Privacy watchers keen to dig into the regulatory reasoning underpinning two major decisions against Meta earlier this month — which struck down Facebook and Instagram’s claim of contractual necessity as a valid legal basis to run behavioral advertising on users in the European Union — can now sift through the detail after the complainant, privacy rights group noyb, published the decision documents online.
You can find the 188-page Facebook decision here and the 196-page Instagram decision here — both of which feature redactions made by Meta as it was allowed to remove commercially sensitive information so some juicy details are missing.
(For example, a paragraph in the Facebook document where the company provides an estimate of how long it will take it to apply the compliance orders has been blacked out, along with another sentence from this section in which it details the work involved. So we can only speculate whether words have actually been covered here — or just a line of screaming emojis.)
Meta’s lead data protection regulator, the Irish Data Protection Commission (DPC), issued the final decisions but only after more than a year of dispute with over EU DPAs who disagreed with its draft decision (which did not object to Meta claiming contractual necessity to microtarget ads); and, at the last, after incorporating a binding decision by the European Data Protection Board (EDPB) — which settled the dispute by forcing the DPC to reject Meta’s claim of contractual necessity.
The EDPB also required Meta to substantially increase the size of the financial penalty issued to Meta for breaching the EU’s General Data Protection Regulation (GDPR).
So while the Irish DPC’s name and branding is on these documents they are a product of a co-regulatory process that’s baked into the GDPR, via a cooperation mechanism for dealing with cross-border cases.
Details in the document are already powering fresh attacks on the DPC over its much critized approach to GDPR enforcement — with noyb questioning why the Irish regulator has amended the (binding) EDPB decision — which it says requested a three month period for compliance with the order from the time its order was served (aka some time in December) — to the serving of the DPC decision (some time in January). “This departure of the DPC from the EDPB decision seems to be unlawful,” noyb argues.
It also takes issue with the DPC apparently narrowing the scope of the EDPB decision — to limit it to processing for advertisement only.
“It seems that other aspects of the complaint were not dealt with by the DPC, which in itself may be illegal,” it suggests.
noyb also raises concerns over the level of financial sanction imposed by the Irish regulator — which the DPC was required by the EDPB to reassess and increase substantially in line with its binding decision that there was a breach of legal basis (and of the GDPR’s fairness principle), not only of transparency as the DPC initially decided.
The privacy group points out that the Irish regulator has opted to apply the smallest sanction in relation to “the actual unlawful processing of personal data of millions of EU users” — just €60M in the case of Facebook and €50M in the case of Instagram, which represents a tiny fraction of the revenues Meta has been able to generate over this period while unlawfully processing people’s data.
noyb goes on to warn that the DPC’s decisions may not end a case which has already racked up more than 4.5 years since the original “forced consent” complaints were filed back in May 2018 — as it argues the regulator’s findings don’t appear to fully deal with its complaints as the decisions focus on personalized ads and don’t cover issues like the use of personal data for improving the Facebook platform or for personalized content (which also require a valid legal basis under EU law).
Another issue noyb highlights is the DPC’s refusal to carry out additional investigations asked for by the EDPB — something the DPC is challenging as jurisdictional overreach and seeking to annul, as we reported earlier this month.
It also flags a further conflict which it says could lead it to appeal the decision — pointing out that under Austrian or German law (aka, the law that applies to noyb), the complaint defines the scope of the procedure — whereas it says the DPC believes that under Irish law it may limit the scope of a complaint, adding: “noyb may have to appeal the decision on these grounds.”
The DPC has been contacted for comment.
Major EU privacy decisions against Meta’s legal basis for ads raise fresh complaints by Natasha Lomas originally published on TechCrunch