The Irish Data Protection Commission (“DPC”) announced its final decisions on two inquiries into Meta’s data processing operations on Facebook and Instagram. The DPC fined Meta a total of €390 million for breaches of the GDPR and invalidated its reliance on a “contract” legal basis for personal data processing for targeted advertising purposes.  

The decision came after complaints made by the privacy rights organisation NOYB on May 25, 2018, the day the GDPR came into operation. Before 25 May 2018, Meta had changed the Terms of Service for its Facebook and Instagram services, indicating a change in the legal basis on which Meta relies to legitimise its processing of users' personal data. Accordingly, Meta would rely on the contract legal basis for certain data processing activities in the context of delivering its services on Facebook and Instagram, including behavioural advertising, rather than on consent, as it had previously done.

Users were asked to accept the new Terms of Service if they wished to continue to access Facebook and Instagram services. The DPC stated that Meta considered that “a contract was entered into” between Meta and users and that “processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis or processing).”

The complainants argued that by making the use of its services conditional on the users’ acceptance of the Terms of Service, Meta was forcing them to agree to Meta’s use of personal data for behavioural advertising purposes, which implied that Meta was in fact relying on consent as a legal basis for this processing and that there was no real choice for users in this regard.

Following the European Data Protection Board’s binding determinations on the matter, the DPC adopted its final decisions in which it stated that:

  • Meta is not entitled to rely on the contract legal basis for the delivery of behavioural advertising services on Facebook and Instagram, and therefore the processing of personal user data based on the contract legal basis constitutes a violation of Article 6 of the GDPR, and
  • Since users were not clearly informed about the legal basis relied on by Meta and what processing operations were being performed on their data, Meta violated its transparency obligations. It is considered that such a lack of transparency constituted breaches of the lawfulness, fairness and transparency principle enshrined in Article 5(1)(a), and Articles 12 and 13(1)(c) of the GDPR.

Furthermore, the decision requires Meta to bring its data processing operations into compliance with the GDPR within a period of 3 months. This means that Meta has to find a new legal basis for its processing activities in relation to targeted advertising.

NOYB Founder Max Schrems embraced the decision and said users “must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”

Although the decision concerns the activities of Meta on Facebook and Instagram, it is expected to influence other online platforms in the digital advertising industry.

In June 2022, TikTok amended its privacy policy to reflect its intended switch from relying on users’ consent to relying on legitimate interest as the legal basis for processing personal data for personalised advertising. This was followed by the Italian Supervisory Authority’s warning to TikTok that processing personal data for personalised advertising on the basis of legitimate interest would violate the GDPR and the ePrivacy Directive. TikTok eventually agreed to pause the controversial privacy policy update in the EU after engagement with the DPC.

As Schrems argued, many platforms currently make access to their service conditional on the user’s consent. The decision leaves open the question of whether Meta or other online businesses must allow users to refuse targeted advertising without preventing them from accessing their services.

