Brussels, 12 January – Following the EDPB’s binding dispute resolution decisions of 5 December 2022, the Irish Data Protection Authority (IE DPA) has adopted its decisions regarding Facebook and Instagram (Meta Platforms Ireland Limited, ‘Meta IE’). These decisions are the result of complaint-based inquiries into Facebook’s and Instagram’s activities in particular concerning the lawfulness and transparency of processing for behavioural advertising. Meta IE was fined €210 million in the Facebook decision and €180 million in the Instagram decision by the IE DPA.
The IE DPA’s final decisions of 31 December 2022 incorporate the legal assessment expressed by the EDPB in its binding decisions of 5 December 2022. These binding decisions were adopted on the basis of Art. 65(1)(a) GDPR, after the IE DPA as lead supervisory authority (LSA) had triggered two dispute resolution procedures concerning the objections raised by concerned supervisory authorities (CSAs) from ten countries in each case. Among others, CSAs issued objections concerning the legal basis for processing (Art. 6 GDPR), data protection principles (Art. 5 GDPR), and the use of corrective measures including fines.
EDPB Chair Andrea Jelinek said: “The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model.”
The EDPB instructed the IE DPA to include, in its final decisions, an order for Meta IE to bring its processing of personal data for behavioural advertising in the context of the Facebook and Instagram services into compliance with Art. 6(1) GDPR within three months.
Next, the EDPB examined whether the complaints had been addressed with due diligence. The complainant had raised the fact that sensitive data is processed by Meta IE. However, the IE DPA did not assess processing of sensitive data and therefore, the EDPB did not have sufficient factual evidence to enable it to make findings on any possible infringement of the controller’s obligations under Art. 9 GDPR. As a result, the EDPB disagreed with the IE DPA’s proposed conclusion that Meta IE is not legally obliged to rely on consent to carry out the processing activities involved in the delivery of its Facebook and Instagram services, as this could not be categorically concluded without further investigations. Therefore, the EDPB decided that the IE DPA must carry out a new investigation.
In addition, the EDPB instructed the IE DPA to include in both final decisions a finding of infringement of the principle of fairness and to adopt the appropriate corrective measures. The EDPB noted that the grave breaches of transparency obligations impacted the reasonable expectations of the users, that Meta IE had presented its services to users in a misleading manner, and that the relationship between Meta IE and users was imbalanced.
With respect to the administrative fines, the EDPB directed the IE DPA to impose an administrative fine for the additional infringements of Article 6(1) GDPR (lack of legal basis for the processing of personal data) and to issue significantly higher fines for the transparency infringements identified, as it found the fines proposed did not fulfil the requirement of being effective, proportionate and dissuasive. This led to the IE DPA significantly increasing the fines in its final decisions (from a maximum of €36 and €23 million for the Facebook and Instagram draft decisions, to €210 million and €180 million in the final decisions respectively).
The final decisions taken by the IE DPA are available in the Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
The EDPB also adopted another binding decision, on 5 December 2022, on the dispute arising on an inquiry relating to WhatsApp Ireland Limited. The final decision of the IE DPA still has to be adopted.
For further information regarding the Art. 65 GDPR procedure, please consult the Art. 65 FAQ