Last week’s €405m fine against Instagram, the second-largest penalty ever issued under the GDPR, made headlines. But Meta (which owns Instagram) turned over $117bn last year. Beyond the fine, specific findings around Meta’s legal compliance could hurt the company much more.
Meta required some children—who had converted from “personal” to “business” Instagram accounts—to publish their contact information in plain text on the open web. The company said this processing activity was justified under the GDPR’s legal bases of “contract” and “legitimate interests”.
Perhaps surprisingly, the Irish data protection authority (DPA) appears to have agreed with Meta on this point. But the European Data Protection Board (EDPB) published a “binding decision” under Art. 65 GDPR today, revealing that some other DPAs strongly disagreed.
This article will summarise these other DPAs’ objections—which were found to be “reasoned and relevant” by the EDPB—and consider what they teach us about these fundamental GDPR provisions.
→ Note that I’m focusing on the disagreements around lawfulness among DPAs. There are many other elements involved in the binding decision, and a lot of background around how this investigation came about. For more details on the facts that led to this investigation, see my article from last week.
Meta relied on the legal basis of “contract” to justify publishing the contact information of some children, where those children were old enough to enter into a contract under national law (these rules vary from country to country).
“Contract” is also the company’s main legal basis for the processing of personal data when a user opens an Instagram account.
The Irish DPA’s position: Meta’s reliance on ‘contract’ was valid
As part of its investigation, the Irish DPA had to assess whether the publication of contact information was “necessary for the performance of a contract to which the data subject is party”, per Art. 6 (1) b) GDPR.
Instagram users agree to Meta’s terms of service when signing up for an account. However, it appears that these terms did not include a specific provision requiring Meta to publish Instagram users’ contact details on the open web.
The Irish DPA noted that the GDPR “does not require the inclusion of express contractual provisions pertaining to processing in order to provide a legal basis”.
The Irish DPA’s draft decision determined that Meta did not violate the GDPR by relying on “contract” to publish the contact information of children.
The Irish DPA came to this conclusion because:
- “…the publication of contact information in the context of business accounts may be regarded as necessary processing for the purpose of Article 6(1)(b) GDPR”
- “…the contact information processing could be necessary for the performance of [Meta’s] Terms of Service with its users”.
Objection: There was no valid contract
The Dutch DPA set out the fundamental task for the Irish DPA as being to determine “what the contract is and whether that contract is suitable to serve as a legal basis under Article 6 (1) (b) GDPR”.
The Dutch DPA questioned the validity of the contract between Meta and its users owing to the “serious lack of transparency” on Meta’s part.
As such, the Dutch DPA stated that it was doubtful whether data subjects entered into a contract with Meta willingly and with sufficient information.
This suggests that there was not a valid contract between Meta and its users and no grounds on which to rely on the legal basis of “contract”.
Similar comments about the validity of Meta’s contract with its users were made by the German DPAs and the Finnish DPA (which said the issue of validity was “unsettled” in the draft decision).
The German DPAs also pointed out that Meta did not make it clear in any contract that contact information would be published.
The Irish DPA appears to have noted Meta’s transparency failings were an infringement of the GDPR—but still concluded that Meta’s reliance on “contract” was valid.
Objection: The processing was not necessary for performance of a contract
The other DPAs also determined that the processing in question was not “necessary” for the performance of a contract. This point was made by the Dutch, German, Italian, Finnish, French and Norwegian DPAs.
The Dutch DPA noted that the Irish DPA had not actually considered whether Meta even assessed whether the processing was necessary for the purposes of performing a contract.
The Dutch DPA also noted that an apparent breach of the “data minimisation” principle precluded the possibility that the “necessity” test had been met.
The German DPAs disagreed with the Irish DPA’s assertion that the performance of “essential elements” of a contract justified reliance on the legal basis of “contract”. The German DPAs held that the processing must be necessary for the actual operation of an Instagram business account.
The German DPAs said it was “not comprehensible… why a publication of contact data in plain text or the use of this data for the HTML source text should be necessary for the operation of such an account”.
One clear indication that publishing people’s contact details is not “necessary” for the performance of a contract is that Meta no longer does it by default. The company reversed this policy some time in 2019.
The Italian and Finnish DPAs pointed this out, with the Finnish DPA stating that publication of contact information could not have been necessary “given that it was no longer mandatory”.
The Finnish DPA also pointed out that, given that the processing breached the “data minimisation” requirement, it could not be regarded as “necessary” in the context of justifying reliance on the legal basis of “contract”.
Where children were too young under national law to form a contract, Meta relied on a different legal basis for publishing the contact information of children in plain text on the open web: “legitimate interests”.
