The Irish Data Protection Authority, the DPC, has fined Meta
The Irish Data Protection Authority, the DPC, has fined Meta, parent company of Facebook, Instagram and WhatsApp, €265 million for violating the EU’s data protection regulation (GDPR). The decision, which comes following a year and a half long inquiry into Facebook Search, Messenger and Instagram, finds that Meta did not provide an adequate level of data protection by design and by default as required by the GDPR, which resulted in the leak of personal data of over 530 million Facebook users worldwide. Meta has three months to bring its data processing practices back in line with GDPR.
In 2021, the Irish DPC launched an inquiry into Meta following the leak of over 500 million Facebook users’ personal data worldwide (including email addresses and mobile phone numbers). This was reportedly caused by a technical vulnerability which allowed external third parties to collect data through a process called ‘scraping’. The decision of the DPC was taken in cooperation with all other data protection supervisory authorities within the EU, given the cross-border nature of the issue.
According to the DPC decision, Meta infringed:
1. Article 25(1) of the GDPR, which requires controllers to put in place appropriate technical and organisational measures to ensure that, by design, personal data is protected and safeguarded. The Irish DPC noted that while Meta implemented rate limits and bot detection measures, it found that these measures were not effective or appropriate and that Meta could have implemented a range of other measures to mitigate the risk of harm to the rights of data subjects; and
2. Article 25(2) of the GDPR, which requires controllers to put in place appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary are processed. The Irish DPC found that Meta left personal data such as the phone numbers and email addresses of an indefinite number of users exposed to so-called ‘scrapers’, thereby failing to implement appropriate measures to ensure that, by default, personal data are not made accessible without the data subjects’ intervention.
The Irish DPC announced a series of corrective measures in response, including:
1. An order to bring Meta’s processing into compliance with the GDPR, which must be complied with within three months. Meta must implement appropriate technical and organisational measures to ensure that, by design, only personal data which are necessary for each specific purpose of the processing are processed, and that, by default, personal data are not made publicly accessible. The Irish DPC states that it could potentially launch further inquiries to assess whether the measures adopted by Meta in response are appropriate.
2. An administrative fine of €265 million. To determine whether a fine was appropriate and what its amount should be, the Irish DPC assessed the nature, gravity and duration of the GDPR infringements, the action taken by Meta to mitigate the damage suffered by data subjects, previous infringements, the implementation of technical and organisational measures, and other factors.
3. A formal reprimand of Meta as permitted under GDPR. These formal recognitions of the serious nature of the infringements are intended to dissuade similar non-compliance by Meta and other data controllers in future.
More recently, media reports surfaced that WhatsApp records containing the personal phone numbers of nearly 500 WhatsApp users have been leaked and are being sold online for malicious purposes such as phishing. As with the Facebook data leak mentioned above, it has been claimed that this personal data was extracted through scraping.
Decisions by the Irish DPC are also expected shortly with regard to several other ongoing inquiries into Meta’s data practices. Of most relevance to advertising are those which concern Meta’s reliance on the ‘performance of a contract’ legal basis for the processing of personal data, including for personalised advertising purposes. Complainants argue that this is not a legitimate legal basis for the processing of personal data. These decisions are expected over the next month, following consideration by European DPAs collectively earlier this month. Although there have been some reports that the decisions will side with the complainants, this is not certain and we will report further once there is clear information. Depending on the detail, such a development could have a significant impact on some platforms’ broader business models.
Meta has also recently been subject to legal action brought in the English courts by human rights campaigner Tanya O’Carroll, who claims that Meta’s advertising practices breach consumers’ ‘right to object’ to the collection of personal data for direct marketing purposes established under the UK GDPR. O’Carroll has asked the High Court to rule on whether users can opt out of being profiled for advertising purposes. A final judgement is not expected before May 2023 at the earliest.
EU approves first GDPR certification mechanism
On 17 October 2022, the European Commission announced that the European Data Protection Board (EDPB), the European network of Data Protection Authorities, had approved ‘Europrivacy’, the first certification mechanism which can be used by data controllers and processors to assess and attest to their compliance with the EU’s data protection regulation, the GDPR.
This “European Data Protection Seal” was developed by the European Centre for Certification and Privacy (ECCP) in Luxembourg with funding from the European research programme Horizon. It is the only GDPR certification officially recognised in all EU Member States, which is why it needed the approval of the EDPB rather than a national regulator. Public authorities are required by the GDPR to encourage certification schemes, seals and marks, although the Regulation is also clear that these do not reduce controllers’ and processors’ responsibility for compliance.
Europrivacy will assess and certify the compliance of data processing with the GDPR and complementary national data protection regulations. It is intended to enable applicants to identify and reduce their risks, to demonstrate and derive value from their compliance, and to enhance their reputation and market access.
In practice, Europrivacy has a network of external official partners, such as law firms, consulting firms, expert partners and certification bodies. These partners provide consultancy services on compliance before the application for certification. A qualified certification body (SGS, BSI, DNV, Eurofins, TAM CERT or Certop) then carries out the certification. Successful certification leads to an entry in the Europrivacy certification registry.
· WFA will reach out to Europrivacy with a view to a possible session exploring the certification mechanism in more detail.