Data PrivacyGDPR Violations: Meta Platform’s Data Transfer Practice and Regulatory Response

On 12.05.2023, the Data Protection Commission (hereinafter referred as “DPC”) imposed a fine of €1.2 billion, which is the largest till date, on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (hereinafter referred as “Meta”), for contravention of the provisions of the General Data Protection Regulation (hereinafter referred to as “GDPR”).

The decision revolves around a breach of Article 46(1) of the GDPR and Meta’s persistent transfer of data from EU/EEA users to the US, notwithstanding the ruling in the Court of Justice of the European Union’s decision of Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (hereinafter referred as “Schrems II”).

The Schrems II ruling affirmed the validity of Standard Contractual Clauses (hereinafter referred as “SCCs”) as a lawful mechanism for transferring data from the EU/EEA to third countries (those lacking an adequacy decision from the European Commission), on the condition that the non-EU/EEA recipient country ensures a level of data protection equivalent to that within the EU.

FACTS

The Irish DPC (hereinafter referred as “IDPC”) commenced its investigation following the submission of complaints by Mr. Schrems against Meta for allegedly unlawfully using user data, primarily for behavioral advertising. These complaints were sent to the IDPC, which became the Lead Supervisory Authority due to the cross-border nature of the processing and the presence of Meta’s main European establishments in Ireland.

The complaints against Meta Platforms namely, Facebook, Instagram, and WhatsApp highlighted a common issue: prospective users are required to agree to Terms of Service to create an account and access the services. Upon acceptance, these terms form a contractual agreement between the new user and the Meta Platforms.

In April 2018, Meta Platforms updated their Terms of Service and privacy policy to comply with the obligations of the GDPR, which would become enforceable from May 25, 2018. One of these obligations under Article 5 of the GDPR is the requirement to process personal data lawfully, fairly, and transparently.

Article 6(1) of the GDPR outlines six legal bases for processing personal data, including consent, contractual necessity, legal obligation, protection of vital interests, public interest or official authority, and pursuit of legitimate interests. Additionally, Article 13(1)(c) mandates controllers to provide users with clear and concise information about the purposes and legal basis of data processing.

The GDPR mandates a legal basis for processing personal data and requires transparency in communicating this information to users a significant departure from previous regulations.

To continue using Meta Platform’s services, users were required to consent to the updated Terms of Service and privacy policy before May 25, 2018. Existing users were informed of these updates through informational notices and options presented on the platforms, including links to access the full text of the Terms of Service and Data Policy.

ISSUES BEFORE THE IRISH DATA PROTECTION COMMISSION:

1. Whether Meta Ireland was acting lawfully, and in particular, compatibly with Article 46(1) GDPR, in making transfers (“the Data Transfers”) of personal data relating to individuals who are in the EU/ EEA, who visit, access, use or otherwise interact with products and services provided by Meta Ireland, each of whom is a “data subject” for the purposes of Article 4(1) GDPR (“Users”) to Meta US pursuant to standard contractual clauses (“the 2010 SCCs”) based on the clauses set out in the Annex to Commission Decision 2010/87/EU^ (“the 2010 SCC Decision”), following the judgment of the Court of Justice of the European Union, delivered on 16 July 2020, in Case C-311/18 ‘Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems EU:C:2020:559 (“the Judgment”)

2. Whether and/or which corrective power should be exercised by the DPC pursuant to Article 58(2) GDPR in the event that the conclusion is reached that Meta Ireland is acting unlawfully and infringing Article 46(1) GDPR.

3. Whether Meta Ireland complied with the GDPR concerning the transfer of personal data from the EU/EEA to the US?

4. Whether the data transfer mechanisms utilized by Meta Ireland, including the updated SCCs adopted by the European Commission in 2021, were effective in addressing risks to the fundamental rights and freedoms of data subjects.

5. Whether cooperation and dispute resolution mechanisms were effectively employed between the DPC and Concerned Supervisory Authorities (hereinafter referred to as “CSAs”) from other EU/EEA member states.

