One of the biggest tech giants, Meta (formerly the Facebook company), has once again been struck with a significant fine over its compliance with the EU’s GDPR (General Data Protection Regulation). On January 4, 2023, Ireland’s data protection authority, the Data Protection Commission (DPC), announced its decision regarding Meta’s use of data for targeted advertising. The company was fined 390 million euros in total: a 210-million-euro penalty directed at the social networking service Facebook and a 180-million-euro penalty applying to Instagram’s services.
You must be wondering what Meta did to deserve this punishment. The core of the problem lies in the legal basis of the data processing. Namely, the Terms of Service for Facebook and Instagram users claimed that the data processing activities behind personalized advertising are necessary for Meta to perform its services.
This fine is a big blow to Meta, since it hasn’t been long since it was previously fined for non-compliance with the GDPR. In 2021 and 2022 the DPC issued the following GDPR fines to it:
- €225 million fine for infringements of transparency by the messaging service WhatsApp;
- €405 million fine for the unlawful processing of children’s personal data;
- €265 million fine concerning a data leak that made the personal information of more than 500 million Facebook users available online.
With the penalties reaching a total of 1285 million euros, Meta, as well as every other entity that processes personal data, should be very careful when collecting and processing the data of its users.
Legal Basis for Processing Data
According to the GDPR, for a data processing activity to be lawful it needs to rest on one of the following six legal bases:
- Consent
- Performance of a contract
- Legal obligation
- Vital interest
- Public interest
- Legitimate interest
Once the purpose for which data is collected has been determined, the legal basis on which the processing will be performed must also be decided, because the processing rules depend on it. If the processing for the desired purpose cannot be based on any of the available legal bases, then that processing is unlawful.
What Did Meta Do Wrong?
As mentioned before, the DPC decided that Meta did not have a proper legal basis to process personal data, specifically to use user data for personalized advertising. Meta attempted to bypass the legal requirements that apply to consent as a legal basis and instead presented targeted ads as an essential element of the Performance of the Contract.
Essentially, this maneuver allowed Meta to avoid offering a yes or no option (also known as an opt-in option) for personalized advertising when asking users to agree to the processing of their personal data for that purpose. Instead, the consent clause was simply injected into the Terms of Service.
Instagram and Facebook users were asked to accept the Terms of Service by clicking the button underneath the notification about the update of that controversial document. If users did not agree, further use of the services was disabled.
The Irish supervisory authority for the GDPR decided that this meant Meta was applying too much pressure on its users to give consent, which is against the GDPR’s conditions for consent as a legal basis. Namely, consent must be unconditional, which among other things means that it can’t depend on the acceptance of other services or conditions. This provision implies that consent to the processing of a person’s data can’t be bundled with the acceptance of the entire terms of service.
Meta’s Point of View
On the other hand, Meta stated that it disagrees with the DPC’s decision and believes it was compliant with the GDPR, bearing in mind the nature of its services. Meta argued that targeted ads are an essential part of its service and that social media services in general are tailored to the individual user.
Meta believes that the Performance of the Contract is a valid legal basis in this case, since it would be impossible for its platforms to work without using data for advertising.
Meta also pointed out that certain regulators disagreed among themselves on this matter right up until the DPC’s final decision, so it is unfair for Meta to be criticized for its approach.
A New Attempt To Circumvent Regulations?
From April 5, 2023, Meta changed the legal basis it uses to process certain user data in Europe from ‘Contractual Necessity’ to ‘Legitimate Interests’. However, this may be a case of one unlawful option being replaced with another, and a new attempt by Meta to circumvent the regulations.
Legitimate interest as a legal basis also comes with conditions that need to be fulfilled. It is true that the data controller (the entity that determines the purposes for which, and the way in which, personal data is processed) can base data processing on one of its legitimate interests, but not if that interest is overridden by the interests or fundamental rights and freedoms of the people whose personal data is being used.
The non-profit organization NOYB, which filed the complaints that led to the previously mentioned penalties against Meta, has announced that it will also take legal action to prevent Meta from relying on this legal basis, and that Meta needs to offer a yes/no option, which requires an active role from users when they give up their fundamental right to privacy.
It Could’ve Been Worse
Even if it sounds surreal, Meta’s fine for serving behavioral ads on Facebook and Instagram could have been several billion dollars bigger. The European Data Protection Board (EDPB) gave the DPC instructions on calculating the fine. If the DPC had followed these instructions, Meta’s fine could have been the maximum possible under the GDPR, which is 4% of the firm’s entire global turnover for the preceding fiscal year (around €4 billion in Meta’s case!).
Checklist If You Are Collecting and Processing Personal Data
Based on Meta’s case, it is clear that the consequences of non-compliance with the GDPR can be disastrous. Whether you run a website, platform, or application, if you process personal data and carry out marketing activities, these rules apply to you, and you should take measures to comply with the GDPR and the applicable data protection laws.
Before you start collecting and processing personal data, you need to think about these steps:
- Weigh up what data you need. Collecting, storing, and processing data that is not necessary for your business is just a financial and technical burden, and it will also be hard to find a valid legal basis for it.
- Think about the purpose – why do you need to process certain information? This will set you up for the next step.
- Determine the legal basis – the lawfulness of data processing hinges on choosing one of the six options mentioned earlier in this text.
- Make sure that all requirements and conditions of the legal basis you chose in the previous step are met.
- Notify the users of your services in a transparent, simple, and clear way about what data you process, for what purposes, what the basis of the processing is, and for how long you keep that data, along with all other necessary information.
Even if you come from a country outside the EU, that doesn’t mean you get a free pass. Many national legislatures have copied the GDPR’s provisions into their national laws, including the Serbian Law on Personal Data Protection.
Besides that, all data controllers should be aware of the GDPR’s extra-territorial scope, which means that its provisions can apply to non-EU natural persons and legal entities as well. For example, even if you are merely offering goods or services to individuals whose data is processed in the EU, you might be subject to the GDPR’s provisions, and potentially to multi-million fines if you fail to comply with the General Data Protection Regulation.
If you think the costs of GDPR compliance are too high, think again: they are certainly nowhere near as expensive as 4% of your firm’s global annual revenue.