More privacy fines and corrective orders are beginning the New Year by affecting Meta’s operations in Europe. The most recent round of action comes in response to several EU General Data Protection Regulation (GDPR) complaints over the legitimacy of the company’s use of behavioral advertising.

The Irish Data Protection Commission (DPC), the principal data protection watchdog in the area for Facebook owner Meta, announced today that it had adopted final decisions on two of these protracted investigations — against Meta-owned social networking site Facebook and social photo sharing service Instagram.

The European Data Protection Board (EDPBbinding )’s decision on these complaints last month that contractual necessity is not an appropriate basis for processing personal data for behavioral ads is confirmed by the DPC’s press release today, which also announces financial penalties of €210 million ($223 million) for Facebook and €180 million ($191 million) for Instagram in relation to these complaints.

These new penalties come on top of a slew of privacy fines handed down to Meta in Europe last year, including a €265M fine for a Facebook data-scraping breach, a €405M fine for an Instagram violation of children’s privacy, a €17M fine for a number of earlier Facebook data breaches, and a €60M fine for violating Facebook cookie consent. All told, these penalties will bring the total amount of (publicly disclosed) EU data protection and privacy

However, Meta has already received fines totaling more than half of the regional total for last year in the first few days of 2023, and additional penalties may be on the way.

Corrective actions are also being taken, in accordance with the DPC’s PR, and Meta has been given three months to make its processing in line with the GDPR.

Therefore, it will have to ask users for their approval rather than relying on the defense of contractual necessity to run behavioral ads. (And users who reject its surveillance advertising cannot be profiled or targeted.)

Max Schrems, the creator of the European privacy rights organization (noyb) that brought the initial GDPR complaints, commented in a statement: “This is a severe blow to Meta’s revenues in the EU. People must now be asked if they agree or disagree with the usage of their data for advertising. They must be given a “yes” or “no” choice and are free to alter their decision at any moment. Additionally, the decision guarantees parity with other advertisers who likewise must obtain opt-in consent.

The internet giant is quite likely to dispute the rulings given how crucial Meta’s tracking and targeting ad strategy still is to its business. If it does, this might cause new delays as legal challenges to the now-ordered enforcement are resolved in the courts. Therefore, it can be years before Meta submits to correction through EU privacy regulation.

Full information on disagreements between data protection authorities as well as other intriguing facts, such how the level of the fines have been established, are still to come. This is because the DPC’s final findings on these inquiries have not yet been released.

However, the DPC offers its own perspective on the regulatory disputes in a press release that announces the two final verdicts, writing:

The CSAs [concerned supervisory authorities] concurred with the DPC’s findings on the issue of whether Meta Ireland had violated its transparency duties, even if they thought the DPC’s suggested sanctions should be enhanced.

Ten out of the 47 CSAs voiced concerns about other parts of the draft rulings (one of which was subsequently withdrawn in the case of the draft decision relating to the Instagram service). The delivery of personalized advertising (as part of the larger suite of personalized services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract, according to this subset of CSAs, who believed that Meta Ireland should not be allowed to rely on the contract legal basis.

The DPC disagreed, expressing its opinion that the Facebook and Instagram services comprise and, in fact, appear to be built around the provision of a personalized service that includes individualized or behavioral advertising. These are, in fact, personalized services that also include individualized advertising. According to the DPC, this reality is crucial to the agreement reached between users and their preferred service provider and is a component of the contract signed when users agree to the Terms of Service.

The EDPB was instructed to (further) raise the level of sanctions issued because the DPC’s PR also reveals that Meta violated the GDPR fairness principle in addition to the transparency breach that the Board supported.

A third ruling against WhatsApp, which is owned by Meta, is still pending at the DPC but is expected to be delivered in the next week or so. (The regulator informs us that this is due to a brief delay in the DPC receiving the binding judgement from the EDPB on that complaint.)

According to noyb, a fine for WhatsApp under that concurrent process is anticipated to be made public by mid-January.

Update: Meta responded to the rulings in a blog post and asserts that the legal foundation it chose to process people’s data for advertising purposes “respects GDPR.” Additionally, it states that it intends to appeal the rulings on both the merits and the severity of the fines levied.

In a statement that echoes the DPC’s assertion that ad-supported “personalized” services must be “all or nothing,” Meta writes that “Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service.

As long as users’ safety and privacy settings allow it, we have relied on a legal theory known as “Contractual Necessity” to offer them behavioral advertisements based on their online actions. It also asserts that it would be highly unusual for a social media service to not be customized to each user, while omitting to mention that, prior to relying on a claim of contractual necessity in 2018, before the GDPR went into effect, it had relied on a claim of user consent for the processing of ads.

Additionally, according to Meta’s blog post, the DPC’s rulings do not forbid personalized advertising on its platform or require the use of consent for ad-based processing.

The claim that personalized advertising can no longer be provided by Meta across Europe without first obtaining consent from each user is false, it says. Similar firms process data using a range of legal basis, and we are considering a number of solutions that will enable us to continue providing our users with a completely personalized service. It is untrue to say that Meta can no longer provide personalized adverts across Europe without first obtaining each user’s consent.

Regulation of coerced consent
The European privacy rights campaign group noyb targeted the tech giant’s use of so-called “forced consent” (i.e., forcing users to accept sign-up terms that state they must “agree” to their data being processed for behavioral ads or they will not be able to use the service) in May 2018, just as the GDPR went into effect throughout the European Union.

In contrast to the EDPB’s binding ruling, the Irish regulator’s draft judgement on the complaints was disclosed back in October 2021, and the DPC did not raise concerns about Meta’s reliance on contractual necessity for running behavioral ads. Despite finding violations of the GDPR’s transparency rules, the report claimed that it was doubtful that consumers knew they were agreeing to a Facebook ad contract when they clicked the site’s “I agree” button.

Therefore, the DPC initially requested a reduced penalty (of about $36M) compared to the financial blow in final decisions that is now emerging, which is more than 10x larger (still with the WhatsApp final decision pending).

Through the GDPR’s cooperation mechanism, which involves other EU data protection authorities (who can, and in this case several did, object to a lead supervisor’s draft decision), and designates the EDPB as the final arbiter when regulators can’t agree among themselves, a much tougher enforcement regime has been reached. Therefore, in this instance (and not for the first time), the DPC has been given instructions to arrive at a different decision than it would have otherwise.

The level of enforcement resulting from a collective regulatory mechanism baked into GDPR is higher (and stricter) than it would have been with Ireland acting alone, as has happened multiple times before.

The EDPB “took a different view on the ‘legal basis’ question,” according to the regulator, who added that the final decisions adopted by the DPC on December 31, 2022, “reflect the EDPB’s binding determinations as set out above.” The DPC frames the outcome somewhat differently—as a difference of legal interpretations. Because of this, the DPC’s decisions include conclusions that Meta Ireland is not permitted to rely on the “contract” legal basis in connection with the delivery of behavioral advertising as part of its Facebook and Instagram services and that its purported processing of user data up to this point in reliance on the “contract” legal basis constitutes a violation of Article 6 of the GDPR.

It will be interesting to see if Meta’s attorneys attempt to capitalize on the DPC’s (now publicly stated) assertion that Facebook and Instagram are “premised on, the provision of a personalised service that includes personalised or behavioral advertising” and its (convenient-for-Meta) conflation of personalised services and personalised advertising through an expressed stance that such a conjoined pairing is “central to the bargain struck between users and their chosen servic

It’s odd that the DPC’s position on this issue (as well as Meta’s!) ignores the presence of additional types of (ads that don’t violate privacy) that Meta might employ to fund its service, including contextual advertisements.

Additionally, its PR makes no mention of the possibility that Meta will be required to destroy all the information it has been unlawfully processing since 2018. However, litigation finance companies are unlikely to pass up the chance to scale privacy class actions.

Additional drama is developing in relation to today’s DPC statement as well: Schrems tweeted his displeasure with the DPC’s statement that noyb wouldn’t receive the final verdict until Meta had an opportunity to redact the paper. In ten years of litigation, I’ve never seen anything like it, he continued. F*cking insane

https://twitter.com/maxschrems/status/1610625661042933761?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1610625661042933761%7Ctwgr%5Eca5f8f0f746bb75df4fc553e6528ba909c016160%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Ftechcrunch.com%2F

(Recall that noyb had already filed a case of criminal corruption against the DPC in 2021, alleging the regulator of corruption and “procedural blackmail” in connection with attempts to block the publication of records pertaining to GDPR complaints.)

The DPC’s “quite diabolic public relations game,” according to noyb’s Schrems, is further criticized in a press statement from the company. He writes: “Getting overturned by the EDPB is a big blow for the DPC, but now they seem to at least strive to gain the public impression of this issue. I have been involved in litigation for 10 years and have never witnessed a decision being served to one side but not the other. The DPC engages in very evil public relations tactics. It attempts to co-write the story of the decision with Meta by preventing noyb or the general public from reading it. Despite being overridden by the EDPB, it appears that the cooperation between Meta and the Irish regulator is still going strong.

The DPC has stated it is commencing an annulment action against specific “jurisdictional” components of the EDPB judgement, another unusual move by the Irish regulator that only looks destined to increase criticism of its friction-generating approach to GDPR enforcement.

Instead, it asserts that it disagrees with other aspects of the guidance provided by the Board and accuses the steering board of exceeding its authority in a disagreement under GDPR Article 65.

The Board’s legally binding decision also instructs the DPC to carry out what the Irish regulator describes as “a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations,” which suggests that this action was initiated.

In the EU, where legal experts have been warning for years that the tech giant’s consent-free tracking and profiling of citizens is in violation of the bloc’s legal framework on data protection, such an investigation, should it actually occur, could really drive a stake through the heart of Meta’s privacy-sucking business model.

It’s therefore intriguing that the DPC wants to avoid opening a thorough inquiry into Meta’s data processing at the EDPB’s request.

According to its PR, the decisions it has made today “necessarily do not include reference to additional investigations of all Facebook and Instagram data processing operations that were instructed by the EDPB in its binding decisions.” The regulator explains why it takes issue with this statement:

Regarding national independent authorities, the EDPB does not have a general oversight role comparable to that of national courts, nor is it permitted to order and instruct such authority to conduct an unrestricted and speculative investigation. In light of this, the instruction is problematic from a legal standpoint and does not seem to follow the GDPR’s guidelines for collaboration and consistency. The DPC believes it is appropriate to file an action for annulment before the Court of Justice of the EU in order to request the setting aside of the EDPB’s instructions in the event that the directive may represent an overreach on the part of the EDPB.

What the EU General Court will do with the DPC’s complaint is still up in the air.

However, the court last month decided that WhatsApp’s legal challenge of an earlier EDPB binding decision on a different GDPR inquiry, which similarly significantly increased the level of enforcement it would have faced from an earlier DPC draft ruling, was inadmissible.