Takeaways (AI):
  • The Irish data protection authority imposed fines of EUR 210 million on Facebook and EUR 180 million on Instagram.
  • The legal basis for the data processing was disputed; the authority did not consider Facebook obliged to obtain consent.
  • The lack of transparent information about the processing of personal data impairs users’ rights.

On December 31, 2022, the Irish data protection regulator, the Commission, published both its 188-page decision in the Facebook matter and its 196-page decision in the Instagram matter (see the Commission’s media release). In them, Facebook and Meta, respectively, are ordered to pay fines of EUR 210 million (Facebook case) and EUR 180 million (Instagram). On January 12, 2023, the 112-page decision in the WhatsApp matter was added, with a fine of EUR 5.5 million. As far as is known, the decisions are not legally binding.

In all cases, the main issue was the legal basis for personalized advertising activities and the provision of information about the applicable legal basis. In terms of content, the decisions and the considerations made therein are similar, which is why the following comments are limited to the Facebook decision.

Each was preceded by a binding decision of the European Data Protection Board (EDPB; German abbreviation: EDSA), based on Art. 65(1)(a) GDPR, because several European authorities had objected to Ireland’s draft order of October 6, 2021, and an agreement among the authorities, including the Irish authority, had not been reached. The decision of the Irish authority now incorporates – by necessity – the decision of the EDSA (which it quotes in detail in each case). The course of the proceedings is summarized in more detail in Schedule 1 of the order.

The starting point of the proceedings in relation to the Facebook decision was a complaint against Facebook by a person represented by noyb, which was received in Austria on May 25, 2018. noyb has commented critically on the Commission’s order and was very aggressive in the proceedings in general:

Minimal fine for actual violation of user rights? A rather shocking element concerns the extent of the fines. While the EDPB demanded a “significantly higher” fine, the DPC decided on the final numbers. While the DPC issued a fine of overall € 150 million on Facebook over transparency issues, the DPC only fined Meta € 60 million for their lack of any legal basis for the processing of millions of European user’s data for about five years.

Max Schrems: “Apparently, the DPC is more concerned with screwing users in a transparent manner, than not screwing them at all.”

Facebook has also commented on the order, albeit with restraint.

In the matter at hand, there were two points in particular: the legal basis for Facebook’s or Meta’s processing activities, and whether Facebook had properly informed users about the applicable legal basis.

About the legal basis

Effective May 25, 2018 – the entry into force of the GDPR in the EU – Facebook had adapted the terms of use for its European users. The terms of use had to be accepted for continued use of Facebook, and consent was also obtained for certain processing operations. The main point of contention in this context was whether the legal basis of contractual necessity (Art. 6(1)(b) GDPR) was applicable or whether consent would have been required.

The position of the authority

The Irish authority assumes that Facebook had not invoked consent and did not have to, because consent is not a legal basis of a higher order; rather, the controller is free to choose the basis on which to base its processing:

[…] it is important to emphasise that GDPR does not set out any form of hierarchy of lawful bases that can be used for processing personal data

Nor can it be argued that consent to a contract is always consent (to the processing operations involved), and the fact that the terms of the contract referred to a privacy statement did not make it part of the contract either:

In my view, the acceptance in question is not an act of consent but, on its terms, constituted acceptance of, or agreement to, a contract i.e. the Terms of Service.

The question to be examined in this case was whether Facebook could invoke Art. 6(1)(b) of the GDPR (contractual necessity). To begin with, the Irish authority regards itself as not competent to assess the validity of the contract:

Where the GDPR refers to a contract, the Commission cannot determine the interpretation and validity of such a contract for the purposes of the law more generally. The Commission is no more empowered to do this by law than it would be to declare processing based on compliance with a legal obligation under Article 6(1)(c) GDPR to be unlawful simply because a complainant would argue that the legal obligation being relied on was unconstitutional in their country.

The main question in the case was whether the subject matter of the contract also included personalized services, so that the associated processing operations were legitimized accordingly. The EDSA has commented on Art. 6(1)(b) GDPR in corresponding guidelines (“Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects”).

