Privacy & Information Security Law Blog

On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. (“Meta”) with respect to the company’s Instagram and Facebook platforms. As a result of the investigations, the DPC fined Meta a combined €390 million for breaches of the EU General Data Protection Regulation (“GDPR”) and, following consultation with the European Data Protection Board (“EDPB”), notably held that Meta can no longer rely on the GDPR’s “performance of a contract” legal basis for processing personal data in the behavioral advertising context, a decision that has broad implications for publishers engaged in behavioral advertising in the EU.

The DPC’s investigation began after None of Your Business (“NOYB”), a non-governmental organization co-founded by privacy activist Max Schrems, submitted complaints alleging that Facebook and Instagram “forced” users to consent to the processing of personal data for behavioral advertising and other services. In anticipation of the GDPR entering into force, Meta updated its Terms of Service and asked its users to accept the new terms before continuing to access its services. Meta asserted that when users accepted the new terms, they entered into a contract with the company that allowed the company to rely on the “performance of a contract” legal basis under the GDPR for the company’s processing of personal data. NOYB argued that, by requiring users to accept the updated Terms of Service as a condition to use Facebook and Instagram, Meta “forced” its users to provide consent, and therefore could not rely on the “performance of a contract” legal basis for processing.

The DPC’s investigation held that, although the GDPR does not preclude Meta’s reliance on the “performance of a contract” legal basis asserted by Meta, the company’s practices breached Article 5(1)(a), which requires personal data to be processed lawfully, fairly, and in a transparent manner. In particular, the DPC held that Meta’s Terms of Use did not clearly disclose the company’s data processing activities,  or the purposes and legal basis for the processing.

Following consultations with peer regulators in the European Union, the DPC submitted its findings to the EDPB. The EDPB agreed that Meta’s practices breached Article 5(1)(a), and, contrary to the DPC’s findings, notably  held that the company could not continue to rely on the “performance of a contract” legal basis to support its behavioral advertising activities. In addition, the EDPB directed the DPC to conduct a separate investigation into how Facebook and Instagram process special categories of data.

The DPC adopted the EDPB’s findings, issued a €390 million fine, and directed Meta to bring its data processing activities into compliance with the GDPR within three months.