- The Irish Data Protection Commission imposed fines of EUR 210 million on Facebook and EUR 180 million on Instagram.
- The legal basis for the data processing was disputed; the authority did not consider Facebook obliged to rely on consent.
- The lack of transparent information about the processing of personal data impairs users' rights.
On December 31, 2022, the Irish data protection regulator, the Data Protection Commission (DPC), published both its 188-page decision in the Facebook matter and its 196-page decision in the Instagram matter (see the Commission's press release). In them, Facebook and Meta, respectively, are ordered to pay fines of EUR 210 million (Facebook case) and EUR 180 million (Instagram case). On January 12, 2023, the 112-page decision in the WhatsApp matter followed, with a fine of EUR 5.5 million. As far as is known, the decisions are not yet final (i.e. they remain open to appeal).
In all cases, the main issue was the legal basis for personalized advertising and the duty to inform users about the applicable legal basis. In substance, the decisions and the considerations in them are similar, which is why the following comments are limited to the Facebook decision.
Each decision was preceded by a binding decision of the European Data Protection Board (EDPB) under Art. 65(1)(a) GDPR, because several European supervisory authorities had objected to Ireland's draft decision of October 6, 2021, and no agreement among the authorities, including the Irish one, had been reached. The Irish authority's decision therefore incorporates, by necessity, the EDPB decision (which it quotes in detail in each case). The course of the proceedings is summarized in more detail in Schedule 1 of the decision.
The starting point of the proceedings in the Facebook matter was a complaint against Facebook by a person represented by noyb, filed in Austria on May 25, 2018. noyb commented critically on the Commission's decision and was generally combative throughout the proceedings:
Minimal fine for actual violation of user rights? A rather shocking element concerns the extent of the fines. While the EDPB demanded a “significantly higher” fine, the DPC decided on the final numbers. While the DPC issued a fine of overall € 150 million on Facebook over transparency issues, the DPC only fined Meta € 60 million for their lack of any legal basis for the processing of millions of European users’ data for about five years.
Max Schrems: “Apparently, the DPC is more concerned with screwing users in a transparent manner, than not screwing them at all.”
Facebook also commented on the decision, albeit with restraint.
In the matter at hand, two points in particular were at issue: the legal basis for Facebook's (or Meta's) processing activities, and whether Facebook had properly informed users about the applicable legal basis.
About the legal basis
Effective May 25, 2018, the date from which the GDPR applied in the EU, Facebook had adapted the terms of service for its European users. The terms had to be accepted for continued use of Facebook, and consent was additionally obtained for certain processing operations. The main point of contention in this context was whether the legal basis of contractual necessity (Art. 6(1)(b) GDPR) was available or whether consent would have been required.
The position of the authority
The Irish authority takes the view that Facebook had not relied on consent and did not have to, because consent is not a legal basis of a higher order; rather, the controller is free to choose the basis on which to rest its processing:
[…] it is important to emphasise that GDPR does not set out any form of hierarchy of lawful bases that can be used for processing personal data
Nor can it be argued that accepting a contract always amounts to consent (to the processing operations involved), and the fact that the terms of the contract referred to a data policy did not make that policy part of the contract either:
In my view, the acceptance in question is not an act of consent but, on its terms, constituted acceptance of, or agreement to, a contract i.e. the Terms of Service.
The question to be examined in this case was therefore whether Facebook could rely on Art. 6(1)(b) GDPR (contractual necessity). As a first step, the Irish authority considered itself not competent to assess the validity of the contract:
Where the GDPR refers to a contract, the Commission cannot determine the interpretation and validity of such a contract for the purposes of the law more generally. The Commission is no more empowered to do this by law than it would be to declare processing based on compliance with a legal obligation under Article 6(1)(c) GDPR to be unlawful simply because a complainant would argue that the legal obligation being relied on was unconstitutional in their country.
The main question in the case was whether the subject matter of the contract also included personalized services, so that the associated processing operations were legitimized accordingly. The EDPB has addressed Art. 6(1)(b) GDPR in its guidelines on the subject (Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects).
