Following the European Data Protection Board’s (EDPB’s) binding decisions adopted at the EDPB meeting on 5 December 2022 , the Irish Data Protection Authority has now made final decisions in the Authority’s two cases against Meta Platforms Ireland Limited. One decision is about Facebook, where the supervisory authority issued a fine of 210 million euros, and the other about Instagram, where the supervisory authority issued a fine of 180 million euros. The total fine for Meta thus amounts to 390 million euros – corresponding to approx. 2.9 billion Danish kroner. In addition, the Irish supervisory authority has issued orders to Meta to bring its processing activities in line with the GDPR.
With the decisions, the Irish Data Protection Authority states, among other things, that the performance of a contract is not an appropriate lawful basis (legal basis for processing) when the purpose of the processing is behavioural marketing.
The EDPB made a binding decision following objections from supervisory authorities
According to the GDPR, the EDPB can adopt so-called binding decisions if one or more supervisory authorities make a relevant objection to the lead supervisory authority’s (in this case Ireland’s) proposal for a decision in cross-border cases, i.e. cases like this one that affect citizens of several European countries. The objections to the Irish supervisory authority’s proposed decision were, among other things, about the authority for the processing of personal data and the size of the fine.
In order to reach an agreement on a binding decision in the EDPB, the Irish Data Protection Authority initiated the so-called dispute resolution procedure. The case was then submitted to the EDPB, where i.a. the Danish Data Protection Authority has helped shape the binding decisions.
The Irish supervisory authority also issued a fine to Meta in September 2022 on the basis of a case which, among other things, was about Instagram’s publication of email addresses and phone numbers of minors who had so-called Instagram Business accounts, and a “public-by-default” setting for minors’ personal Instagram profiles.