Meta Platforms Ireland Limited - January 2023

Section: Decisions made under data protection act 2018
In the matter of the General Data Protection Regulation
DPC Inquiry Reference: IN-18-5-5
In the matter of LB, a complainant, concerning a complaint directed against Meta Platforms Ireland
Limited (formerly Facebook Ireland Limited) in respect of the Facebook Service
Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act,
2018 and Articles 60 and 65 of the General Data Protection Regulation
Further to a complaint-based inquiry commenced pursuant to Section 110 of the Data Protection Act,
2018
DECISION
Decision-Maker for the Commission:
Helen Dixon
________________________________
Commissioner for Data Protection
Dated the 31st day of December 2022
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
1. INTRODUCTION AND PROCEDURAL BACKGROUND
PURPOSE OF THIS DOCUMENT
1.1 This document is the Decision (“the Decision”) of the Data Protection Commission (“the
Commission”), made in accordance with Section 113 of the Data Protection Act, 2018 (“the 2018
Act”), arising from an inquiry conducted by the Commission, pursuant to Section 110 of the 2018
Act (“the Inquiry”).
1.2 The Inquiry, which commenced on 20 August 2018, examined whether Meta Platforms Ireland
Limited (formerly Facebook Ireland Limited) (“Facebook”) complied with its obligations under the
EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament
and of the Council) (“the GDPR”) in respect of the subject matter of a complaint made by Ms. L.B.
(“the Complainant”). While Facebook Ireland Limited has since changed its name to Meta
Platforms Ireland Limited, with effect from 5 January 2022, the relevant events, for the purpose
of the Inquiry, occurred prior to this name change. In the circumstances, the term “Facebook” is
used throughout this Decision to denote Meta Platforms Ireland Limited, the company formerly
known as Facebook Ireland Limited. Similarly, Facebook, Inc. changed its name to Meta Platforms,
Inc. on 28 October 2021 and any references, within this Decision, to “Facebook, Inc.” should be
understood as meaning Meta Platforms, Inc., the company formerly known as Facebook, Inc.
1.3 The complaint was referred to the Commission by the Austrian Data Protection Authority, Die
Österreichische Datenschutzbehörde (“the Austrian DPA”) on 30 May 2018 (“the Complaint”). In
advance of the preparation of this Decision, a preliminary draft of this document (“the Preliminary
Draft Decision”) was circulated to Facebook and the Complainant’s representative so as to enable
them to make submissions on my provisional findings. The submissions of these parties have been
taken into account in finalising this Decision.
1.4 This Decision further reflects the binding decision that was made by the European Data Protection
Board (the “Board” or, otherwise, the “EDPB”) pursuant to Article 65(2) of the GDPR1 (the “Article
65 Decision”), which directed changes to certain of the positions reflected in the draft decision
that was presented by the Commission for the purposes of Article 60 of the GDPR (the “Draft
Decision”), as detailed further below. The Article 65 Decision will be published on the website of
the Board, in accordance with Article 65(5) of the GDPR, and a copy of same is attached at
Schedule 2 to this Decision.
1 Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its
Facebook service (Art. 65 GDPR), adopted on 5 December 2022
1.5 Further details of procedural matters and a chronology pertaining to the Inquiry are set out in
Schedule 1 to this Decision.
2. FACTUAL BACKGROUND AND THE COMPLAINT
FACTUAL BACKGROUND
2.1 Facebook is an online social network and social media platform. In order to access the Facebook
platform, a prospective user must create a Facebook account. To create a Facebook account, a
prospective user is required to accept a series of terms and conditions, referred to by Facebook
as their Terms of Service (the “Terms of Service”). When a prospective user accepts the Terms of
Service, the terms contained therein constitute a contract between the (new) user and Facebook.
It is only on acceptance of the Terms of Service that the individual becomes a registered Facebook
user.
2.2 In April 2018, Facebook updated the Terms of Service to give effect to changes it sought to
implement to comply with the obligations which would arise when the GDPR became applicable
from 25 May 2018. Among the obligations under the GDPR, as under Directive 95/46/EC, was the
fundamental requirement that data controllers have a lawful basis for any processing of personal
data they undertake. Legal bases provided for in the GDPR include consent of the data subject,
necessity for the purposes of the performance of a contract with the data subject or processing
necessary for the purposes of the legitimate interests of the data controller. In addition, under
the GDPR, controllers are required to provide detailed information to users at the time personal
data is obtained in relation to the purposes of any data processing and the legal basis for any such
processing. In essence, there must be a legal basis for each processing operation (of personal
data) and there must be transparency in the communication of such information to individual
users. Prior to the GDPR taking legal effect, no detailed requirement existed for a controller to
explicitly state what legal basis they relied on in processing particular categories of personal data.
2.3 To continue to access the Facebook platform, all users were required to accept the updated Terms
of Service prior to 25 May 2018. The updated Terms of Service were brought to the attention of
existing Facebook users by way of a series of information notices and options on the Facebook
platform, referred to as an “engagement flow” or “user flow”. The engagement flow was
designed to guide users through the process of deciding whether to accept the updated Terms
of Service. The option to accept the updated terms was presented to users at the final stage of
the engagement flow. The final stage of the engagement flow also contained embedded
hyperlinks to the full text of the Terms of Service, the Data Policy and the Cookies Policy. As
referenced in the full text of the Terms of Service, the Data Policy provides information to users
on Facebook’s processing of personal data in respect of the Facebook platform.
2.4 Existing users who were not willing to accept the new terms were advised of the option to delete
their Facebook account. Such users were informed that they could no longer use the Facebook
