland must bring its processing operations into compliance with the GDPR within 3 months.

Meta says “Nope, we’re not paying!”

Already on the same day, Meta spoke out about the matter in its newsroom.

„The debate over the legal bases has been going on for some time, and companies lack legal clarity in this area,” Facebook writes, addressing other companies rather than its users? 🤔

„We strongly believe that our approach respects the GDPR. Therefore, we are disappointed by these decisions and intend to challenge both the content of the judgments and the fines.“

And at the next sentence it becomes clear that this statement is not for the users, but for Meta’s advertising customers only.

„These decisions do not prevent personalized advertising on our platform. Advertisers can continue to use our platforms to reach potential customers, grow their business and enter new markets.“

So translated: “We just keep doing what we’re doing, don’t worry, everything will be fine!😳”

So you can be curious how it will turn out in court. And that is not the only lawsuit that can arise from this fine, because:

It boils in Ireland

The Irish data protection authority has always been an outsider in Europe. At times, it has been called lazy or even accused of purposely implementing data protection at the speed of a sloth in order not to discredit Ireland, the European tax haven for big tech companies. This is putting the DPC under increasing pressure, which is now becoming apparent. When reading their statement on this matter, I had the feeling that I was reading the punishment essay of a child who had been fighting in the schoolyard.

The statement is littered with attempts to explain the agency’s thought process and how it came to be that almost all of their suggestions were shot down by other involved parties. The statement SCREAMS between the lines “Sorry, but it wasn’t our fault. It was the fault of the others.” And so another discussion is brewing in European data protection. That is, the answer to the question “Who wears the pants?”

„Who wears the pants?“

The European Data Protection Board has instructed the DPC to conduct a further investigation into Meta. The investigation should cover all of Facebook’s and Instagram’s data processing operations and whether or not special categories of personal data could be processed as part of them. However, according to the DPC, the EDPB “does not have a general oversight role as national courts have over independent national authorities and may not direct and guide an authority to conduct open-ended and speculative investigations.” The DPC finds the instruction highly problematic and To the extent that it may involve overstepping on the part of the European Data Protection Board, they believe it would be appropriate to bring what is literally an action for annulment to the European Court of Justice in order to have the instruction annulled.

Sounds like the DPC is feeling a little bit upset right now.

Interim summary

It happened, one of the most important proceedings in European data protection now has a judgment for the first time. A ruling with a huge bubble that says: “Personalized advertising must not be a core element in social media or other free ad-supported services.” I am of course happy about this decision, but on the other hand it makes me very thoughtful.

At this point I interrupt the article, because it is too long. In the second part we will deal more with the philisophical aspect of this decision, because the ruling has more impact than it seems at first sight.

---