Meta and beyond: What is next for data protection across Europe

The Irish data protection authority, the Data Protection Commission (DPC) started the year by publishing its final decision to issue a fine against Meta Platforms Ireland Limited (Meta Ireland) of €390 million in respect of GDPR breaches across its Facebook and Instagram platforms.

Our European cyber risk team discussed this decision and the wider consequences in our Meta and beyond: What is next from data protection across Europe webinar (available to view on demand at the end of this page). The webinar considered the views from Ireland, Germany, France and UK on the key trends and issues arising in data protection and the differing approaches taken by data protection authorities across Europe, the impact of Brexit, our views on the litigation risk following the Meta Ireland decision and a look into whether such fines can be insured.

€390 million fine

In advance of the GDPR coming into operation, Meta changed the terms of service for Facebook and Instagram. Users were now asked to click “I accept” to indicate their acceptance of the new terms (referred to as the “contract legal basis” for processing operations). Services were inaccessible to users if they declined to do so.

Complaints were raised by data subjects from Austria and Belgium, alleging that this essentially forced users to consent to the processing of their personal data for behavioural advertising and other personalised services, which would be a breach of the GDPR. The complaints were transferred to the DPC, which led the investigations as Meta’s EU headquarters are based in Ireland.

On 6 October 2021, the DPC issued a draft decision, concluding that the GDPR did not preclude Meta Ireland from relying on the contract legal basis as an appropriate legal basis for processing the data needed to provide personalised advertisements.

In accordance with Article 60(3) GDPR, the DPC submitted the draft decision to other supervisory authorities, concerned with the complaint. A number of European data protection authorities objected to the decision and as a result, the European Data Protection Board (EDPB) considered the matter. In December 2022, the EDPB issued binding decisions regarding Meta Ireland’s practices, in which it disagreed with the DPC and found that Meta Ireland was not entitled to process personal data relying on the contract legal basis, for the purposes of behavioural advertising and that in doing so, it was acting in contravention of Article 6(1) GDPR.

In its final decisions dated 31 December 2022 (published on 4 January 2023), the DPC incorporated the EDPB’s binding determination that Meta Ireland’s reliance on the contract legal basis to process users’ data violated the GDPR.

Meta has said that it plans to appeal the ruling.

Could this lead to a charge for premium content?

Assuming the DPC decision remains unchanged following any Meta appeal, Meta (and other companies) are going to have to rethink their stance on obtaining and processing personal data to deliver personalised advertising. One result could be a move by big tech and social media companies to start to charge for premium content. This approach has in fact been suggested in the past by the Bavarian data protection authority in Germany, which indicated that it would be open to interpreting Article 6(1)(b) of the GDPR (stating that data processing shall be lawful if the processing is necessary for the performance of a contract) to include offering premium services. However, at the time, this approach was not agreed by other German data protection authorities.

Opening the litigation floodgates?

If the final DPC decision is upheld, following any Meta Ireland appeal, there is the possibility of resulting litigation, given that social media platforms have potentially been processing user data since 25 May 2018, to achieve personalised advertising without a lawful basis under the GDPR.

We wait with interest,the decision of the Court of Justice of the European Union in Österreichische Post on whether damages should be awarded for “mere upset”. The Advocate General has tended towards a restrictive interpretation of non-material damages when giving his opinion (for more on this, view our insight here) and even if the strictest of approaches is applied, there is still a risk that litigation could follow.

In the UK, the Supreme Court judgment in Lloyd v Google established some challenges for bringing large data breach class actions in England and Wales (read our insight here). There are likely to be similar hurdles for any claims brought on the basis of the Meta Ireland decision, notwithstanding that this is based on a violation of the GDPR and not the Data Protection Act 2018 (as in Lloyd v Google). There is currently a claim against Facebook in the High Court (although this is not seeking damages) and a challenge in the Competition Appeals Tribunal (which has now been heard and a decision is awaited, read a summary here), both concerning the collection of personal data for marketing purposes.

Can fines issued by data protection authorities be insured?

In the UK, Ireland, and other common law jurisdictions, this becomes a question of whether the principle of illegality is invoked. Whether an insurance policy covers a fine will depend on the public policy question of whether it is possible to recover a loss which results from your own wrongdoing. The field is a complex one and there is a grey area when we look at fines imposed for negligent conduct. A key point here is that the EPDB described Meta’s conduct as “serious neglect” and this is what will guide illegality.

In other jurisdictions, the question is not about illegality. In Germany, for example, it is about whether insurability undermines the effectiveness of the fine.

Are cracks beginning to show?

In May this year, it will be five years since the GDPR came into force. With more investigations undertaken and more fines issued, we are beginning to get a flavour of where any points of contention may arise.

One-stop shop

As an example, the one stop shop mechanism under the GDPR (which allows an organisation which conducts cross-border data processing to deal with a single lead supervisory authority) has not been repeatedly tested. It has now come under scrutiny as a result of the Meta Ireland investigation, insofar as objections received by concerned supervisory authorities within the EU to the DPC’s draft decision, could be said to show some concern that data protection authorities in certain countries, such as Ireland, are being left to police the large tech companies, particularly where tech investment in that country has been actively courted.

In France, the data protection authority, the CNIL, has always said that tech companies are the top priority when it comes to enforcing the GDPR and we have seen that the CNIL has been very active in issuing sanctions. It appears, however, to have found an effective work around to the one-stop shop and has issued large fines using local privacy regulations (in particular, regarding cookies). Whilst this is an approach seemingly taken in France, it is not one that is being (or indeed can be) used in other EU countries. In Germany, for example, the local e-privacy regulation only allows for a maximum fine of €300,000 and so it cannot use such rules to issue substantial fines in the same way.

Jurisdiction of the EDPB

Following on from the Meta Ireland fine, it looks as if we may be heading for an altercation between some EU data protection authorities and the EDPB. As part of its final decision, the EDPB directed that the DPC carry out a new investigation into Meta’s processing operations to determine if it processes special categories of data and complies with the relevant obligations under the GDPR. The DPC however, has questioned the jurisdiction of the EDPB to direct investigations by national data protection authorities and has indicated that it intends to challenge this direction by the EDPB in the CJEU.

View from the EU

There are some tensions emerging from within the EU regarding interpretation of the GDPR. For example, in France the approach of the CNIL has met with some disapproval, with consumers and critics commenting that it is too political. It is, however, largely seen as effective for consumer protection. However, consumer associations have accused the CNIL of being too “pro-business”.

Further, in Ireland, there is the balance of encouraging innovation and investment on one hand and consumer protection on the other. There is some unease that the DPC is not the strictest of task masters and has form for only imposing the highest of penalties after pressure from other EU data protection authorities. In other countries however, such as Germany, Spain and Italy, there is often the view that the local data protection authorities tend towards a strict interpretation of the GDPR.

How about the UK?

Since Brexit, the UK sits apart from the 27 EU member states. The EDPB decision is not binding on the UK, but it cannot be dismissed. In the UK, the Information Commissioner has recently indicated somewhat of a change in direction with a recognition that fines are not the only way in which to enforce the GDPR. Fines are still considered important and will be used where truly needed, for example, where contravention of the GDPR has caused the most harm, or the business in question has profited from the non-compliance, but the ICO is pursuing other options to enforce data protection regulation, such as the publication of investigations and reprimands.

The ICO has also confirmed its continued approach to focus on big tech and its commitment to safeguarding vulnerable groups, including the use of children’s data. 

To view our on-demand webinar and hear our views on these and other issues in more detail, click here.