Meta Platforms Ireland Limited - January 2023

SectionDecisions made under data protection act 2018
In the matter of the General Data Protection Regulation
DPC Inquiry Reference: IN-18-5-5
In the matter of LB, a complainant, concerning a complaint directed ag ainst Meta Platforms Ireland
Limited (formerly Facebook Ireland Limited) in respect of the Facebook Service
Decision of the Data Protection Commission made pursuant to Section 1 13 of the Data Protection Act,
2018 and Articles 60 and 65 of the General Data Protection Regulation
Further to a complaint-based inquiry commenced pursuant to Secti on 110 of the Data Protection Act,
Decision-Maker for the Commission:
Helen Dixon
Commissioner for Data Protection
Dated the 31st day of December 2022
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
1.1 This document is the Decision (“the Decision”) of the Data Protection Commission (“the
Commission”), made in accordance with Section 113 of the Data Protection Act, 2018 (“the 2018
Act), arising from an inquiry conducted by the Commission, pursuant to Section 110 of t he 2018
Act (“the Inquiry).
1.2 The Inquiry, which commenced on 20 August 20 18, examined whether Meta Platforms Ireland
Limited (formerly Facebook Ireland Limited) (“Facebook”) complied with its obligations under the
EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament
and of the Council) (“the GDPR) in respect of the subject matter of a complaint made by Ms. L.B.
(“the Complainant”). While Facebook Ireland Limited has since changed its name to Meta
Platforms Ireland Limited, with effect from 5 January 2022, the relevant events, for the purpose
of the Inquiry, occurred prior to this name change. In the circumstances, the term “Facebook” is
used throughout this Decision to denote Meta Platforms Ireland Limited, the company formerly
known as Facebook Ireland Limited. Similarly, Facebook, Inc. changed its name to Meta Platforms,
Inc. on 28 October 2021 and any references, within this Decision, to “Facebook, Inc.” should be
understood as meaning Meta Platforms, Inc., the company fo rmerly known as Facebook, Inc.
1.3 The complaint was referred to the Commission by the Austrian Data Protection Authority, Die
Österreichische Datenschutzbehörde (“the Austrian DPA “) on 30 May 2018 (“the Complaint“). In
advance of the preparation of this Decision, a preliminary draft of this document (“the Preliminary
Draft Decision”) was circulated to Facebook and the Complainant’s representative so as to enable
them to make submissions on my provisional findings. The submissions of these parties have been
taken into account in finalising this Decision.
1.4 This Decision further reflects the binding decision that was made by the European Data Protection
Board (the “Board” or, otherwise, the “EDPB”) pursuant to Article 65(2) of the GDPR1 (the “Article
65 Decision”), which directed changes to certain of the positions reflected in the draft decision
that was presented by the Commission for the purposes of Article 60 of the GDPR (the “Draft
Decision”), as detailed further below. The Article 65 Decision will be published on the website of
the Board, in accordance with Article 65(5) of the GDPR, and a copy of same is attached at
Schedule 2 to this Decision.
1 Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its
Facebook service (Art. 65 GDPR), adopted on 5 December 2022
1.5 Further details of procedural matters and a chronology pertaining to the Inquiry are set out in
Schedule 1 to this Decision.
2.1 Facebook is an online social network and social media platform. In order to access the Facebook
platform, a prospective user must create a Facebook account. To create a Facebook account, a
prospective user is required to accept a series of terms and conditions, referred to by Facebook
as their Terms of Service (the “Terms of Service”). When a prospective user accepts the Terms of
Service, the terms contained therein constitute a contract between the (new) user and Facebook.
It is only on acceptance of the Terms of Service that the individual becomes a registered Facebook
2.2 In April 2018, Facebook updated the Terms of Service to give effect to changes it sought to
implement to comply with the obligat ions which would arise when the GDPR became applicable
from 25 May 2018. Among the obligations under the GD PR, as under Directive 95/46/EC, was the
fundamental requirement that data controllers have a lawful basis for any processing of personal
data they undertake. Legal bases provided for in the GDPR include consent of the data subject,
necessity for the purposes of the performance of a contract with the data subject or processing
necessary fo r the purposes of the legitimate interests of the data controller. In addition, under
the GDPR, controllers are required to provide detailed information to users at the time personal
data is obtained in relation to the purposes of any data processing and the legal basis for any such
processing. In essence, there must be a legal basis for each processing operation (of personal
data) and there must be transparency in the communication of such information to individual
users. Prior to the GDPR taking legal effect, no detailed requirement existed for a controller to
explicitly state what legal basis they relied on in processing particular categories of personal data.
2.3 To continue to access the Facebook platform, all users were required to accept the updated Terms
of Service prior to 25 May 2018. The updated Terms of Service were brought to the attention of
existing Facebook users by way of a series of information notices and options on the Facebook
platform, referred to as an “engagement flow” or “user flow”. The engagement flow was
designed to guide users through the processing of deciding whether to accept the updated Terms
of Service. The option to accept the updated termswas presented to users at the final stage of
the engagement flow. The final stage of the engagement flow also contained embedded
hyperlinks to the full text of the Terms of Service, the Data Policy and the Cookies Policy. As
referenced in the full text of the Terms of Service, the Data Policy provides information to users
on Facebook’s processing of personal data in respect of the Facebook platform.
2.4 Existing users who were not willing to accept the new terms were advised of the option to delete
their Facebook account. Such users were informe d that they could no longer use the Facebook

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT