Joe Jones
Jan 11 54 tweets 12 min read
📢JUST IN (from @NOYBeu): @DPCIreland's decisions on Instagram and Facebook:

- Facebook: noyb.eu/sites/default/…
- Instagram: noyb.eu/sites/default/…

I'm reading and live-tweeting my hot-takes (starting with the 196-page Instagram decision)!
But before that, (re-)familiarizing myself with IAPP's recent infographic on legal bases! iapp.org/media/pdf/reso…
Issue 1: does hitting 'agree to terms' button count as #GDPR consent (Meta said it didn't intend it to count as consent... @noyb said the button was 'forced' consent and misleading): DPC agreed with Meta
'agree to terms' = agreeing to terms
'agree to terms' ≠ consenting to data processing
In case you read the above as 1-0 to Meta and all too straightforward... @noyb then argued that Meta MUST rely on consent and that, if Meta says the 'agree to terms' button wasn't intended to be consent, the processing by Meta was unlawful!
(sidebar: in all of this the @DPC reminds us that there is no hierarchy among the six legal bases. All created equally, all with different qualities: iapp.org/media/pdf/reso…)
Back to consent, DPC decides in favor of Meta (does that make it 2-0 or still 1-0?): Art. 6 of the #GDPR does not require different data processing activities to be based on consent (or, I assume, and by extension, based on other legal bases...)
Issue 2: could Meta rely on 'performance of a contract' as a legal basis? (Now it gets tricky) Worth re-capping who said what, before getting into the DPC's decision
@noyb argued Meta could NOT rely on performance of a contract for personalized content/ads as that was not 'necessary' for the contract (noyb accepted performance of a contract COULD be used for the nuts and bolts of Instagram as a social network, just not for personalized stuff)
Meta argued that what is 'necessary' for a contract ≠ what is 'strictly essential' to that contract and that it's a matter for the parties to the contract (and that contracts don't need to be in the data subjects' interests)
For the DPC, three things were important to define/work out:
1. What is a 'contract' from the point of view of privacy law?
2. What is 'necessary' to perform that contract?
3. What does it mean to 'perform' the contract?
(Sidebar: EDPB guidelines from 2019 on 'performance of a contract' are back in vogue! edpb.europa.eu/sites/default/…)
DPC analysis on 'necessary' is super interesting: necessity means more than complying with the clauses in the contract... it 'must be necessary to fulfil the core agreement.' Cue: a DP regulator looking into the 'core function' of a contract!
(Delayed follow-up - was looking for past precedent of DP regulators delving into the specific terms of a contract - paragraphs 96-104(ish) - does anyone have any?)
DPC (read: EDPB): 'as a *general rule*, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online service' ... rules (especially general rules) have exceptions ...
The DPC's 'preliminary' and 'provisional' view was that Meta could depart from the general rule - i.e., the core service of Instagram is 'premised on' personalized ads = Meta could rely on performance of a contract . . . this COULD have made it 3-0 to @Meta vs @noyb
That third goal has to go to VAR - reviewing the DPC's 'preliminary' and 'provisional' view are the European DPAs. There's a split decision -- Austria, Germany, Spain, Finland, France, Hungary, the Netherlands, Norway and Sweden disagree with the Irish DPC
EDPB: "it is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance"
and then concludes Meta's processing for personalized ads is not necessary for the performance of a contract because:

