On 4th January 2023, the Irish Data Protection Commission (herein ‘DPC’) announced the conclusion of two inquiries into the conduct of Meta Ireland. Their delivery of its services through Facebook and Instagram were found to contravene EU Data Protection Legislation (herein ‘DPL’), facing fines of €210 million and €180 million respectively.
The DPC’s decision is the latest among a series of inquiries testing the parameters of the EU General Data Protection Regulation (herein ‘GDPR’). It makes clear the bloc’s policy towards users’ online rights, holding data controllers responsible for their protection.
However, the continued development of the EU’s data protection regime brings with it more pro-found geo-political concerns regarding the growing significance of personal data.
The complaints against Meta Ireland were initiated on 25th May 2018, the date on which the GDPR came into operation. The allegations against Meta Ireland regarded the legal basis of their data processing. In preparation for the GDPR’s introduction, Facebook and Instagram notified their customers that they had changed their legal basis from ‘consent’ to ‘contract’ for most of its services, as provisioned under Article 6(1)(b) of the GDPR:
‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’
In clicking ‘I accept’ to the updated Terms of Service, Meta alleged that the user was entering a contract with the data controller. Declining to do so barred one from accessing the Facebook and Instagram services, as the processing was argued to be ‘necessary’ for their provision.
The protracted proceedings saw the complaints subjected to scrutiny by both the Concerned Supervisory Authorities (herein ‘CPAs’), the DPC’s peer regulators within the EU, and the European Data Protection Broad. In its final decision adopted on 31st December 2022, the DPC concluded that Meta Ireland was not entitled to rely on the ‘contract’ legal basis for data processing. In seeking to rely on this, its services were failing to adhere to both the transparency and fairness principles at the core of the GDPR.
The DPC’s decision will have a far-reaching impact on global data protection regimes. From a bureaucratic viewpoint, the EU has immense regulatory influence, forcing other jurisdictions or multi-national corporations to match their high standards in order to guarantee access to its critical markets. The phenomenon is described by Anu Bradford in her book ‘The Brussels Effect: How the European Union Rules the World’.
Additionally, the DPC’s decision draws attention to an ever-growing trend: the use of personal data as an economic and political commodity. The Meta case illustrates the lengths that social meta platforms go in order to collect and justify their use of personal data for economic gain. However, by global standards, their processing techniques are merely the peak of the iceberg.
Data experts are growing increasingly suspicious of TikTok’s data harvesting techniques, not just for economic gains, but also political. Security experts have warned that the social media network can identify a specific individual through fingerprint technology, ‘voiceprints’, and ‘faceprints’. Profiles are then built through technologies which grants it unprecedented access into users’ phone hardware (including how much disk space is left, apps installed, networks and Wi-Fi access points), and a reading of users’ locations (which can be updated every 30 seconds). TikTok has been described as ‘a data collection service that is thinly-veiled as a social network’ on which its users’ are ‘bleeding data’.
Whilst the direct linkages between TikTok and the Peoples Republic of China (“PRC”) are unconfirmed, the US has recently banned the application on all government devices due to fears that the PRC government may leverage TikTok to access those devices and US user data. The parent company, ByteDance has reassured that its aim to serve a global audience had ensured that they have minimised their relationship with the PRC. Nevertheless, on 22nd December, ByteDance admitted that four of their employees had used the app to carry out surveillance on journalists investigating TikTok’s ties to the Chinese government.
The use of personal data as a political and economic commodity is becoming increasingly evident. The inquiries against Meta’s Instagram and Facebook services, as well as the impending decision regarding WhatsApp, is only the beginning. A TikTok class action lawsuit has been filed in the state of Illinois, with more expected to emerge.
If Anu Bradford’s thesis is correct, the EU’s GDPR could pave the way for a global right to data privacy and protection.
Quintel Intelligence provides services to litigation funders, law firms and multinational organisations examining matters relating to the collection and distribution of personal data.
Global Risk Investigations
92 Albert Embankment
London, SE1 7TY
+44 (0)203 948 1988