Data Protection Commission Ireland decision on Meta legal basis for targeted advertising is out - What do you need to know?
Issue 1: Can Facebook rely on Article 6(1)(b) GDPR as a lawful basis for processing personal data with respect to its Terms of Service? (Answer: No; and in the absence of an alternative legal basis, Facebook has violated the Art 6(1) obligation to have a valid legal basis)
Issue 2: Did Facebook provide the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR, and did it do so in a transparent manner? (Answer: No, and given the severity of the violation this rises to a breach of the GDPR Art 5 principle of fairness)
Result: Meta must bring its processes (legal basis) and documents (privacy notice etc.) into compliance within three months.
Issue 1 – Can Facebook rely on Article 6(1)(b) GDPR as a lawful basis for processing personal data with respect to its Terms of Service? (Answer: No; and in the absence of an alternative legal basis, Facebook has violated the Art 6(1) obligation to have a valid legal basis)
On determining a legal basis:
- The fact that all legal bases are created equal (in standing) doesn’t mean that a controller has absolute discretion to choose the legal basis that better suits its commercial interests. The controller may only rely on one of the legal bases established under Article 6 GDPR if it is appropriate for the processing at stake. The legal basis will not be appropriate if its application to a specific processing defeats the practical effect (“effet utile”) pursued by the GDPR and its Article 5(1)(a) and Article 6.
- As an aid to deciding whether Article 6(1)(b) GDPR is an appropriate lawful basis, and in particular in considering the scope of the relevant contract, the EDPB suggests asking: (1) What is the nature of the service being provided to the data subject? (2) What are its distinguishing characteristics? What is the exact rationale of the contract (i.e. its substance and fundamental object)? (3) What are the essential elements of the contract? (4) What are the mutual perspectives and expectations of the parties to the contract? (5) How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect?
- Per EDPB guidance: “as a general rule, processing of personal data for behavioral advertising is not necessary for the performance of a contract for online services. Normally, it would be hard to argue that the contract had not been performed because there were no behavioral ads. This is all the more supported by the fact that data subjects have the absolute right under Article 21 to object to processing of their data for direct marketing purposes.”
- The EDPB has set out that processing cannot be rendered lawful by Article 6(1)(b) GDPR “simply because processing is necessary for the controller’s wider business model”.
- The EDPB has also acknowledged that “personalisation of content may (but does not always) constitute an essential or expected element of certain online services”.
- Evidence of the expectation of privacy of the users is also an important consideration in analyzing both contractual necessity and the Art 5 principle of “fairness”: In this case, a poll indicates that only 1.6% to 2.5% of the 1,000 respondents, who are Facebook users, understood the request to accept the Facebook Terms of Service to be a “contract” that provides them with a contractual right to personalized advertisement.
- A reasonable user cannot expect that their personal data is being processed for behavioural advertising simply because Meta IE briefly refers to this processing in the Facebook Terms of Service. “Wider circumstances” or “recognised public awareness of behavioural advertising” derived from its “widespread prevalence” do not change this.
- The complexity, massive scale and intrusiveness of the behavioural advertising practice are relevant facts to consider in assessing the appropriateness of Article 6(1)(b) GDPR as a legal basis for behavioural advertising, and to what extent reasonable users may understand and expect behavioural advertising when they accept the Terms of Service and perceive it as necessary for delivery of the service.
- In view of the characteristics of behavioural advertising, coupled with the very brief and insufficient information that Meta provides about it in the Facebook Terms of Service and Data Policy, the EDPB finds it extremely difficult to argue that an average user can fully grasp it, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on the Facebook Terms of Service.
- The first condition to be able to rely on Article 6(1)(b) GDPR as a legal basis to process the data subject’s data is that a controller, in line with its accountability obligations under Article 5(2) GDPR, has to be able to demonstrate that (a) a contract exists and (b) the contract is valid pursuant to applicable national contract laws.
- SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract’s general validity insofar as this is relevant to the fulfillment of their tasks under the GDPR. If a contract is not valid, then there is no legal basis.
- Processing of personal data that is based on what is deemed to be an unfair term under Directive 93/13/EEC on unfair terms in consumer contracts will generally not be consistent with the requirement under Article 5(1)(a) GDPR that the processing is lawful and fair.
On dominant position and “take it or leave it”:
- The fact that Meta has a dominant position in the domestic market for online social networks for private users “does play a role in the assessment of the freedom of consent and in the assessment of reliance on Article 6(1)(b) GDPR for a service and its risks to data subjects”.
- Users are given a take-it-or-leave-it choice: either agree to terms that limit their right to determine the processing of their personal data and give up the right to opt out of direct marketing, or be unable to communicate with millions of users. This adversely affects freedom of expression and information.
