Major EU privacy decisions against Meta’s advertising legal base spark new complaints


Privacy watchers eager to dig into the legal reasoning underlying two major decisions against Meta earlier this month, which rejected Facebook and Instagram's claim of contractual necessity as a valid legal basis for targeting ads at users in the European Union, now have the detail after the complainant, privacy rights group noyb, published the decision documents online.

You can find the 188-page Facebook decision here and the 196-page Instagram decision here – both of which contain redactions from Meta, as it was allowed to remove commercially sensitive information, so some juicy details are missing.

(For example, a paragraph in the Facebook document where the company estimates how long it will take to apply the compliance orders has been blacked out, along with another sentence from this section describing the work. So we can only speculate whether actual words are blacked out here – or just a line of screaming emojis.)

Meta’s lead data protection regulator, the Irish Data Protection Commission (DPC), made the final decisions, but only after more than a year of litigation with more than EU data protection authorities who disagreed with the draft decision (which did not object to Meta claiming contractual necessity to microtarget ads); and, finally, after the inclusion of a binding decision by the European Data Protection Board (EDPB) — which settled the dispute by forcing the DPC to reject Meta’s claim of contractual necessity.

The EDPB also demanded that the DPC significantly increase the size of the financial penalty imposed on Meta for violating the EU’s General Data Protection Regulation (GDPR).

So while the Irish DPC’s name and brand appear on these documents, they are the product of a co-regulatory process baked into the GDPR, through a collaborative mechanism for handling cross-border cases.

Details in the document are already sparking fresh attacks against the DPC over its much-criticized approach to GDPR enforcement, with noyb questioning why the Irish regulator changed the (binding) EDPB decision, which it says required a three-month period for compliance with the order counted from when the order was served (i.e. sometime in December), so that the period instead runs from the service of the DPC decision (sometime in January). “This deviation of the DPC from the EDPB decision appears to be illegal,” argues noyb.

It also objects to the fact that the DPA apparently narrows the scope of the EDPB decision – to limit it to processing only for advertisements.


“It appears that other aspects of the complaint have not been addressed by the DPC, which in itself may be illegal,” it suggests.

noyb also expresses concern about the level of financial sanctions imposed by the Irish regulator, which was required by the EDPB to reassess and substantially increase them in line with its binding decision that there had been a breach of legal basis (and of the fairness principle of the GDPR), not just of transparency as the DPC initially decided.

The privacy group points out that the Irish regulator has opted to apply the smallest sanction in relation to “the actual unlawful processing of personal data of millions of EU users” – just €60 million in the case of Facebook and €50 million in the case of Instagram, which represents a small portion of the revenue that Meta was able to generate during this period by unlawfully processing people’s data.

noyb further warns that the DPC’s decisions may not end a case that has dragged on for more than 4.5 years since the original “coerced consent” complaints were filed in May 2018. It claims that the regulator’s findings appear to address its complaints incompletely, as the decisions focus on personalized advertising and do not cover issues such as the use of personal data to improve the Facebook platform or for personalized content (which also requires a valid legal basis under EU law).


Another issue that noyb is highlighting is the DPC’s refusal to conduct additional research requested by the EDPB – something the DPC is challenging as a breach of authority and is seeking to annul, as we reported earlier this month.

It also signals another conflict that it says could lead to an appeal against the decision, pointing out that under Austrian or German law (i.e. the law applicable to noyb) the complaint defines the scope of the proceeding, while the DPC considers that under Irish law it can limit the scope of a complaint, and adds: “no may appeal against the decision on these grounds.”

The DPC has been contacted for comment.