The Irish CNIL sued the EDPS
Published on 01/11/2023 through
– 0 views
The Irish Data Protection Commission (DPC) imposed two fines on Meta: one for Facebook (210 million) and one for Instagram (180 million). Due to the binding opinion issued in December by the EDPS, the DPC has no choice but to fight: in addition to the (low) amount of fines, it takes the EDPS decision to court. The conflict risks eroding the trust on which the “leader” mechanism created by the GDPR is based.
The DPC issued two rulings regarding Meta Platforms Ireland Limited (“Meta Ireland”), imposing fines of €210 million (for GDPR violations related to its Facebook service) and €180 million (for violation linked to its Instagram service).
CPD also issued a compliance injunction for 3 months.
These decisions are the result of complaints filed on May 25, 2018, the date GDPR came into effect. Five years of process…
The main problem: what legal basis for behavioral advertising?
Until the entry into force of the GDPR, Meta based its processing of personal data, including behavioral advertising, on user “consent”.
Before May 25, 2018, when the GDPR came into effect, Meta Ireland changed its terms of service, indicating that it was changing the basis of legality from consent to “contractual” performance for most (but not all) of treatment.
Purpose of the maneuver: the GDPR no longer seriously allows to consider that the consent was properly collected (free, specific, informed, etc.), it is necessary to switch to another legal basis or to stop advertising on behavior Meta therefore deems behavioral advertising “necessary” for the performance of the Network User Agreement. At the same time, Meta removed all barriers related to consent (withdrawal, etc.) and regained full control over its processing.
In May 2018, if they wish to continue to have access to Facebook and Instagram services after the introduction of the GDPR, existing users (and new ones) were asked to click on “I accept” to indicate their acceptance in the updated terms of service . Otherwise, the services will no longer be accessible.
We have already assigned a news item to the main problem and refer to it.
Essentially, complaints filed on the same day that GDPR kicks in are considered to:
- The provision of personalized services and behavioral advertising cannot be considered “necessary” for the execution of the contract concluded with the user of Facebook and Instagram;
- Neither can the provision of personalized services and behavioral advertising be consent-based because the updating procedure (accepting or stopping the use of the service) does not allow obtaining free and specific consent . In addition, due to the context, transparency (informed consent) was not sufficiently ensured.
The DPC conducted the investigation (very slowly) and came to the following conclusions:
- Violation of transparency obligations: information about the legal basis is not clearly exposed to users, who therefore do not clearly know what processing operations have been carried out on their personal data, for what (s) purpose(s) and by determining on what grounds of righteousness.
- Absence of violation of the principle of lawfulness: Meta may base the processing, including for behavioral advertising, on the performance of the contract concluded with the user. Processing is not necessarily based on consent.
That is why the DPC agreed with Facebook on important matters.
The binding decision of the EDPS
In accordance with the GDPR, the draft decision of the DPC was sent to the national authorities of the other countries involved, without reaching a consensus.
Due to the lack of consensus, the file came to the table of the European Data Protection Board (EDPS).
The EDPS issued its binding opinion on 5 December 2022:
- In violation of the obligation of transparency: EDPS confirms the finding of the DPC, but wants an increase in the amount of the fine.
- On the most important question related to the basis of lawfulness, the EDPS contradicts the DPC: Meta Ireland is not entitled to use the legal basis of “contract” as the legal basis for its processing of personal data. personally for behavioral advertising purposes.
DPC folds but takes EDPS to court
Since it was a binding decision, the DPC had to submit it… for now.
The DPC decisions therefore impose two fines on Meta Ireland: 210 million euros (in the case of Facebook) and 180 million euros (in the case of Instagram). Good totals, sure, but an amount out of line with the stakes.
Meta Ireland must also comply within 3 months.
Furthermore, the EDPS also asked the DPC to carry out a New survey of all data processing operations of Facebook and Instagram, and to examine the special categories of personal data that may or may not be processed in the context of these operations. The Irish DPC considers that the EDPS does not have the competence to request the opening of an investigation and has announced that it is seeking legal action to set aside the EDPB’s instructions.
The DPC’s criticism of the EDPS’s mandate is not without interest. Is there a place in the GDPR for this type of mandate, when the principle of lead authority is clearly laid out and entrusts an authority with the supervision of its “clients”? The question is valid. Perhaps the answer is in spirit more than in form: no, the EDPS cannot order (in the legal and binding sense) the authority to investigate, but the national authority has the duty to actively supervise the their “customers”, he must open an investigation if they have reason to suspect a GDPR violation. However, the EDPS request generates such suspicion.
However, the important thing is not there.
The real concern comes from the fact that the principle of lead authority depends on a founding condition sine qua non : mutual trust.
However, it is now known that:
Both in substance (its very isolated positions as well as the amount of fines) and in form (the way it handles inquiries and complaints), the DPC aims to make Ireland a paradise data-friendly for GAFAM, and it is ready to dig up the frog to achieve its ends.
The authorities of other member countries, as well as the European Parliament, have lost confidence in the DPC, which some want to put under supervision (see the statements of the European Ombudsman on this topic).
If the EDPS issues a request for an investigation, it is ultimately because the DPC does not do it itself and the way in which it manages complaints raises many questions (access to the file, transparency, deadlines, etc. ).
Did you say trust?