Inquiry into Meta Platforms Ireland Limited - December 2022

Year2022
SectionDecisions made under data protection act 2018
An Coimisiún um Chosaint Sonraí, 21 Ce arnóg Mhic Liam, Baile Átha Cliath 2.
Data Protection Commission, 21 Fitzwilliam Square, Dublin 2.
www.cosantasonrai.ie | www.dataprotection.ie | eolas@cosantasonrai. ie | info@dataprotection.ie Tel: +353 (0)76 1104800
In the matter of the General Data Protection Regulation
DPC Inquiry Reference: IN-18-5-7
In the matter of TSA, a complainant, concerning a complaint directed against Meta Platforms Ireland
Limited (formerly Facebook Ireland Limited) in respect of the Instag ram Service
Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act, 2018
and Articles 60 and 65 of the General Data Protection Regulation
Further to a complaint-based inquiry commenced pursuant to Section 110 of the Data Protection Act 2018
DECISION
Decision-Maker for the Commission:
Helen Dixon
________________________________
Commissioner for Data Protection
Dated the 31st December 2022
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
2
1. Introduction .......................................................................................................................... 4
2. Factual Background and the Complaint ..................................................................................... 4
FACTUAL BACKGROUND .................................................................................................................................. 5
OVERVIEW OF THE COMPLAINT ........................................................................................................................ 8
Legal Basis of Processing ........................................................................................................................ 8
Transparency ....................................................................................................................................... 10
Corrective Powers ................................................................................................................................ 11
SCOPE OF THE COMPLAINT ............................................................................................................................ 11
3. Issue 1 Whether Clicking on the “Agree to Terms” Button Constitutes or must be consent for the
purposes of the GDPR ..................................................................................................................15
Introduction ............................................................................................................................................. 15
Relevant Provisions .................................................................................................................................. 15
Whether Clicking “Agree to Terms” Constitutes Consent for the Purposes of the GDPR ......................... 16
Whether Meta Ireland must rely on Consent ........................................................................................... 19
4 Issue 2 - Reliance on 6(1)(b) GDPR as a lawful basis for personal data processing ..........................24
Introduction ............................................................................................................................................. 24
Relevant Provisions .................................................................................................................................. 24
Assessment of whether Meta Ireland was entitled to Rely on Article 6(1)(b) GDPR ................................ 25
Relat ionship between the Term s of Use and the Da ta Policy
................................................................ 25
Whether Meta Ireland wa s Entitled to Rely on Article 6(1)(b) GDPR
..................................................... 27
Finding 2: ............................................................................................................................................. 49
5 Issue 3 Whether Meta Ireland provided the requisite information on the legal basis for processing
on foot of Article 6(1)(b) GDPR and whether it did so in a transparent manner ....................................49
Introduction ............................................................................................................................................. 49
Relevant Provisions .................................................................................................................................. 50
The “Layered” Approach ...................................................................................................................... 52
Information provided to the Data Subject in respect of the purposes and/or legal basis of processing .. 55
Information provided by Meta Ireland in relation to Processing in accordance with Article 6(1)(b) ........ 67
Whether Meta Ireland Comp lies with Article 5(1)(a), 12( 1) and 13(1)(c) GDPR ...................................... 73
Article 5(1)(a) GDPR Principle of Transparency ..................................................................................... 78
Finding 3: ............................................................................................................................................. 81
6 Whether Meta Ireland infringed the article 5(1)(a) principle of fairness .......................................82
3
Finding 4: ............................................................................................................................................. 85
7 Summary of Findings .............................................................................................................86
8 Decision on Corrective Powers ...............................................................................................86
9. Order to Bring Processing into Compliance ..............................................................................87
10. Administrative Fine ...........................................................................................................91
ARTICLE 83(2)(A): THE NATURE, GRAVITY AND DURATION OF THE INFRINGEMENT TAKING INTO ACCOUNT THE NATURE
SCOPE OR PURPOSE OF THE PROCESSING CONCERNED AS WELL AS THE NUMBER OF DATA SUBJECTS AF FECTED AND THE
LEVEL OF DAMAGE SUFFERED BY THEM ........................................................................................................... 105
ARTICLE 83(2)(B): THE INTENTIONAL OR NEGLIGENT CHARACTER OF THE INFRINGEMENT ........................................ 118
ARTICLE 83(2)(C): ANY ACTION TAKEN TO MITIGATE THE DAMAGE TO DATA SUBJECTS ............................................ 123
ARTICLE 83(2)(D): THE DEGREE OF RESPONSIBILITY OF THE CONTROLLER OR PROCESSOR TAKING INTO ACCOUNT TECHNICAL
AND ORGANISATIONAL MEASURES IMPLEMENTED BY THEM PURSUANT TO ARTICLES 25 AND 32 ............................... 1 24
ARTICLE 83(2)(E): ANY RELEVANT PREVIOUS INFRINGEMENTS BY THE CO NTROLLER OR PROCESSOR ........................... 126
ARTICLE 83(2)(F): THE DEGREE OF COOPERATION WITH THE SUPERVISORY AUTHORITY, IN ORDER TO REMEDY THE
INFRINGEMENT AND MITIGATE THE POSSIBLE ADVERSE EFFECTS OF THE INFRINGEMENT ........................................... 128
ARTICLE 83(2)(G): THE CATEGORIES OF PERSONAL DATA AFFECTED BY THE INFRINGEMENT ..................................... 129
ARTICLE 83(2)(H): THE MANNER IN WHICH THE INFRINGEMENT BECAME KNOWN TO THE SUPERVISORY AUTHORITY, IN
PARTICULAR WHETHER, AND IF SO TO WHAT EXTENT, THE CONTROLLER OR PROCESSOR NOTIFIED THE INFRIN GEMENT .. 131
ARTICLE 83(2)(I): WHERE MEASURES REFERRED TO IN ARTICLE 58(2) HAVE PREVIOUSLY BEEN ORDERED AGAINST THE
CONTROLLER OR PROCESSOR CONCERNED WITH REGARD TO THE SAME SUBJECT-MA TTER, COMPLIANCE WITH THOSE
MEASURES ................................................................................................................................................ 131
ARTICLE 83(2)(J): ADHERENCE TO APPROVED CODES OF CONDUCT PURSUANT TO ARTICLE 40 OR APPROVED CERTIFICATION
MECHANISMS PURSUANT TO ARTICLE 42 ........................................................................................................ 132
ARTICLE 83(2)(K): ANY OTHER AGGRAVATING OR MITIGATING FACTOR APPLICABLE TO THE CIRCUMSTANCES OF THE CASE,
SUCH AS FINANCIAL BENEFITS GAINED , OR LOSSES AVOIDED, DIRECTLY OR INDIRECTLY, FROM THE INFRINGEMENT ........ 132
WHETHER TO IMPOSE AN ADMINISTRATIVE FINE ............................................................................................. 134
11 OTHER RELEVANT FACTORS ........................................................................................................ 146
ARTICLE 83(3) GDPR ................................................................................................................................ 146
ARTICLE 83(5) GDPR ................................................................................................................................ 152
SUMMARY OF ENVISAGED ACTION ................................................................................................................ 157

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT