
Regulator complains of a lack of agency in GDPR enforcement
Anyone hearing the announcement by the Data Protection Commission (DPC) of increased fines against Meta Ireland following investigations into breaches of the General Data Protection Regulation (GDPR) by Facebook and Instagram could be forgiven for believing it had achieved a great victory for the European consumer.
At first sight, the imposition of fines totalling €390 million seems a hefty punishment, especially when it is framed in the context of contributing to a grand total of €1.2 billion in fines against the tech giant to date.
But contrary to the old adage, first impressions can often be incorrect. In the DPC press release providing a context and timeline for the inquiries, it notes that one of the complaints related to Meta Ireland’s decision to change the legal basis for its terms of service from ‘consent’ to ‘contract’.
As the DPC explained, this meant that people wishing to continue to have access to Facebook and Instagram services following the introduction of GDPR would have to click ‘I accept’ to indicate their acceptance of the updated terms of service. (The services would not be accessible if users declined to do so.)
“Meta Ireland considered that, on accepting the updated terms of service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract.”
The argument put forward by the complainants to the DPC was that Meta Ireland was forcing users “to consent to the processing of their personal data for behavioural advertising and other personalised services” by making accessibility of its services conditional on users accepting the updated terms of service.
The DPC disagreed. It essentially agreed that Meta was able to rely on contract as providing a legal basis for the processing of users’ personal data to deliver personalised services, including personalised advertising. “The DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis,” it stated.
Legal argument
This was not an argument that a number of peer regulators in the EU/EEA were prepared to accept. Ten of the 47 argued Meta Ireland could not rely on the contract legal basis because the delivery of personalised advertising “could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract”.
The DPC took Meta’s side again, arguing that the delivery of personalised services, including personalised advertising, “is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the terms of service”.
The issue was sent to the European Data Protection Board (EDPB) which found that “as a matter of principle, Meta Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising”.
Look at that sentence again. Read the words “as a matter of principle” and consider just how fundamental they are. Remember how the DPC claimed “in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis”?
That’s the DPC, which describes itself as “the national independent authority in Ireland responsible for upholding the fundamental right of individuals in the European Union (EU) to have their personal data protected” and “the Irish supervisory authority responsible for monitoring the application of the General Data Protection Regulation (GDPR)”.
That’s the DPC which appeared to believe “in principle” the GDPR allowed something which the EDPB said was not permitted “as a matter of principle”. How on earth did that happen? How could the DPC argue against something the EDPB maintains is a matter of principle, choosing instead to side with an organisation seeking to circumvent it?
Why did it require the intervention of the EDPB for the DPC to uphold “the fundamental right of individuals in the European Union (EU) to have their personal data protected”?
Remember, it was only after the EDPB’s “binding determinations” that the DPC concluded Meta Ireland was “not entitled to rely on the ‘contract’ legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services”. Only then did it agree that Meta Ireland’s “processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR”.
With regard to Article 6, the EDPB produced an informative set of guidelines in 2019: Sections 2.5, 3.3 and 3.4 seem particularly relevant.
For its part, Meta has challenged the ruling, claiming it is fully compliant with GDPR “by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision”.
The DPC also intends to challenge some of the jurisdictional elements of the EDPB’s decision before the Court of Justice of the EU. Data Protection Commissioner Helen Dixon told Politico: “We cannot create a scenario where we simply have no agency in our own role as a lead supervisory authority, where you have an entity assign itself a role in telling us what to do and indeed how to do it.”
She probably didn’t notice the unintentional irony in those words when the EDPB seems to have done exactly that in order for the DPC to finally reject Meta Ireland’s reliance on the contract legal basis.