Data Protection Authority of Ireland-Meta Platforms Ireland Limited (1/4/2023)

Meta had updated its terms of service shortly before the GDPR came into force. In its new terms of service, Meta informed its users to click ‘Agree and Continue’ to indicate their agreement with the new terms of service. This was required for further access to the services. Meta assumed that the acceptance of the updated terms of use constituted a contract between Meta and the user, since the processing of the data would be necessary for the provision as well as the improvement of the services. According to Meta, the data processing was therefore lawful pursuant to Art. 6 (1) b) GDPR. However, the complainant argued that Meta was actually trying to rely on consent as a legal basis for processing users’ data. By making the access to its services conditional on users’ consent to the updated terms of service, Meta was actually forcing users to consent to the processing of their personal data.

Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The DPC found that Meta did not rely on user consent as a legal basis, and did not consider ‘coerced consent’ in this case. It also did not rule out the possibility that Meta relied on a contractual legal basis. In response, the DPC received objections from different supervisory authorities. However, the DPC found that Meta had breached its transparency obligations under the GDPR, by not clearly explaining to users for what purpose and on what legal basis their personal data would be processed.

As no agreement could be reached on the disputed points, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR. In its decision, the EDPB confirmed the violation of transparency obligations by Meta. However, the EDPB took a different position than the DPC on the issue of the legal basis and found that Meta was not entitled to rely on a contractual legal basis. The EDPB therefore found that Meta had violated Art. 6 (1) GDPR. The DPC agreed in its final decision and imposed the fine and also required Meta to bring its data processing into compliance within three months.