On Contractual necessity:
- Merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b).
- Regard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject.
- The main purpose for which users use Facebook and accept the Facebook Terms of Service is to communicate with others, not to receive personalized advertisements.
- The controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract.
- The fact that the Facebook Terms of Service do not provide for any contractual obligation binding Meta IE to offer personalized advertising to the Facebook users and any contractual penalty if Meta IE fails to do so shows that, at least from the perspective of the Facebook user, this processing is not necessary to perform the contract.
- Meta IE’s business model of offering services at no monetary cost to the user, generating income through behavioral advertising to support its Facebook service (among others), does not make this processing necessary to perform the contract. Under the principle of lawfulness of the GDPR and its Article 6, it is the business model which must adapt itself and comply with the requirements that the GDPR sets out in general and for each of the legal bases, and not the reverse.
- Assessing what is “necessary” involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. If there are realistic, less intrusive alternatives, the processing is not “necessary”.
- Article 6(1)(b) GDPR will not cover processing that is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.
- In this case, there are less invasive options, such as contextual advertising based on geography, language and content, which do not involve intrusive measures such as profiling and tracking of users.
- The absolute right available to data subjects, under Article 21(2) and (3) GDPR, to object to the processing of their data (including profiling) for direct marketing purposes further supports the consideration that, as a general rule, the processing of personal data for behavioral advertising is not necessary to perform a contract. The processing cannot be necessary to perform a contract if a data subject has the possibility to opt out of it at any time, without providing any reason.
- The behavioral advertising performed by Meta IE in the context of the Facebook service is objectively not necessary for the performance of Meta IE’s alleged contract with data users for the Facebook service and is not an essential or core element of it.
- Meta IE has inappropriately relied on Article 6(1)(b) GDPR to process the Complainant’s personal data in the context of the Facebook Terms of Service and therefore lacks a legal basis to process these data for the purpose of behavioral advertising.
- In the absence of an alternative legal basis, Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data.
Issue 2 – Did Facebook provide the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR, and did it do so in a transparent manner? (Answer: No)
- “Controllers should make sure to avoid any confusion as to what the applicable legal basis is”, and this is “particularly relevant where the appropriate legal basis is Article 6(1)(b) GDPR and a contract regarding online services is entered into by data subjects”, because “[d]epending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) GDPR when signing a contract or accepting terms of service”.
- Article 13 does clearly require that the purposes and legal bases must be specified in respect of the intended processing. Purposes and legal bases cannot simply be cited in the abstract, detached from the personal data processing they concern.
- Absence of any level of specificity as to what the data controller is doing with the data, and more fundamentally what data they are processing at all, would render information on the purposes of this unspecified processing almost useless to a data subject.
- In the absence of information on the nature of the data being used and the nature of the processing being carried out, it would be nigh on impossible to exercise data subject rights in an informed manner. Such an absence of transparency and accountability could not be reconciled with a purposive or systematic reading of the GDPR.
- Having access to the information required by Article 13(1)(c) GDPR in conjunction with the category/categories of personal data being processed is essential if the data subject is to be empowered to hold the data controller accountable for compliance with the Article 5(1)(b) GDPR purpose limitation principle.
- The information provided must set out: the purpose(s) of the specified processing operation/set of processing operations for which the (specified category/specified categories of) personal data are intended, and the legal basis being relied upon to support the processing operation/set of operations. In that information, there should be a clear link between the specified category/categories of data, the purpose(s) of the specified operation(s), and the legal basis being relied on to support the specified operation(s).
- A controller is entitled to provide additional information to its user above and beyond that required by Article 13 and can provide whatever additional information it wishes. However, it must first comply with more specific obligations under the GDPR, and then secondly ensure that the additional information does not have the effect of creating information fatigue or otherwise diluting the effective delivery of the statutorily required information.
- Relevant information for the purposes of Article 13(1)(c) GDPR must be provided by reference to the processing operations themselves.
- Even if variations of the same information in several documents aren’t of themselves noncompliant, they are not compliant when they amount, in practice, to statements about services and objectives that are not linked to specified processing operations and which do not provide meaningful information to the data subject on the core issues identified in Article 13 GDPR.
- It has to be possible to identify what processing operations will be carried out in order to fulfill the objectives that are repeated throughout the documents, and the legal basis for such operations. In the absence of such information, the user is left to guess as to what processing is carried out on what data, on foot of the specified lawful bases, in order to fulfill these objectives, and that is not sufficient information under Art 13 GDPR.
- Prefacing things with “such as”, and describing location-based information as “things like…”, are clear examples of the open-ended language that is not conducive to the provision of information in a transparent manner.
