Meta – DPC & EDPB Decisions on lawful basis of processing and transparency

Written By

ruth boardman module
Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

On 5 December 2022, the European Data Protection Board issued binding decisions under the Art.65 dispute resolution process to the Irish Data Protection Commission. The DPC adopted associated decisions on 31 December 2022 and 12 January 2023. The Facebook and Instagram decisions concluded that Facebook and Instagram were processing personal data for certain behavioural advertising activities without a lawful basis and that such processing was unfair; in addition, there were failings of transparency in relation to privacy notices. Fines of €210M and €180 M were imposed respectively. The WhatsApp decision found that WhatsApp was processing personal data for service improvement and safety and security purposes without a lawful basis and unfairly; a fine of €5.5M was imposed.

The Facebook and Instagram decisions make clear that controllers cannot argue that serving targeted ads is necessary to fulfil a contract with the data subject. Controllers will, instead, need to look to consent or to legitimate interests (for targeting which is sufficiently non-intrusive as to satisfy the requirements for this legal basis) for such processing. Or they will need to look to non-targeting based methods of advertising: the EDPB referred favourably to contextual advertising as an alternative.

In many ways the WhatsApp decision may turn out to be the more disruptive. EDPB held that WhatsApp could not argue that processing of user data to improve its service or for safety and security purposes was necessary for it to fulfil a contract with the user. Many SaaS providers argue that the delivery of a constantly developed service is a key feature of the SaaS model; the decision clashes with this. Many platforms and service providers would also have considered that they have a (contractual) obligation to ensure safety – for example, that content posted by other users is safe; that goods and services offered by users to each other are provided lawfully; or that those playing games respect common rules and do not cheat. Consent (or legitimate interests) could be an alternative legal basis for use of data for service development. For security and safety, some controllers (for example, regulated payment services) may be able to look to compliance with an EU or Member State law. The Digital Services Act would also be relevant here. For controllers who cannot point to a relevant EU or Member State law, the alternative would be legitimate interests. For any controllers who process personal data for this purpose making use of entirely automated individual decisions, there is a further catch. Art.22 GDPR prohibits such processing unless it is either contractually necessary, authorised by EU or Member State law (which must lay down suitable safeguards), or based on consent. The decision may, therefore, have an impact on automated processing for purposes of safety and security.

There is further commentary on the decisions below. Both the DPC and the EDPB decisions are long. To assist readers in finding key sections of the decisions to which they may wish to refer later, paragraph references from the DPC’s decisions are included in [], and from the EDPB’s decisions are in {}.

Facebook

When GDPR became applicable, Facebook asked its users to accept its ToS, or to cease using the service & to delete Facebook. The ToS explained that the service included service of personalized content and ads. They included a section on how Facebook used information and a link to its privacy notice.

The complainant claimed that this showed that Facebook was relying on consent to process personal data for personalized advertising, but that this consent was unlawful (because it was forced by way of acceptance of the ToS). Facebook argued that the lawful basis was contractual necessity, not consent.

The DPC, as lead supervisory authority (SA), agreed with Facebook, but did find that Facebook had breached transparency obligations. Multiple other SAs objected to this decision, which was remitted to the EDPB for dispute resolution.

The EDPB instructed the DPC to find that Facebook could not rely on contractual necessity as its lawful basis for processing and that, as a result, Facebook had no lawful basis for processing. The EDPB instructed the DPC to find that Facebook’s processing breached the fairness principle, in addition to breaching transparency obligations. The EDPB also considered that the fine proposed by the DPC would not be effective or dissuasive and instructed the DPC to impose a larger fine. The DPC imposed a fine of €210M in total as well as ordering corrective measures requiring Facebook to remediate breaches within 3 months.

The EDPB also found that the complainant had asserted that Facebook processed special category data without meeting a condition under Art.9; that the DPC had not investigated this; but that a finding on this point would be material to whether consent was the only feasible lawful basis for processing. The EDPB decided that the DPC shall carry out a new investigation into whether special category data was processed by Facebook in compliance with GDPR {198}. The DPC has stated that the EDPB does not have power to instruct it to carry out an investigation and that it will appeal this part of the EDPB’s decision.

The table at the end of this note contains more detailed comments on the Facebook decision.

Instagram

The facts are very similar to those set out in the Facebook case. Again, a user was presented with a requirement to accept new ToS or to cease using and to delete Instagram, although the user flow and UI was slightly different. Again, the DPC’s decision was referred to the EDPB, which instructed the DPC to make certain findings on lawfulness, fairness and on the approach to fining.

The final decision of the DPC concluded that the Instagram service breached identical provisions of the GDPR to those mentioned in the Facebook decision. The total fine imposed was €180M, split as to €70M for sufficiency of information; €60M for transparency of information; and €50M for failure to have a lawful basis for processing. A corrective order was also imposed. The EDPB also instructed the DPC to assess processing of special category data.

WhatsApp

This decision is slightly different to the other two. The complainant was again asked to accept WhatsApp’s updated ToS and privacy policy, the alternative being to cease using the service, or to uninstall WhatsApp. Again, the complainant argued that this demonstrated that WhatsApp was forcing users to give consent to personal data processing and that the consent was, consequently, invalid. The complainant also argued that there was a lack of transparency over the lawful basis used.

