The DPC’s investigation began after None of Your Business (“NOYB”), a non-governmental organization co-founded by privacy activist Max Schrems, submitted complaints alleging that Facebook and Instagram “forced” users to consent to the processing of personal data for behavioral advertising and other services. In anticipation of the GDPR entering into force, Meta updated its Terms of Service and asked its users to accept the new terms before continuing to access its services. Meta asserted that when users accepted the new terms, they entered into a contract with the company that allowed the company to rely on the “performance of a contract” legal basis under the GDPR for the company’s processing of personal data. NOYB argued that, by requiring users to accept the updated Terms of Service as a condition to use Facebook and Instagram, Meta “forced” its users to provide consent, and therefore could not rely on the “performance of a contract” legal basis for processing.
Following consultations with peer regulators in the European Union, the DPC submitted its findings to the EDPB. The EDPB agreed that Meta’s practices breached Article 5(1)(a), and, contrary to the DPC’s findings, notably held that the company could not continue to rely on the “performance of a contract” legal basis to support its behavioral advertising activities. In addition, the EDPB directed the DPC to conduct a separate investigation into how Facebook and Instagram process special categories of data.
The DPC adopted the EDPB’s findings, issued a €390 million fine, and directed Meta to bring its data processing activities into compliance with the GDPR within three months.