Privacy Corner

by Eva Jarbekk


Security camera surveillance

In this issue of Privacy Corner, we focus on four major new decisions. Three of them are from the Irish Data Protection Authority and one is from the European Court of Justice.

On the Facebook and Instagram decisions

On 31 December 2022, the Irish Data Protection Authority (DPC) rendered decisions regarding Facebook and Instagram, and these decisions have consequences for many other companies as well.

The question was whether or not Facebook and Instagram could use "contract" as the legal basis for behavioural advertising.

Originally the DPC thought that they could, arguing (as set out in its press release): "the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service."

In the consultation process between the data protection authorities, several of the other authorities protested. They argued that behavioural advertising is not objectively necessary for the performance of Meta's contract. The question was brought before the EDPB to decide.

Not surprisingly, the EDPB took the "narrow" view of what a contract can contain. This is in line with earlier guidelines from the EDPB on how one shall interpret what may be put into a contract. In fact, it was the interpretation of the DPC that was surprising. The EDPB concluded that Meta Ireland was not entitled to rely on the "contract" legal basis for its processing of personal data for the purpose of behavioural advertising.

The EDPB underlined that even though Meta chooses to make profits through personalised ads, this does not make the ads "necessary". Meta has other options for income and for placing ads; the EDPB specifically mentions contextual ads.

An important question is whether the decisions are clear on whether one now must use consent for behavioural advertising. Although this is sometimes written, it is not entirely obvious and needs further analysis. However, it is quite clear that the EDPB Guidelines on targeting of individuals in social media are still relevant, and they set out several alternative legal bases.

The legal basis for retargeting for many companies may thus be consent, or it may even be legitimate interest. Given the depth of the analysis Facebook is assumed to carry out, it seems probable that they need to use consent. For other controllers, basing retargeting on less intrusive information than what Facebook has, legitimate interest could be appropriate.

The distinction between when it is necessary to use consent and when legitimate interest is sufficient will be very important going forward.

Do also note that the decisions for Facebook and Instagram did not address the legal basis for content personalisation or product improvement, but this came up in the WhatsApp decision (see below).

Meta was fined €210 million for breaches of the GDPR relating to its Facebook service and €180 million for breaches in relation to its Instagram service. Not surprisingly, Meta is reportedly going to appeal the matter.

The WhatsApp decision

A few days after the above decisions, on 12 January 2023, the DPC concluded another case, this time concerning WhatsApp.

As with the decisions above, the legal question was whether WhatsApp could rely on contract as the legal basis for processing personal data. This decision, however, concerns processing for development of the service and for security purposes, not for targeted advertising. In this case, too, there was disagreement between the data protection authorities, and the EDPB was brought in. The result in the end was that WhatsApp may not use contract as the legal basis for these activities.

That said, the decision does not explicitly say that they must use consent. Likely, either consent or legitimate interest may be used.

In this matter the DPC fined WhatsApp significantly less than in the two previous ones, pointing out that it had already imposed a very substantial fine of 225 million euros. Over a little more than the last year, Meta has been fined a total of approximately 1.3 billion euros.

Is using legitimate interest very different from using contract as the legal basis?

At first glance the difference from using contract as the legal basis may not seem great, but there are some vital differences.

Using consent will of course give the individual full control over the processing. But even legitimate interest forces the controller to actively weigh the interests of the individual, because the controller has to carry out a balancing test between its own purposes and the privacy of the individual. This assessment must be documented, and the privacy policy shall identify the interests that the controller is pursuing. Many companies may need to update their privacy policies following this decision.

No such balancing test is carried out if one can use contract as the legal basis (even though one could argue that data protection by design should lead to the same result, in practice that does not seem to happen).

Another particular feature of using legitimate interest as the basis is that the individual has the right to object to the processing.

The European Court of Justice and the specific right to know to whom your data has been disclosed

An individual requested that Österreichische Post disclose the identity of the recipients to whom it had disclosed his personal data. This was done with reference to GDPR article 15(1).

Österreichische Post first merely stated that it uses personal data to the extent permissible by law, and that it offers those personal data to trading partners for marketing purposes. The individual was not content and brought proceedings before the Austrian courts. Österreichische Post then further stated that the data had been forwarded to customers, including advertisers trading via mail order and physical outlets, IT companies, mailing list providers and charitable organisations, non-governmental organisations (NGOs) or political parties. The Supreme Court then decided to ask the ECJ whether the controller had to disclose the specific identities of the recipients or only the categories of recipients.

The judgement from the ECJ is clear that the controller must disclose the actual identity of those recipients. Only if it is impossible to identify the recipients may the categories of recipients suffice.

The reasoning behind the case is interesting. Given the wording of article 15, the result was not completely obvious. Article 15 states that the individual has the right to obtain "the recipients or categories of recipient to whom the personal data have been or will be disclosed". One could easily conclude from this that the controller should be able to choose between the alternatives.

However, the ECJ took a broad view of the principles behind the GDPR and argued that the individual would not be in a position to exercise their rights if they do not know exactly who is holding their information.

This is not a small thing. It entails that all controllers will have to be able to tell individuals about all companies they have shared their personal data with. This covers their data processors, sharing within group companies and any other parties or partners the information has been shared with. Maybe it is time to update your article 30 protocol.

Do you have any questions?