NORWEGIAN SUPERVISORY AUTHORITY: Infringement fines for Facebook and Instagram

The company Meta, which owns Facebook and Instagram, has been fined a total of EUR 390 million by the data protection authority in Ireland for breach of the General Data Protection Regulation. The Norwegian Data Protection Authority has actively contributed to the proceedings together with our European sister organisations.

The case concerns the processing of personal data for behavioural marketing on Facebook and Instagram. Most social media sites monitor what you like, what content you interact with and so on to find out what you are interested in. These analytics are used to customise which ads you see. This is a common business model in digital ecosystems.

The question is whether Meta has a valid legal basis for its profiling and marketing practices. A legal basis is necessary for the processing of personal data to be lawful. Meta believes that it has a legal basis for processing because, in its view, the marketing practices are necessary to fulfil the agreement with the users. The practices have been mentioned in the terms of service, and Meta therefore believes that it does not need to ask for consent or allow users to switch off profiling.

The European data protection authorities have concluded that the behavioural marketing is not necessary for the agreement with the users, and Meta has therefore processed personal data unlawfully. In addition, Meta has provided insufficient information about the basis for processing to the users.

The conclusion is that Meta has violated the GDPR, and they are given three months to rectify the unlawful behaviour. In addition, they are fined more than NOK 4.1 billion. “This clearly shows how serious the breach is,” says Tobias Judin, Head of the International Section.

The articles of the GDPR that have been violated are Articles 5(1)(a), 6(1), 12 and 13(1)(c).

European cooperation

Since Meta has its European headquarters in Dublin, it is the data protection supervisory authority in Ireland that has handled the case and has taken the decisions against Meta. The Norwegian Data Protection Authority welcomes the decisions from Ireland.

However, the case has been processed through the co-operation and consistency mechanism of the GDPR, as the case is cross-border. All data protection authorities in the EEA are so-called “supervisory authorities concerned” in the case, and many of the supervisory authorities have actively participated in the proceedings.

The case has raised complicated legal questions, and there have been demanding discussions about what the decision should entail. The case has therefore been raised for consideration by the European Data Protection Board, also known as the EDPB. In the EDPB, we have decided what the decision should be based on.

We describe the European co-operation in a separate article.

The Norwegian Data Protection Authority prioritises providing input in major, significant cases, and we have done so here as well. The Data Protection Authority’s input has helped shape the outcome of the case.

The outcome also follows the EDPB’s guidelines on what is necessary to implement an agreement (edpb.europa.eu), for which the Norwegian Data Protection Authority has been the main rapporteur.

“The Norwegian Data Protection Authority has been involved in this legal issue for many years precisely because it has such major implications for the privacy of Norwegians,” says Judin.

The way forward

Meta has announced that it will appeal the decision in the Irish courts (about.fb.com), which have the option to refer the case to the European Court of Justice. Therefore, it will probably take several years before the case is finally decided. The Data Protection Authority understands that the decision will only become legally binding in Irish law when all possibilities of appeal have been exhausted. If so, this means that we are unlikely to see changes on Facebook or Instagram any time soon.

The decision states that Meta cannot base its profiling and marketing practices on contractual necessity. However, the decision does not address whether the practices can be based on one of the other processing bases. At the same time, the conditions for the other processing bases are different, which means that if the decision stands, Meta will most likely have to make changes to its business model.

https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/overtredelsesgebyr-til-facebook-og-instagram/
