Meta to Appeal €390m GDPR Fine


Meta is set to contest a massive €390m ($413m) fine imposed on it by the Irish Data Protection Commission (DPC) for breaches of the General Data Protection Regulation (GDPR).

The DPC fined Meta Ireland €210m for breaches related to Facebook and €180m for its Instagram service, although some other supervisory bodies consulted during the process disagreed with its decision and argued for higher fines. 

The issue revolved around the social media giant’s choice of legal basis on which it relied to process users’ personal information.

Under the GDPR, firms have six clearly defined legal bases to choose from. Meta previously relied on user consent (one of these legal bases) to process personal data for purposes such as behavioral advertising, but it subsequently switched to another basis, known as “contractual necessity.”

Effectively, this meant that if users wanted to access Facebook and Instagram services, they would need to accept a lengthy new Terms of Service agreement displayed to them. This led to complaints from one Belgian and one Austrian user, according to the DPC.

“The complainants contended that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data,” it explained.

“They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact ‘forcing’ them to consent to the processing of their personal data for behavioral advertising and other personalized services. The complainants argued that this was in breach of the GDPR.”

The DPC issued the fines after concluding that Meta had not been transparent enough with its users in outlining the legal basis under which personal data was processed.

After consultation with the European Data Protection Board (EDPB), the GDPR guidance body, it was also decided that Meta Ireland “was not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioral advertising.”

However, Meta hit back almost immediately, arguing that its approach respects the GDPR and that it has always been transparent with “regulators and courts” about its use of contractual necessity as a legal basis for data processing.

“There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time. This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether,” the social media giant said.

“That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioral ads given the nature of our services. As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticized for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”
