In this news article, we will focus on a decision by the Irish Data Protection Commission (“DPC”), a request for a preliminary ruling referred by the Belgian Market Court and a decision by the Belgian Data Protection Authority (“DPA”).
1. Monster €405 million fine for Instagram for inadequately securing minors' personal data
On 2 September 2022, the Irish Data Protection Commission (DPC) fined Meta Platforms Ireland Limited (“Meta”) the sum of €405 million for breaching the privacy rights of children under the GDPR when using Instagram.
Many of the big tech companies, such as Meta, are based in Ireland for tax reasons, which gives the Irish DPC an important supervisory role.
The Irish DPC had opened its investigation in 2020 in order to determine whether Meta had put in place the necessary safeguards to protect users’ data. The investigation focused on how the Instagram service retained and processed the personal data of minors between the ages of 13 and 17, and on how the platform allowed these underage users to operate ‘professional’ accounts. This type of account required users – by default – to make their contact details public, meaning that they were visible to everyone on the social network without any active authorisation having been given.
On the basis of its investigation, the DPC concluded that Meta did not have the necessary safeguards in place to protect user data, especially the data of minors.
The DPC first decided that Meta could rely neither on Article 6.1(b) nor on Article 6.1(f) GDPR as a legal basis for the processing of minors’ data, and had therefore infringed Article 6.1 GDPR.
Secondly, the DPC found that Meta processed more data than necessary and thereby infringed its obligations in relation to data protection by design and default (Article 25 GDPR) and data minimisation (Article 5.1(c) GDPR).
Thirdly, the DPC ruled that Meta did not provide sufficient transparency as required by Articles 5 and 12 GDPR regarding both the by-default public disclosure of minors’ profiles and the public availability of their contact details. Meta, as a data controller, has a duty to provide transparent information in this regard which, particularly when minors are involved, should be unambiguous and clear, leaving no room for nuance.
The decision of the Irish DPC is an historic decision. Not only is this the first cross-border data processing case under the GDPR where all EU/EEA data protection authorities were involved in the Article 60 co-decision-making process, it also involves the second-highest fine imposed since the GDPR came into effect and is the first EU-wide judgement on children's data protection rights. The DPC has made it abundantly clear that businesses that market to children must exercise extreme caution.
Meta has announced its intention to appeal the decision.
2. The IAB Europe saga continues: the Belgian Market Court refers preliminary questions to the Court of Justice of the European Union
In its decision of 2 February 2022, the Belgian DPA found IAB Europe to be a "joint data controller" for processing personal data under the Transparency and Consent Framework (TCF), a widespread mechanism that enables websites, advertisers and ad agencies to efficiently manage consumer consent, objections and preferences for online personalised advertising. As a result, the DPA held IAB Europe responsible for the GDPR violations associated with the use of the TCF and imposed a fine of €250,000.
IAB Europe appealed the decision before the Belgian Market Court. IAB Europe firstly contests that the TC String, a series of numbers and letters representing user preferences that is key to the functioning of the TCF, constitutes personal data. IAB Europe secondly contests that it is acting as a joint data controller and that it violated its obligations under the GDPR.
The Market Court decided to refer the following preliminary questions to the EU Court of Justice:
“1) Is the TC String personal data (with or without a combination with an IP address) for the alleged controller and/or with regard to companies that use the TC String? (Article 4(1) GDPR)?
2) a) Is IAB a (joint) controller (Article 4(7) GDPR and Article 24(1) GDPR)?
b) Does it matter whether or not IAB has access to the personal data which are processed by companies that use the standards of IAB?
c) If IAB is indeed a (joint) controller, does this also entail responsibility for further processing by third parties regarding the preferences of data subjects, such as targeted online advertising?”
The EU Court's ruling will have a major impact across the EU, not only because the TCF is a widespread mechanism that facilitates the management of users’ preferences for online personalised advertising, but also because the Court will further clarify key concepts of the GDPR, such as the definition of the term "(joint) data controller" and its applicability to framework developers.
3. Recent ruling of the Belgian Data Protection Authority on direct marketing
In the case that led to the decision of 26 July 2022, a data subject had filed a complaint against a company for sending unsolicited advertising for telecom services. The complainant had exercised his right to object and had requested access to his personal data. He had also requested information about the legal basis for the processing of his personal data.
The company responded that the personal data were processed on the legal basis of “legitimate interest” (Article 6.1(f) GDPR). However, since the complainant had not been a customer of the company for more than two years, he was of the opinion that the company could not invoke legitimate interest for the processing of his e-mail address for direct marketing purposes.
With reference to recital 47 of the GDPR, the DPA firstly confirmed that legitimate interest can be a legal basis for the processing of e-mail addresses for direct marketing purposes.
Secondly, the DPA confirmed that this lawful basis can also be invoked for sending direct marketing to former customers, and not only to existing customers. The DPA pointed out that it had stated in its Recommendation No 01/2020 of 17 January 2020 on the processing of personal data for direct marketing purposes that if the controller has never had any relationship with a data subject, or if this relationship goes back a long time without being followed up in the meantime, the legitimate interest basis cannot be invoked. In that case, the receipt of direct marketing is not part of the data subject's reasonable expectations. However, the DPA noted that in this case the complainant had cancelled his subscription in 2019, whereas the facts dated from 2021. According to the DPA, the complainant could reasonably expect that his data could still be used for direct marketing purposes during that two-year period. Moreover, the controller had informed the complainant that, once the contract was terminated, former customers' data would be processed for marketing activities for a maximum period of two years.
Thirdly, the DPA considered that the company had, within the one-month period after receiving the complainant's request not to receive further direct marketing communications (Article 12.3 GDPR), complied with the request by confirming that the complainant's personal data had been deleted.
Under these circumstances, the DPA decided to dismiss the case.
Please contact Karel Janssens for further information about this topic and/or for general legal advice relating to privacy and data protection.