The Irish Data Protection Commission (DPC) is expected to issue a revised decision over the coming days that could significantly limit Facebook and Instagram owner Meta’s ability to gather information from its users to tailor and sell advertising as well as lead to large-scale fines against the social media giant.
On December 6th, Europe’s overarching privacy body, the European Data Protection Board (EDPB), announced that it had adopted three binding dispute resolution decisions concerning Meta Platforms Ireland.
While precise details of the board’s decision have not yet been published, a source told The Irish Times in December that the resolutions relate to three decisions the DPC — the lead regulator for Facebook in the European Union because the company is headquartered in Dublin — has made against Meta platforms’ Facebook, Instagram and WhatsApp over the past year or so under the General Data Protection Regulation (GDPR).
Under GDPR, the DPC has until Friday, January 6th — one month from when the board issued its ruling to the Irish regulator — to adopt the dispute resolution decisions.
Parties to the ruling, including Meta or the DPC, may then seek to appeal or annul all or parts of the ruling to the Court of Justice of the European Union under article 65 of GDPR. Meta could also face further legal action from individual users over its use of their data.
It is understood that the EDPB’s December decision related to three separate draft decisions issued by the DPC: one against Facebook in October 2021 and the other two, against Instagram and WhatsApp, in April of last year.
A look ahead to 2023
All three decisions were based on 2018 complaints made by Austrian data privacy activist Max Schrems. He argued that Meta used “forced consent” to process personal data, specifically in relation to its terms of services.
In its original decisions, the Irish regulator had proposed fining each of the platforms for not being transparent with users about what Meta does with their data. However, it also found that the social media giant does not necessarily require the expressed consent of its users in order to process their data and that it can rely on the argument that it is fulfilling a contract with its users to provide ads that are personalised to them.
A number of other European regulators, including the Norwegian data authority, objected to this reasoning, which they said would undermine GDPR.
These objections were then submitted to the EDPB under its dispute-resolution mechanism.
The decision is yet to be published in full. Sources though have indicated that the EDPB ruled that EU privacy law does not allow the platforms to use the so-called “contract basis” for collecting data used to target, tailor and sell advertising.
If adopted, experts say the decision could upturn Meta’s tailored advertising model in Europe and could force the Irish DPC to significantly increase the fines it recommended against each of the three Meta platforms in its draft decisions.
Notifying staff in October of plans to shed 11,000 jobs globally — including roughly 350 in Ireland — Meta chief executive Mark Zuckerberg counted “ads signal loss” among the main factors driving the decline in revenues, alongside worsening macroeconomic conditions and increased market competition.
Consolidated accounts for Meta Platforms Ireland filed with the Companies Registration Office late last year indicated that the company set aside an additional €2 billion to cover the cost of potential fines, bringing to €3 billion its total regulatory provisions war chest.
The Irish DPC has so far recommended fines totalling in excess of €900 million against Meta for various breaches.