DECISION AND FINDINGS

A. Decisions and Finding by IDPC

In 2021, following its investigations, the DPC issued three preliminary draft decisions against Meta Platforms. Each decision concluded that Meta Platforms could rely on Article 6(1)(b) GDPR as a legal basis for their data processing activities related to service provision, including behavioral advertising for Facebook and Instagram, and service improvement and security maintenance for WhatsApp, as long as these activities formed a core part of their services.

In the Preliminary Draft Facebook Decision, the DPC stated that Article 6(1)(b) GDPR does not necessitate the impossibility of performing the contract without the data processing operations in question. It asserted that behavioral advertising is integral to the service accepted by Facebook users and concluded that Meta could, in principle, rely on Article 6(1)(b) GDPR for processing user’s data necessary for providing the Facebook service, including behavioral advertising.

Despite acknowledging significant transparency failings, the IDPC maintained that behavioral advertising is an inherent aspect of Facebook’s service. The IDPC found infringements of Articles 5(a), 12(1), and 13(1)(c) GDPR due to transparency failings in Facebook and Instagram’s Terms of Service and privacy policies.

Before adopting the preliminary draft decisions against Facebook and Instagram, the IDPC had already issued a similar preliminary draft decision against WhatsApp, resulting in a €225 million fine and an order for WhatsApp to align its privacy policy with the GDPR.

Following the cooperation procedure outlined in Article 60 GDPR, the IDPC shared the Preliminary Draft Decisions with CSAs. Some CSAs raised reasoned objections under Article 60(4) GDPR, leading to an impasse. Consequently, the matter was referred to the European Data Protection Board (hereinafter referred as “EDPB”), initiating the dispute resolution procedure under Article 65(1)(a) GDPR.

B. Decisions and Findings by EDPB

Under the dispute resolution process outlined in the GDPR, the EDPB is tasked with resolving disputes between CSAs and the IDPB regarding preliminary draft decisions. The CSAs raised objections to the Preliminary Draft Decisions, primarily concerning whether the IDPC correctly identified an infringement of Article 6(1) GDPR due to a lack of lawful basis for data processing. The CSAs expressed concerns that the IDPC’s interpretation of Article 6(1)(b) could undermine data protection principles and jeopardize data subjects’ rights.

The EDPB emphasized the importance of lawfulness in data processing, noting that a restrictive interpretation should be applied to ensure personal data protection. It stated that data processing must be objectively necessary and integral to fulfilling the contractual service to be deemed necessary under Article 6(1)(b) GDPR.

The EDPB assessed whether the provision of behavioral advertising was objectively necessary for Meta Platforms to deliver its services to users based on the Terms of Service and the nature of the service provided.

Referring to its guidance on Article 6(1)(b) GDPR, the EDPB highlighted that necessity must be evaluated based on the mutually understood contractual purpose from both the controller’s and a reasonable data subject’s perspective.

The EDPB concluded that users cannot reasonably expect their data to be processed for behavioral advertising solely based on the Terms of Service or general awareness of such practices. It emphasized the intrusive nature of behavioral advertising and the difficulty for users to fully comprehend its impact on their privacy rights.

Similar conclusions were drawn regarding Meta Platforms’ reliance on Article 6(1)(b) GDPR for processing WhatsApp users’ data for service improvements and security features. The EDPB noted that users are effectively compelled to accept the Terms of Service, including data processing requirements, to use WhatsApp, leaving them no practical option to opt-out.

Consequently, the EDPB determined that Meta Platforms incorrectly relied on Article 6(1)(b) GDPR as the lawful basis for data processing, resulting in infringements of transparency obligations under Articles 5(1)(a), 12(1), and 13(1)(c) GDPR in each Binding Decision.  Infringement of Article 46(1) and Article 9 has been observed:

• Article 46(1): Transfers subject to appropriate safeguards
• Article 9: Processing of special categories of personal data.

Penalties imposed on Meta:

1. Suspension of Future Data Transfers: Meta Ireland was ordered, pursuant to Article 58(2)(j) GDPR, to suspend any future transfer of personal data to the US within five months from the date of notification of the DPC’s decision.

