Last week, the Irish Data Protection Commission (“Irish DPC”) issued a decision against META, the parent company of Facebook and Instagram, finding that its advertising practices violated the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) and imposing a fine of €390 million (approximately US$414 million). Further, the decision requires that META bring its data processing activities into compliance with the GDPR within three months.
Two complaints, filed on May 25, 2018, gave rise to this most recent decision against META. The complaints argued that META’s use of contractual necessity as the lawful basis to process users’ personal data on both the Facebook and Instagram platforms violates the GDPR. Prior to the GDPR, META changed the lawful basis it relied on from user consent to contractual necessity. In short, META contended that a user entered into a contract by accepting the Terms of Service. However, if a user refused to accept the Terms of Service, the user would be refused access to the platform.
On December 5, 2022, the European Data Protection Board (“EDPB”) issued a decision which held that META was not entitled to rely on the contract legal basis as a lawful basis for its processing of personal data for the purposes of behavioral advertising. The Irish DPC decision aligns with the EDPB determination and found that META cannot rely on contractual necessity as the lawful basis for its behavioral advertising practices, resulting in the most recent fines.
The Irish DPC’s decision comes on the heels of a year of increased attention on major U.S. technology companies, and on the Irish DPC as the European home to many of those companies. And it is not over yet, as META has already signaled its intention to appeal the decision.
For businesses subject to the GDPR, this decision is a reminder that identifying the lawful basis for the collection and processing of personal data is a key part of GDPR compliance. Article 6 of the GDPR provides for six different lawful bases for the processing of personal data, including contractual necessity and consent, and all personal data processed must fall into one of these six categories. Creating a data map can be a good first step toward meeting this requirement.
Octillo’s experienced team of privacy professionals routinely works with companies to evaluate data privacy concerns that may emerge as part of their technology platforms, including ad targeting technology. If you have any questions or concerns regarding the privacy implications of ad targeting tools or similar technology, please contact a member of our team.