At issue here, against the background of these restrictive guidelines, was what can be considered a contractual service at all, in this case in relation to the personalization of services. Facebook invoked, among other things, freedom of contract, while the complainant took the view that only very limited processing was necessary for the contract.
The supervisory authority held, on the one hand, that not everything written into a contract is necessary for that contract, but at the same time that the assessment rests on an examination of the specific contract and not on an abstract assessment of necessity:
In accordance with the EDPB Guidelines, the processing in question must be more than simply the processing of personal data which is referenced in the terms of the contract. Rather, it must be necessary in order to fulfill the clearly stated and understood objectives or “core” of the contract. The “core functions” cannot, however, be considered in isolation from the meaning of “performance”, the meaning of “necessity” as set out above, and the content of the specific contract in question. The question is therefore not what is necessary to fulfill the objectives of “a social network” in a general sense, but what is necessary to fulfill the core functions of the particular contract between Facebook and Facebook users. In order to carry out this assessment, it is therefore necessary to consider the contract itself.
On the basis of this specific contract, it must then be determined what its main purpose (“the core function”) is. Here, the Irish authority found that personalized advertising is core to the contract and its commercial basis, which had to be clear to users:
Applying the principles set out above to the particular circumstances of this case, it seems to me that the core of the Facebook model, particularly in circumstances where users do not pay for the service, is an advertising model. The EDPB has, of course, set out that processing cannot be rendered lawful by Article 6(1)(b) GDPR “simply because processing is necessary for the controller’s wider business model”. The core of the service, however, as set out in the specific contract with the data subject in this case, clearly includes (and indeed appears to be premised upon) the provision of personalised advertising. […] this advertising therefore appears to be part of the substance and fundamental object of the contract. It is, in fact, the core element of the commercial transaction as between Facebook and Facebook users. It follows that this is a commercially essential element of the contract.
The dissenting position of the EDPB
The Irish authority had advocated this position in its draft decision. Unsurprisingly, the EDPB did not share it:
- the supervisory authorities have an implicit power to examine the validity of a contract as a preliminary question;
- the necessity of processing for a contract is an autonomous concept of the GDPR, whose interpretation cannot undermine the protection afforded by the GDPR and the EU Charter;
- personalized advertising is not necessary for the agreement between Facebook and its users. This is evident, among other things, from the fact that the user acquires no contractual entitlement to such advertising. In addition, it would be inconsistent with the right to object to profiling under Art. 21(2) GDPR;
- it also contradicts user expectations:
the EDPB finds it extremely difficult to argue that an average user can fully grasp it, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on the Facebook Terms of Service
- Facebook's market power is also to be taken into account:
the EDPB considers that the dominant position of Facebook also plays an important role in the assessment of Meta IE’s reliance on Article 6(1)(b) GDPR for its Facebook service and its risks to data subjects, especially considering how deficiently Meta IE informs the Facebook users of the data it strictly needs to process to deliver the service.
- allowing reliance on Art. 6(1)(b) GDPR here would set a dangerous precedent:
This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data
As a result, Facebook could not rely on the legal basis of contractual necessity for personalized advertising:
the EDPB decides that Meta IE has inappropriately relied on Article 6(1)(b) GDPR to process the Complainant’s personal data in the context of the Facebook Terms of Service and therefore lacks a legal basis to process these data for the purpose of behavioral advertising.
This left the Irish authority with no choice but to make the same finding in its decision:
I find that Facebook was not entitled to rely on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of behavioral advertising in the context of the Facebook Terms of Service.
On information about, among other things, the applicable legal basis
The question here was, among other things, how far the duty to inform extends on this point and, in particular, whether the controller must state which data are processed for which purposes on which legal basis, or whether such a link is not mandatory.
The authority affirmed that such a link is required:
However, what Article 13 does clearly require is that the purposes and legal bases must be specified in respect of the intended processing. Purposes and legal bases cannot simply be cited in the abstract and detached from the personal data processing they concern.
