The data protection commissioner (DPC) failed to investigate with “due diligence” data collection and processing at Facebook and Instagram, Europe’s most senior data regulatory body has found.
In a decision published on Thursday, the European Data Protection Board (EDPB) criticised attempts by the Irish regulator to narrow the scope of the investigation and ignore a key question raised in the original complaint, filed in Austria in 2018 under new EU data protection rules.
Facebook and Instagram adapted their terms and conditions to the new GDPR rules, making user consent to data collection a requirement for continued use of the service.
The Austrian complainant argued that this amounted to forced consent, but the DPC – in a draft decision – disagreed. It found that the social media giant breached transparency obligations but does not necessarily require the consent of its users in order to process their data and that it can rely on the argument that it is fulfilling a contract with its users to provide personalised ads.
The EDPB, a body which brings together all EU/EEA regional and national data protection regulators, ordered the DPC to reverse its previous legal position on Facebook/Instagram data collection because its “contractual” basis for data collection and personalised advertising breached EU law.
Last month it informed the DPC of three binding decisions and, last week, the Irish regulator issued a revised, final decision that reflected EDPB demands, confirming that the US companies had operated outside European law – and imposed fines 10 times higher than it originally proposed.
Facebook and Instagram, part of Meta Ireland, have been given three months to comply with the decision and alter their data collection policies.
An appeal against the decision by parties to the complaint – Meta or Austrian privacy group noyb (none of your business) – has not been ruled out.
In addition, a second legal action is likely at the European Court of Justice over whether the DPC is obliged to investigate in detail Facebook/Instagram processing of sensitive user data including political and sexual preferences.
The DPC insists this was not part of the original complaint, but both noyb and the EDPB disagree, saying the Irish regulator failed to establish the legal basis of Facebook data collection generally, and also failed to even examine specific concerns flagged by the complainant in the case of sensitive information, considered a “special category” in EU law.
“By deciding not to investigate, further to the complaint, the processing of special categories of personal data in the Facebook service, the [DPC] leaves unaddressed the risks this processing poses for the Complainant and for Facebook users,” said the EDPB in its decision. “In view of these risks to the Complainant and to other Facebook users ... the IE SA did not handle the complaint with all due diligence. The EDPB sees the lack of any further investigation into the processing of special categories of personal data as an omission.”
In her submissions, data protection commissioner Helen Dixon said that “Facebook undoubtedly does process special category data” ... but “I do not however accept that the processing of sensitive categories of personal data ... falls within the scope of this Inquiry”.
The DPC has been approached for comment.