Data Protection Enforcement and the Tech Sector in Ireland
Monday, 13 February 2023

2022 saw the imposition by the Data Protection Commission (the "DPC") of several landmark fines against tech companies operating in Ireland, for non-compliance with various provisions of the General Data Protection Regulation (the "GDPR"). In fact, it has been reported that the DPC issued 66% of all EU data breach fines in 2022.[1] The outcome of the recent decisions of the DPC in respect of Meta’s social media platforms (the “Meta Decisions”) suggests that this trend will continue in 2023. We look back at some of the decisions leading to the fines issued in 2022 and also consider the Meta Decisions and other pending DPC inquiries, which are likely to have significant consequences for the tech sector.
Instagram Decision
Following a two-year investigation, the DPC found that Meta Platforms Ireland Limited ("Meta") permitted child-users of Instagram, aged between 13 to 17, to avail of the 'business account feature' on the social media platform, which led to the public disclosure of the email addresses and phone numbers of these children (“contact information processing”). Additionally, the DPC discovered that, once registered, children’s accounts were automatically set to 'public' by default (“public-by-default processing”).
In its final decision, the DPC concluded that both the contact information processing and public-by-default processing activities carried out on the Instagram platform amounted to infringements of multiple articles of the GDPR. Article 12(1) provides that a data controller must communicate with data subjects in a “…concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.” The DPC attributed the largest portion of the overall administrative fine of €405 million to the infringement of this obligation, strongly emphasising the need for companies to act transparently with user personal data, to enable data subjects to exercise control over how their data is used.[2]
Facebook Decision
In November, the DPC announced that it was imposing a fine of €265 million and a suite of corrective measures on Meta, for practices associated with its Facebook platform. The DPC inquiry was commenced in April 2021, following the publication of the names, Facebook IDs, locations, phone numbers, email addresses and birthdates of 533 million Facebook users on a hacking forum. Facebook maintained that the data had been 'scraped' and not 'hacked' due to a vulnerability in its tools. The inquiry was to determine whether Meta had complied with its obligations, as a data controller, in relation to the processing of the personal data of its users under the GDPR. An examination and assessment were conducted of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing during the period between 25 May 2018 and September 2019.
The DPC concluded that Meta had infringed its obligations under Article 25(1) of the GDPR, by failing to implement appropriate technical and organisational measures in an effective manner and to integrate the necessary safeguards into its processing. The DPC also found that Meta had breached Article 25(2), by failing to implement appropriate technical and organisational measures to ensure that, by default, only personal data that is necessary for each specific purpose of the processing is processed. In addition to the €265 million fine imposed, the DPC also issued a reprimand and an order requiring Meta to take a range of specified remedial actions within a particular timeframe.
Meta Decisions (Facebook, Instagram & WhatsApp)
In January 2023, the DPC announced the conclusion of its long-awaited inquiries into the data protection operations on the Facebook, Instagram and WhatsApp social media platforms. These inquiries emanated from three complaints filed to the DPC by NOYB (an organisation co-founded by Austrian privacy activist, Max Schrems) on 25 May 2018, the date on which the GDPR took effect.
The issues underpinning the Facebook and Instagram investigations were similar and centred predominantly on the lawful basis pursuant to Article 6 of the GDPR that Meta purported to rely on when processing user data, in particular for the purpose of behavioural advertising to users. Despite some apparent difference of opinion between the DPC and the EDPB on the matter, the DPC was bound by the final decision of the EDPB and concluded that Meta could not rely on the “performance of a contract” legal basis of Article 6 for processing personal data for the purposes of behavioural advertising. The DPC also took issue with the lack of transparency provided to users of Facebook and Instagram, which led to “insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR”.[3] These inquiries culminated in a collective fine of €390 million being imposed on Meta and a direction from the DPC to remedy the infringements within 3 months of the date of the decision.
The third and final complaint by the NOYB group, against Meta-owned WhatsApp Ireland Limited, culminated in the DPC fining WhatsApp in the amount of €5.5 million for breaches of the GDPR relating to its service. The breaches pertained to a lack of transparency around the processing activities that were carried out on user data and the legal basis on which WhatsApp was purporting to rely when processing data. The DPC was bound by the conclusion of the EDPB that WhatsApp could not rely on the ‘performance of a contract’ basis when processing user data for the purpose of delivering service improvements and security to users.[4]
Yahoo! EMEA Limited
The DPC announced in November 2022 that it had submitted a draft decision to its European counterparts, following an investigation into certain practices of Yahoo! EMEA Limited, which commenced on 1 August 2019. Similar to the investigations conducted around the Meta platforms mentioned above, this investigation is focused on the company’s compliance with transparency requirements under the GDPR. A decision of the DPC is expected in early 2023.