On transparency, by the time of the decision, the DPC had already issued its separate decision finding significant breaches of transparency requirements by WhatsApp (see link to article). Accordingly, there was no further finding on this. Instead, the investigation focused on the lawful basis for processing.

Again, the DPC concluded that WhatsApp in fact relied on contractual necessity and that WhatsApp was entitled to do this. Multiple SAs objected – in particular as regards WhatsApp’s ability to rely on this lawful basis to process personal data for service improvement and safety & security purposes. The EDPB interpreted security as relating to matters such as compliance with the ToS, or preventing harmful content, rather than processing in order to meet security obligations under Art.32 GDPR. The EDPB found that processing for these purposes was not objectively necessary to perform the contract {121}. Accordingly, EDPB directed the DPC to find that there was no lawful basis for the processing and that WhatsApp’s misrepresentation of the legal basis made the processing unfair {174}.

The DPC was required to order WhatsApp to bring the processing into compliance (i.e. to alter its legal basis); the DPC allowed WhatsApp 6 months to do this. The DPC also imposed a fine of €5.5M in relation to the breach.

The complainant also made various assertions that WhatsApp may process special category data, where the only lawful basis would be consent, or may process data for purposes of behavioural advertising. As there was no evidence of such processing and as WhatsApp confirmed that it did not undertake either of such processing activities, the DPC made no finding in this regard. However, the EDPB decision states that the DPC shall investigate further in order to determine if WhatsApp processes special category data, processing for purposes of behavioural advertising, or if it processes personal data in order to provide metrics to third parties, or to share data with affiliates so that they can improve services and to assess the compliance of any such processing; this decision was made notwithstanding WhatsApp’s statements that it did not undertake any of these activities {222}.

Table summarising useful points in the Facebook decision (the Instagram decision contains almost identical content. The WhatsApp decision contains similar comment on lawful bases of processing, albeit without the focus on behavioural advertising).

 Topic

Lawful basis
FB could not rely on 6(1)(b) contractual necessity as its lawful basis. Accordingly, it had no valid lawful basis and was in breach of Art.6(1)

Transparency
FB did not comply with Arts. 12, 13(1)c or Art. 5(1)(a) (transparent processing) 
Fairness
The processing was also unfair 
Key comments

The DPC accepted guidance in EDPB Opinions that merely referring to processing of personal data in a contract does not make the processing necessary for the contract. Further, OBA would not generally be necessary for a contract. However, for this specific contract, the DPC considered that the essence of the deal was that the consumer got free content and services in return for service of targeted ads [4.55].

EDPB rejected this:

  • Data protection is a fundamental right, so cannot be traded away; these rights generally override economic interests {101, citing Google Spain}
  • The fact OBA is central to Meta’s business model is not determinative; the business model must be compliant {105}
  • There was no obligation on Meta to serve personalised ads to users, so this could not be necessary {118}
  • Processing can only be necessary if it is the least intrusive method to achieve the ends; there are less intrusive methods; At, Pl and Se SAs suggested contextual ads based on geography, language and content, which would not involve profiling or tracking {121}
  • There is an absolute right to object to profiling for the purpose of direct marketing; this shows that such processing cannot be necessary for a contract {122}
  • The processing which is “necessary” to perform a contract should be judged by reference to the main purpose of the contract -here facilitating communication {124}
  • Allowing this would risk encouraging other controllers to argue that this justified processing data in breach of fundamental rights {131}
  • The processing undertaken is massive and relates to a very large number of data subjects [9.32, 9.34]
  • The EDPB appears to consider that data subjects have suffered damage in the form of loss of control [9.45]
Facebook’s privacy information was spread across different places. This was not itself fatal. However, the information was repetitive without adding clarity for the user and was all at too high a level. [5.6.4]

It was not possible for the user to identify what personal data processing operations were being carried out to fulfil the business objectives described [5.64, 5.72]

The notice must link the purposes of processing and lawful basis for processing to a description of the personal data processing being carried out [5.52]
EDPB upheld the It SA’s objection that, in addition to not being transparent, the processing was also unfair – in the sense of being not ethical or truthful {229}

“Fairness” addresses autonomy, individual expectations, power asymmetries, deception, ethical and truthful requirements {222}

The confusion over “acceptance” of the ToS and consent was an element of this {226}
 Fine €210M  €60M (also for fairness) €80M (insufficient information) + €70M (transparency, easily accessible)  
 
  • The breach was not intentional, but Facebook was seriously negligent in not ensuring compliance re: its lawful basis, given WP29 guidance on OBA and legitimate interests {461}
  • The proposed fine seemed low by comparison to the €746M imposed by the Lux SA on Amazon, also for lack of lawful basis for OBA (comment made by the Fr SA]
  • DPC considers transparency obligations a “cornerstone” of data subject’s rights under the GDPR [9.17]
 
Corrective measure Must bring notice and lawful basis into compliance within 3 months  

Latest insights

More Insights
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
flower

NEWSFLASH - The UK’s New Consultation on AI and Copyright: Purr-suing Balance?

Dec 19 2024

Read More
laptop phone

EU/UK sanctions regarding Russia and Belarus (16-12-2024)

Dec 19 2024

Read More