6th February 2023
In the latest EU decision against the social media giant, the Irish Data Protection Commission (DPC) fined Meta Ireland a total of €390 million for data protection breaches relating to its Facebook and Instagram services. As a result, in a blow to its business model, Meta can no longer rely on the contract legal basis under the GDPR to process personal data for behavioural advertising purposes. Walker Morris data protection expert and Head of Regulatory & Compliance Jeanette Burgess explains.
Under the GDPR, anyone who processes personal data must have a valid legal basis for doing so; otherwise the processing is unlawful. Article 6 of the GDPR sets out six legal bases for processing personal data. They include the consent of the data subject; the legitimate interests of the data controller or a third party; and contractual necessity, which applies where the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject's request prior to entering into such a contract.
On the day the GDPR came into force, on 25 May 2018, a complaint was filed on behalf of Austrian and Belgian data subjects by Max Schrems about Facebook and Instagram services, including behavioural advertising. This involves tailoring advertising messages to users based on their personal web-browsing history. Until shortly prior to the introduction of the GDPR, Meta had relied on users’ consent to the processing of their personal data as the appropriate legal basis for data processing activities required to deliver the services. However, shortly before GDPR came into force, Meta changed its Terms of Service to rely instead on contractual necessity as its legal basis for most of its processing operations. Users who didn’t click “I accept” would not be able to access Facebook and Instagram services.
The complainants argued that Meta was in fact forcing users to consent to processing of their data for those purposes, by making access to its services conditional on users accepting the new Terms.
The DPC initially took the view that the processing in connection with the delivery of the services was necessary for the performance of the contract, including the provision of personalised services and behavioural advertising. It found that the processing was therefore lawful under the contract legal basis. Nonetheless it also concluded that Meta was in breach of its obligations in relation to transparency, because users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC proposed substantial fines on Meta Ireland as a result of these breaches.
However, the DPC changed its position in respect of the application of contractual necessity as a legal basis for processing after its draft decision was sent to the European Data Protection Board (EDPB).
The DPC had argued that Facebook’s and Instagram’s services included, and appeared to be based on, the provision of a personalised service that included tailored behavioural advertising; and that this reality was central to the bargain struck between users and their chosen service provider, forming part of the contract concluded when the user accepted the Terms. However, some of Europe’s other data protection authorities argued that Meta should not be allowed to rely on contractual necessity as the legal basis because delivery of personalised advertising itself (as part of the suite of personalised services offered) was not necessary to perform the core elements of what was a much more limited form of contract.
The EDPB disagreed with the DPC's conclusion that Meta was entitled to rely on the contract legal basis for the processing. It also added a finding that Meta had breached the GDPR's 'fairness' principle, and directed that the DPC's proposed fines of €28 million and €36 million be increased significantly, to the €390 million finally levied.
In line with the revised DPC decision, Meta must bring its data processing operations into compliance within 3 months. It has already announced its intention to appeal the final decision.
The decision is indicative of a wider trend we are seeing: increased scrutiny of Big Tech by governments, regulators and consumers as they seek to crack down on online harm, alleged anti-competitive practices and other conduct, including data protection compliance. Later the same month, the DPC announced the conclusion of a similar inquiry into WhatsApp Ireland, this time in relation to WhatsApp's processing of personal data for the purposes of service improvement and security.
In terms of processing personal data for behavioural advertising purposes, it seems increasingly unlikely that controllers will be able to rely on anything other than consent as a legal basis, although as Meta noted in its announcement: “There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time”.
More generally, this ruling serves as a reminder to all organisations of the fundamental requirement to process all personal data lawfully, fairly and transparently. This includes being clear, open and honest from the outset about how you will use individuals' personal data. Spell out in a privacy notice the purposes of the processing and the legal basis you are relying on for each purpose, and document your reasons for relying on it. There is no hierarchy among the legal bases: none is better or more important than the others. Which legal basis is appropriate will depend on your specific purposes and the context of the processing. As a starting point, the ICO has an interactive guidance tool to assist.
As the ICO points out in its guidance, many of the legal bases for processing, including the contract legal basis and legitimate interests, depend on the specific processing being “necessary”. This doesn’t mean it has to be absolutely essential, but it must be more than just useful, and more than just standard practice. Is the processing objectively necessary for the stated purpose? The legal basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data. If your purposes change, you need to consider whether a new legal basis is applicable.
Contractual necessity can be invoked as a valid legal basis where you need to process an individual’s personal data to deliver a contractual service to them, or they’ve asked you to do something before contracting (such as providing a quote). Note that the processing must be necessary to perform the contract with the particular individual, and not a third party. If the purposes of the processing go beyond delivering the contractual service, the contract legal basis will not apply. This is the crux of the issue in Meta’s case. Its argument, which will be further tested on appeal, is that Facebook and Instagram are inherently personalised, and providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service.
We’ve referred in this briefing to the ‘GDPR’. Meta was fined for breaching the EU GDPR, but similar considerations apply in relation to UK GDPR compliance.
Our Regulatory & Compliance specialists, together with our Technology & Digital colleagues, have a great deal of experience advising businesses on all aspects of data protection compliance. For advice or assistance with your data processing operations, including relying on the contract legal basis, or if you have queries about data protection compliance generally, please contact Jeanette, who will be very happy to help.