GDPR Compliance

Point of view

The below discussion contains my personal point of view. I do not have any legal basis for my point of view other than my personal interpretation of the events and the GDPR. Errors and omissions may be present and you are advised to seek independent legal advice.

On 4th January 2023, the Irish Data Protection Commission announced €390 million fines against Meta, the parent company to Facebook and Instagram. (€210 million against Facebook, and €180 million against Instagram).

According to the Irish Data Protection Commission, Facebook and Instagram had changed the Terms and Conditions to their service provision and denied service provision to those who did not accept the new T’s and C’s, and “that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR.” 

Meta argued that it was complying with Recital 44 (Article 6(1)(b)): that Facebook and Instagram users had entered into a contract, and that the data being processed was necessary for the performance of that contract.

However, if you read between the lines, the reasons for the processing of the data (behavioural advertising etc.) were probably not necessary for the performance of the contract; instead, the data was being processed under the “Legitimate Interest” of Meta, in which case Recitals 69 and 70 (Article 21(2)) give the data subject the right to object.

From a “lessons learned” point of view: the primary reason for users to use Meta’s services was not to receive personalised advertising (Meta’s primary revenue stream) but to engage with other users in a social context. Rather than making service provision contingent on accepting the T’s & C’s, if Facebook and Instagram had instead made it possible for users to withdraw consent and still obtain the service with less personalised advertising, while making data processing under their legitimate interests the default, it’s likely this legal case would not have come about. It’s also probable that the subsequent drop in revenue would have been less than this fine, since, in my opinion, people are generally lazy and tend to accept defaults.

While I cannot provide you with legal advice for your data processing, we can work together to do a gap analysis to understand where you are processing data protected by the GDPR, and you can then consider, with a legal representative, whether or not you are processing that data legally, and if not, what to do about it.

Remember, the maximum fines that can be levied under GDPR Article 83(5) are €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

It’s not worth the risk. (It’s not meant to be)

Below is a reminder of the legal bases for data processing as per the GDPR:

| Legal Basis | Definition | Considerations | Recitals |
| --- | --- | --- | --- |
| Consent | The data subject has freely given specific, informed and unambiguous consent to process data for one or more specific purposes. | Consent agreement must be “clearly distinguishable from the other matters” and presented in “clear and plain language.” The data subject can withdraw consent at any time. | 32; 42; 43 |
| Contract | Processing is necessary for the performance of a contract to which the data subject is a party. | Processing must be necessary to deliver a contractual or requested service to a person. | |
| Legal obligation | Processing is necessary for compliance with a legal obligation to which the controller is subject. | Processing must be necessary to comply with a common law or statutory obligation. This does not apply to contractual obligations. | |
| Vital interests | Processing is necessary to protect the vital interests of the data subject or another natural person. | Processing must be necessary to protect someone’s life. This cannot be relied on for health or other special category data if the person can give consent. | |
| Public task | Processing is necessary for the performance of a task carried out in the public interest or in the interest of an official authority vested in the controller. | This applies to functions and powers set out in law and is mostly relevant to public authorities and organizations exercising official authority. | 45; 50; 54; 55; 56; 154 |
| Legitimate interests | Processing is necessary for a legitimate interest pursued by the controller or a third party. | This requires a “balancing test.” It may be overridden by the fundamental rights and freedoms of the data subject, particularly when the data subject is a child. | 47; 48; 49; 69; 70 |