Data protection enforcement power struggles highlighted in Meta case

In a statement issued on Wednesday, the DPC confirmed that it fined Meta Platforms Ireland Limited a total of €390 million in respect of data protection issues identified in connection with the company’s Facebook and Instagram services. Meta has said it is disappointed by the DPC’s decisions and that it intends to appeal.

The DPC’s decisions in respect of the two Facebook and Instagram inquiries were finalised following interventions by other national data protection authorities based across the EU, which culminated in the EDPB – an umbrella body that draws together national data protection authorities from across the EU – ordering the DPC to amend the enforcement action it proposed to take. It used its powers to do so under a regulatory cooperation mechanism that operates under the EU’s General Data Protection Regulation (GDPR).

In its statement, however, the DPC also referred to further action EDPB has called on it to take in relation to data processing by Meta. The DPC said that intervention went beyond the limits of the EDPB’s powers.

The DPC said: “The EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions.”

“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR,” it said.

“To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions,” the DPC said.

The GDPR provides a so-called 'one stop shop' mechanism of regulation and enforcement, designed to allow businesses to deal with one data protection authority in respect of their EU operations instead of multiple different authorities across all 27 EU member states. However, the GDPR makes provision for the cooperation of national data protection authorities in cases where alleged infringement occurs in more than one jurisdiction.

In cross-border enforcement cases, the lead supervisory authority – that being the authority in the country where a business has its European headquarters or, failing that, where its EU representative is based – must enter into dialogue with the other data protection authorities in the countries where data subjects have been impacted. While the responsibility for investigation alleged infringement sits with the lead authority, the GDPR gives the other DPAs scope to input to the enquiries and to raise 'relevant and reasoned' objections against proposed decisions of the lead authority.

The powers of the EDPB to issue a binding decision in cross-border enforcement cases arise under Article 65(1)(a) of the GDPR and apply where the lead authority rejects the objections raised but another data protection authority continues to stand behind them.

The DPC’s Facebook and Instagram inquiries centred on the question of whether Meta was entitled to process users’ data for the purposes of delivering personalised services and behavioural advertising on the basis that the users had agreed to such processing when accepting the terms of service. Meta had argued that the processing was necessary for the performance of that contract – one of the legal bases for processing personal data under the GDPR.

While the DPC originally found that Meta had breached some of its data protection obligations, it initially concluded that, in principle, the GDPR did not preclude the company from relying on the contract legal basis. However, 10 other data protection authorities took issue with that finding and, when consensus could not be reached, the DPC referred the matter for a binding decision of the EDPB.

The EDPB held that Meta was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising. The DPC subsequently adopted its final decisions in the two cases, increasing the level of fines it had originally proposed to impose on Meta – to €210m in the case of Facebook, and €180m in the case of Instagram. Meta has also been ordered to “bring its processing operations into compliance with the GDPR” within three months.

In its statement, Meta said it “strongly believe[s]” its approach “respects GDPR”.

Meta said: “GDPR allows for a range of legal bases under which data can be processed. The rules of GDPR are clear: there is no hierarchy between these legal bases – none should be considered better or more legitimate than any other. Which basis is most appropriate to use depends on the specific situation. Like many companies, Meta uses a combination of legal bases to provide various services.”

“Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service. To date, we have relied on a legal basis called ‘contractual necessity’ to show people behavioural advertisements based on their activities on our platforms, subject to their safety and privacy settings. It would be highly unusual for a social media service not to be tailored to the individual user,” it said.

A DPC spokesperson told Out-Law that the final decision relating to its separate inquiry into WhatsApp, another Meta-owned service – a case that the EDPB has also intervened in – is due to be issued next week.

In November 2022, the DPC imposed fines totalling €265 million against Meta after determining infringements of EU rules on data protection by design and default. The action taken in that case came after the Irish regulator investigated the ‘scraping’ and subsequent disclosure of “a collated dataset of Facebook personal data” on the internet that was reported in 2019.

In a separate case, Meta has lodged an appeal before the Irish courts against a €405m fine imposed by the DPC under the GDPR over children’s data protection issues it said it had identified with Instagram.