Reliance on legitimate interests requires the controller to conduct a “balancing test”, weighing the rights and freedoms of data subjects against its own interests (or those of a third party).
Note, again, that the processing must be “necessary” for the legitimate interests of the controller or a third party.
The Irish DPA’s position: Meta’s reliance on ‘legitimate interests’ was valid
The Irish DPA argued that the publication of children’s contact details on the open web was “necessary” for the legitimate interests of Meta and “other Instagram users”.
The Irish DPA came to this conclusion because:
- “…publication of contact details to the public may be a reasonable and lawful mode by which to promote a professional undertaking or other public initiative”
- “…such processing may have been, to an extent, a reasonable means for Instagram users to publish off-platform contact details in some circumstances.”
Meta also said that the rights of business users to publish their contact information could outweigh the rights of children to keep their contact information private in some circumstances:
“…in some circumstances, where the contact information processing occurred in the context of the well-considered professional activities, it is possible that the legitimate interests at issue would not be overridden by the interests or fundamental rights and freedoms of the child user…”
Objection: Interests are unclear and not legitimate
The Dutch DPA leads the charge in opposing the Irish DPA’s conclusions around Meta’s reliance on “legitimate interests”.
The Dutch DPA notes that the draft decision did not include an assessment of whether “the interest pursued by Meta… were sufficiently clarified or precise” or “exactly whose interests were pursued”.
The German DPAs said that the interests pursued by Meta were not legitimate. A reminder that these interests were supposedly, in part, those of Instagram business account users who wished to make their email addresses easily accessible to the public.
The German DPAs pointed out that treating children as “professional undertakings in circumstances where national contract law requires parental consent” would “undermine the protection of children”.
The Finnish DPA noted that the Irish DPA did not adequately assess the nature of the interests pursued by Meta.
Objection: Processing was not necessary to pursue the interests
The Dutch DPA accused the Irish DPA of “circular reasoning” in concluding that the publication of children’s contact information “may have been a reasonable means to achieve the publication of off-platform contact details”.
The Dutch DPA also noted that the Irish DPA did not consider whether there were alternative methods of pursuing the interests without publishing contact information publicly.
It is worth noting that the researcher who first exposed this issue suggested that Instagram could use anonymous email contact forms to enable users to contact businesses on Instagram, in a similar fashion as exists on classified ads website Craigslist.
Note that in determining that Meta did not violate the GDPR’s rules on “lawfulness”, the Irish DPA uses a lot of “hedging” language when drawing its conclusions:
- “may be regarded as necessary”
- “could be necessary”
- “may be a reasonable and lawful mode”
- “in some circumstances”
- “it is possible that”
One important argument made by several DPAs is that these phrases suggest that the processing, if it “could” be necessary in “some circumstances”, did not meet the GDPR’s “necessity” test.
Several DPAs also pointed out that the processing could hardly be “necessary” for the pursuit of a legitimate interest if the publication of contact information was now optional.
Objection: Balancing test was not met
As noted, the legitimate interests supposedly pursued by Meta remain somewhat unclear.
However, the “balancing test” appears to have weighed:
- The desire of some Instagram business users to make their businesses easily contactable off-platform, against
- The right of children not to have their contact information published in plain text on the open web.
The Irish DPA concluded that Meta had struck the balance right by requiring some children to publish their contact details. Perhaps unsurprisingly, several other DPAs disagreed.
Recall that only children who had converted their Instagram accounts to business accounts had their contact details published.
However, the Danish DPA argued that Meta’s balancing test only seemed to consider “well-informed or digitally literate children who used Instagram for well-considered professional activities”. Other children’s rights were seemingly not considered by Meta or the Irish DPA.
The German DPAs made similar comments, arguing that Meta and the Irish DPA should have considered the rights of children in general—rather than “the specific technical and economic abilities of each child user”.
The German DPAs also argued that the Irish DPA had not sufficiently considered the risks involved in publishing children’s contact information in this way, and the fact that such processing activity could lead to children losing control over their data.
The French DPA also noted that Meta had not appropriately taken into account several of the risks identified by the Irish DPA, such as the possibility of harassment and grooming.
The Irish DPA did find that Meta violated the principle of data protection by design and had failed to implement appropriate security measures to protect personal data.
As such, the Italian DPA noted that this conclusion conflicted with the Irish DPA’s conclusion that Meta had properly assessed the risks to children as part of its balancing exercise.
The Italian DPA noted that, in situations where a user was too young under national law to agree to a contract, “it was unlikely that a balancing test could result in the interests of the controller overriding the protection of the rights and freedoms of child users”.
The Finnish DPA pointed out that, given that the contract between Instagram and its users was unclear, users might not reasonably expect that their contact details would be published, and thus Meta’s assessment of the balance of interests was not valid.