It may not come as a surprise to many, but it is clear regulatory focus has now turned to personalised advertising. As 2022 drew to a close, the French Data Protection Regulator (the CNIL) fined Apple €8 million for breaching e-privacy rules in respect of the collection of data from user devices in order to serve personalised advertising, while 2023 began with an eye-watering €390 million fine for Meta Ireland (made up of €210 million for Facebook and €180 million for Instagram) from the Irish Data Protection Commission (IDPC).
This decision is the outcome of a lengthy, ongoing IDPC investigation dating back nearly 5 years. Two complaints were filed on 25 May 2018, the day the GDPR came into force, which led to the IDPC investigation into whether Meta had a lawful basis for its processing of user personal data in connection with the provision of its services.
As this was a cross-border issue, the IDPC was the lead supervisory authority, but the “One Stop Shop” mechanism set out in Article 60 of the GDPR required the IDPC to seek opinions on its draft decision from other “interested” supervisory authorities, known as Concerned Supervisory Authorities (CSAs).
In the draft decision:
(i) the IDPC found Meta was in breach of the transparency principle as they did not make it clear to users what lawful basis they were relying on to provide their service. The proposed fine for this breach was up to €36 million.
(ii) the IDPC did seem to think it was possible for Meta to rely on contractual necessity for the processing of user personal data for the delivery of its services (including ad personalisation). See our article from the time of the draft decision here.
The CSAs agreed with point (i) that Meta was in breach of the transparency principle but felt the fine was too low and should be increased. As for point (ii), ten of the 47 CSAs objected to Meta being able to rely on contractual necessity as a legal basis. As agreement could not be reached on the latter point, the decision was referred to the European Data Protection Board (the EDPB), as required under the GDPR, for final determination.
On 5 December 2022, the EDPB issued its determination and, while many CSA objections were rejected, it did agree with the CSAs on point (ii), i.e. that Meta could not rely on contractual necessity. The EDPB went on to require the IDPC to increase the amount of the proposed fines and, to exacerbate matters, then directed the IDPC to carry out a new investigation into the use of special category data in connection with the provision of Facebook and Instagram services. The IDPC retained its requirement that Meta must ensure its processing operations are compliant with the GDPR within 3 months.
The upshot of all this is that the IDPC is less than happy (see the final paragraph of the press release) and Meta is not happy (see the blog published on its website) and has made it clear it will be appealing both the fines and the substance of the rulings.
The EDPB determination also touched on whether consent was the only lawful basis on which Meta could rely, although it did not give a concrete view other than to say that it considered the CSAs’ argument that Meta could only rely on consent to be relevant and reasoned. If this decision is upheld, it will be interesting to see whether other platforms look to rely more on legitimate interest as a lawful basis, especially as the ICO, in its latest direct marketing guidance, appears more open to the possibility of relying on legitimate interest in certain scenarios, subject to strict parameters around enhanced transparency and easy opt-outs. We suspect for Meta this may be a challenge due to the nature of the data being processed in connection with its service (i.e. special category data) but let’s see. It is clear this is far from over yet, so watch this space!
As for the CNIL, on 29 December 2022 it fined Apple Distribution International €8 million for breaching Article 82 of the French Data Protection Act by not obtaining the consent of French iPhone users (iOS version 14.6) before dropping identifying tags on their devices for advertising purposes. The CNIL found that under the old version 14.6 of the iPhone operating system, when a user visited the App Store, identifiers used for several purposes, including personalisation of ads on the App Store, were dropped by default on the user’s device without obtaining consent. Moreover, it was far more complicated for the user to deactivate this setting – as we know from previous experience, this is a big no-no for the CNIL, so the resulting fine was imposed. Apple plans to appeal this decision.
For further analysis on what these decisions mean for you, keep an eye out for our expert Bryony Long’s forthcoming article for Practical Law Company.