EU & Ireland: Meta’s legal basis for targeted ads found to breach GDPR

New decisions narrow ‘contractual necessity’ as a ground for processing data—and highlight divisions among EU privacy regulators

Authors: James Sullivan, John Magee & David Brazil

Ireland’s Data Protection Commission (DPC) announced on January 4, 2023, that it has fined Meta a total of €390 million after finding that the company’s Facebook and Instagram platforms lacked proper legal grounds for processing millions of Europeans’ personal data for targeted advertising.

In addition to posing challenges for Meta’s business model, the DPC’s two decisions reflect growing disagreement among European data protection authorities (DPAs) on two fronts.  The first relates to the use of ‘contractual necessity’ as an appropriate legal basis under the GDPR for providing personal advertisements.  The second involves the legal authority of the European Data Protection Board (EDPB) to order DPAs to bring new investigations.

While we await the full decision of the DPC and EDPB, in this blog post we set out the key facts related to these cases and outline our initial takeaways.

Background

  • Complaint

In advance of the GDPR’s effective date on May 25, 2018, Meta changed the Terms of Service for its Facebook and Instagram services.  In contrast to its previous reliance on the consent of users, the company sought to use ‘contractual necessity’ as the lawful basis for processing users’ personal data under the GDPR.

Meta took the position that, upon accepting the updated Terms of Service, the user entered into a contract with the company.  Meta considered that its processing of the user’s data to provide personalized advertising in connection with the delivery of its Facebook and Instagram services was necessary to its performance of that contract.

Once the GDPR went into effect, two EU complainants alleged that Meta was still relying on consent as the lawful basis for its processing of user data.  They argued that by conditioning its Facebook and Instagram services on acceptance of the updated Terms of Service, Meta was effectively “forcing” users to consent to such processing for personalized advertising.

  • Draft DPC Decision

In its subsequent draft decisions, the DPC made two key findings.  As an initial matter, it held that, by not outlining clearly to users its legal basis for processing personal data, Meta had violated its transparency obligations and its obligation to process personal data in a lawful, fair and transparent manner under the GDPR.  The DPC claims in its press release that it proposed “very substantial fines” on Meta in relation to these breaches, which is understood to have been between €28 million and €36 million.

Importantly, however, the DPC sided with Meta in concluding that the GDPR did not preclude the company from relying on ‘contractual necessity’ as an appropriate legal basis for processing the data needed to provide personalized advertisements.  In the view of the DPC, Meta’s provision of personalized advertising was central to the bargain struck between users and the company’s Facebook and Instagram services.

Thereafter, 10 DPAs from across Europe contested the determination in the DPC’s draft decisions that Meta should be able to rely on the ‘contractual necessity’ legal basis.  According to the concerned DPAs, Meta’s delivery of personalized advertising was not necessary to the company’s provision of its Facebook and Instagram services to users. In their view, the contract with users contained certain core elements and the delivery of personal advertising could not be said to be necessary to perform that much more limited form of contract.

  • EDPB Binding Decision

On December 5, 2022, the EDPB issued a binding determination on the dispute between the DPC and its peer DPAs.  In partially reversing the DPC’s draft decision, the EDPB found that Meta was not entitled to rely on the ‘contractual necessity’ legal basis.  In addition, the EDPB ordered the DPC to conduct a new investigation into all of Facebook’s and Instagram’s data processing operations.

In its final decisions on December 31, 2022, the DPC incorporated the EDPB’s binding determination that Meta’s reliance on the ‘contractual necessity’ legal basis to process users’ data violated the GDPR.[1]  In announcing those final decisions on January 4, 2023, however, the DPC characterised the EDPB’s order to initiate a new “open-ended and speculative investigation” of Meta as overreach. The DPC noted that this direction is not included in its decisions and indicated that it will bring an annulment action before the Court of Justice of the EU to set aside this element of the EDPB’s ruling.

Next Steps & Implications

  • The future of ‘contractual necessity’ for personalized advertising

Following the DPC’s decisions, Meta announced its intention to appeal both the substance of the decisions and the fines imposed thereunder.  As a result, the issue of whether ‘contractual necessity’ constitutes an appropriate legal basis for personalized advertising is certain to be litigated for years to come.

  • Alternative legal basis for personalized advertising

The DPC’s final decisions require Meta to bring Facebook’s and Instagram’s processing operations into compliance within three months, however, Meta’s stated intention to appeal the decision means that it may continue to rely on the same approach to legal basis pending the final determination of an appellate process.  As the decisions did not prohibit personalized advertising on the two platforms, Meta could potentially pivot to another available legal basis under GDPR, such as consent or ‘legitimate interest.’  As a general matter, ‘legitimate interest’ tends to be an appropriate ground when companies process personal data in a way users would reasonably expect; however, where legitimate interest is relied upon, users have the right under GDPR to object to processing. This right to object would potentially undermine Meta’s ability to conduct personalized advertising on all of its users if it elected to rely on this legal basis instead of ‘contractual necessity’.

  • The EDPB’s legal authority to order investigations

Finally, an action to annul part of the EDPB’s determination before the Court of Justice of the European Union would mark the DPC’s first legal challenge of the Board’s directions.  The DPC’s claim would hinge on whether the EDPB—a body charged with resolving disputes between DPAs and ensuring the consistent enforcement of the GDPR across the EU—has the legal authority to order DPAs to bring new investigations.

  • Wider Implications of the Decision

While the fine imposed is eye-catching and continues a trend of increased enforcement by the DPC in the course of the past year, the potential commercial implications of this decision for Meta and other businesses relying on digital platforms are more significant than a mere fine. As noted in a previous post, Meta suffered a significant 6.2% fall in share price on the day that the position of the EPDB in these cases was reported on. Following this decision, it will be increasingly difficult for Meta to justify its existing approach: providing personalized ads to all of its users without any option to opt-out. This business model has been a crucial driver of growth and revenue at Meta and for many other digital platforms. The anticipated appeal by Meta will be closely observed by many and we will continue to provide our comments as it progresses.

If you have questions or need additional information, please contact one of the authors and/or your DLA Piper relationship attorney.

[1] A third DPC decision regarding Meta’s WhatsApp service is due imminently.  Unlike the Facebook and Instagram decisions, however, the DPC’s WhatsApp inquiry concerned the lawfulness of Meta’s processing of personal data for the purpose of improving services.