Today, the Irish Data Protection Commission (DPC) has set out its findings on the legal basis that Facebook and Instagram use under GDPR for the purpose of serving behavioural advertisements.
The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area. We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.
There has also been inaccurate speculation and misreporting on what these decisions mean. We want to reassure users and businesses that they can continue to benefit from personalised advertising across the EU through Meta’s platforms.
What is a Legal Basis?
In the EU, an organisation needs a legal basis to process data. Data processing occurs in a variety of situations, such as when data is stored, transferred or aggregated.
GDPR allows for a range of legal bases under which data can be processed. The rules of GDPR are clear: there is no hierarchy between these legal bases – none should be considered better or more legitimate than any other. Which basis is most appropriate to use depends on the specific situation. Like many companies, Meta uses a combination of legal bases to provide various services.
Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service. To date, we have relied on a legal basis called ‘Contractual Necessity’ to show people behavioural advertisements based on their activities on our platforms, subject to their safety and privacy settings. It would be highly unusual for a social media service not to be tailored to the individual user.
Businesses lack regulatory certainty around appropriate Legal Bases
Since GDPR came into force, Meta has relied on Contractual Necessity to process the data needed to provide behavioural advertisements in the EU. We have always been open with regulators and courts about this, and in previous assessments of our services they did not object to the use of Contractual Necessity for this type of activity.
However, following recent engagement with and directions from other regulators across Europe, the DPC has now found that Meta must change its approach regarding the legal basis on which it processes user data for behavioural ads.
It’s important to note that these decisions do not prevent personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.
The decisions also do not mandate the use of Consent – another available legal basis under GDPR – for this processing. Similar businesses use a selection of legal bases to process data and we are assessing a variety of options that will allow us to continue offering a fully personalised service to our users. The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect.
There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time. This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether. That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.
We offer tools to manage your advertising and privacy preferences
We’re continually investing in new technology and processes to allow our community to manage their advertising and privacy preferences. This includes steps to provide more detailed information to people about how their data is used and shared, as well as tools to give people greater control over the information they share. For example:
- New Privacy Shortcuts menu: We created a new Privacy Shortcuts menu where people can control their data in just a few taps, with clearer explanations of how our controls work. This helps point people to our long-standing ad preferences tool, where everyone on Facebook can control what kinds of ads they see and opt out of having certain kinds of data used to inform the ads they see.
- Tools to find, download and delete your data: On top of our Download Your Information tool, we introduced Access Your Information – a secure way for people on Facebook to access and manage their information, such as posts, reactions, comments, and things people searched for. We also launched a feature on Instagram that allows people to bulk delete content they’ve posted, like photos, videos, likes and comments. This is an important way of helping people understand what information they’ve shared on Instagram and what is visible to others, and of giving them an easier way to manage their digital footprint.
- Transparency about ads: For every ad and post on Facebook, people can click on “Why am I seeing this?” – which explains how factors like basic demographic details, interests and website visits contribute to the posts and ads you see.
You can learn more about how to manage and control your privacy experience on our Privacy Center.