Irish DPC fines global social media company €390 million over targeted ads
On January 4, the Irish Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing practices of a global social media company’s European operations. Collectively, the DPC imposed fines totaling €390 million against the company for allegedly requiring users to accept targeted ads when accepting the company’s social media platform terms of service. Complaints were raised in 2018 by data subjects in Austria and Belgium, claiming that the company violated the GDPR by conditioning access to its services on users’ acceptance of the company’s updated terms of service, thereby “forcing” them to consent to the processing of their personal data for behavioral advertising and other personalized services. The company maintained that once a user accepted the updated terms of service, a contract was formed, and that processing user data in connection with the delivery of its social media services was necessary for the performance of that contract (including the provision of personalized services and behavioral advertising). According to the company, “such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the ‘contract’ legal basis for processing).”
The DPC issued draft decisions, finding that (i) the company breached its transparency obligations because the “contract” legal basis for processing was not clearly disclosed to users, but that, (ii) in principle, the GDPR did not preclude the company’s reliance on such basis.
In accordance with the GDPR, the draft decisions were submitted to DPC’s EU peer regulators (Concerned Supervisory Authorities or “CSAs”). Regarding the question of whether the company had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions but concluded that higher fines should be imposed. Ten of the 47 CSAs, however, concluded that the company “should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalized advertising . . . could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.” The DPC disagreed, arguing that personalized advertising is “central to the bargain struck between users and their chosen service provider” as part of the contract that is established when a user accepts the terms of service. The dispute was referred to the European Data Protection Board (EDPB) after the regulators were unable to reach a consensus.
The EDPC determined that, “as a matter of principle,” the company “is not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioral advertising.” The DPC adopted the EDPC’s determination and issued final decisions, finding, among other things, that the company’s processing of users’ data in purported reliance on the “contract” legal basis amounts to a contravention of Article 6 of the GDPR. The decisions require the company to bring its processing operations into compliance with the GDPR within a three-month period and impose administrative fines higher than those originally proposed, in line with the EDPC’s direction to increase the fines.
The company released a statement following the decisions. According to the company, “[t]here has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time. This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether.” The company added that “we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”