The Irish Data Protection Commission (DPC) has recently announced the outcome of its inquiries into Meta Platforms Ireland Limited. B P Collins’ commercial team urges businesses that process personal data to pay close attention to the findings, otherwise they too may risk a heavy financial penalty.
The DPC has decided to fine Meta Platforms Ireland Limited a total of €390 million (€210 million in relation to breaches by Facebook services and €180 million in relation to Instagram services).
The two inquiries relate to complaints made back in 2018, when GDPR came into force, and demonstrate how long, complex and time-consuming these investigations can be.
Under both EU and UK GDPR, organisations that process personal data have to be clear, open and honest with individuals about how and why they are processing personal data. The DPC found in this case that there was a breach of obligations regarding transparency. Specifically, the legal bases for data processing were not clear and so people could not be sure of the processing activities or why they were being carried out.
This highlights how important it is for businesses that process personal data to have accurate privacy notices that set out exactly what they do with personal data and include (among other things) the following:
- what personal data it is they collect,
- what lawful basis they are relying on,
- what their processing activities are,
- what data protection rights people have and how they can enforce those rights, and
- who the data is shared with and where it is shared.
In order to process data, a business must be able to rely on at least one of the six lawful bases. Here, the DPC found that Meta Platforms Ireland Limited could not rely on ‘contract’ as its lawful basis when it came to behavioural advertising. Therefore, this decision shows that businesses need to be clear on which lawful basis might apply and ensure that they have established the correct lawful bases for each processing activity that they are carrying out.
At B P Collins, we understand how complicated and difficult it can be to ensure compliance with data protection legislation. Our commercial team has a wealth of experience in providing data protection advice and can assist with all of your data protection queries and issues, so please get in touch.