Recently, Meta was fined a hefty €390 million for not complying with the GDPR in how it collects and processes user data. The case clearly demonstrates the scale of the financial consequences of non-compliance, and it puts pressure on just about any legal entity that serves European customers to take a long, hard look at how it handles the issue itself.
We will look at how the story unfolded, what went wrong, and whether there are lessons to be learned from how Meta responded to the fine.
- Data processing must have a lawful basis
Data processing takes many forms, including aggregating, storing, or transferring data. As specified in Article 6 of the GDPR, processing any kind of personal data requires a lawful basis. This can be:
– The individual has given explicit consent
– The processing is needed to perform contractual obligations
– The processing protects the individual’s interests
– The processing is needed to comply with legal requirements
– The business has legitimate reasons for the processing
Keep in mind that this list does not represent a hierarchy: no one basis is more legitimate than another.
- Meta’s initial approach and the reasoning behind it
From the moment Meta’s updated platform went live in 2018, users had to agree to the updated terms and conditions to continue using it.
Meta argued that it was operating in good faith: by accepting the terms, users had entered into a contractual agreement with Facebook and Instagram whose end goal was to personalize the user experience, and targeting ads to each user’s interests was part of that. Hence, collecting user data was, in Meta’s view, an integral and necessary part of performing the service.
Following a complaint, the Irish Data Protection Commission (DPC) took a closer look at the company’s approach and, ironically, sided with Meta. However, other EU data regulators raised objections, and after a long period of back and forth with no consensus in sight, the European Data Protection Board, an independent body, overruled the Irish regulator’s conclusion and imposed its own decision.
The fine consisted of two parts:
– €210 million on Facebook’s end
– €180 million on Instagram’s end
- Are GDPR regulators making up the rules as we go along?
What’s striking about the matter is how high the fine was, especially considering that different European regulators disagreed on whether a violation had occurred in the first place. Whether or not the decision is overturned on Meta’s appeal, the message is clear: companies that serve European customers are treading on unstable and unpredictable ground.
Ultimately, Meta was fined despite relying on what it considered a valid legal basis for its operations: asking users to agree to terms of use that cover the processing of their personal data. This kind of regulatory uncertainty raises more questions than it answers, so let’s look at how Meta responded in practice.
- Meta’s response
Openly disappointed with the regulators’ conclusion, Meta will be filing an appeal, firmly believing there were no violations on its end. This also means that personalized advertising will remain part of its platforms.
It is Meta’s stance that serving personalized ads is an integral part of the service. To date, the company has relied on contractual necessity as the legal basis for processing user data, taking each individual’s safety and privacy settings into account. It argues that it would be quite unusual for a social media platform not to tailor its services to each individual’s preferences.
Meta is now looking for whichever alternative legal basis for processing user data would be deemed most suitable. Keep in mind that no court or regulatory body has ordered the company to stop offering personalized ads; the question is one of regulatory clarity. In spite of the DPC’s latest ruling, Meta maintains that processing user data to serve behavioral ads remains a contractual necessity.
- Where to go from here
As Meta’s example shows, GDPR compliance is not to be taken lightly. Whenever a business has a service provider process user data on its behalf, a formal agreement is required. In essence, this is a contract between the business, which acts as the data controller, and the service, which acts as the data processor.
For the arrangement to be GDPR compliant, the agreement should stipulate the nature, purpose, and duration of the data processing activities. This protects users’ privacy, ensures that there is a legal basis for the company to process their data, and bars the data from being used for any purpose other than the one agreed.
In practice, as long as a company serves European customers, it is a virtual certainty that it relies on third-party services that process data. One example is Google Analytics, which webmasters use to analyze their traffic and improve their website and services. The only alternative is blocking visitors with European IP addresses, which is rarely the optimal move from a business point of view.
Compliance with the GDPR requires a lawful basis, typically the user’s consent, whenever any kind of user data processing is involved.
- Conclusion
GDPR compliance can often feel like walking on eggshells, particularly given the recent regulatory uncertainty. The recommended way forward is therefore to tread with caution and study examples of what is currently working in practice.