Meta fined EUR 390 million due to insufficient legal basis for behavioral advertising


On January 4th 2023, Meta, the parent company of Facebook and Instagram, was fined a historic total of EUR 390 million by the Irish Data Protection Authority for breach of the GDPR. Meta has announced that it is looking to appeal the decision, which it believes undermines the company's business model of financing the two social network platforms through behavioral advertising.

After an investigation lasting several years into the marketing practices of Facebook and Instagram, both of which are owned by Meta Platforms Ireland Limited (Meta), the Irish Data Protection Authority has concluded that both platforms are fundamentally in breach of the GDPR. The investigation has been ongoing since the GDPR came into force on May 25th 2018, after the well-known privacy activist Max Schrems and a Belgian activist submitted complaints against Facebook and Instagram regarding illegal use of personal data for behavioral advertising.

The complaints came after Meta in 2018 made changes to its service agreement and privacy policy for both Facebook and Instagram in connection with the GDPR coming into effect. In short, the changes entailed, among other things, a transition from consent to reliance on the platforms' service agreement as the legal basis for behavioral advertising. Meta relied on the view that the processing of personal data is necessary to deliver personalized services in line with the service agreement that the user has agreed to. Both existing and new users were required to accept these terms if they wished to use the platforms, including the collection and processing of their personal data for behavioral advertising to fund the platforms.

The precursor to the final decision was the draft decision dated October 6th 2021, in which the Irish Data Protection Authority made two key findings. Firstly, it found that Meta's marketing practice in relation to behavioral advertising did not meet the transparency requirements set out by the GDPR. In the authority's view, Meta had not given users sufficient opportunity to be informed about and understand which personal data was being processed, how it was being processed and for what purpose. Secondly, the authority concluded that Meta did in fact have a suitable legal basis, as it was permissible to rely on the service agreement, and that Meta therefore did not strictly need to obtain consent for behavioral advertising.

In accordance with the consultation rules set out by the GDPR, the draft decision was then sent to the concerned supervisory authorities in other EU/EEA countries (CSAs) for review. The CSAs all agreed with the Irish Data Protection Authority that the marketing practice breached the GDPR requirements for transparency. However, most of the CSAs found the suggested fines in this regard to be too low. Furthermore, most of the CSAs disagreed with the draft decision's view that the service agreement was a suitable legal basis for behavioral advertising. Several authorities expressed that advertising as part of a personalized service did not amount to a necessity for the delivery and performance of the core elements of Facebook and Instagram's services.

As agreement between the CSAs could not be reached, the draft decision was sent to the European Data Protection Board (EDPB) for a final assessment and decision. The EDPB agreed that the marketing practice was in breach of the transparency requirements and added that the practice also breached the fairness principle under the GDPR. The EDPB therefore believed that the fines should be increased to also reflect this breach. Regarding the question of legal basis, the EDPB concluded that Meta fundamentally could not use the service agreement as the legal basis for the processing of personal data for behavioral advertising. This conclusion is in line with the EDPB's earlier position in "Guidelines 8/2020 on the targeting of social media users", adopted April 13th 2021, where the EDPB in essence takes the view that behavioral advertising through social media platforms is an important part of the economic basis for the service, but should under no circumstances be considered necessary to fulfill the contract with the platform's users.

Following the decision from the EDPB on December 5th 2022, the Irish Data Protection Authority issued its final decisions against Meta. The decisions are in all respects in line with that of the EDPB and conclude that Meta's marketing practice is in breach of the GDPR and that Meta cannot rely on its service agreement as the legal basis for behavioral advertising on Facebook and Instagram. The fine was increased to EUR 210 million for Facebook and to EUR 180 million for Instagram.

Meta has been given a three-month deadline to change its practice and ensure the requirements set out by the GDPR are met. However, it does not intend to give up without a fight. Unsurprisingly, Meta has publicly stated that the company intends to appeal the decision. The decision will have enormous practical and financial consequences for the company if it stands. If the requirement to obtain consent is upheld, it will be challenging to get users to consent to the marketing practice or to refrain from withdrawing their consent at a later point. Meta can continue marketing but will have to stop the more effective behavioral advertising, which will likely mean significantly lower advertising revenue, which today constitutes the dominant portion of Meta's income.

At the same time, the decision, if upheld, may impact other businesses with similar business models. As a matter of principle, the decision may mean that social media platforms that rely on their service agreements as the legal basis for behavioral advertising will have to change legal basis to avoid risking a breach of the GDPR and large fines such as the one Meta is now facing.