Over the past sixteen months Meta has been fined more than €1 billion in penalties alone. The most recent fines have come from Ireland’s Data Protection Commission (“DPC”) amounting to over €390 million for GDPR violations (explored in our previous article – How the latest EDPB’s Binding Decision on Meta Platforms affects Facebook’s business model). The fines were the result of three separate inquiries into Facebook, Instagram and WhatsApp where it was found that Meta could not rely on a contractual relationship under Article 6(1)(b) of the GDPR as a legal basis for their behavioural targeting or the delivery of service improvement and security.
These fines are from the Irish DPC because Meta’s European headquarters are located in Ireland. But when an infringement occurs in more than one jurisdiction, Article 60 of the GDPR mandates cooperation between the lead national data protection authority and the other national data protection authorities that are concerned. Article 60 applied in these instances, so the DPC prepared draft decisions that were shared with the other Concerned Supervisory Authorities (“CSAs”). The DPC found that in each case, Facebook, Instagram and WhatsApp breached their obligations in relation to transparency, to which the other CSAs agreed. However, the DPC initially decided that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta’s reliance on a contract legal basis. Several of the CSAs did not agree that Meta should be able to rely on contract as a legal basis to deliver personalised advertising or service improvement as these services are not necessary to perform the core elements of a limited form of contract. These disputes led to consultations among the authorities but no consensus was reached in any case. Therefore, the DPC had to refer the points in dispute to the European Data Protection Board (EDPB), under Article 65(1)(a) of the GDPR.
The EDPB settled the disputes among the CSAs and the DPC and found that Meta was not entitled to rely on contract as a lawful basis to process personal data for the purpose of behavioural advertising in the cases for Facebook and Instagram nor for service improvement of WhatsApp. As such, its processing of users’ data to date was a contravention of Article 6 of the GDPR. These decisions of the EDPB are binding on the DPC, and the DPC had to adopt these three final decisions. On the instructions of the EDPB, the DPC increased the amount of the administrative fines to €210 million for Facebook and €180 million for Instagram. The DPC imposed an administrative fine of €5.5 million on WhatsApp, opting for this smaller fine because of the recent fines of €225 million imposed on WhatsApp in 2021 for similar transparency breaches.
DPC v EDPB
In all three inquiries the EDPB examined whether the complaints against the legality of Meta’s ads had been addressed with the proper due diligence by the DPC. The EDPB states that the DPC did not adequately assess the processing of sensitive data which was included in the original complaint. Since the DPC did not identify and separately assess processing of special categories, they did not have sufficient factual evidence to make any findings of infringement under Article 9 of the GDPR. The failure to assess Facebook, Instagram and WhatsApp’s processing of special category data led the EDPB to disagree with the conclusion that the DPC initially rendered, that Meta was not legally obliged to rely on consent for their processing activities. This conclusion could not be reached without further investigation. As a result, the EDPB directed the DPC to start a fresh investigation into all of Facebook, Instagram and WhatsApp’s data processing operations and examine special categories of data that may or may not be processed in those operations.
It is under these circumstances that the DPC has accused the EDPB of overstepping its jurisdictional boundaries. In its statements about Instagram, Facebook and WhatsApp, the DPC argues that:
“EDPB does not have a supervision role akin to national courts and it is not open to the EDPB to instruct and direct an authority to engage in an open-ended and speculative investigation. This direction is problematic in jurisdictional terms and does not appear consistent with the structure of the cooperation and consistency arrangements laid down in the GDPR.”
The DPC also considers that it may be appropriate to bring an action for annulment before the Court of Justice of the EU to set aside the directions from the EDPB. It is presumed that the DPC would bring an action for annulment under Article 263 of the Treaty on the Functioning of the European Union. Article 263 TFEU allows a complainant to challenge the legality of the actions of EU institutions, including decisions, regulations, directives and binding agreements. To be successful, a claimant must show that the act in question violates EU law. This statement, that the DPC will bring action against the EDPB is quite significant. The DPC is suggesting that their independence and that of the other data protection authorities is being threatened by the EDPB and the DPC is going to do something about it.
Just a matter of time?
The DPC has a history of disputes with other regulators and blurring the edges of GDPR complaints such as narrowing the enquiry from the original complaints. The DPC has been sued by the Irish Council for Civil Liberties for inaction and has faced allegations of criminal corruption by European privacy campaign group, NOYB, it may be possible that these past troubles affected the EDPB’s decision to direct the DPC to open an investigation, being unsatisfied with the scope of the DPC’s assessment. Privacy advocates have criticised the DPC in the past and this most recent decision, arguing that the fine of €390 million was not accurately calculated and should instead be €4.36 billion in line with 4% of Meta’s global turnover of the past year.
Recently, it seems that the DPC is at odds with other national data protection authorities as these most recent Meta decisions follow DPC decisions against Twitter and WhatsApp, Facebook and Instagram in 2020 that also had to be revised after EDPB intervention. Even with the past interventions from the EDPB the decision to order fresh investigations is intriguing since national data protection authorities are independent under Article 52 of the GDPR, but to what extent are they independent from their supervisory authorities.
Meta has clearly hit roadblocks from significant fines from the DPC for infringements of the GDPR in the past few years, this latest one hitting their central revenue generator, advertising. There is no doubt that Meta’s fines and appeals will continue to be in the headlines but the conflict between the DPC and the EDPB should be observed closely as it may have far-reaching impact. The DPC strongly believes that the EDPB overreached their authority by ordering a fresh investigation into Instagram, Facebook and WhatsApp. But maybe this direction taken by the EDPB is a necessary step to address the DPC’s past inadequacies. Ireland is the largest hub for big tech companies and strongly encourages their investment. The influx of major tech companies has fuelled Ireland’s economic growth but this growth and investment conflicts with the DPC’s obligation to enforce the GDPR against the big tech companies. If the DPC does indeed bring an action in court challenging the EDPB’s direction it would be a consequential decision that would affect all national supervisory authorities and put the dispute resolution mechanism under Article 65 of the GDPR into question. Meta has already decided that it will appeal this decision and the DPC has indicated that it will consider challenging their fellow regulators in court, regardless this is not the end of these disputes.
 EDPB – Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR). https://edpb.europa.eu/system/files/2023-01/edpb_bindingdecision_202203_ie_sa_meta_facebookservice_redacted_en.pdf