The Data Protection Commissioner (the DPC) recently issued two decisions imposing Meta Platforms Ireland Limited (Meta) a hefty fine of €390 million over the use of personal data for targeting ad practices employed by Facebook and Instagram respectively.

The DPC found that Meta’s reliance on the ‘contract’ legal basis in relation to the personal data processing for ad targeting on Facebook and Instagram amounted to a breach of Article 6 of the GDPR. In particular, Meta argued that it relied on contract as a legal basis as on accepting Meta’s updated Terms of Service, as “a contract was entered into” with the users and the “processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising”.

However, the DPC found that Meta was “not entitled to rely on the ‘contract’ legal basis (Article 6(1)(b) GDPR for the purpose of behavioural advertising in the context of its Facebook Terms of Service and Instagram Terms of Use” and held that placing the legal consent within the terms of service agreement essentially forced users to accept personalised ads, as it meant that the users must either allow their data to be used for personalised ads or stop using Meta’s social media services altogether.

Subsequent to that, the DPC has directed Meta to bring its data processing operations into compliance within a period of three months.

This decision highlights the importance of determining the appropriate lawful basis for processing personal data under the GDPR and the consequences of failing to do so. In light of this decision, organisations should take the time to assess the appropriate lawful bases for processing before starting to process any personal data.

The DPC’s decision in relation to Facebook can be found here.

The DPC’s decision in relation to Instagram can be found here.

The DPC’s press release can be found here.