European Union: Announced Investigation into Meta Ireland's Facebook for GDPR compliance and data processing operations

On 20 August 2018, the Data Protection Commission Ireland (DPC) initiated an investigation into Meta Ireland's Facebook service to determine its compliance with the General Data Protection Regulation (GDPR). The investigation concerned Meta Ireland's legal basis for processing users' personal data related to the Facebook service. Prior to the GDPR, Meta Ireland relied on users' consent to process their personal data, including for behavioural advertising. Before the GDPR came into effect, Meta Ireland updated its Terms of Service and sought to rely on the contract legal basis for most of its processing operations. Users were required to accept the updated Terms of Service to continue using Facebook, which Meta Ireland believed formed a contractual agreement between the user and Meta Ireland. Meta Ireland also believed that processing users' data in connection with the delivery of its services was necessary for the performance of that contract, which included providing personalised services and behavioural advertising. The complainants argued that Meta Ireland was still relying on users' consent to process their personal data and that by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was effectively coercing users to consent to the processing of their personal data for behavioural advertising and other personalised services, which they considered to be a violation of the GDPR.