Irish DPA did not investigate Facebook with “due diligence”

17. January 2023

On January 12th, 2023, the European Data Protection Board (EDPB) issued a decision criticizing the Irish Data Protection Commissioner’s attempt to narrow the scope of an investigation in Facebook’s (a part of American tech giant Meta Inc.).

Furthermore, the EDPB found that the Commissioner had ignored a key element arising from a complaint filed in Austria in 2018: Meta Inc. had adapted its terms and conditions to the new GDPR rules in order to be compliant with the European regulation. This resulted in user consent becoming a requirement for continued use of the service.

The complaint argued that this could amount to forced consent. However, the Data Protection Commissioner disagreed and stated that the tech company can rely on the argument that it is fulfilling a contract with its users to provide personalized ads, although breaching transparency obligations.

The EDPB ordered the Commission to reverse its legal position on Meta Inc.’s data collection and processing as its contractual basis for data collection breached EU law.

Furthermore, the EDPB stated that the Irish Data Protection Commission failed to clearly establish the legal basis of data collection generally, and also failed to investigate specific concerns in the matter of sensitive information.