At issue here – against the background of these restrictive guidelines – was what can be considered a contractual service at all, in this case in relation to the personalization of services. Facebook invoked, among other things, the freedom of contract, while the complainant was of the opinion that only very limited processing was necessary for the contract.

The supervisory authority took the view here that, on the one hand, not everything that is written in a contract is also necessary for the contract, but that, on the other hand, what matters is an examination of the concrete contract and not an abstract assessment of necessity:

In accordance with the EDPB Guidelines, the processing in question must be more than simply the processing of personal data which is referenced in the terms of the contract. Rather, it must be necessary in order to fulfill the clearly stated and understood objectives or “core” of the contract. The “core functions” cannot, however, be considered in isolation from the meaning of “performance”, the meaning of “necessity” as set out above, and the content of the specific contract in question. The question is therefore not what is necessary to fulfill the objectives of “a social network” in a general sense, but what is necessary to fulfill the core functions of the particular contract between Facebook and Facebook users. In order to carry out this assessment, it is therefore necessary to consider the contract itself.

On the basis of this specific contract, it must then be determined what the main purpose (“the core function”) is. Here, the Irish authority recognizes that personalized advertising is core to the contract and its commercial basis, which had to be clear to users:

Applying the principles set out above to the particular circumstances of this case, it seems to me that the core of the Facebook model, particularly in circumstances where users do not pay for the service, is an advertising model. The EDPB has, of course, set out that processing cannot be rendered lawful by Article 6(1)(b) GDPR “simply because processing is necessary for the controller’s wider business model”. The core of the service, however, as set out in the specific contract with the data subject in this case, clearly includes (and indeed appears to be premised upon) the provision of personalised advertising. […] […] this advertising therefore appears to be part of the substance and fundamental object of the contract. It is, in fact, the core element of the commercial transaction as between Facebook and Facebook users. It follows that this is a commercially essential element of the contract.

The dissenting position of the EDSA

The Irish authority had advocated the above in the draft order. Unsurprisingly, the EDSA did not take the same view:

  • the supervisory authorities have an implicit power to examine the validity of a contract on a preliminary basis;
  • the necessity of processing for a contract is a GDPR term to be interpreted autonomously, and its interpretation cannot undermine the protection of the GDPR and the EU Charter;
  • personalized advertising is not necessary for the agreement between Facebook and the users. This is evident, among other things, from the fact that the user does not receive any contractual entitlement to such advertising. In addition, it would contradict the right to object to profiling according to Art. 21(2) GDPR;
  • it also contradicts user expectations:

    the EDPB finds it extremely difficult to argue that an average user can fully grasp it, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on the Facebook Terms of Service

  • Facebook’s market power is also to be taken into account:

    the EDPB considers that the dominant position of Facebook also plays an important role in the assessment of Meta IE’s reliance on Article 6(1)(b) GDPR for its Facebook service and its risks to data subjects, especially considering how deficiently Meta IE informs the Facebook users of the data it strictly needs to process to deliver the service.

  • If one were to allow an invocation of Art. 6(1)(a) GDPR here, this would be a slippery slope:

    This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data

As a result, Facebook could not rely on the legal basis of contractual necessity for personalized advertising:

the EDPB decides that Meta IE has inappropriately relied on Article 6(1)(b) GDPR to process the Complainant’s personal data in the context of the Facebook Terms of Service and therefore lacks a legal basis to process these data for the purpose of behavioral advertising.

This left the Irish authority with no choice but to state the same in its order:

I find that Facebook was not entitled to rely on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of behavioral advertising in the context of the Facebook Terms of Service.

On information about, among other things, the applicable legal basis

The question here was, among other things, how far the duty to inform goes on this point and, in particular, whether the controller must state which data are processed for which purposes on which legal basis, or whether such a link is not mandatory.

