Final Decision

The two decisions in question were both issued by the Irish DPA, which fined Meta 210,000,000 EUR for breaches related to its Facebook Service and 180,000,000 EUR for the breaches related to its Instagram service. The fines were issued for the following violations:

• Lack of a legal basis for the processing (GDPR, Article 6(1)(b)). The Irish DPA and EDPB addressed whether Meta could rely on the fulfillment of a contract as the lawful basis for processing personal data. The Irish DPA agreed with Meta that processing was necessary for contract performance, while the EDPB disagreed. The EDPB highlighted that behavioral advertising was not essential to the contract.
• Failure to provide meaningful information about the processing operations, making it impossible for the users to understand what data was processed and on what legal basis, as the information provided was lacking in clarity and conciseness (GDPR, Articles 5(1)(a), 12 and 13).
• Infringement of the principle of fairness as the ‘take it or leave it’ model, which created a significant imbalance between the platforms and their users (GDPR, Article 5(1)(a)).

Additionally, the DPA ordered META Ireland to bring its processing operations into compliance within a three-month period.

Besides the DPA decision, the EDPB directed the Irish DPA to investigate Facebook and Instagram’s data processing activities in regard to special categories of personal data that may be processed by these services. This is, however, inconsistent with the jurisdictional structure laid down by the GDPR, which is why the Irish DPA considered it appropriate to bring an action for annulment before the European Court of Justice. It is therefore not clear whether such an investigation will be conducted.

Our remarks

• When relying on the fulfillment of a contract as a legal basis, ensure that the processing is in fact necessary for the performance of the contract.
  ° The necessity of processing is to be determined by reference to a particular contract. In this case, the Irish DPA took a broad approach to determine what was necessary, based on “the nature of the services provided and agreed upon by the parties”. The DPA then stated that “it seems that the core of the Facebook model is... an advertisement model”. The EDPB, however, argued that the main purpose of the services was to enable their users to communicate with others. Additionally, the EDPB specified that the understanding of necessity should be interpreted in a manner that fully reflects the objective pursued by the GDPR, stating that the draft decision by the Irish DPA posed a risk of potentially legitimizing any collection and reuse of personal data.
• In this case, the combination of factors, such as the asymmetry of the information created by Meta regarding Facebook service users combined with the ‘take it or leave it’ situation that they are faced with, was argued to be systematically disadvantageous for Facebook service users, limiting their control over the processing of their personal data and undermining the exercise of their rights.
  ° When assessing the contract between the controller and data subject, ensure that the contract is not asymmetrical by considering principles relating to processing of personal data in conjunction with the data subject’s actual ability to exercise their rights.

Complycloud EU GDPR Report - Page 93