Less Is More, Too Much Is Not Enough: What the Irish DPC’s €390 Million Fine Against Meta Could Mean for Your Privacy Notice
European data protection authorities kicked 2023 off with a bang when, on January 4, the Irish Data Protection Commission (DPC) announced that Meta Platforms Ireland would be fined a total of €390 million (roughly $414 million USD) for breaches of the GDPR in relation to its Facebook and Instagram services. A week later, the European Data Protection Board (EDPB) released the DPC’s final binding decisions: one relating to Facebook and the other relating to Instagram.
One key finding in those decisions was that Meta improperly relied on “performance of a contract” as the legal basis for its processing of users’ personal data for behavioral advertising and thus breached GDPR Article 6(1). That finding could have major implications for Meta and other platforms whose business models rely on behavioral advertising.
A second major finding could have more widespread consequences. To that end, the DPC found that Meta also violated GDPR’s transparency requirements by failing to provide the requisite information to Facebook and Instagram users about its processing of their personal data as required by Article 12 and Article 13. That finding could require fundamental changes in how controllers draft and present their privacy notices. And in that regard, the decisions reflect conflicting regulatory expectations that will be challenging for controllers to meet.
This post explores some key points from the DPC’s decisions that controllers who are subject to GDPR should keep in mind as they consider updates to their privacy notices.
- Abstract lists of personal data, processing purposes, and legal bases are out. Clear linkage from personal data → processing operations → purposes → legal basis is in.
The DPC disagreed. It concluded that GDPR Article 13(1)(c), which states that controllers must provide information to data subjects “on the purposes of the processing for which the personal data are intended as well as the legal basis for the processing,” implicitly requires controllers to provide that information “by reference to the personal data being processed or, at least, the broad personal data processing operations involved.” In other words, “the purposes and legal bases can[not] simply be cited in the abstract and detached from the personal data processing they concern.”
Thus, as the DPC’s Instagram decision explains, rather than “generic lists of all data, all purposes, and all legal bases under Article 6(1) GDPR without any indication of the relationships between them,” GDPR requires controllers’ privacy notices to demonstrate “a clear link from:
- the specified category/categories of personal data to
- the purpose(s) of the specified processing operation(s)/set(s) of operations to
- the legal basis which is being relied on to support the specified processing operation(s)/set(s) of operations.”
- “Layered” notices are still OK, but not if the layers are repetitive, generalized, circular, or disjointed.
The DPC also criticized Meta’s methods of providing the information required under Article 13, which used a “layered” format that relied on disclosures made through documents that contained links to other documents, which in some cases redirected back to the referring documents. The disclosures about Meta’s processing operations in those documents were, in the DPC’s view, generalized and repetitive, and provided only a “high-level overview” of Meta’s processing.
Meta’s approach, the DPC thus explained, was “circular” and “disjointed,” required users to work too hard to access the required information, and created ambiguity as to “whether all sources of information had been exhausted.” Meta’s notices, the DPC concluded, therefore violated GDPR Article 12(1), which requires that the information provided to data subjects be “concise, transparent, intelligible and easily accessible.”
While the DPC allowed that a layered approach “may be an appropriate means” for a controller to satisfy its transparency obligations (emphasis in the original), its decisions in the Facebook and Instagram cases concluded that controllers adopting that approach to their privacy notices must ensure that it results in a “clearly layered path” in which information “gradually becomes more detailed,” such that data subjects can “quickly and easily understand the full extent of processing operations that will take place as regards their personal data.”
- Using open-ended language like “such as” or “things like” to describe processing is out.
Even when, in the DPC’s view, Meta did provide more detailed information about some of its processing—such as in its discussion of users’ location information and IP addresses—the DPC criticized Meta for prefacing that information with qualifying language that included words like “such as” and “things like.” Those qualifiers, explained the DPC, signified that the information provided was “illustrative rather than concrete,” and their use was “not conducive to the provision of information in a transparent manner.”
Those criticisms echo the Article 29 Working Party’s Guidelines on Transparency, which explained that under GDPR, “indefinite language” such as “may,” “might,” “some,” “often,” and “possible,” should be avoided in most cases. And while those Guidelines stop short of categorically prohibiting the use of those qualifiers, they explain that a controller who uses them “should be able . . . to demonstrate why the use of such language could not be avoided and how it does not undermine the fairness of processing.”
- Providing all of the required information in a “clear and concise” manner may require you to get creative.
If you’ve detected a tension between the DPC’s command, on the one hand, for Meta to provide more detailed and granular information about its processing operations, purposes, and legal bases, and its mandate that data subjects be able to “quickly and easily understand” that information, on the other, you’re not alone. Companies engaging in all but the simplest and most straightforward personal data processing will likely find it challenging to craft notices that meet the DPC’s expectations on both fronts.
The DPC, seemingly acknowledging the challenge, offered that while Meta had “chosen to provide its information by way of pieces of text,” there were other options available, such as “the possible incorporation of tables, which might enable [Meta] to provide the information required in a clear and concise manner, particularly in the case of an information requirement comprising a number of linked elements.” The DPC’s decisions also quoted with approval GDPR Recital 58, which contemplates that in addition to clear and plain language, controllers should, “where appropriate,” use “visualisation” to deliver information to data subjects.
Whatever the method chosen, the DPC’s decisions explained, “the importance of concision cannot . . . be overstated.” Controllers will thus need to evaluate whether text alone satisfies the dual aims of comprehensiveness and conciseness, or whether tables or other more creative methods of delivering the information required by Article 13 are necessary.
* * * *
Meta has vowed to appeal the DPC’s decisions, and thus it’s possible that some aspects of those decisions could change. But in the meantime, if you would like to discuss how to approach GDPR’s transparency obligations given the DPC’s findings about how Meta’s notices fell short, please contact any member of our team.