The Authority affirms that:

However, what Article 13 does clearly require is that the purposes and legal bases must be specified in respect of the intended processing. Purposes and legal bases cannot simply be cited in the abstract and detached from the personal data processing they concern.
[…] Firstly, the absence of any level of specificity as to what the data controller is doing with the data, and more fundamentally what data they are processing at all, would render information on the purposes of this unspecified processing almost useless to a data subject.
[…] there should be a clear link between the specified category/categories of data, the purpose(s) of the specified operation(s), and the legal basis being relied on to support the specified operation(s).

At the relevant time, Facebook informed users through a general statement in its privacy policy that linked in several stages to further details, with the result that the information was not understandable for the user:

If the user wishes to learn more, they must view the Terms of Service and also review the sections of the Data Policy to which they are directed. When all of the available information has been accessed, it becomes apparent that the texts provided are variations of each other, in that they re-iterate the goals and objectives of Facebook in carrying out data processing (for example, personalisation, communication, analytics, product improvement, etc.) rather than elaborating on this or providing information concerning processing operations. This approach lacks clarity and concision, and makes it difficult for the user to access meaningful information as to the processing operations that will be grounded on Article 6(1)(b) GDPR or on other legal bases.

As a result, Facebook had not provided sufficient information. The problem was primarily that a link was missing between the services and objectives and the processing operations:

It is not that the presence of variations of the same information in several documents is of itself non-compliant, but rather that it is not compliant when it amounts, in practice, to statements about services and objectives that are not linked to specified processing operations and do not provide meaningful information to the data subject on the core issues identified in Article 13 GDPR.
[…] Put simply, it is impossible to identify what processing operations will be carried out in order to fulfill the objectives that are repeated throughout the documents and the legal basis for such operations. In the absence of such information, the user is left to guess as to what processing is carried out on what data on foot of the specified lawful bases, in order to fulfill these objectives. For the reasons set out above in relation to the correct interpretation of Article 13(1)(c) GDPR, this is insufficient information.

The repetition of information is not inadmissible in itself, but it may entail risks:

The way in which the information has been spread out on multiple subsections and has been drafted in similarly worded (and hyperlinked) text means that a user could easily overlook any new elements available within the linked text.

On the principle of fairness

In its binding decision, the EDSA had, among other things and in clear terms, expressed the opinion that Facebook had also violated the principle of fairness (Art. 5(1)(a) GDPR):

The EDPB notes that in this particular case the breach of Meta IE’s transparency obligations is of such gravity that it clearly impacts the reasonable expectations of the Facebook users by confusing them on whether clicking the “Accept” button results in giving their consent to the processing of their personal data. The EDPB notes in this regard that one of the elements of compliance with the principle of fairness is avoiding deception i.e. providing information “in an objective and neutral way, avoiding any deceptive or manipulative language or design”.
[…] The combination of factors, such as the asymmetry of the information created by Meta IE with regard to Facebook service users, combined with the “take it or leave it” situation that they are faced with due to the lack of alternative services in the market and the lack of options allowing them to adjust or opt out from a particular processing under the contract with Meta IE, systematically disadvantages Facebook service users, limits their control over the processing of their personal data and undermines the exercise of their rights under Chapter III of the GDPR.

The Irish authority could only confirm this – since the decision of the EDSA is binding – and, one has the impression, did so à contrecœur.

Decision and fine amount

Remedy of the defects and deadline

As a result, the agency ordered Facebook to fix the deficiencies within a period of three months, which Facebook had described as too short. One of the decisive factors was that Facebook is a large company – this did not lead to more time, but to less:

Facebook is a large multinational organization with significant financial, technological and human resources at its disposal. Moreover, the interim period, prior to any such rectification to the current lack of information being provided to data subjects, will involve a serious ongoing deprivation of their rights (as articulated in Section 9 below). Moreover, the Commission has provided specific analysis to Facebook in relation to the correct interpretation of the provisions in question and the requisite information that is absent from the relevant user-facing documents. This specificity should negate any need for extensive engagement with the Commission during the period of implementation, and provides clarity for Facebook as to what objective its very significant resources should be directed towards in order to comply with this order. As such, I am not satisfied that it would be impossible or indeed disproportionate to make an order in these terms, having regard to the importance of the data subject rights involved, the specificity of the order and Facebook’s resources.

