Privacy watchers keen to dig deeper into the regulatory reasoning behind two major rulings against Meta earlier this month, which struck down Facebook and Instagram’s assertion of contractual necessity as a valid legal basis to run behavioral advertising on users in the European Union, can now sift through the detail after the plaintiff, privacy rights group noyb, published the ruling documents online.
You can find the 188-page Facebook ruling here and the 196-page Instagram ruling here — both of which feature redactions made by Meta because it was allowed to remove commercially sensitive information, so some juicy details are missing.
(For example, a paragraph in the Facebook document where the company provides an estimate of how long it will take to enforce compliance orders has been blacked out, along with another sentence in that section where it details the work involved. We can only speculate if any words were actually covered here – or just a line of screaming emojis.)
Meta’s main data protection regulator, the Irish Data Protection Commission (DPC), issued the final rulings, but only after more than a year of dispute with EU DPAs that disagreed with its draft decision (which did not object to Meta’s claiming contractual necessity to microtarget the ads) and, finally, after incorporating a binding decision from the European Data Protection Board (EDPB), which settled the dispute by forcing the DPC to dismiss Meta’s contractual necessity claim.
The EDPB also required the DPC to significantly increase the amount of the financial penalty imposed on Meta for breaching the EU General Data Protection Regulation (GDPR).
So while the Irish DPC’s name and branding are on these documents, they are the product of a co-regulatory process built into the GDPR, through a co-operative mechanism to deal with cross-border cases.
The details of the documents are already fueling fresh attacks on the DPC over its much-criticized approach to GDPR enforcement, with noyb wondering why the Irish regulator changed the (binding) EDPB ruling, which it says called for the three-month period to comply with the order to run from the time that order was served (i.e. sometime in December), so that it instead runs from when the DPC’s decision is served (sometime in January). “This derogation by the DPC from the decision of the EDPB seems illegal,” argues noyb.
It also takes issue with the fact that the DPC apparently narrows the scope of the EDPB’s decision, limiting it to processing for advertising purposes only.
“It appears that other aspects of the complaint were not dealt with by the DPC, which in itself may be illegal,” it suggests.
noyb is also concerned about the level of financial sanction imposed by the Irish regulator, which the DPC was required by the EDPB to reassess and increase significantly in line with its binding decision that there was a breach of the legal basis (and of the GDPR principle of fairness), not just transparency as the DPC initially decided.
The privacy group points out that the Irish regulator has chosen to apply the smallest penalty when it comes to “the actual unlawful processing of the personal data of millions of EU users”: only 60 million euros in the case of Facebook and 50 million euros in the case of Instagram, which represents a tiny part of the revenue that Meta was able to generate during this period while illegally processing people’s data.
noyb goes on to warn that the DPC’s rulings may not end a case that has already racked up more than 4.5 years since the initial ‘forced consent’ complaints were filed in May 2018 – as it argues that the regulator’s findings do not appear to fully address its complaints as the rulings focus on personalized ads and do not cover issues such as the use of personal data to improve the Facebook platform or for personalized content (which also require a valid legal basis under EU law).
Another issue highlighted by noyb is the DPC’s refusal to carry out additional investigations requested by the EDPB, which the DPC disputes as a jurisdictional overreach and seeks to overturn, as we reported earlier this month.
It also points to another conflict which it believes could lead it to appeal the decision, pointing out that under Austrian or German law (aka, the law that applies to noyb), the complaint defines the scope of the proceedings, while it states that the DPC believes that under Irish law it can limit the scope of a complaint, adding: “noyb may have to appeal the decision on these grounds.”
The DPC has been contacted for comment.