On January 12, 2023, the Irish Data Protection Commission (“Irish DPC”) adopted decisions regarding Facebook and Instagram following the European Data Protection Board’s (“EDPB”) binding dispute resolution decisions of December 5, 2022. We originally wrote about the fines that the Irish DPC levied against Meta in these two investigations in an earlier blog post.
One week later, on January 19, 2023, the Irish DPC announced that it had concluded its inquiry into WhatsApp.
In today’s blog post, we provide a brief overview of the Irish DPC’s decisions regarding Facebook and Instagram as well as its findings in the WhatsApp investigation.
The Irish DPC’s Decision Regarding Facebook
The Irish DPC’s decision regarding Facebook considered the following three issues:
- Whether clicking on the “accept” button constitutes or must be considered consent for the purposes of the General Data Protection Regulation (“GDPR”).
- Reliance on Article 6(1)(b) as a lawful basis for personal data processing.
- Whether Facebook provided the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent manner.
Article 6(1)(b) of the GDPR identifies processing for the performance of a contract as one of the lawful bases for processing. The Irish DPC found that Facebook was not entitled to rely on Article 6(1)(b) – performance of a contract as a lawful basis for processing – to process personal data for the purpose of behavioral advertising in the context of the Facebook Terms of Service.
Article 5(1)(a) of the GDPR states that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Article 12(a) of the GDPR requires controllers to take appropriate measures to provide information and communication relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form. Furthermore, Article 13(1)(c) of the GDPR requires controllers to provide the data subject with the purposes of the processing for which the personal data are intended as well as the legal basis for the processing. With respect to Issue 3, the Irish DPC found that Facebook had infringed all three of the above-mentioned articles.
The Irish DPC also found that Facebook had infringed the Article 5(1)(a) principle of fairness in the context of its approach to the provision of information as part of the presentation of its Terms of Service to the complainant.
In addition to imposing substantial fines, the Irish DPC urged Facebook to bring its Data Policy and Terms of Service into compliance with Articles 5(1)(a), 12(1), and 13(1)(c) of the GDPR on data processed pursuant to performance of a contract and data processed for the purposes of behavioral advertising. Additionally, the Irish DPC ordered Facebook to take necessary action to bring its processing of personal data for the purposes of behavioral advertising in the context of the Facebook Terms of Service into compliance with Article 6(1) of the GDPR (which may include identification of the appropriate alternative legal basis).
The Irish DPC’s Decision Regarding Instagram
The Irish DPC’s decision regarding Instagram considered the following three issues:
- Whether clicking on the “Agree to Terms” button constitutes or must be considered consent for the purposes of the GDPR and, if so, whether it is valid consent for the purposes of the GDPR.
- Whether Meta Ireland could rely on Article 6(1)(b) GDPR as a lawful basis for processing of personal data in the context of the Terms of Use and/or Data Policy.
- Whether Meta Ireland provided the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent manner.
Similar in manner to its decision regarding Facebook, the Irish DPC found that Meta was not entitled to rely on performance of a contract as the lawful basis for processing personal data for the purpose of behavioral advertising in the context of the Instagram Terms of Use.
Also similar in manner to its decision regarding Facebook, the Irish DPC found that Meta had infringed Articles 5(1)(a), 12(1), and 13(1)(c) of the GDPR. Again, Meta had infringed the Article 5(1)(a) principle of fairness in the context of its approach to the provision of information as part of the presentation of its Terms of Use to the complainant.
In addition to imposing substantial fines, the Irish DPC urged Meta to bring processing into compliance within a period of 3 months. Meta is required to bring the Data Policy and Instagram Terms of Service into compliance with Articles 5(1)(a), 12(1), and 13(1)(c) of the GDPR on data processed pursuant to performance of a contract and data processed for the purposes of behavioral advertising. Meta is also required to take the necessary action to bring its processing of personal data for the purposes of behavioral advertising in the context of Instagram’s Terms of Use into compliance with Article 6(1) of the GDPR (which, again, may include identification of the appropriate alternative legal basis).
The Irish DPC Announces Conclusion of Inquiry into WhatsApp
After concluding its inquiry into the processing carried out by WhatsApp Ireland, the Irish DPC announced that it is issuing a fine of €5.5 million against the company.
The Irish DPC found that information in relation to the legal basis relied on by WhatsApp Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data and for what purpose.
The Irish DPC has not yet adopted this decision.
Key Takeaways
Overall, the decisions highlight the increasing regulatory scrutiny into behavioral advertising and the extent to which companies are transparent to consumers about it. Businesses impacted by the GDPR should closely evaluate their marketing and advertising practices and related privacy disclosures. The decisions also spotlight the growing tension between the Irish DPC, the EDPB, and other EU data protection authorities on consequential European privacy matters.
Octillo’s experienced team of privacy professionals routinely works with companies to evaluate data privacy concerns that may emerge as part of their technology platforms, including ad targeting technology. If you have any questions or concerns regarding the privacy implications of ad targeting tools or similar technology, please contact a member of our team.
*Attorney advertising: prior results do not guarantee a similar outcome.