On December 31, the Irish Data Protection Authority issued its final decisions regarding Facebook and Instagram based on the binding decisions of the European Data Protection Board. Ireland fined Meta Ireland Limited, the parent company of Facebook and Instagram, a total of €390 million for violations related to the processing of personal data for behavioral advertising.
Based on the complaints it received, the Irish Data Protection Authority specifically investigated the legality and transparency of the processing of personal data for behavioral advertising on Facebook and Instagram. Meta received penalty payments of 210 million euros in the case related to Facebook and 180 million euros in the case of Instagram.
The issues were handled in cooperation between data protection authorities of the European Economic Area. Participating supervisory authorities raised objections to the Irish draft decisions, regarding, among other things, the legal basis of the processing, the violation of data protection principles and the use of remedial powers. The data protection commissioner’s office was also a party to the case as part of the data protection council.
The Data Protection Board’s binding decisions were made after the Irish Data Protection Authority, as the lead supervisory authority, had referred matters to the Data Protection Board’s dispute resolution procedure.
There is no legal basis for processing data for behavioral advertising
The Data Protection Council stated that Metal did not have a legal basis for processing personal data for behavioral advertising. Using the agreement as a legal basis in connection with the terms of use of Facebook and Instagram was not appropriate, as behavioral advertising is not part of the core functions of the services.
“The binding decisions of the Data Protection Council clarify that Meta has processed personal data illegally for behavioral advertising. The decisions can also have a significant impact on other platforms whose business model is based on behavioral advertising,” says Andrea Jelinek , chair of the European Data Protection Board .
The Irish Data Protection Authority made changes to its draft decisions based on the dispute resolution decisions of the Data Protection Council and, among other things, increased the amount of penalty payments considerably.
The final decisions included a finding of a violation of legality and a violation of the principle of reasonableness. Serious violations of transparency obligations affected the reasonable expectations of users regarding the processing of personal data. The Data Protection Council considered that Meta had presented its services to users in a misleading manner and considered the relationship between Meta and users to be unbalanced.
Ireland ordered Meta to make the legal basis for data processing in behavioral advertising legal within three months. Meta must also take appropriate corrective measures to comply with the principle of reasonableness.
The Data Protection Council considered that there was insufficient evidence to assess the legality of the processing of data belonging to Meta’s special personal data groups, which is why the Irish Data Protection Authority should conduct a new investigation.
Dispute resolution decisions on the website of the Data Protection Council:
On December 5, 2022, the European Data Protection Board also issued a binding decision on the investigation into WhatsApp Ireland Limited. The Irish Data Protection Authority has yet to issue its final decision on the matter.