On 31 December 2022, the Irish Data Protection Authority (DPC) rendered decisions regarding Facebook and Instagram and these decisions have consequences for many other companies as well.
The question was whether or not Facebook and Instagram could use "contract" as the legal basis for behavioural advertising.
Originally, the DPC thought that they could, arguing (as set out in its press release): "the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service."
In the consultation process between the data protection authorities, several of the other authorities protested. They argued that behavioural advertising is not objectively necessary for the performance of Meta's contract. The question was brought before the EDPB to decide.
Not surprisingly, the EDPB took the "narrow" view of what a contract can contain. This is in line with earlier guidelines from the EDPB on how to interpret what may be put into a contract. In fact, it was the interpretation of the DPC that was surprising. The EDPB concluded that Meta Ireland was not entitled to rely on the “contract” legal basis for its processing of personal data for the purpose of behavioural advertising.
The EDPB underlined that even though Meta chooses to make profits through personalized ads, this does not make the ads "necessary". Meta has other options for income and for placing ads, and the EDPB specifically mentions contextual ads.
An important question is whether the decisions make clear that consent must now be used for behavioural advertising. Although this is sometimes claimed, it is not entirely obvious and needs further analysis. However, it is quite clear that the EDPB Guidelines on retargeting of individuals in social media are still relevant, and they set out several alternative legal bases.
The legal basis for retargeting may thus, for many companies, be consent, or it may even be legitimate interest. Given the depth of the analysis that Facebook is assumed to carry out, it seems probable that they need to use consent. For other controllers, basing retargeting on less intrusive information than what Facebook has, legitimate interest could be appropriate.
The distinction between when consent is necessary and when legitimate interest is sufficient will be very important going forward.
Note also that the decisions for Facebook and Instagram did not address the legal basis for content personalization or product improvement, but this came in the WhatsApp decision (see below).
Meta was fined €210 million for breaches of the GDPR relating to its Facebook service and €180 million for breaches in relation to its Instagram service. Not surprisingly, Meta is supposedly going to appeal the matter.