European Union: Announced Investigation into Meta Ireland's Instagram for GDPR compliance and data processing operations

On 20 August 2018, the Data Protection Commission Ireland (DPC) initiated an investigation into Meta Ireland's Instagram service to determine its compliance with the General Data Protection Regulation (GDPR). The investigation concerned Meta Ireland's legal basis for processing users' personal data related to the Instagram service. Before the GDPR, Meta Ireland relied on users' consent to process their personal data, including for behavioural advertising. Before the GDPR came into effect, Meta Ireland updated its Terms of Service and sought to rely on the contract legal basis for most of its processing operations. Users were required to accept the updated Terms of Service to continue using Instagram, which Meta Ireland believed formed a contractual agreement between the user and Meta Ireland. Meta Ireland also believed that the processing of users' data in connection with the delivery of its services was necessary for the performance of that contract, which included providing personalised services and behavioural advertising. The complainants argued that Meta Ireland was still relying on users' consent to process their personal data and that by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was effectively coercing users to consent to the processing of their personal data for behavioural advertising and other personalised services, which they considered to be a violation of the GDPR.