1. Instagram's Terms of Use don't contain ANY contractual obligations that bind Meta Ireland to offer personalized ads to users, and...
2. Meta Ireland's business model doesn't make it necessary - i.e., providing services at no monetary cost for users but generating income via personalized ads
EDPB and other DPAs then offer up 'realistic, less intrusive alternatives' to personalized advertising - e.g., advertising based on geography, language and content
DECISION OVERTURNED. DPC's preliminary and provisional draft decision is overturned. Meta cannot rely on performance of a contract. I think that now makes it @Meta 2 - 1 @noyb
Issue 3: did Meta provide sufficient notice and did they do so transparently, for the purposes of personalized ads?
(Essential pre-reading for this bit: iapp.org/news/a/transpa…)
Always good to come back to Recital 60 of the #GDPR: "The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes."
and then this from the @DPCIreland: "a failure by a controller to adhere to the transparency requirements is likely to have the direct result that the data subject is misled." Short and sweet.
The DPC was not a fan of tick-boxing through the notice requirements via a layer-by-layer approach - preferring to be more 'cumulative' and 'holistic' in assessing whether notice has been given . . . do we think ChatGPT is up to the challenge @omertene?
DPC looked for a 'clear link' in Meta's notice between: 1. the specified category/categories of data to 2. the purpose(s) of the specified processing, to 3. the legal basis being relied on
DPC couldn't find that link. Instead, it found 'an oversupply of very high level, generalised information at the expense of a more concise and meaningful delivery of the essential information necessary' . . .
DPC recommends considering tables in privacy notices vs blocks of text (other formatting options are available).
My favorite quote SO FAR is "the importance of concision cannot nonetheless be overstated." 👏👏👏
DPC really did not like Meta's privacy notice... "generalised, repetitive information, in combination with [its] circular manner ... lacks clarity and concision, which in turn means it is difficult for users to identify or have meaningful information"
I sense an equalizer coming from @NOYBeu
There it is: DPC found it "impossible for the user to identify with any degree of specificity what processing is carried out on what data" ... @Meta 2 - 2 @NOYBeu
Sensing the need for a winning goal, the Italian DPA sought an ADDITIONAL finding: that Meta was in breach of the GDPR 'fairness' principle
(Some good pre-reading, this time from @ICOnews: ico.org.uk/for-organisati….)
Key elements of 'fairness' (which BTW 'underpin the entire data protection framework' so they're a big deal) are: (i) autonomy of the data subjects, (ii) data subjects’ expectation, (iii) power balance, (iv) deception, (v) ethical and truthful processing
And, while we're being fair about fairness, the EDPB recalled "that a fair balance must be struck between... the commercial interests of the controllers and... the rights and expectations of the data subjects"
📢and there it is, the winning goal...
The EDPB found that the 'gravity' of Meta's transparency breaches, that left users 'in the dark' = a breach of the fairness principle. @Meta 2 - 3 @NOYBeu
The @DPCIreland ordered Meta to bring Instagram's Data Policy and Terms of Use into compliance within 3 months ... Meta asked for more time, DPC was not persuaded as Meta is a "large multinational organisation with significant financial, technological and human resources"
and it isn't just about changing paperwork... the DPC Order is for Meta to take the "necessary action" with its processing of personal data for personalized ads/content - i.e., find and make it work with a non-contract legal basis or stop the processing.
The above is way more significant than it looks in tweet-form, especially when you recall the EDPB's words: "a controller (does not have) absolute discretion to choose the legal basis that suits better its commercial interests."
Some more back-and-forth between Meta and DPC on the three-month deadline for compliance... all setting itself up for the inevitable application for an injunction to stay the effect of the DPC decision
Oh, and there'll be fines. Sign of the times, and how far DP enforcement has come, where there are so many headlines (and hyperventilating from me) about non-fine matters
Notwithstanding the fact that the fines equal EUR 390 MILLION (levied against Meta for its Instagram and Facebook services)
The DPC's preliminary and provisional fine (remember when it was momentarily 3-0...) got ratcheted UP by the EDPB (following objections by the following DPAs who wanted higher fines: Germany, France, Italy, the Netherlands and Norway)
Relevant factors when determining the level of fine:
- relevant previous infringements
- effectiveness, proportionality and dissuasiveness of the fine (which, interestingly, can take into account the reputational impact from bad PR associated with the investigation)
- gravity of the infringement(s)
- number of people affected
- damage suffered (including 'non-material' damage)
- the intentional or negligent character of the infringement(s)
- financial / competitive benefit obtained from the infringement(s)
(Helpful IAPP resources on past enforcement issues/actions: iapp.org/tag/enforcemen…)
The DPC landed on EUR 180 MILLION for the Instagram infringements but... not before referencing its ability to fine up to 4% of Meta's total worldwide annual turnover: $4.7 billion. Oomph.
It is at this point that one ought to say 'The End.' This is big news. Very big news. Cue: uncertainty, more litigation, greater scrutiny on legal bases, and potentially more enforcement.
It's probably better to conclude this thread with... Hold onto your hats (or helmets)!
In case you thought the thread ends there... oh no, it goes ON. See here:
