A recent decision by the Irish Data Protection Commission (“DPC“) imposing a record €405 million fine provides clarification on the lawfulness of processing children’s personal data in accordance with the legal bases of ‘performance of contract’ and ‘legitimate interest’.
On 2 September 2022, the DPC imposed a record €405 million GDPR fine on Instagram (Meta Platforms Ireland Limited (“Meta IE“)) (the “Decision”), the second highest fine (after Luxembourg’s regulators issued a fine of €746 million last year) since the GDPR came into effect, and the largest fine to date issued by the DPC.
This is the first EU-wide decision on children’s data protection rights and highlights the specific protection merited with regards to the processing of children’s personal data.
Meta IE intends to appeal this decision.
Following a breach notification made to the DPC in June 2019, the DPC launched an own-volition inquiry into Instagram’s user registration process. The investigation focused on children between the ages of 13 and 17, the operation of Instagram business accounts, and how such accounts automatically displayed contact information (email addresses and/or phone numbers) of children publicly.
The DPC found that Meta IE, among other things:
- Failed to process data in a fair and transparent manner;
- Failed to take measures to provide child users with information using clear and plain language in relation to the purposes of the data processing;
- Lacked appropriate technical and organisational measures regarding the purpose of processing;
- Failed to conduct a Data Protection Impact Assessment where processing was likely to result in a high risk to rights and freedoms of child users of Instagram; and
- Failed to establish a legal basis for processing the contact information data.
Following its investigation, in December 2021, the DPC circulated its draft decision (the “Draft Decision”) to Concerned Supervisory Authorities (“CSA”) under Article 60 of the GDPR. A number of CSAs (France, Germany, Finland, Italy, the Netherlands and Norway) raised objections in relation to the DPC’s assessment of matters. As these could not be resolved, Article 65 of the GDPR (Dispute resolution by the Board) was triggered. The DPC’s Draft Decision was referred to the European Data Protection Board (“EDPB“) for a binding decision.
The Decision, which adopts the EDPB’s binding decision is a lengthy 248 pages and contains important lessons and interesting nuances as to how Articles 5(1)(a) and (c), 6(1), 12(1), 25(1) and 35(1) GDPR should be complied with. The EDPB’s analysis of Article 6(1) is particularly noteworthy as this is the EDPB’s first binding decision on the lawfulness of processing personal data.
Analysis of Article 6(1)
In its submissions, Meta IE indicated that it relied on one of two legal bases, Article 6(1)(b) (performance of a contract) and Article 6(1)(f) GDPR (legitimate interests) for the processing of contact information of child users.
The DPC in its Draft Decision was satisfied that the processing of the contact information of child users could be necessary for the performance of a contract in line with Article 6(1)(b) GDPR and that the processing of the contact information of child users could be lawful on the basis of Article 6(1)(f) GDPR in respect of some of the child users at issue and that no infringement had occurred. This assessment of Article 6(1) gave rise to some of the objections issued by CSA and the EDPB analysed this further.
The EDPB in its analysis noted that the prerequisite for reliance on Article 6(1)(b) GDPR is that the processing must take place in the context of the performance of a contract and that it is implied that a controller must be able to demonstrate that: (i) a contract exists; and (ii) the contract is valid pursuant to applicable national contract laws.
Relying on CJEU case law the EDPB considered that the concept of necessity has an independent meaning in EU law, which must reflect the objectives of data protection law. The EDPB expressed that the assessment of what is necessary involves, among other things, a strict interpretation of the necessity requirement, mutual understanding by the parties, processing that is genuinely and objectively necessary for the performance of a contract and determining the exact rationale of the contract and the particular aim, purpose, or objective of the service.
The EDPB in its analysis noted that Article 6(1)(f) GDPR is clear when it states that the legitimate interests are not those of the data subject but are the legitimate interests of the controller or a third party. Relying on CJEU case law the EDPB confirmed that three cumulative conditions must be met in order for processing to be lawful under Article 6(1)(f): (i) existence of a legitimate interest; (ii) the necessity of the processing for the purpose of the legitimate interests; and (iii) balancing exercise of fundamental rights and freedoms.
The EDPB considered that a legitimate interest pursued by a controller must be determined in a sufficiently clear and precise manner and be real and present, corresponding to current or future activities or benefits. Due to the lack of specificity here, the EDPB could not assess whether the interests argued were acceptable but went on to provide its view on the second and third conditions.
On the necessity of the processing, the EDPB considered that the approach adopted by the DPC was substantially erroneous as it failed to analyse whether other less intrusive means were available to effectively achieve the objectives pursued. In evaluating the risks of intrusion on the data subject’s rights the EDPB stated that the decisive criterion is the intensity of the intervention for the rights and freedoms of the individual. Given the lack of appropriate measures to address the risks (e.g. possible communication between child users and dangerous individuals), the lack of proper information to data subjects regarding publication and its consequences and the impossibility to opt-out from the publication, the legitimate interests pursued were overridden by the interests and fundamental rights and freedoms of child users. The EDPB made clear that it is not impossible for a controller to rely on Article 6(1)(f) GDPR where the requirements of the GDPR are met and that a well-designed and workable mechanism for opt-out could play an important role in safeguarding the rights and interests of the data subjects.
The EDPB found that the processing of the contact information of child users was not necessary for the performance of a contract or Meta IE’s legitimate interests. It ruled that Meta IE could not rely on Articles 6(1)(b) or 6(1)(f) GDPR as a legal basis and that, in processing children’s data, Meta IE had acted unlawfully. The EDPB instructed the DPC to change its Draft Decision on this basis and to re-assess the envisaged corrective measures.
In amending its Draft Decision and adopting the EDPB’s binding decision, the DPC fined Meta IE €405 million, which includes €170 million for infringements of Article 12(1) and €20 million for infringements of Article 6(1). In addition, the DPC imposed a reprimand formally recognising the serious nature of the infringements and to dissuade non-compliance with the GDPR and an order requiring Meta IE to bring its processing into compliance within three months of the decision.
Under Article 60 and 63 GDPR, data protection authorities may refer issues that implicate multiple Member States to the EDPB to adopt a binding decision in accordance with Article 65. Through the GDPR’s consistency mechanism, proposed fines have typically been increased by the EDPB, reducing the appeal of forum shopping and resulting in significant fines.
As part of its binding decision, the EDPB further clarified when companies can rely on Articles 6(1)(b) and 6(1)(f) GDPR. Companies that process personal data should ensure their policies align with the EDPB’s new guidance.
Children merit specific protection with regard to their personal data and companies targeting children have to be extra careful.
The DPC also looked at the question of whether the DPC was competent to act as lead supervisory authority and was satisfied that the requirements of Article 56 GDPR were met in relation to the processing at issue. In particular, the processing was cross boarder in nature, and that “Facebook Ireland Limited” was the controller of the processing in connection with the Instagram service in the European Union and that “Facebook Ireland Limited” has its main establishment in Ireland for the purposes of the GDPR.
The level of the fine is significant and could have a bearing on the size of future fines. The fine is the third GDPR fine that the DPC has imposed on Meta IE within the last year.
The full Decision is available here.
Please get in touch with any member of the European data protection team if you have any questions about the decision and it impact on your organisation.