Meta’s Use of Personal Data in the EU for Behavioural Advertising Found to Breach GDPR
In light of Meta's €390m fine by Ireland's Data Protection Commission over its use of personal data for targeted advertisements, Associate Andrew Wilson-Bushell discusses the decision's implications for Meta and its business model.
Following two Binding Decisions from the European Data Protection Board (EDPB), the Irish Data Protection Commission (DPC) has announced the results of its two investigations into the operation of Meta’s Facebook and Instagram services. The DPC’s decisions were made available by privacy advocacy group noyb (None of Your Business), the original complainant, on 11 January 2023.
The DPC fined Meta a total of €390 million: €210 million in relation to Facebook and €180 million in relation to Instagram. The DPC also gave Meta three months to bring its data processing operations into compliance.
What was the decision, and what’s next for Meta?
The DPC found that Meta breached the GDPR by processing personal data of EU users for the purpose of providing behavioural advertising, after incorrectly stating (via its terms and conditions) that this was performed on the legal basis that the processing was necessary for the performance of a contract with the user. The DPC’s decisions also state that Meta breached the GDPR’s principles of transparency and fairness.
Two of the key findings of the EDPB in its Binding Decision in relation to Facebook, and reflected in the DPC’s final decisions, were that:
1. “The main purpose for which a user uses the Facebook service is to communicate with others”, not receiving personalised advertising. As such, “as a general rule, the processing of personal data for behavioural advertising is not necessary to perform a contract”, in part because less intrusive alternatives exist.
2. It would be “extremely difficult to argue that an average user can fully grasp it, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on the Facebook Terms of Service”, which led to the conclusion that Meta had not been duly transparent with its users.
Meta responded: “we strongly believe our approach respects GDPR” and that they “intend to appeal both the substance of the rulings and the fines.” Meta further stated that the decisions “do not prevent personalised advertising on our platform.”
Noyb has stated that the only option left is for Meta to obtain freely-given, informed, express and withdrawable consent from users for use of their personal data for behavioural advertising. However, Meta’s statement indicates that they believe other legal bases might be available. One such possibility is that Meta may seek to establish a legal basis based on their legitimate interest for the processing, which would require Meta to demonstrate a balance between their legitimate interest to provide advertisers with behavioural advertising tools on the free-to-use platforms and their users’ rights and freedoms.
Meta has been given three months to implement changes, so it is likely that further information will be made available before the end of March 2023. However, Meta has indicated that they intend to appeal the decision, and any actions will be subject to the outcome of any appeal.
There are potential knock-on effects of these decisions on Meta. Other jurisdictions with comparable data protection regimes to the EU (such as the UK) could potentially look to the DPC’s decisions as a benchmark. There is also an open question about whether Meta may be liable to users directly for damages in respect of the processing they performed over the past five years.
Additionally, noyb has stated that it views aspects of the DPC’s published decisions as inadequate, on the grounds that the decisions do not address all of Meta’s use of personal data (these decisions related specifically to behavioural advertising).
Finally, the EDPB has purported to direct a more general investigation into Meta’s processing of users’ sensitive personal data, like health data or data revealing a person’s religious beliefs (known as ‘special category data’). The DPC has said it will contest this direction from the EDPB on jurisdictional grounds.
Andrew's article was published on 20 January 2023 in UK Tech News, on 27 January 2023 in Law360, and on 30 January 2023 in Datacenter Dynamics. It was also translated and republished in Spanish in Datacenter Dynamics on 1 March 2023.