2023 began with the imposition of up to 390 million euros in fines by the Irish Data Protection Commission – DPC – against Meta, the technology multinational founded by Mark Zuckerberg and owner of social networks such as Facebook, Instagram or WhatsApp.
They are not the first sanctions that the firm receives for violating some aspect of the General Data Protection Regulation, the GDPR, but these fines have much more background.
Behind them is at stake something as sensitive as the very business model of a powerful multinational that is experiencing difficult times,” they announced. 11,000 layoffs a few weeks ago—and that for just over a year has defended being focused on the creation of the metaverse.
On the other hand, these sanctions have also served to demonstrate for the first time the hostilities between the Irish DPC and the rest of the data protection agencies of the member states of the European Union. Several voices criticize, from Brussels and from the rest of the capitals, that the DPC is too lax with the technological multinationals.
All this marks a turning point on a rule, the GDPR, which had become an international benchmark when it comes to offering guarantees in the processing of personal data, but which had also shown signs of exhaustion in parts of its articles. Above all, due to this disparity of criteria between national agencies who ensure compliance.
All this in one year, 2023, in which the GDPR will celebrate its fifth anniversary. How did you get to this situation? What can change from now on?
An Irish decision on Facebook, the start of hostilities against the agencies of other EU countries
The sanctions of 390 million euros that were known at the beginning of the year are distributed in 210 million to Facebook and 180 million to Instagram, but they could go up. WhatsApp could also be penalized imminently, raising the amount of the fines for Meta, which already reserved up to 3,000 million of your budget to deal with them.
What the Irish DPC was settling in this case is the legal basis with which Meta, both on Facebook and Instagram, collects the personal data of its users to serve them personalized advertising. It all started with some complaints filed by Max Schrems, an activist in defense of privacy, on May 25, 2018.
That day the GDPR came into force. and in the early hours of that same day, both Facebook and Instagram introduced a clause in their terms and conditions. The GDPR requires platforms to collect the personal data of their users only if they have their explicit consent. Meta tried to get around this new requirement with that clause.
The clause stated that offering personalized advertising based on the personal data of users is part of a “service” that the platform provides to Internet users. It is similar to what tried TikTok a few months ago: The short video social network only serves personalized advertising to those users who explicitly consent to it in their settings menu.
The TikTok attempt was halted after it various data protection agencies They will show their misgivings about an imminent change in their privacy policies.
In the case of Meta there was no time. The update of the terms and conditions was carried out at dawn and only Schrems, president of an association in defense of the privacy of European users called Noyb, filed that complaint with the Austrian data protection agencythat referred the case to the Irish DPC.
Austria referred the case to Ireland because the GDPR contemplates a “one-stop-shop” principle whereby the competent national data protection agency is the one where the company is based. In the case of the European Union, most of the large technology multinationals settle in Ireland thanks to its tax advantages.
Ireland presented a draft resolution in 2021. In that draft resolution a fine of between 28 and 36 million euros was contemplated for Meta. However, several data protection agencies —Austrian, German, French, Italian, Dutch, Norwegian, Polish, Portuguese and Swedish— filed objections to that resolution.
In the absence of consensus, Ireland turned to the European Data Protection Board, EDPB for its acronym in English. The EDPB is the body in Brussels that brings together all the data protection agencies of the member countries. Ireland understood that only 10 of the more than 40 agencies had an objection about your resolution.
The EDPB responded with a sledgehammer.
Ireland continues to favor Meta after the resolution of the European Committee for Data Protection, according to Noyb
The EDPB advanced its decision on the case of Ireland against Meta in December 2022. It took for granted that the legal basis with which Meta collected the personal data of its users to serve them personalized advertising has been illegal since 2018 and raised the fines, from 36 million to the 390 million that are now known.
Although the EDPB handed over its deliberation to the Irish DPC, the document never reached Noyb, Max Schrems’ association, which is a party to the process. Instead, the DPC waited until the first days of January to communicate that it accepted the EDPB guidelines and announced it through a press release.