Meta IE infringed its transparency obligations under Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR by not clearly informing the Complainant and other users of the Facebook service’s specific processing operations, the personal data processed in them, the specific purpose they serve, and the legal basis on which each of the processing operations relies.
Issue 3: Do the violations amount to a breach of Art 5(1)(a) GDPR Principle of Fairness (Answer: Yes)
- Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject.
- Among the key fairness elements that controllers should consider in this regard are the autonomy of the data subjects, data subjects’ expectations, power balance, avoidance of deception, and ethical and truthful processing.
- “The principle of fairness includes, inter alia, recognising the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller.”
- A fair balance must be struck between, on the one hand, the commercial interests of the controllers and, on the other hand, the rights and expectations of the data subjects under the GDPR.
- Lack of transparency can make it almost impossible in practice for the data subjects to exercise an informed choice over the use of their data, which is in contrast with the element of “autonomy” of data subjects as to the processing of their personal data.
- One of the elements of compliance with the principle of fairness is avoiding deception, i.e. providing information “in an objective and neutral way, avoiding any deceptive or manipulative language or design”.
- Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data.
- Processing cannot be regarded as ethical and truthful if it is confusing with regard to the type of data processed, the legal basis and the purpose of the processing, which ultimately restricts the users’ possibility to exercise their data subject rights.
- In this particular case, the breach of Meta IE’s transparency obligations is of such gravity that it clearly impacts the reasonable expectations of the Facebook users by confusing them on whether clicking the “Accept” button results in giving their consent to the processing of their personal data.
- Considering the seriousness of the infringements of the transparency obligations by Meta IE already identified in the Draft Decision and the related misrepresentation of the legal basis relied on, the EDPB agrees with the IT SA that Meta IE has presented its service to the Facebook users in a misleading manner, which adversely affects their control over the processing of their personal data and the exercise of their data subjects' rights. Therefore, the EDPB is of the opinion that the IE SA’s finding of breach of Article 5(1)(a) GDPR with regard to the principle of transparency should extend to the principle of fairness too.
- The combination of factors, such as the asymmetry of information created by Meta IE with regard to Facebook service users, combined with the “take it or leave it” situation that they are faced with due to the lack of alternative services in the market and the lack of options allowing them to adjust or opt out from a particular processing under the contract with Meta IE, systematically disadvantages Facebook service users, limits their control over the processing of their personal data and undermines the exercise of their rights under Chapter III of the GDPR.
Meta must, within three months:
- bring the Data Policy and Terms of Service into compliance with Articles 5(1)(a), 12(1) and 13(1)(c) GDPR as regards information provided on: (i) data processed pursuant to Article 6(1)(b) GDPR as well as (ii) data processed for the purposes of behavioral advertising in the context of the Facebook service, in accordance with the principles set out in this Decision.
- take the necessary action to bring its processing of personal data for the purposes of behavioral advertising, in the context of the Facebook Terms of Service, into compliance with Article 6(1) GDPR in accordance with the conclusion reached by the EDPB. Per the DPC, such action may include, but is not limited to, the identification of an appropriate alternative legal basis, in Article 6(1) GDPR, for the processing, together with the implementation of any necessary measures, as might be required to satisfy the conditionality associated with that/those alternative legal basis/bases.
Technology, AI, & Data Privacy Attorney | Manager, Responsible AI @Accenture
1 year: Thanks for sharing Odia Kagan!
Privacy, Ethics and Trust, Data Protection, Data Governance, Consent Management, International Data Transfer, DPO as a Service, IAPP Member, CLIP BS 10012-2017 PIMS GDPR, EU GDPR Institute DPO Certified, DCPP Trained by DSCI
1 year: Thank you so much for sharing an excellent insight into the decision….
Privacy & Digital Trust Leader | Commercial GTM Architect | Consultant DPO | Keynote Speaker | Podcaster | Advancing Trust in the Digital Age
1 year: What is going to be very interesting is what Meta will do (and indeed how) in the course of these next 3 months. Obviously, this was the likely outcome, so presumably they have been planning for an alternative legal basis. But no easy task given the extent, depth, and breadth of the - illegal - processing activities. Also I believe Mr. Schrems and NOYB are planning their next steps accordingly…
Attorney, CPA, FIP, AIGP, CIPT, CIPM, CIPP E / US, Certified Privacy Engineer
1 year: Thank you for this terrific synopsis. You’re the gold standard in such matters.
Senior advisor in data protection / infosec / cybersec / privacy enhancing technologies
1 year: Thank you Odia as always. Now I would like everyone to discuss / explain the lawfulness of their Facebook page: the municipalities, doctors, real estate agents (and authorities in general).