The Data Protection Commission of Ireland was driven by the European Data Protection Board (EDPB) to issue an enforcement decision against Facebook and Instagram which proscribes their processing of personal data for targeted advertising absent the user’s informed, freely given, specific, and withdrawable consent. The Irish regulator also fined the two companies an aggregate penalty of 390 million Euros.
The Irish Commission’s draft decision also found that Facebook violated GDPR obligations regarding transparency to data subjects, by failing to provide sufficient information about what personal information it processes, how it processes it, and the legal basis for that processing. These violations translated into a proposed fine in the range of 28 million to 36 million Euros.
Yet data protection authorities throughout the European Union submitted a series of objections to the draft decision of the Data Protection Commission of Ireland. The authorities initiated special proceedings to settle their disagreements within the European Data Protection Board (EDPB). As a result of these proceedings, the EDPB ordered the Commission in Ireland to dismiss Facebook’s assertions about the legal basis of “the performance of a contract”. According to the EDPB, the only legal basis that supports the processing of data for targeted ads is the user’s consent. Facebook and Instagram were given three months to adjust their activity to these requirements.
The EDPB also demanded that the Commission in Ireland open a broader investigation into all privacy practices of Facebook and Instagram, including their processing of sensitive personal information. The Commission in Ireland fiercely objected because the EDPB does not have the legal power to order the Commission in Ireland to launch this investigation.