Earlier this month, the Irish Data Protection Commission (DPC) and European Data Protection Board (EDPB) released the findings in two investigations into Meta’s advertising terms of service. The DPC imposed a combined €390 million fine for violations of GDPR and gave the company three months to bring its practices into legal compliance. The decision and accompanying fines have received global media attention and are under appeal.
While the findings apply directly to Meta, there are important consequences for all organisations. We have outlined the key points below.
The findings are the culmination of a process which began on 25 May 2018, the very day that GDPR came into operation.
Immediately prior to the onset of GDPR, Meta had changed the terms of service for Facebook and Instagram. Up until this point, Facebook and Instagram had relied upon users’ consent to collect data used to provide personalised advertising. Under the changed terms of service, this data would now be collected as part of the standard contract which users must agree to in order to use Facebook and Instagram. In response to these changes, the privacy advocacy group NOYB (None of Your Business) filed two separate complaints with the Irish DPC addressing both Facebook and Instagram. The rulings dealt with two issues:
Issue 1: Lawful Basis for Processing Personal Data
Under European Data Protection Law, a legal basis is required to process any personal information. The six acceptable bases are listed under Article 6(1) of the GDPR and include consent, contract, and vital interest.
NOYB alleged that Meta had attempted to bypass GDPR’s consent requirement for personal advertising by claiming that the advertising is part of a service that is contractually owed to users.
The EDPB concluded that, as the main purpose for which users “use” Facebook and Instagram and “accept” their Terms of Service is to “communicate with others” and “not to receive personalised advertisement”, performance of a contract was not an acceptable lawful basis. As such, Meta had unlawfully processed personal data for behavioural advertising.
Issue 2: Transparency and Fairness
Beyond having a lawful basis, Article 5 of GDPR outlines core principles which must be adhered to for all processing of personal data. These include the requirement for all personal data to be processed “fairly” and in a “transparent” manner.
In their decisions, the EDPB and DPC agreed that Meta “presented its services to users in a misleading manner” and that the relationship between the company and its users was “imbalanced.” Moreover, insufficient detail had been provided to users on what data would be collected and how it would be used.
Practical Implications – What Should I Know and What Should I Do Now?
Clarifying Legal Bases for Processing Data
In its findings, the EDPB has made it clear that data processing cannot be justified “simply because processing is necessary for the controller’s wider business model”. As such, we recommend all clients review their listed legal bases for processing personal data and ensure that these are appropriate.
Reviewing Privacy Notices
The findings highlight the importance of transparency and fairness when dealing with data subjects. It is also clear that imprecise language will no longer be acceptable in privacy policies. This rules out open-ended phrases such as “such as” or “things like…” when listing data usage categories.
We recommend all clients review their privacy notices to ensure that they meet the level of precise, clear, and plain language required. We know that it is not easy to balance precision and clarity, and we are here to assist in this process.