Point of view
The discussion below contains my personal point of view. I do not have any legal basis for my point of view other than my personal interpretation of the events and the GDPR. Errors and omissions may be present and you are advised to seek independent legal advice.
On 4th January 2023, the Irish Data Protection Commission announced €390 million fines against Meta, the parent company to Facebook and Instagram. (€210 million against Facebook, and €180 million against Instagram).
According to the Irish Data Protection Commission, Facebook and Instagram had changed the Terms and Conditions to their service provision and denied service provision to those who did not accept the new T’s and C’s, and “that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR.”
Meta, for its part, argued that it was complying with Recital 44 (Article 6(1)(b)): that Facebook and Instagram users had entered into a contract, and that the data being processed was necessary for the performance of that contract.
However, if you read between the lines, the reasons for the processing of the data (behavioural advertising etc.) were probably not necessary for the performance of the contract; instead, the data was being processed under the “Legitimate Interest” of Meta, in which case Recitals 69 and 70 (Article 21(2)) give the data subject the right to object.
From a “lessons learned” point of view, the primary reason for users to use Meta’s services was not to receive personalised advertising (Meta’s primary revenue stream) but to engage with other users in a social context. Rather than making service provision contingent on accepting the T’s & C’s, if Facebook and Instagram had instead made it possible for users to withdraw consent and still obtain the service with less personalised advertising, while making data processing under their legitimate interests the default, it’s likely this legal case would not have come about. It’s also probable that the resulting drop in revenue would have been less than this fine, since, in my opinion, people are generally lazy and tend to accept defaults.
While I cannot provide you with legal advice for your data processing, we can work together to do a gap analysis to understand where you are processing data protected by the GDPR, and you can then consider, with a legal representative, whether or not you are processing that data legally, and if not, what to do about it.
Remember, the maximum fines that can be levied under GDPR Article 83(5) are €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
It’s not worth the risk. (It’s not meant to be)
Below is a reminder of the legal bases for data processing as per the GDPR:
| Legal Basis | Definition | Considerations | Recitals |
|---|---|---|---|
| Consent | The data subject has freely given specific, informed and unambiguous consent to the processing of their data for one or more specific purposes. | The consent request must be “clearly distinguishable from the other matters” and presented in “clear and plain language.” The data subject can withdraw consent at any time. | |
| Contract | Processing is necessary for the performance of a contract to which the data subject is a party. | Processing must be necessary to deliver a contractual or requested service to a person. | |
| Legal obligation | Processing is necessary for compliance with a legal obligation to which the controller is subject. | Processing must be necessary to comply with a common law or statutory obligation. This does not apply to contractual obligations. | |
| Vital interests | Processing is necessary to protect the vital interests of the data subject or another natural person. | Processing must be necessary to protect someone’s life. This cannot be relied on for health or other special category data if the person can give consent. | |
| Public task | Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. | This applies to functions and powers set out in law and is mostly relevant to public authorities and organisations exercising official authority. | |