Can Terms of Service Agreements “Bypass” the GDPR?

Responding to Ireland’s Meta Decisions

The Irish Data Protection Commission (DPC) has issued decisions about three Meta companies since late December 2022. Each decision considers whether Meta can use its terms of service to “force” unnecessary data processing on its users. 

These recent decisions are among the most important regulatory developments since the General Data Protection Regulation (GDPR) took effect in May 2018. And they expose a fundamental rift between Ireland and other EU data protection authorities (DPAs). 

This article will look at the background behind these decisions, explore the two main interpretations of the GDPR’s rules on contracts, and consider how controllers should be thinking about legal bases for processing following the decisions. 

The Background 

Meta has made billions from its users’ personal data. But when the EU passed the GDPR, it wasn’t clear whether the company’s business model would survive. 

Before the GDPR came into effect on 25 May 2018, Meta (then called simply “Facebook”) relied on its users’ consent for certain data processing activities across its platforms, including ad-targeting, security, and service improvement. 

Pre-GDPR, users were supposedly assumed to have consented to these activities when they set up an account. Under the Data Protection Directive, the GDPR’s predecessor, Meta believed that this was acceptable. 

But the GDPR changed the EU’s definition of “consent”. Controllers would now have to obtain consent via an “unambiguous”, “clear” and “affirmative” action, among other requirements. 

Meta was concerned that its consent request would not meet the EU’s new standard. The company also didn’t want to adopt the new standard of consent—as this would mean its users had a genuine choice as to how their data was processed.  

Advice from the Regulator 

As the GDPR compliance deadline approached, Meta sought advice from the Irish DPC about how to handle these new consent rules. 

The regulator suggested that Meta stop relying on “consent”, and instead switch to “contract”. This change would mean incorporating these practices into its terms of service.  

At midnight on the day the GDPR took effect, Meta made the change. Facebook, Instagram and WhatsApp users were asked to agree to new terms of service—terms that required them to either agree to certain data processing activities, or stop using the platform. 

Shortly after, privacy campaign group “noyb” lodged complaints against Facebook, Instagram, and WhatsApp, arguing that these new terms were illegal under the GDPR. And four and a half years later, the complaints were resolved against Meta and in favour of noyb. 

The Bare Necessities 

So what was wrong with the Irish DPC’s advice? 

The regulator gave its advice to Meta based on its interpretation of the GDPR, particularly Article 6(1)(b), which provides the legal basis of “contract”: 

Processing shall be lawful (if it) is necessary for the performance of a contract to which the data subject is party… 

The key question: What does “necessary for the performance of a contract” mean? 

Here’s a simple example. If you buy a shirt from an online store, the store needs some of your personal data (e.g., your address) in order to send you the shirt. The store needs the data to perform its contractual obligation. 

The Irish DPC took a broader interpretation. The regulator argued that “necessary” could mean necessary to support a controller’s business model. This is supposedly the case with Meta, which profits from monetising its users’ data and targeting them with ads. 

The DPA Debate 

Some disagreed with the Irish DPC’s interpretation—most notably, Ireland’s fellow data protection regulators at the European Data Protection Board (EDPB). 

The debate between Ireland and other EU countries plays out in an October 2018 document, in which EDPB members discuss some upcoming guidelines about relying on “contract” to provide online services. 

The other regulators claimed that the DPC’s interpretation of “contract” was “too biased towards business interests” and “contrary to everything (they) believe in”. 

When the final guidelines were published a year later, it was clear that Ireland had lost the debate. The guidelines state that “necessary” means “necessary for the individual services provided by the data subject”—not “necessary for the controller’s wider business model”. 

But the Irish DPC was still not persuaded by the EDPB guidelines. 

The Meta Decisions 

Let’s turn to the three decisions recently issued by the DPC against Facebook, Instagram, and WhatsApp. 

The decisions teach us a lot about when controllers can rely on “contract” for processing personal data—in other words, the sorts of activities that can be included in a controller’s “terms of service” agreement. 

In the Facebook and Instagram decisions, Meta relied on “contract” for ad-targeting. The WhatsApp decision was about “service improvements” and “security”. In all three decisions, the Irish regulator ordered Meta to find a new legal basis for these activities. 

But the DPC was very reluctant to make this order against Meta and initially stuck to its own interpretation of the GDPR. The Irish regulator would have allowed Meta to continue “forcing” users to agree to these types of data processing through its terms of service. 

The EDPB intervened. After several other regulators raised objections to the DPC’s position, the EDPB issued three “binding decisions” to force the Irish regulator to change its decision. 

That’s why the DPC—eventually—ended up ordering Meta to stop relying on “contract”. 

When Does ‘Contract’ Apply? 

Which activities are “necessary” for performing a contract? 

In its guidelines, the EDPB explores some data processing activities and considers whether they might be “necessary” for performing a contract in the context of delivering online services. 

Here’s a summary of this section of the guidelines:  

Processing activity          Is relying on “contract” valid?            Possible alternative legal basis
---------------------------  -----------------------------------------  --------------------------------
Service improvement          Generally no                               Legitimate interests or consent
Fraud prevention             Generally no                               Legitimate interests
Behavioural advertising      Generally no                               Consent
Personalisation of content   Possibly yes, if integral to the service

All of these examples are context-dependent. The GDPR generally leaves controllers to determine which legal basis is appropriate for a given situation. 

Core Functions 

When thinking whether “contract” is the right legal basis for a given activity, consider whether the activity is one of your “core functions”. In other words, is this what your users are signing up for? 

For example, Facebook’s terms allow Meta to:  

  • Collect personal data about a user from other services, third-party websites, apps, cookies, and other technologies that have been placed on the user’s device. 
  • Link that data to that user’s Facebook account. 
  • Use the data to enable third parties to target ads at the user. 
Is this what people reasonably expect when they sign up to Facebook? The EDPB argues that it is not. This suggests that such activities are not a “core function” of the platform. 

Would it be possible to deliver Facebook’s “core functions” without using people’s personal data in this way (regardless of whether it would be profitable to do so)? The EDPB argues that it would be. This suggests that the activities are not “necessary” for the performance of the contract. 

On balance, the more appropriate basis for this sort of activity is likely to be consent: Ask people whether they accept or refuse targeted advertising, and let them change their minds. 

But what about activities considered in the WhatsApp case, such as “security” and “service improvements”? Again—these are not “core functions”, according to the EDPB. 

That doesn’t mean you can’t use personal data for service improvements or security purposes. You might not even need people’s consent for these activities if you determine that they are in your legitimate interests. 

A Question of Fundamental Rights 

Data protection and privacy are fundamental rights in the EU. The rights to data protection and privacy are not absolute—but a controller must be very careful before infringing on people’s rights. 

This respect for rights and freedoms is at the heart of the GDPR. 

For example, under the legal basis of “legitimate interests”, controllers can process personal data without permission. But in order to do so, the controller must assess the risk that the processing might create harm, and carefully consider people’s objections. 

Under “consent”, individuals can make a fully-informed, free choice to have their personal data processed in a way that might not primarily benefit them. And they can change their minds at any time—without suffering any detriment. 

The problem with putting unnecessary data processing activities under a “terms of service” agreement is that these careful considerations and protections don’t apply. Individuals simply have to submit to the data processing, or they can’t use the service. 

This goes against the vision of the GDPR. Or at least, that’s how the EDPB sees it. Meta is appealing, and the Court of Justice of the European Union (CJEU) will get the final say. 
