Ireland’s data protection watchdog has announced dramatically higher fines against Facebook and Instagram under instruction from Europe’s overarching privacy regulator. The Data Protection Commission (DPC) has also substantively revised two draft decisions it made against the Meta-owned platforms.
However, the Irish regulator – the main supervisory body for Meta in Europe – says it will appeal elements of the European Data Protection Board (EDPB’s) binding decision to the European Court of Justice. It will argue that the board’s direction for the DPC to conduct a wide-ranging investigation into the Facebook owner’s personal data processing operations is “problematic” and may constitute an “overreach”.
The DPC has fined Facebook and Instagram €210 million and €180 million respectively for related breaches of their transparency obligations under the EU’s General Data Protection Regulation (GDPR). The fines are a multiple of the figures originally proposed by the Irish regulator.
Originally, it had suggested fines of between €28 and €36 million for the breaches by Facebook and from €23 million in relation to Instagram. It was required by the European oversight board to increase the sums to reflect an additional GDPR breach that the board instructed the Irish watchdog to insert.
The combined €390 million fine brings to more than €1 billion the total amount of financial penalties the DPC has levied against Meta and its platforms. The regulator has a further 12 separate inquiries still open into the tech giant and its platforms.
Potentially of much greater consequence to the social media giant’s operations in Europe is the DPC’s adoption of the EDPB’s ruling that the two platforms are not entitled to rely on the legal basis they currently use to justify data collection of this variety under GDPR.
That decision, which requires Meta to bring its processing operations into compliance within three months, could substantially undermine Meta’s ability to gather information from its users to tailor and sell advertising, experts believe.
A third decision, based on a related complaint about WhatsApp, is expected over the coming days.
Meta Ireland said it was disappointed with the decisions.
“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” a spokeswoman said.
The announcement comes one month after the EDPB informed the Irish regulator that it had adopted three binding dispute resolution decisions concerning Meta Platforms Ireland. Those decisions related to a number of draft findings that the Irish regulator had issued to Meta’s Facebook, Instagram and WhatsApp platforms in 2021 and 2022 on foot of complaints made by Austrian privacy campaigner Max Schrems. He argued that Meta used “forced consent” to process personal data, specifically in relation to its terms of services.
Initially, the DPC had proposed fining Meta for breaches of its obligation under GDPR to be transparent with its users about data processing. However, the DPC also found that the social media giant does not necessarily require the consent of its users in order to process their data and that it can rely on the argument that it is fulfilling a contract with its users to provide personalised ads.
On Wednesday, the DPC said that it had submitted the decisions to its peer regulators in EU. While the other concerned supervisory authorities (CSAs) agreed that Meta had breached its transparency obligations, 10 of the 47 other bodies raised objections to other elements of the draft decision.
The DPC said: “In particular, this subset of CSAs took the view that Meta Ireland should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalised advertising ... could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.”
The DPC disagreed with this view, it said, “reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising”.
However, consensus could not be reached and the matter was referred to the EDPB, which took a “different view” on the question of legal basis, the DPC said, effectively overruling the Irish regulator. The commission has now adopted the decision and said it believes that Meta Ireland “is not entitled to rely on the contract legal basis”.
Speaking to The Irish Times, Mr Schrems, whose complaint triggered the investigation in 2018, called the ruling “another major blow to the DPC and its credibility”.
“They have gone to the EU level three times on this, trying to push their view through,” he said, adding that they had been dismissed each time. “They have been overturned again and again. All of this costs time and money, when all they needed to do was follow the European guidelines.”
He accused the DPC of breaking an agreement to share its ruling with him and suggested it was “trying to control the narrative by presenting themselves as a tough regulator”.
Separately, the DPC said it will take the EDPB to the European Court of Justice, seeking an annulment of one of its directions.
The DPC said the board had “purported to direct” it to “to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations”.
It said this direction is “problematic in a jurisdictional terms” because it is not open to the board “to instruct and direct an authority to engage in open-ended and speculative investigation”. As such, the Irish supervisory will appeal this element of the ruling, given that it “may involve an overreach on the part of the EDPB”.