More on children’s data and the importance of selecting the correct lawful basis

Ireland’s Data Protection Commission (DPC) has imposed the second-largest EU GDPR fine ever, €405 million, on Meta’s Instagram for violations concerning the handling of children’s data. The decision is a reminder that a controller relying on the performance of a contract as its lawful basis must be able to demonstrate that the processing is “strictly necessary” for that contract.

Overview

Ireland’s Data Protection Commission (DPC) has submitted a preliminary decision to the other ‘concerned supervisory authorities’ in the EU in respect of an inquiry into TikTok’s processing activities. The inquiry focuses on TikTok’s platform settings: the public-by-default privacy settings for users under the age of 18 and the age verification measures for children under the age of 13. It also examines TikTok’s compliance with the transparency principle as it applies to users under the age of 18.

More significantly, the DPC handed down a €405 million fine against Meta’s Instagram for violations concerning the handling of children’s data. This is the second largest EU GDPR fine ever to be imposed.

The DPC’s final decision reflects the binding decision of the European Data Protection Board (EDPB), which directed changes to some of the positions the DPC had taken in its initial draft decision.

This decision is significant because it marks the first ever binding decision to concern the lawfulness of processing under Article 6 of the GDPR. The EDPB found that Meta's processing of personal data was not necessary for the performance of the contract and was not proportionate to the purpose for which it was being processed.

Why is this significant and what does it mean for me?

The decision against Meta’s Instagram does not directly bind UK data controllers. Its implications are nonetheless relevant even for organisations with no exposure to the EU GDPR: despite Brexit, the EDPB remains a persuasive authority in the field of data protection, even though its findings are no longer binding on the ICO in the UK.

The decision is a stark reminder that any claimed need to process personal data should be interpreted narrowly. Controllers, particularly those providing online services to data subjects, that rely on the performance of a contract as their lawful basis must be ready to demonstrate that the processing is ‘strictly necessary’ for that contract.

The decision echoed the EDPB’s guidelines, which recognise that processing may sometimes be objectively necessary even if it is not specifically mentioned in the contract. Even so, controllers must be able to show that the processing is ‘integral’ to the contract, i.e. in line with its ‘fundamental and mutually understood contractual purpose’. Controllers should also bear in mind that, where there are ‘realistic, less intrusive alternatives, the processing is not necessary’.

In the light of the above, organisations in the UK would benefit from re-assessing their processing activities to check whether the selected lawful basis is appropriate. In some cases, consent or legitimate interests may be the more suitable lawful basis.

Controllers should also remember the importance of conducting a Legitimate Interests Assessment (LIA) before relying on legitimate interests as a lawful basis, and must ensure that those legitimate interests are properly articulated in their privacy notice in order to meet their transparency obligations.

Notably, Meta has recently brought judicial review proceedings before the Irish High Court seeking to overturn the fine, alleging that certain sections of Ireland’s Data Protection Act 2018 are unconstitutional and incompatible with the European Convention on Human Rights. Meta also intends to ask the Court of Justice of the European Union to annul the EDPB’s decision. The company argues, in particular, that the DPC’s decision is unlawful and that the DPC treated the EDPB’s ‘non-binding views’ as binding.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.