Irish Data Protection Commission Rules Meta Exploited Contract Provision of GDPR to Illegally Coerce Users Into Personalized Ads
Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).
The complainants contended that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR.
The Data Protection Commission has fined Meta a total of €390 million and requires its services to be compliant within three months. Perhaps just as important is that it appears the GDPR logjam is slowly beginning to loosen.
Noyb, which helped bring these complaints to the attention of regulators, has responded on its blog, as did Meta. The latter’s response is interesting to me because it appears to be tying its increased personalization push to targeted advertising. That is, Meta’s services are now TikTok-like algorithmically tailored feeds and it is impossible to disentangle that personalization from the way the ads are delivered. Cheeky. It is obviously planning to appeal the DPC’s ruling.