Meta Sanction: how does it affect my company?
2023 is starting strong as far as GDPR sanctions are concerned, due to the 390 million euro sanction imposed on META by the Irish Authority because of the manner in which it processes its users' data from Facebook and Instagram.
The sanction, which followed the involvement of the European Data Protection Council, forced the Irish Authority to change its initial criteria and multiply its sanction by 10.
Meta Sanction: Why has it been penalised?
In short, META's terms and conditions stated that data from Facebook and Instagram users could be used for custom advertising purposes and, more importantly, META did not request any specific consent for this purpose, considering this data processing necessary to fulfil the contract (the terms and conditions) accepted by users.
What do the data protection authorities say?
Essentially, they say that receiving custom advertising does not fall within users' expectations when they register on one of the two social networks: the service they expect to receive is none other than to communicate with others or to remain informed.
In conclusion, the processing of data for advertising purposes is not part of the service that users expect to receive, so the use of their data for this purpose requires their express and prior consent.
META Sanction: OK, but how does it affect my company?
Well, this decision deals with the core of the GDPR, which is none other than what is known as the lawful basis of processing. This is what justifies a company or public authority to process someone’s personal data.
Regarding the lawful bases, some important considerations:
- There are 6 and none is above another. If you comply with one, you are complying with the GDPR at this point.
- In any case, any data processing must be included in one of these 6 lawful bases. Processing data outside these assumptions means breaching the GDPR, it’s as simple as that.
This is how Art 6.1 of the GDPR includes them:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The two conflicting lawful bases: consent and contractual compliance
As indicated, the basis for the META sanction is the use of one lawful basis (performance of a contract) instead of another (consent). Undoubtedly, deciding that data processing is justified by the fulfilment of a contract or, in other words, by providing a service selected by the user, makes things easier for the company, as no express and independent acceptance will be necessary beyond the terms and conditions.
On the other hand, if we decide that consent is required, the process becomes more complicated, because we will have to find a way for the user to accept the use of their personal data separately from the terms and conditions.
What use of data is included in the fulfilment of a contract and what is not?
Unfortunately, the answer is: it depends.
Indeed, we must analyse what is contracted, or what expectations the user has when they accept a set of terms and conditions, and decide from there what we can do with the data without additional consent. For example, purposes such as delivering the product or providing the service, administrative tasks or warranty management might involve processing that is typical of the contract between the company and the user.
From there, apply the criterion of caution: for anything not included in the contract, or in case of doubt, always request consent. In addition, we must analyse whether any other lawful basis applies, such as legitimate interests, which is analysed in this post.
As always, use caution and analyse what we want to do with someone's data before it is collected, in order to avoid later problems arising from data collected with insufficient information or without the necessary consent for its use.
If you want or need more information on this topic, contact us!