Original content provided by BDO Netherlands.
The Irish DPC has recently imposed two hefty fines on Meta: €210 million for breaches of the GDPR relating to its Facebook service and €180 million for breaches in relation to its Instagram service. Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months. An important reason for these fines is that Meta Ireland was not entitled to rely on the “contract” between its platforms and their users as a lawful basis for the processing of personal data for the purpose of behavioural advertising.
Core of the decision
Why can serving ads not be part of a contract?
The Irish DPC considered that, given the nature of the services provided and agreed upon by the parties, Meta IE could in principle rely on “necessity for the performance of a contract” as a legal basis for the processing of users’ data necessary for the provision of its Facebook/Instagram service.
This would also include the provision of behavioural advertising insofar as this forms a core part of its service offered to and accepted by its users, also because a distinguishing feature and commercially essential element of the contract between Meta IE and the user is that the Facebook service is funded by targeted or personalised advertising to the user.
The EDPB decision on Facebook is 121 pages long and the Instagram decision covers 116 pages, so we can only mention a few elements from the EDPB decisions here. The EDPB considers that the main purpose for which users use Facebook and accept the Facebook Terms of Service is to communicate with others, not to receive personalised advertisements.
Furthermore, the fact that Meta IE briefly refers to this processing in the Facebook Terms of Service is not sufficient for a reasonable user to expect that their personal data is being processed for behavioural advertising. The EDPB furthermore points out that there is no contractual obligation for Meta IE to offer personalised advertising to its users (which would normally be the case if serving ads really were an essential part of the contract) and that users can (based on the GDPR) opt out of direct marketing at any time. The EDPB argues that the processing cannot be necessary to perform a contract if a data subject has the possibility to opt out from it at any time, and without providing any reason.
The EDPB recalls that it is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, and that the concept of necessity cannot be interpreted in a way that undermines this article of the GDPR and the GDPR’s general objective of protecting the right to the protection of personal data.
A controller (such as Meta) does not have absolute discretion to choose the legal basis that better suits its commercial interests; it may only rely on one of the legal bases established under Article 6 GDPR if it is appropriate for the processing at stake.
This may also have an important impact on other platforms that have behavioural ads at the centre of their business model and consider these ads as a part of their service to the users.
The EDPB does not consider processing data for behavioural advertising to be an essential part of the contract and therefore decides that Meta IE has inappropriately relied on Article 6(1)(b) GDPR (processing is necessary for the performance of a contract) to process personal data in the context of the Facebook Terms of Service and therefore lacks a legal basis to process these data for the purpose of behavioural advertising.
It does not help either that Meta’s services can only be used upon acceptance of terms of service which include behavioural advertising, and that it is doubtful whether data subjects are provided with sufficient information to know that they are signing a contract, what processing of personal data it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered.
As a controller, you should be able to justify the necessity of your processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on the reasonable data subject’s perspective when entering into the contract.
The EDPB decisions also cover the transparency and fairness principles; organisations should ensure that their services and the processing are not presented to users in a misleading manner.
So, any organisation that uses behavioural advertising in its services and relies on a contract basis for processing data related to that advertising should examine its privacy notices and verify whether it is meeting the transparency standards that the EDPB expects and whether “performance of a contract” is appropriate for the processing that it is undertaking.
BDO Legal’s Privacy Week
This article is written for BDO Legal’s Privacy Week Series 2023, a global BDO Legal campaign. Please visit our global partners in Belgium, Germany, Spain and Switzerland for more Privacy Week publications.