In December 2022, the DPC reported that it had commenced an investigation into international media reports which claimed that collated datasets of Twitter users had been made available on the internet. It seems that Twitter International Unlimited Company notified the DPC of a data breach that may have been the source of the leaked datasets. The DPC investigation is centred on whether the social media company has complied with its obligations as a data controller under the GDPR and whether any infringements of the GDPR have occurred.
Digital Services Act (“DSA”)
Many of the organisations mentioned above will also be required to comply with a new set of obligations arising under the DSA, which has been in force in the EU since 16 November 2022 (although many of the provisions of the DSA will not apply until it has been in force for 15 months). The DSA will apply to certain entities that provide an online 'intermediary service' within the EU and it builds on some of the well-established themes underpinning the GDPR. For example, the DSA enhances the protection of the privacy rights of children through a ban on targeted advertising aimed at children and the requirement for service providers to carry out a risk assessment of the risk that their platform may pose to children. The DSA will be enforced by the European Commission and 'Digital Services Co-Ordinators', to be designated by each member state. In the event of non-compliance with the DSA, service providers could receive a fine of up to 6% of their annual global turnover.
Conclusion
The fines levied against Facebook and Instagram in 2022 in the decisions outlined above are the second and third largest fines issued by an EU data regulator to date. This year has commenced with further significant fines for Meta, raising serious questions for tech companies about the future prospect of commercialising the use of personal data, while at the same time remaining compliant with data protection laws. The recent Meta Decisions also highlighted tensions between the DPC, its European counterparts and the EDPB when it comes to enforcement of the GDPR and in particular, the keen differences of opinion that can arise in relation to the appropriate level of administrative fines to be awarded against the large tech companies. In light of the recent media scrutiny of its decisions, it is likely that the DPC will be inclined to take an aggressive approach to enforcement against large tech companies going forward and this approach is likely to be adopted by the regulator at SME level too. Although media attention is focused on enforcement against ‘big tech’, there is evidence of the DPC enforcing data protection and direct marketing laws across all sectors, regardless of the size of the organisation.
In this regard, it is important that all organisations take the opportunity to consider their data protection policies and procedures, to ensure that they are compliant with the data protection laws that apply to them. As a starting point, we recommend that all organisations:
- Review their online Privacy & Cookies Policy to ensure that it complies with the transparency requirements of the GDPR;
- Assess any electronic marketing activities that the organisation is engaged in, in order to ensure that these activities are compliant with relevant direct-marketing laws;
- Assess data flows from the organisation and ensure that mandatory policies are in place where required under data protection law. For example, where data is being processed by a third-party on behalf of the organisation, a Data Processing Agreement must be in place;
- Where the organisation is likely to transfer personal data of EU citizens outside of the European Economic Area ("EEA") or provide access to such personal data hosted within the EEA, ensure that an ‘appropriate safeguard’ pursuant to Chapter V of the GDPR is in place prior to transferring or providing access to the personal data;
- Where the organisation provides digital services through an online platform, consider whether the DSA may apply to the organisation and implement appropriate policies and procedures to comply with the DSA;
- Assess the organisation’s incident response policy and training programmes, ensure that the organisation has a robust plan in the event that it is the subject of a cyber-attack or suffers a serious security incident, and assess the level of awareness within the organisation of its policies and procedures.
For further information on data protection or IP/Tech-related issues, please contact Zelda Deasy, Sean O’ Donnell, Victor Timon or any member of our Data Protection/GDPR team or our Technology Group.
[1] RTE News, “Ireland issued two-thirds of EU data fines last year”, 24 January 2023 (rte.ie).
[2] Meta has lodged an appeal with the Irish High Court against this decision.
[3] Data Protection Commission, Press Release, “Data Protection Commission announces conclusion of two inquiries into Meta Ireland”, 4 January 2023.
[4] Meta has indicated that it intends to appeal all three decisions of the DPC.