Ireland’s Data Privacy Commissioner (DPC) is the foremost European Union privacy regulator due to the location of their European headquarters in Ireland. To date, it has fined the company formerly known as Facebook (now Meta) a grand total of 1.3 billion euros with 10 additional inquiries into its services currently open. This is a considerable sum and reflects the ongoing conflict between the different regulators, data controllers, and privacy rights campaigners.
Central to these cases is the interpretation of the reliance on the performance of a contract as the basis for lawful processing of personal data. Ironically, while the DPC took a similar view to Meta – that it is lawful to process personal data in order to provide personalized ads as part of the service provided to data subjects who sign up (i.e. “contract”) to use social media platforms (including Facebook and Instagram) – nine national regulators and the European Data Protection Board took a different position. They agreed with privacy campaigners that personalized advertising could not be said to be objectively necessary to perform Meta’s contract with the data subjects to deliver Facebook services, nor is it a core or essential element of it.
The decision is subject to court proceedings where the precise scope of what is necessary for the performance of a contract in this context will be thrashed out. Should it be so broad as to mean whatever has been set out in such a contract (and effectively what platforms such as Meta choose to do, given the one-sided nature of the agreements)? Or should it be limited, as the EDPB wishes, to what is objectively necessary for a specific purpose and integral to the delivery of that contractual service to the data subject? Keep in mind at this point the central objective of the GDPR is the protection of an individual’s personal data. This is why Meta was slapped with a pair of fines totaling more than $400 million as the Irish privacy regulator concluded the company’s advertising and data handling practices were in breach of EU privacy laws, with a further 5.5 million Euros being added last week.
The DPC began investigating the company on May 25, 2018, the day the EU’s General Data Protection Regulations came into effect. The DPC fined WhatsApp 225 million Euros in September 2021 for breaches that occurred in May 2018, the same period of time as the complaint dealt with last week. WhatsApp is in the process of appealing that fine through the Irish courts. GDPR places strict requirements on firms regarding the processing of people’s information. Firms that run afoul of the rules risk facing penalties as high as 4% of global annual revenues.
Crucially, the DPC instructed WhatsApp to reassess how it uses personal data for service improvements. This follows hard on the heels of a similar order it issued this month to Meta’s other main platforms, Facebook and Instagram, which stated Meta must reassess the legal basis upon which it targets advertising through the use of personal data.
The allgram app ensures personal and business privacy for all your data and communications. Try it on Android or iPhone mobile devices today! Your data is yours!