by Philippe Vlaemminck & Valentin Ramognino

The end of 2022 and the beginning of 2023 is very interesting for privacy issues in the European Union law. Below are the most important judgments that have been made recently and which we are following closely.

Meta Platforms Ireland: The Irish Data Protection 

Commission adopted two final decisions and fined META for a total amount of 390 million euros.

In the past, Meta IE relied on users’ “consent” to process their personal data in Facebook and Instagram services, including for behavioral advertising. Before the GDPR came into force, Meta updated its Terms of Service (ToS), requiring users to click “I accept” while the services would not be accessible if users refused to do so. Meta nevertheless considered that the behavioral advertising of users was “necessary” for the performance of the contract for the use of the services, invoking the “contract” legal basis (Art. 6 (1) (b) GDPR).

The inquiries concerned two complaints made on 25 May 2018 about FB and Instagram services, each raising that Meta IE was in fact “forcing” users to consent to the processing of their personal data for behavioral advertising and other personalized services. Following investigations, the Irish Data Protection Commission (“DPC”) on its draft decisions (2) considered Meta IE’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalized services (including personalized advertising). Under a procedure mandated by the GDPR, the DPC’s draft decisions were submitted to its peer regulators in the EU (Concerned Supervisory Authorities or “CSAs”) who agreed in part with the DPC’s decisions on transparency obligations, albeit considering that the fines proposed by the DPC should be increased. However, ten of the 47 CSAs raised objections and took the view that Meta IE should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalized advertising (as part of broader personalized services offered by FB and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract. The DPC referred the points in dispute to the European Data Protection Board (“the EDPB”).

On 5 December, the EDPB ruled in Binding Decisions (3), that personalized advertising was “not a core element of the services” of Meta IE which inappropriately relied on contract as a legal basis to process personal data under Facebook’s ToS and Instagram’s ToS for this purpose. There are indeed some consequences related to each of the GDPR lawful grounds used and for instance, users cannot opt-out of the processing of their data with the use of a contract as a legal ground. Consequently, the EDPB instructed the Irish DPC to amend the finding in its draft decisions and include a higher infringement of Art. 6(1) GDPR.

On 31 December 2022, the Irish DPC’s final decisions (4) incorporate the legal assessment expressed by the EDPB and increased the fines of Meta twice: once for Facebook (€210 million) and once for Instagram (€180 million). The DPC considered, pushed by the EDPB and contrary to its draft decisions, that the fraudulent use of the legal basis is a means to bypass the need for consent. Meta Ireland has been directed to bring its data processing operations into GDPR compliance within a period of 3 months.

Impact of the binding decisions by the EDPB

The decisions have an impact on cross-border cooperation and the role of the EDPB.

First of all, the DPC press release highlights the fragmented approach regarding #dataprotection at an EU level and undermines the #trust with the ‘lead’ mechanism created by the GDPR, since the EDPB position was different from the Irish DPC as well as other national authorities. Secondly, nearly as important, the EPDB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. .

To the extent that the Irish DPC considers the direction may involve an overreach on the part of the EDPB, it finds it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.

 The EDPB also adopted another binding decision, on 5th December 2022, on the dispute arising on an inquiry relating to WhatsApp Ireland, which concerns notably the lawfulness of processing for the purpose of the improvement of services. The final decision of the Irish DPC still has to be adopted.

Ongoing cases in front of the European Court of Justice

At Vlaemminck.law, we are also following ongoing cases about privacy laws and GDRP and in particular the streaming of pleadings in front of the Grand Chamber of the Court:

On 16.01.2023 – Austrian case C-548/21 : we followed the hearing of the parties in an Austrian preliminary reference concerning (attempted) access by law enforcement authorities to data stored on a mobile phone. The subject of the debate was whether such access constitutes an interference with the privacy and data protection rights of the individual concerned which is so serious that it may only be done for combatting serious crimes. Another question was whether Union law precludes a national law that does not require the individual to be informed before, or at least, after the measure is taken. The case also raises issues on the applicability of the Law Enforcement Directive (Dir. 2016/680).

On 17.01.2023 – Lithuanian case (C-683/21) : we followed the hearing of parties in a case where the notion of “controller” in relation to data processing via a COVID tracing app (KARANTINAS) was debated. One of the questions was whether the governmental body that initiated and gave instructions to develop a COVID tracing app, is still the controller in relation to the data processed in the app, if the app developer put the app on the market without the app being formally acquired and approved by that governmental body. The hearing concentrated more on the question of whether a fine can be imposed by a supervisory authority, on the basis of art. 83 GDPR, only if the negligence of intent of the controller is established, or whether a breach of the GDPR is in itself sufficient for imposing a fine.

(1). see Facebook Ireland and Schrems C‑311/18

(2) Draft Decision for the purposes of Article 60 GDPR of the Data Protection Commission: https://noyb.eu/sites/default/files/2021-10/IN%2018-5-5%20Draft%20Decision%20of%20the%20IE%20SA.pdf

(3) https://edpb.europa.eu/our-work-tools/consistency-findings/binding-decisions_en

(4) https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-decisions_en