Loading...

Personalized advertisements without express user consent declared illegal

topic

On 4/1/2023 the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”), operating the well-known Facebook and Instagram social networking services. The decision can be read here.

Meta Ireland was fined €210,000,000 (for breaches relating to its Facebook service) and €180,000,000 (for breaches in relation to its Instagram service). Meta Ireland was also directed to bring its data processing operations into compliance within a period of 3 months.

The complaints assessed the changes made in Meta Ireland’s Terms of Service for access to the social media platforms by effect of the introduction of the General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679) in 2018, in an attempt to legitimise the processing of users’ personal data to include the provision of personalised services and behavioural advertising. Such changes sought to rely on the “contract” legal basis for most of the processing operations and thus being regarded as lawful by reference to Article 6(1)(b) of the GDPR.

To the contrary, the complainants argued that, by making the accessibility of services conditional, Meta Ireland was “forcing” them to consent to the processing of personal data, which constitutes a breach of the GDPR.

The draft decisions prepared by the Irish DPC were submitted to other Concerned Supervisory Authorities and the points in dispute among them were accordingly referred to the European Data Protection Board (“EDPB”), an independent European body established by the GDPR for purposes of ensuring the correct and consistent application of the GDPR in individual cases.

The EDPB ultimately found that Meta Ireland was not entitled to rely on the “contract” legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising.

According to the statement issued by the Irish DPC, the final decisions adopted on 31/12/2022 reflect the EDPB’s binding determinations and include findings of breach of Article 6 of the GDPR.

Whilst the above outcome will potentially lead to lengthy litigation procedures before the European Courts, the matter is noteworthy as Meta Ireland now needs to reconfigure its advertising practices and declarations of consent (i.e. by inserting a “yes/no” option) without limiting the services if users choose not to consent, and other providers will be led by example.

The content of this article is valid as at the date of its first publication. It is intended to provide a general guide as to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on your specific matter before acting on any information provided. For further information or advice, please contact Constantina Zantira, Senior Associate at Tel +357 25363685 or email constantina.zantira@kyprianou.com