The Data Protection Commission (DPC) is to mount a legal challenge against the European Data Protection Board (EDPB), after it called on the Irish watchdog to carry out a fresh investigation into how the social-media platforms Facebook and Instagram process users’ personal data.
The direction from the EDPB came after it stepped in to resolve a dispute between the DPC and other European regulators over aspects of the Irish regulator’s findings in relation to an inquiry into breaches of the EU’s GDPR data-privacy rules by Meta, the parent company of Facebook and Instagram.
The watchdog today (4 January) announced its final decisions on two inquiries carried out after complaints about how Facebook and Instagram processed users’ data, particularly for the purposes of behavioural advertising.
The DPC has fined Meta Ireland €210 million for GDP breaches linked to Facebook, and €180 million for breaches related to Instagram.
Under GDPR procedures, the DPC had submitted its original determination to other European data regulators, known as Concerns Supervisory Authorities or CSAs, who asked for the fines to be increased.
The final decision also reflects a binding determination by the European Data Protection Board (EDPB) on a dispute between the DPC and a number of other European regulators about aspects of the Irish watchdog’s draft decision.
Meta Ireland has been given three months to bring its processing operations into compliance with the GDPR.
Meta has said that it will appeal the decisions, with a spokesperson saying that it intended to appeal both the substance of the rulings, and the fines.
Terms of service
The tech giant had changed its terms of service for Facebook and Instagram ahead of the introduction of GDPR in 2018.
Having previously relied on the consent of users to the processing of their personal information, Meta sought to rely on the ‘contract’ legal basis for most of its processing operations.
The complainants had argued that, by asking users to accept updated terms of service – and making the services unavailable if users declined to accept – Meta was “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services, in breach of GDPR.
Meta Ireland had argued that processing users’ data was necessary for the performance of the contract entered into when users accepted the revised terms.
Dispute referred to EDPB
The DPC’s draft decision found that Meta was in breach of its transparency obligations, as information on the legal basis relied on by the tech giant to process data was not clearly outlined to users.
The regulator also decided that the ‘forced consent’ aspect of the complaints could not be sustained, and that GDPR rules did not preclude Meta’s reliance on the ‘contract’ legal basis.
Ten of the 47 CSAs, however, took a different view on the issue of the legal basis for processing data, and the dispute was referred to the European Data Protection Board (EDPB).
The board, while upholding the DPC’s position on Meta’s transparency obligations, found that the company was not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising.
The EDPB determination is reflected in the DPC’s final decisions and fines.
‘Problematic’ direction
The Irish regulator has, however, decided to mount a legal challenge to an EDPR call for it to conduct a fresh investigation that would span all of Facebook and Instagram’s data-processing operations, and would examine special categories of personal data that may or may not be processed in the context of those operations.
“It is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation,” the commission said, adding that the board’s call was “problematic in jurisdictional terms”.
The DPC is to bring an action for annulment before the Court of Justice of the EU, in order to seek the setting aside of the EDPB’s directions.