The decision by the Irish Data Protection Commission (DPC) that Meta has been misusing personal data is far from the end of the story.
The DPC announced this week that it was fining the company €390 million for violations of the EU’s General Data Protection Regulation (GDPR), and has ordered it to get its house in order within three months.
At issue is Meta’s justification for processing Facebook and Instagram users’ personal information. Under the GDPR, there are six valid reasons for doing so, including the consent of the user and necessity to the performance of a contract.
Before the GDPR came into force in May 2018, the company changed its terms of service for Facebook and Instagram. While it had previously relied on the consent of users to justify the collection of data for behavioral advertising, it now asked users to click ‘I accept’ for the new terms of service.
This, claimed the company, meant that users were entering into a contract, with the processing of their data necessary for the performance of that contract. However, the complainants argued that users weren’t really given any choice in the matter.
The DPC initially ruled that this was reasonable – although it did fine Meta for failing to adequately explain the situation to users.
However, that decision’s now been reversed, following disagreement between the DPC and other European regulators that saw the matter referred to the European Data Protection Board (EDPB).
The EDPB concluded that, as a matter of principle, Meta Ireland was not entitled to rely on the ‘contract’ legal basis for its processing of personal data for behavioral advertising, and the DPC has now fallen into line.
But that’s by no means the end of the matter. First, naturally, Meta intends to appeal both the substance of the rulings and the fines.
“Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service,” the company says in a statement.
It says it is assessing a variety of options to allow it to continue its data processing, adding: “The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect.”
The DPC has long been seen as a friend to Meta, with Max Schrems – the Austrian activist who brought the case against Facebook – claiming that the company has been successfully lobbying the DPC for years.
And as part of its efforts to justify its challenge to the ruling, Meta is attempting to exploit the differences in opinion between the DPC and the EDPB.
“There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time,” says Meta.
“This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether. That’s why we strongly disagree with the DPC’s final decision.”
And there is still significant friction between the DPC and the EDPB. As part of its ruling, the EDPB ordered the Irish DPC to carry out new investigations covering all of Facebook and Instagram’s data processing operations and examining special categories of personal data that may or may not be processed in the context of those operations.
The DPC has called this an ‘overreach’ on the part of the EDPB and says it plans to ask the European Court of Justice to annul it. This is a move that will inevitably muddy the waters and almost certainly allow the process of reforming Meta’s practices to drag on for a lot longer than three months.