Noyb, for his part, could not access the final decision of the DPC with the adaptations of the EDPB until several days later, on January 11. The reaction from the activist platform on the resolution: “It seems like when a student does not care about their homework mistakes and is limited to copying the teacher’s correction”.
The decision of the Irish DPC with the fixes of the European Committee for Data Protection also brought surprises. For example, postponed the start of the 3-month period for a few days that is given to the multinational to correct the deficiencies detected when obtaining the consent of its users to collect and process their data.
Other evidence for Noyb of the alleged advantages that the Irish DPC offers Meta is the amount of the fines. On Facebook, for example, the EDPB – the European Committee – only demanded “significantly higher” fines. But from the original 36 million it has only jumped to 210 millionexposes the Austrian association.
On the other hand, Ireland limits itself to stating that the illegality of collecting data from its users only occurs in those cases in which data was extracted to serve advertising. Noyb is not convinced: he understands that the consent basis to collect data was illegal both to serve advertising as for any other function of the platformbe it Facebook or Instagram.
It doesn’t stay there. In its decision, the EDPB entrusted Ireland with the need to investigate all the data processing of Facebook and Instagram, as well as the special categories of data -the most sensitive-, to find out whether or not this information should have been processed in accordance with the lack of legal basis to have the consent of its users.
Ireland, far from accessing itunderstands that the EDPB is exceeding its functions, leading an interference against the DPC that would only be acceptable if it were practiced from a national court of that country, and consequently announced an appeal for annulment before the Court of Justice of the European Union (CJEU).
The dependence on Ireland becomes a weak point of the GDPR and the situation of Meta in the EU is very affected
The conflict has become explicit again, and can sink its roots in the same comparative legislation. Noyb, the platform that filed the complaint against Facebook and Instagram in May 2018, outlines a future appeal against the Irish DPC decision, even with the corrections made by the EDPB, as long as it is limited to the legal basis of consent for the advertising.
Noyb, in his complaint in 2018, also raised as problematic the clause with which the legal basis was claimed to guarantee the consent of users to receive content adjusted to their usage habits and their personal data, for example.
“The underlying conflict is that under Austrian or German law, the complaint defines the approach of the procedure, while the DPC understands that under Irish law, the focus of the process must be limited to the complaint”explains the platform led by the privacy activist Max Schrems.
The case of Facebook and Instagram has highlighted the tensions that the Irish DPC lives with its analogues. It is a problem that civil organizations in Ireland have also diagnosed. A study by an organization determined months ago how 98% of the data protection claims received by the DPC had not been resolved.
To the laxity of which this Irish agency is accused, we must add the problems that the agency has to face a reality: the majority of foreign technology companies establish their European subsidiary in Ireland. This means that with resources comparable to those of an agency in another country of the European Union, Ireland has to assume a huge workload.
In recent months they have tried to correct this problem known as the Irish bottleneck. One of the senior officials of the European Data Protection Supervisor, the data protection ‘agency’ of the European institutions, raised exactly one year ago that 2022 would be key to improve those shortcomings of the GDPRbut so far no progress has been made.
At the same time, the situation of Meta in Europe is delicate. still remains to know a sanction for a similar cause about WhatsApp, but right now the firm founded by Mark Zuckerberg has until April to find an alternative to collect the consent of your users explicitly to process your data.
In recent months Washington and Brussels have begun work on achieving a new transatlantic agreement that guarantees data transfers. The GDPR understands that the personal data of European users can leave the continent towards “safe ports” that give the same guarantees to data processing than those offered by Brussels with the GDPR.
However, the Court of Justice of the EU ruled that the US should no longer be considered a safe harbor, knocking down the framework that covered the transfers until then. As a result of this, Meta has insisted annually to the US market regulator, the SEC, on the need to reach a new agreement. On the contrary, would be forced to leave Europe.
The need for another legal basis to seek explicit consent from European users, as evidenced by the EDPB and Ireland’s decision, is unlikely to lead Meta to threaten again with his departure from the Old Continent. But it is true that these resolutions come in the most delicate moment for the technology company.
We would like to thank the writer of this article for this awesome content
Facebook’s tricks to extract your data in Europe trigger tension between Ireland and the rest of the countries and show the weak point of the GDPR