[…] Firstly, the absence of any level of specificity as to what the data controller is doing with the data, and more fundamentally what data they are processing at all, would render information on the purposes of this unspecified processing almost useless to a data subject.
[…] there should be a clear link between the specified category/categories of data, the purpose(s) of the specified operation(s), and the legal basis being relied on to support the specified operation(s).
At the relevant time, Facebook informed users by means of a general statement in its terms of service and data policy that linked in several stages to further details, with the result that the information was not comprehensible to the user:
If the user wishes to learn more, they must view the Terms of Service and also review the sections of the Data Policy to which they are directed. When all of the available information has been accessed, it becomes apparent that the texts provided are variations of each other, in that they re-iterate the goals and objectives of Facebook in carrying out data processing (for example, personalisation, communication, analytics, product improvement, etc.) rather than elaborating on this or providing information concerning processing operations. This approach lacks clarity and concision, and makes it difficult for the user to access meaningful information as to the processing operations that will be grounded on Article 6(1)(b) GDPR or on other legal bases.
As a result, Facebook had not provided sufficient information. The problem was primarily the missing link between the services and objectives on the one hand and the processing operations on the other:
It is not that the presence of variations of the same information in several documents is of itself non-compliant, but rather that it is not compliant when it amounts, in practice, to statements about services and objectives that are not linked to specified processing operations and do not provide meaningful information to the data subject on the core issues identified in Article 13 GDPR.
[…] Put simply, it is impossible to identify what processing operations will be carried out in order to fulfill the objectives that are repeated throughout the documents and the legal basis for such operations. In the absence of such information, the user is left to guess as to what processing is carried out on what data on foot of the specified lawful bases, in order to fulfill these objectives. For the reasons set out above in relation to the correct interpretation of Article 13(1)(c) GDPR, this is insufficient information.
Repeating information is not inadmissible in itself, but it may entail risks:
The way in which the information has been spread out on multiple subsections and has been drafted in similarly worded (and hyperlinked) text means that a user could easily overlook any new elements available within the linked text.
On the principle of fairness
In its binding decision, the EDPB had, among other things and in clear terms, expressed the view that Facebook had also violated the principle of fairness (Art. 5(1)(a) GDPR):
The EDPB notes that in this particular case the breach of Meta IE’s transparency obligations is of such gravity that it clearly impacts the reasonable expectations of the Facebook users by confusing them on whether clicking the “Accept” button results in giving their consent to the processing of their personal data. The EDPB notes in this regard that one of the elements of compliance with the principle of fairness is avoiding deception i.e. providing information “in an objective and neutral way, avoiding any deceptive or manipulative language or design”.
[…] The combination of factors, such as the asymmetry of the information created by Meta IE with regard to Facebook service users, combined with the “take it or leave it” situation that they are faced with due to the lack of alternative services in the market and the lack of options allowing them to adjust or opt out from a particular processing under the contract with Meta IE, systematically disadvantages Facebook service users, limits their control over the processing of their personal data and undermines the exercise of their rights under Chapter III of the GDPR.
The Irish authority could only confirm this, since the EDPB decision is binding, and, one has the impression, somewhat reluctantly.
Decision and fine amount
Remedy of the defects and deadline
As a result, the authority ordered Facebook to remedy the deficiencies within a period of three months, which Facebook had described as too short. One decisive factor was that Facebook is a large company; this led not to more time but to less:
Facebook is a large multinational organization with significant financial, technological and human resources at its disposal. Moreover, the interim period, prior to any such rectification to the current lack of information being provided to data subjects, will involve a serious ongoing deprivation of their rights (as articulated in Section 9 below). Moreover, the Commission has provided specific analysis to Facebook in relation to the correct interpretation of the provisions in question and the requisite information that is absent from the relevant user-facing documents. This specificity should negate any need for extensive engagement with the Commission during the period of implementation, and provides clarity for Facebook as to what objective its very significant resources should be directed towards in order to comply with this order. As such, I am not satisfied that it would be impossible or indeed disproportionate to make an order in these terms, having regard to the importance of the data subject rights involved, the specificity of the order and Facebook’s resources.
Another point was that Facebook had to expect such an outcome on the basis of the draft decision.
Fines
The authority had proposed a total fine of EUR 28 to 36 million in the draft decision. It has now set the fine at EUR 210 million.
In doing so, the EDPB had specified the following factors, noting that the GDPR expressly contains no exhaustive list (numerus clausus) of relevant factors:
- the total turnover of the entire group, both as the upper limit of the fine (cap) and as a factor in setting its amount:
the EDPB instructs the IE SA to take into consideration the total turnover of all the entities composing the single undertaking, i.e. the consolidated turnover of the group of companies headed by Meta Platforms, Inc.
- the number of data subjects affected;
- the profit obtained through the infringements (which the EDPB was unable to determine);
- the size of the company in general, because fines must be effective deterrents, not only for Meta but also generally;
- the deterrent effect of the fine, which must effectively reduce the likelihood of repetition, in the present case also in view of the fact that personalized advertising is part of the core of Facebook's business model:
By bearing the administrative fine, the undertaking can avoid bearing the cost of adjusting their business model to one that is compliant as well as any future losses that would follow from the adjustment.
- in general the seriousness of the infringement, where it is also relevant that the lawfulness of processing is a basic requirement. In addition:
The EDPB considers that these general descriptions signal by themselves the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Facebook service. These are relevant facts to consider to assess the appropriateness of Article 6(1)(b) GDPR as a legal basis for behavioral advertising and to what extent reasonable users may understand and expect behavioral advertising when they accept the Facebook Terms of Service and perceive it as necessary for Meta IE to deliver its services.
- the degree of fault. In this regard, the EDPB states, among other things, that there had always been indications that Art. 6(1)(b) GDPR did not apply and that the breach therefore occurred knowingly, but that it was not established that it was also committed intentionally; gross negligence, however, could certainly be assumed;
- the severity of the consequences for the data subjects:
The data processing in question – behavioral advertising – entails decisions about information that data subjects are exposed to or excluded from receiving. The EDPB recalls that non-material damage is explicitly regarded as relevant in Recital 75 and that such damage may result from situations “where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data”. Given the nature and gravity of the infringement of Article 6(1) GDPR, a risk of damage caused to data subjects is, in such circumstances, consubstantial with the finding of the infringement itself.
- reputational damage, which may lead to a reduction of the fine (although not in the present case):
On principle, the EDPB agrees that reputation costs could be taken into consideration to some extent, if credible arguments are put forward about the grave detriment that would ensue.
- the fact that the principle of fairness had also been violated, i.e. the legally broader subject matter of the infringement;
- where applicable, a competitive advantage gained from the infringement:
On principle, the EDPB agrees that a competitive advantage could be an aggravating factor if the case provides objective information that this was obtained as a result of the infringement of the GDPR. In the present case, the EDPB considers that it does not have sufficiently precise information to evaluate the existence of a competitive advantage resulting from the infringement.
Not to be taken into account, however, in the present case (though not as a matter of principle) were Facebook's mitigating measures: restoring compliance does not count as a mitigating circumstance.
On this basis, and supported by other factors such as the duration of the infringement, the Commission imposed a fine of EUR 210 million. The infringement was serious, the fault was also serious, and the processing concerned a broad range of data:
Having taken account of the Final Submissions, I remain of the view that the infringement of Article 6(1) GDPR falls within the upper range of the scale, in terms of seriousness, for the purpose of the assessment of the Article 83(2)(a) criterion.
[…] As set out above, the EDPB determined the Article 6(1) infringement to be “seriously negligent” in character. In the circumstances, I proposed to treat this factor as an aggravating factor of significant weight.
[…] Given the nature of behavioral advertising, it appears to be beyond dispute that the processing of a broad range of personal data is required to be carried out to achieve the objectives of behavioral advertising. In the circumstances, I proposed to consider this to be an aggravating factor of moderately significant weight.