DP News – Week 2. Irish supervisory authority (DPC) hits Meta as a follow-up to the EDPB’s decision.

As DPOrganizer reported on week 50 last year (please check DP News – Week 50 release), the EDPB ruled that personalised ads run through Facebook, Instagram and WhatsApp are illegal due to the lack of users’ consent, while Meta cannot require users to accept personalised ads through their terms. On the basis of the EDPB binding decisions, the Irish supervisory authority (DPC) was expected to adopt final decisions addressed to Meta.

On 31 December 2022 (press release published on 4 January 2023), the DPC took the long-anticipated decision reflecting binding determinations made by the EDPB. While the decision itself is yet to be published soon, the press release states that “Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR”.

Meta Ireland was also fined €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).

In addition to the above, Meta Ireland was also required ​to bring its data processing operations into compliance within a period of 3 months, meaning that Meta will not be legally able to exploit users’ personal data for ads any longer.

Interestingly, the DPC’s press release seems to reveal a sort of unsettled disagreement between the DPC and the EDPB in regards to the DPC’s independence, on one hand, and the EDPB’s powers, on the other hand. Possibly, this will be brought before the EU General Court. The press release describes the disagreement in the following way: “Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions”.