The Irish Data Protection Commission (DPC) announced a €390 million fine against Meta this week over allegations that the company did not use an appropriate legal basis to collect and process user data for behavioral advertising on Facebook and Instagram under the General Data Protection Regulation (GDPR). This controversial decision shows that the GDPR has introduced tremendous regulatory uncertainty for businesses over arcane legal issues that are completely divorced from the everyday concerns of Internet users.
Under Article 6 of the GDPR, companies must have a lawful basis for processing personal data. The GDPR provides six lawful bases: the user's consent, performance of a contract, compliance with a legal obligation, protection of the vital interests of an individual, performance of a task carried out in the public interest, and the legitimate interests of the company. When the GDPR went into effect in May 2018, Meta chose contract as the legal basis for its data collection. As a result, the company presented users on Facebook and Instagram with new terms of service that they had to accept to continue using the platforms.
Meta’s rationale for its choice was straightforward: Facebook and Instagram entered into an agreement to provide a personalized social media experience to their users, including by serving targeted ads, and therefore collecting data was a “necessary and essential” part of performing the contracted service. Indeed, without that data, Facebook and Instagram would not be able to use personalized ads to monetize their services and offer their platforms to users for free.
The DPC reviewed a complaint that argued that Meta had violated the GDPR by conditioning access to its services on users agreeing to its terms of service. Ironically, the DPC agreed with Meta that it was following the GDPR. In its draft decision, the DPC found that “the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis.” But a minority of other EU data regulators objected and, after failing to reach consensus, the European Data Protection Board (EDPB)—an independent body created by the EU to ensure consistent enforcement of the GDPR—overruled the Irish regulator and imposed its own binding decision.
The end result is that the EDPB compelled the Irish DPC to impose a hefty fine against Meta consisting of two parts: a €210 million fine for the complaint against Facebook and a €180 million fine for a similar complaint against Instagram. Given that the European data protection regulators themselves were divided on whether Meta even violated the GDPR, and that the company clearly intended to comply with the spirit of the regulation, it is shockingly unfair that the EDPB would order such a significant fine. While Meta still has the option to challenge the fine, and the decision may rightly be overturned on appeal, the message it sends to the private sector is that EU regulators are making up the rules as they go along.
The GDPR was supposed to create a clear set of harmonized rules for the European digital single market that would make it easier to do business. Unfortunately, after businesses have spent millions on compliance and hired additional data protection officers, not only has the law done significant damage to the European digital economy, but those businesses are still operating in a regulatory minefield.
The GDPR was written by human hands in Brussels, it was not handed down on a stone tablet from Mount Sinai. It is time for European policymakers to admit the GDPR has many faults and start the difficult conversation of how to make revisions.
Image credit: Brett Jordan