Meta, formerly known as Facebook, was recently fined €390 million (roughly $414 million USD) by the Irish Data Protection Commission (DPC) for breaching EU data privacy rules. The DPC found that Meta’s privacy policies were insufficiently clear and that users had been “forced” to consent to targeted advertising. The finding on privacy policies has widespread implications for the majority of companies’ privacy policies. So what do businesses need to know about this, and what impact will it have on the data privacy landscape going forward? Read our blog below, which dives into this topic in greater detail.
What reasons did the DPC give?
In short, this fine highlights the need for companies to ensure that their privacy policies are concise, transparent, easily accessible and written in clear, plain language. The DPC highlighted that privacy policies must not be vague and should set out clearly how users’ data is processed and sent to third parties. The DPC also emphasized the need for companies to provide specific details about third-party data sharing and to list the categories of personal data that will be shared with each category of recipient. From the filings, it is clear that abstract lists of personal data, processing purposes, and legal bases are no longer sufficient to satisfy GDPR Article 13(1)(c).
What does this mean for your business?
Privacy policies should also enable users to quickly and easily locate and identify the categories of third parties that will receive their personal data, including a brief description of the services in question.
Furthermore, the DPC found that Meta improperly used “performance of a contract” as the justification for processing users’ personal data for behavioral advertising, violating GDPR Article 6(1). This highlights the importance of companies ensuring that the legal basis for their data processing is clearly communicated in their privacy policies. Meta argued that GDPR does not require controllers to “map” the legal bases they rely on to process personal data to individual processing operations and purposes. The DPC disagreed, saying that Article 13(1)(c) requires controllers to map legal bases “to the personal data being processed or, at least, the broad personal data processing operations involved.” In other words, “the purposes and legal bases cannot simply be cited in the abstract and detached from the personal data processing they concern.”
The DPC also criticised Meta for its use of catch-all phrases like “such as” and “things like”, saying that these phrases were illustrative rather than concrete and so did not provide information in a transparent manner.
Why is this important?
Overall, the DPC’s €390 million fine against Meta serves as a warning to companies to ensure that they comply with EU privacy laws and that their privacy policies are clear and transparent. By following these guidelines, companies can ensure they are in compliance with EU data privacy rules and avoid the hefty fines that come with non-compliance.
How Dataships can help