A Meta-morphosis in the lawful basis of processing personal data under GDPR?
Meta, the owner of Facebook, Instagram and WhatsApp, has just been fined €390m (£346m) by the Irish Data Protection Commission (“DPC”) for not having an appropriate lawful basis under GDPR for processing personal data in connection with the delivery of its services, including the delivery of personalised advertisements.
Article 6 of the GDPR (which is retained in UK law pursuant to the Data Protection Act 2018) sets out six “lawful bases” for processing personal data. At least one of these must apply in order for the data to be processed lawfully:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for the performance of a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interest: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
In advance of GDPR coming into operation, Meta had changed its terms of service for Facebook and Instagram. Having previously relied on the “consent” lawful basis, Meta now sought to rely on the “contract” lawful basis for most (but not all) of its processing operations. If users wished to continue to have access to Facebook and Instagram following the introduction of GDPR, they were asked to click “I accept” on the updated terms of service and those services would be unavailable if users refused to do so.
Meta considered that, on accepting the updated terms of service, users were entering into a contract with Meta and that, consequently, the processing of a user’s personal data in connection with the delivery of the services was necessary for the performance of the contract (including the provision of personalised services and behavioural advertising).
However, following its investigation, the DPC made the following notable findings:
- Meta did not provide clear information about its processing of users’ personal data, leaving users without sufficient clarity as to the lawful basis under which their personal data was being processed.
- Meta cannot rely on contractual necessity as a lawful basis for justifying its processing, because the delivery of personalised advertising was not necessary to perform the core elements of the Facebook and Instagram services.
- Meta was in fact still relying on consent as the lawful basis for its processing: by making the services conditional upon acceptance of the updated terms, Meta was forcing users to consent to the processing of their personal data, and that consent was not “freely given, specific, informed or unambiguous” as required under GDPR.
Meta has made it clear that it will be appealing this decision, and the appeal should provide some much-needed guidance on the lawful basis for processing personal data in this area. However, as it stands, the DPC’s decision has potentially huge ramifications for Meta’s business model. If Meta must now rely on users giving their consent to targeted advertising, then under GDPR users must be able to withdraw that consent at any time. If a large number of users were to do so, Meta could suffer huge losses in advertising revenue on top of the already heavy fine it has received.
This matter highlights the importance for your business of:
- having a legitimate lawful basis for processing personal data,
- ensuring that this lawful basis is clearly and effectively communicated to the relevant individuals in formal legal documentation such as a Privacy Policy, and
- being aware of the massive potential fines that could be levied if your processing is found to be unlawful in this regard.
What can we do to help?
For advice and assistance in drafting a compliant Privacy Policy for your business, on the lawful processing of personal data, or on GDPR generally, please contact either James Sarjantson on 0113 201 0401 – jsarjantson@lcf.co.uk or Thomas Taylor on 0113 204 0407 – ttaylor@lcf.co.uk