The EDPB has told the DPC to conduct a new investigation into Meta, though Ireland’s regulator has hinted it will contest this direction in court.
The EU’s key GDPR regulator has criticised how Ireland’s Data Protection Commission (DPC) investigated Meta’s handling of personal data.
The European Data Protection Board (EDPB) said the complaint towards Meta raised the fact that sensitive data was being processed by the company.
However, the EDPB said Ireland’s regulator ignored a key part of this complaint as it did not assess the processing of sensitive data in its investigation. This meant the board did not have “sufficient factual evidence” to make any findings on possible GDPR infringement, the EDPB claims.
The investigation related to two GDPR complaints against Meta in 2018 by an Austrian data subject and a Belgian data subject.
These complaints claimed Meta had been forcing Facebook and Instagram users to consent to the processing of their personal data by making services inaccessible unless they clicked “I accept” to show acceptance of the company’s terms of services.
These complaints led to two fines for Meta this month for its targeted advertising practices, costing the company €390m. The social media company was also ordered to bring its data processing into GDPR compliance within three months.
At the end of 2022, the EDPB stepped in and issued three dispute resolution decisions regarding Meta’s advertising practices, which altered the DPC’s draft decision.
The EDPB said it had steeply increased the size of the fines from the DPC’s proposed total of €59m to the recent fine of €390m.
Due to the lack of factual evidence from the Irish watchdog’s investigation, the EDPB said it disagreed with the DPC’s “proposed conclusion” that Meta is not legally obliged to rely on consent to carry out processing activities for Facebook and Instagram.
The European regulator said this conclusion can’t be “categorically concluded without further investigations” and has told the DPC to carry out a new investigation.
When the DPC announced the Meta fines this month, it also referenced the EDPB’s direction to start a new investigation. The Irish regulator claimed it would not open a fresh investigation as it is not open to the EDPB “to instruct and direct an authority to engage in open-ended and speculative investigation”.
The DPC also hinted that it will bring an annulment action to the European Court of Justice “to seek the setting aside of the EDPB’s directions”.
The Irish data watchdog has faced scrutiny in the past for its enforcement of GDPR. In 2021, privacy campaigner Max Schrems accused the DPC of improperly lobbying other EU regulators to allow Meta to bypass GDPR regulation. The DPC said these accusations were “baseless”.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.