2. Administrative Fine: Meta Ireland was fined €1.2 billion, reflecting the EDPB’s determination that an administrative fine was necessary to sanction the infringement found to have occurred. The DPC determined the amount of the fine by referencing the assessments and determinations included in the EDPB’s decision.

3. Compliance Order: Meta Ireland was ordered, pursuant to Article 58(2)(d) GDPR, to bring its processing operations into compliance with Chapter V of the GDPR. This included ceasing the unlawful processing, including storage, in the US of personal data of European Union/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision.

FINAL DECISIONS AND FINDINGS BY IRISH DATA PROTECTION COMMISSION

In compliance with the EDPB’s Binding Decisions, the IDPC utilized its corrective authority and issued an order pursuant to Article 58(2)(d) GDPR, mandating Meta Platforms to rectify their data processing practices, which were found not to be justified under Article 6(1)(b) GDPR.

Additionally, Facebook and Instagram were instructed to align their Data Policy and Terms of Service with Articles 5(1)(a), 12(1), and 13(1)(c) GDPR concerning the provision of information on data processed under Article 6(1)(b) GDPR and for “behavioral advertising”. WhatsApp was granted six months to comply, while Facebook and Instagram were given three months.

Furthermore, the IDPC imposed administrative fines of €5.5 million on WhatsApp, and €210 million and €180 million respectively on Facebook and Instagram, pursuant to Articles 58(2)(i) and 83 GDPR. The fines imposed on Facebook and Instagram were divided into three components:

• €80 million and €70 million for inadequate provision of information regarding processing under Article 6(1)(b) GDPR (breaching Articles 5(1)(a) and 13(1)(c) GDPR);
• €70 million and €60 million for insufficiently transparent provision of required information (violating Articles 5(1)(a) and 12(1) GDPR); and
• €60 million and €50 million for infringement of Article 6(1) GDPR.

AMLEGALS REMARKS

The decision and subsequent regulatory actions taken by the DPC and EDPB underscore the seriousness with which violations of the GDPR are treated. Meta faced significant penalties and corrective measures for its breaches of GDPR provisions, particularly regarding the transfer of user data from the EU/EEA to the US without adequate safeguards.

The regulatory response highlights the importance of transparency, lawful data processing, and the protection of individuals’ privacy rights in the digital age. By imposing substantial fines and mandating corrective actions, the authorities aim to ensure accountability and compliance with GDPR standards, ultimately safeguarding the fundamental rights of data subjects within the EU and the EEA.

The case underscores the challenges faced by multinational companies in navigating the legal and regulatory landscape surrounding cross-border data transfers, particularly in light of evolving legal interpretations and standards set by the Court of Justice of the European Union. Meta Ireland’s reliance on SCCs and supplementary measures reflects the complexities involved in ensuring compliance with GDPR requirements, especially concerning data transfers to jurisdictions with differing data protection standards.

The inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021. Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022. Notably, it found that:

a) The data transfers in question were being carried out in breach of Article 46(1) GDPR; and

b) In these circumstances, the data transfers should be suspended.

Under a cooperation procedure mandated by the Article 60 of GDPR, the draft decision prepared by the DPC was submitted to its peer regulators in the EU/EEA, also known as CSAs.  The nature of the processing under examination by the inquiry was such that all other EU/EEA Supervisory Authorities were engaged as CSAs for the purpose of the cooperation procedure.

On the question of Meta Ireland’s non-compliance with the GDPR, and the DPC’s proposal to make an order to suspend the data transfers, the CSAs agreed with the DPC’s decision.

The disagreement among the CSAs, as defined by Article 4(22) of GDPR and the subsequent referral to the EDPB for resolution highlight the complexities of multinational data protection enforcement and the importance of harmonization and consensus-building among EU/EEA regulatory authorities. The significant administrative fine imposed on Meta Ireland, along with the other corrective measures, reflects the seriousness of the GDPR infringement and underscores the DPC’s commitment to enforcing GDPR standards and protecting the rights of EU/EEA data subjects.

– Team AMLEGALS assisted by Mr. Samarth Sheth

For any queries or feedback feel free to reach out to mridusha.guha@amlegals.com or jason.james@amlegals.com