Meta Platforms Ireland Ltd, formerly Facebook Ireland, is seeking to bring High Court proceedings to quash a record €405 million in fines for violating children’s privacy on its Instagram service.
Last September, the Data Protection Commission (DPC) imposed the fine over breaches of GDPR whereby mobile phone numbers and email addresses of teenage Instagram users were published automatically under default settings on the app’s “business account” service. This default setting has since been changed by Instagram.
Meta claims the DPC decision is in breach of the Charter of Fundamental Rights of the EU and, therefore, invalid.
It seeks a number of High Court declarations including that certain parts of the 2018 Data Protection Act, under which the fines were made, are invalid under the Constitution and incompatible with the European Convention on Human Rights.
It also wants the hearing of its High Court proceedings to be heard “otherwise than in public”.
Meta says it also intends to apply to the Court of Justice of the EU for an annulment of a decision of the European Data Protection Board (EDPB), which instructed Ireland’s DPC to ensure the fines imposed were “effective, proportionate and dissuasive”.
The DPC is the lead supervisory authority in the EU as Meta has its European headquarters in Dublin while the EDPB coordinates the work of national and regional data regulators in the EU and a handful of countries outside the union.
The case against the DPC, Ireland and the Attorney General, was briefly mentioned before Mr Justice Charles Meenan on Monday by Declan McGrath SC, for Meta, in an application where only the plaintiff was represented.
The judge deemed as open Mr McGrath’s application for leave to bring the proceedings for the purpose of ensuring it is brought within time limits for judicial reviews. He adjourned the application to January.
In its action, Meta says the DPC’s decision is unlawful, vitiated by errors of law and/or outside its powers by reason of the fact that her original decision was amended on the basis of the EDPB decision. It says the DPC erred in treating what were “non-binding views” of the EDPB as binding.
The DPC also took into account irrelevant considerations, namely the views expressed by other European data regulators which Meta says “were not expressed by way of relevant and reasoned objection”.
There was also, Meta says, a breach of fair procedures by the DPC and the EDPB including both bodies’ failure to consider expert evidence submitted by the social media company.
The DPC also failed to give adequate reasons for the decision, Meta says.
It further claims there was manifest error of assessment in her “misinterpretation and misapplication” of certain articles of the GDPR regulations.