Irish DPC’s decision on Meta's illegal ad practices

BACKGROUND: The case against Meta Platforms Ireland Limited (“Meta”) was initiated by an Austrian activist Max Schrems on behalf of two users from Austria (in relation to Facebook) and Belgium (in relation to Instagram) on 25th May 2018. The case was filed with the Data Protection Commission of Ireland (“DPC”) as Meta’s headquarters are based in Ireland.

On January 4th, 2023 the DPC made the final decision on these two issues, in which it imposed a fine of €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service). The decision seems to be very consequential as it will have a huge impact on the personalized advertising model in the EU.

ISSUES: The main issue that was alleged against Meta is the legal basis they relied on for collecting the data from the users. Art.6 of the GDPR, lists six (6) legal bases upon which alone data processing can be carried on. Meta has sought to rely on ‘contract’ as the legal basis for its data processing operations. Meta provides lengthy Terms of Service to be accepted by the users in order to use the Facebook or Instagram services. Meta claimed that the processing of data for behavioral advertising forms a necessary part of the performance of the contract. Meta put forth that Facebook and Instagram are inherently personalized and as part of it, they had to provide personalized advertising. The complainants on the other hand argued that Meta was obtaining ‘forced consent’ from the users for processing their data for behavioral and other personalized advertising.

The other issue pertaining to the collection of data of the users was that Meta was not engaging in any transparent and fair practices. Meta has failed to clearly outline to the users what processing operations they might undertake while providing behavioral and personalized advertising.

DECISION OF DPC: Both the DPC and European Data Protection Board (“EDPB”) was of a similar opinion that Meta has violated the transparency obligation under GDPR while intimating the legal basis and purpose for processing the personal data of users.

The DPC has held in its final decision that Meta has violated Art.12, and 13(1)(c) of the GDPR, since Meta has failed to communicate to the users in a transparent and clear manner the purpose for processing their personal data through their Terms of Service.

The DPC in its draft decision had a different view that Meta can process the personal data of users with ‘contract’ as the legal basis for processing. But, in its final decision, it has conceded to the decision of EDPB and has held that Meta has violated Art 6 of the GDPR. Meta cannot use ‘contract’ as the legal basis for processing the personal data of users for behavioral advertising. It is so held as the processing of personal data for behavioral advertising does not form the necessary part of the performance of the contract. The Facebook and Instagram services are not solely dependent on providing behavioral advertising. DPC has given three months period for Meta to make substantial changes to its model of collecting personal data from its users, through which users need to be given a ‘yes’ or ‘no’ option to opt-in for processing of their personal data for this purpose and also the option to change their mind at any time.

IMPACT OF THE DECISION: Meta now has to obtain consent from the users before processing their personal data for behavioral advertising. This can have a very huge impact on Meta’s advertising revenue as, if given a choice many users might choose not to share their personal data for this purpose. This can potentially put five to seven percent of Meta’s advertising revenue at risk. As of now, it can be seen that it’s going to be a huge challenge for Meta to change its approach in seeking clear and explicit consent from the users while at the same time trying to maintain the status quo of its advertising revenue.