Kanzlei Dr. Bahr
Navigation
Kategorie: Onlinerecht

Irische Datenschutzbehörde: 390 Mio. EUR DSGVO-Bußgeld gegen Meta wegen Facebook und Instagram

Wie die irische Datenschutzbehörde in einer aktuellen Pressemitteilung erklärt, hat sie gegen Meta ein DSGVO-Bußgeld iHv. 390 Mio. EUR verhängt. Die Summe verteilt sich auf 210 Mio EUR bei Facebook und 180 Mio. EUR bei Instagram.

Inhaltlich geht es dabei um die Nutzung der personenbezogenen Daten des Users zu Werbezwecken. Meta hatte sich im Jahr 2018 von der Möglichkeit der Einwilligung verabschiedet und die Nutzung vielmehr als Teil ihrer Leistung in ihren AGB verankert. Dies stuften die Datenschutzbehörden nun als rechtswidrig ein:

"In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. (Under Article 6 of the GDPR, data processing is lawful only if and to the extent that it complies with one of six identified legal bases). Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook’s and Instagram’s services (including behavioural advertising), Meta Ireland now sought to rely on the “contract” legal basis for most (but not all) of its processing operations.

If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click “I accept” to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so).

Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).."

  Die Datenschützer bewerten dies als unzulässig:

"Following comprehensive investigations, the DPC prepared draft decisions in which it made a number of findings against Meta Ireland. Notably, it found that:

  • 1. In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time. 
  • 2. In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis."

Die Entscheidung in voller Länge soll erst in einigen Tagen erfolgen. 

Das Bußgeld ist nicht rechtskräftig, sondern Meta hat bereits angekündigt, Rechtsmittel einzulegen.

Rechts-News durch­suchen

02. Dezember 2024
Die Nutzung von Adressdaten eines Kunden für Briefwerbung ist nach der DSGVO grundsätzlich zulässig, solange keine überwiegenden Interessen des…
ganzen Text lesen
19. November 2024
Der BGH hat entschieden, dass ein bloßer Kontrollverlust über persönliche Daten nach der DSGVO einen immateriellen Schaden begründen kann.
ganzen Text lesen
18. November 2024
Die Bereitstellung eines Self-Service-Tools erfüllt den DSGVO-Auskunftsanspruch, wenn Nutzer darüber Zugriff auf ihre Daten erhalten können.
ganzen Text lesen
07. November 2024
Scorewerte wie der SCHUFA-Basisscore gelten als Meinungsäußerungen und unterliegen daher nicht dem DSGVO-Recht auf Berichtigung nach Art. 16 DSGVO.
ganzen Text lesen

Rechts-News durchsuchen