Wie die irische Datenschutzbehörde in einer aktuellen Pressemitteilung erklärt, hat sie gegen Meta ein DSGVO-Bußgeld iHv. 390 Mio. EUR verhängt. Die Summe verteilt sich auf 210 Mio EUR bei Facebook und 180 Mio. EUR bei Instagram.
Inhaltlich geht es dabei um die Nutzung der personenbezogenen Daten des Users zu Werbezwecken. Meta hatte sich im Jahr 2018 von der Möglichkeit der Einwilligung verabschiedet und die Nutzung vielmehr als Teil ihrer Leistung in ihren AGB verankert. Dies stuften die Datenschutzbehörden nun als rechtswidrig ein:
"In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. (Under Article 6 of the GDPR, data processing is lawful only if and to the extent that it complies with one of six identified legal bases). Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook’s and Instagram’s services (including behavioural advertising), Meta Ireland now sought to rely on the “contract” legal basis for most (but not all) of its processing operations.
If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click “I accept” to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so).
Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).."
Die Datenschützer bewerten dies als unzulässig:
"Following comprehensive investigations, the DPC prepared draft decisions in which it made a number of findings against Meta Ireland. Notably, it found that:
- 1. In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time.
- 2. In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis."
Die Entscheidung in voller Länge soll erst in einigen Tagen erfolgen.
Das Bußgeld ist nicht rechtskräftig, sondern Meta hat bereits angekündigt, Rechtsmittel einzulegen.