On January 4, 2023, the Irish Data Protection Commission (the “DPC”) announced it issued two decisions that have wide relevance for the adtech industry. The decisions focus on the extent to which businesses can rely on the GDPR legal basis of ‘performance of a contract’ to justify delivering behavioural advertising to users without separately seeking their consent.
The DPC concluded two investigations into certain data processing operations carried out by Meta Platforms Ireland Limited (“Meta”, previously known as “Facebook”) and decided to fine Meta €210 million (in connection with its Facebook service) and €180 million (in connection with its Instagram service).
The investigations were launched as a result of two complaints that the DPC received on May 25, 2018, the date on which the GDPR took effect.
Background:
Under the GDPR, organisations processing personal data must rely on an appropriate ‘legal basis’ to justify their processing, and there are only a limited number of legal bases. Of relevance to the DPC’s decisions, they include: ‘consent of the individual’ and ‘processing that is necessary for performance of a contract with the individual’.
Prior to the GDPR taking effect, according to the decisions, Meta had relied on its users’ consent to deliver the Facebook and Instagram services (including any ‘behavioural advertising’ contained in those services). With the GDPR coming into force, it was reported (in the DPC’s decisions) that Meta switched its legal basis from ‘consent’ to ‘contractual necessity’ for most of its processing operations.
The change in Meta’s legal basis for processing meant that users who wished to continue to have access to Facebook or Instagram were now required to accept the Terms of Service, which Meta updated to reflect its new position that the processing of users’ data was necessary for Meta to deliver its services (including the personalised services and behavioural advertising). Note that, per current guidance from the European Data Protection Board (“EDPB”), a body consisting of all EU data protection authorities, agreement to Terms of Service does not amount to consent, as consent should be unbundled and obtained separately from that agreement; and the provision of services cannot be made conditional on users’ consent.
The complainant filed two complaints on the day the GDPR came into effect, and the issue escalated to the DPC (which is Meta’s lead supervisory authority in the EU). The complaints argued that, contrary to Meta’s stated position, Meta was in fact still relying on consent as the lawful basis for its processing of users’ data and, by making access to its services conditional on users accepting the updated Terms of Service, it was forcing them to consent to the processing of their personal data for behavioural advertising and other personalised services, in breach of the GDPR.
The Decisions:
The DPC carried out investigations and issued preliminary draft decisions on May 14, 2022 that found that:
- Meta did not provide clear information on the legal basis applicable to data processing carried out through its Facebook and Instagram services, and as a result did not comply with its transparency obligations under the GDPR (‘First Finding’); however:
- Meta was not required to rely on consent, as the GDPR did not explicitly preclude a controller’s reliance on the ‘contractual necessity’ legal basis (‘Second Finding’).
EDPB’s guidelines have consistently taken a strict interpretation of the ‘contractual necessity’ legal basis and contended that ‘a contract cannot artificially expand the … types of processing operation that the controller needs to carry out for the performance of contract’ and that the intended processing should not go beyond what is ‘objectively necessary for the performance of contract’ (see EDPB Guidelines on processing of personal data in the context of online services here).
Under a procedure mandated by the GDPR, the DPC then submitted its draft decisions to the other concerned EU data protection authorities for their consideration. While those other authorities in principle agreed with the DPC’s First Finding, with respect to the Second Finding, some authorities raised objections, most significantly on the basis that delivery of personalised advertising could not be considered ‘necessary’ to perform the core elements of the contract.
The consultation between the DPC and those authorities did not resolve the disagreement and the DPC referred the issue to the EDPB.
Upon reviewing the case, however, the EDPB appeared to side with the other concerned authorities on the Second Finding, i.e., the question of Meta’s reliance on ‘contractual necessity’ (see the EDPB’s determinations here). In addition, the EDPB directed the DPC to conduct a new investigation into all of Meta’s data processing operations.
The EDPB adopted its final decision on December 31, 2022, which was binding on the DPC.
Subsequently, the DPC announced its final decisions on January 4, 2023, which adopted the EDPB’s determinations.
Next steps:
In addition to the monetary fines, the DPC’s final decisions require Meta to bring its data processing operations into compliance with the decisions within a period of 3 months, which means that reliance on ‘contractual necessity’ to deliver behavioural advertising may no longer be an option available to Meta in the EU.
However, Meta said that it intends to appeal the substance of the decisions and the fines. Meta notes that it uses a combination of legal bases under the GDPR to provide its services, including contractual necessity (see Meta’s announcement here).
In its press release, the DPC also expressed its frustration with certain elements of the EDPB’s determinations. In particular, the DPC considers that the EDPB’s direction to the DPC to conduct a fresh investigation into all of Meta’s activities is an overreach on the part of the EDPB as, in the DPC’s words, ‘the EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation’.
The DPC also stated that it will bring an action for annulment before the Court of Justice of the EU in order to seek to set aside the EDPB’s requirement that the DPC launch a fresh investigation.
Overall, the decisions represent some of the most significant enforcement action under the GDPR to date, as they have a direct impact on how adtech services can be delivered in the EU and have also surfaced the tension between the DPC and some of the other EU data protection authorities that has been building for some time[1]. Furthermore, it is a major development with the potential for wider ramifications for the entire adtech industry, which may need to rely on consent in order to provide its services but may not have the ability or capacity to obtain those consents effectively[2].
[1] Note, for example, an article noting discrepancies between the two entities at https://www.politico.com/news/2019/12/27/europe-gdpr-technology-regulation-089605.
[2] According to guidance, for consent to be valid, all third parties on whose behalf ads are delivered need to be specified in the consent by name. This means that when adtech companies collect consent (or ask a website publisher to collect consent for them), such consent should, as a general rule and according to the relevant guidance, include the names of all third parties (e.g. other publishers / advertisers) on whose behalf the ads will be delivered. Also, consent should be obtained for each distinct processing activity and service. This means that consent cannot be obtained in a blanket fashion and cannot be future-proofed to cover processing activities that do not yet exist. Consent can also be withdrawn at any time. So if a user has given their consent and the company has started to use that consent to deliver ads on behalf of third parties, the company will need to stop such marketing immediately once the user withdraws consent – which is operationally difficult to do.