Another point was that Facebook had to expect such an outcome based on the draft order.

Fines

The Authority had proposed a total fine of EUR 28 – 36 million in the draft decision. The Authority has now set the fine at EUR 210 million.

For this, the EDSA had specified the following factors, whereby the GDPR explicitly does not provide for a numerus clausus of relevant factors:

  • the total turnover of the entire group, both as an upper limit of the fines (cap) and as an assessment factor:

    the EDPB instructs the IE SA to take into consideration the total turnover of all the entities composing the single undertaking, i.e. the consolidated turnover of the group of companies headed by Meta Platforms, Inc.

  • the number of persons affected;
  • the profit achieved through the infringements (which the EDSA was unable to determine);
  • the size of the company in general, because the fines would have to be effective deterrents, not only for Meta, but also in general;
  • the deterrent effect of the fine, which must effectively reduce the likelihood of a repetition, and in the present case also in view of the fact that personalized advertising is part of the core of Facebook’s business model:

    By bearing the administrative fine, the undertaking can avoid bearing the cost of adjusting their business model to one that is compliant as well as any future losses that would follow from the adjustment.

  • generally, the severity of the infringement, whereby it is also relevant here that the lawfulness of the processing is a basic requirement. In addition:

    The EDPB considers that these general descriptions signal by themselves the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Facebook service. These are relevant facts to consider to assess the appropriateness of Article 6(1)(b) GDPR as a legal basis for behavioral advertising and to what extent reasonable users may understand and expect behavioral advertising when they accept the Facebook Terms of Service and perceive it as necessary for Meta IE to deliver its services.

  • the severity of fault. In this regard, the EDSA states, among other things, that there have always been indications that Art. 6(1)(b) GDPR was not applicable and that the breach therefore occurred knowingly; it was not established that it was also committed willfully, but gross negligence could certainly be assumed;
  • the severity of the consequences for those affected:

    The data processing in question – behavioral advertising – entails decisions about information that data subjects are exposed to or excluded from receiving. The EDPB recalls that non-material damage is explicitly regarded as relevant in Recital 75 and that such damage may result from situations “where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data”. Given the nature and gravity of the infringement of Article 6(1) GDPR, a risk of damage caused to data subjects is, in such circumstances, consubstantial with the finding of the infringement itself.

  • reputational damage, which may lead to a reduction of the fine (although not in the present case):

    On principle, the EDPB agrees that reputation costs could be taken into consideration to some extent, if credible arguments are put forward about the grave detriment that would ensue.

  • that the principle of fairness had also been violated, i.e. also the legally broader subject matter of the violation;
  • where applicable, a competitive advantage gained from the violation:

    On principle, the EDPB agrees that a competitive advantage could be an aggravating factor if the case provides objective information that this was obtained as a result of the infringement of the GDPR. In the present case, the EDPB considers that it does not have sufficiently precise information to evaluate the existence of a competitive advantage resulting from the infringement.

However, mitigating measures by Facebook are not to be taken into account in the present case (though not as a matter of principle) – restoring compliance does not count as a mitigating circumstance.

On this basis – and supported by other factors such as the duration of the infringement – the Commission imposes a fine of EUR 210 million. The infringement was serious, the fault was also serious, and the processing concerned a broad base of data:

Having taken account of the Final Submissions, I remain of the view that the infringement of Article 6(1) GDPR falls within the upper range of the scale, in terms of seriousness, for the purpose of the assessment of the Article 83(2)(a) criterion.
[…] As set out above, the EDPB determined the Article 6(1) infringement to be “seriously negligent” in character. In the circumstances, I proposed to treat this factor as an aggravating factor of significant weight.
[…] Given the nature of behavioral advertising, it appears to be beyond dispute that the processing of a broad range of personal data is required to be carried out to achieve the objectives of behavioral advertising. In the circumstances, I proposed to consider this to be an aggravating factor of moderately significant weight.

AI-generated takeaways can be wrong.