In early 2023, the Irish Data Protection Commission ("DPC") published three decisions following inquiries into the data processing operations of Meta Platforms Ireland Limited in respect of its Facebook1 and Instagram Service2 and the processing carried out by WhatsApp Ireland ("WhatsApp")3 (together the "DPC Decisions").

The DPC Decisions call for a higher level of transparency on how individuals' personal data is used. Although they concern social media businesses, the transparency requirements apply to all businesses controlling personal data including investment funds. In this update, we examine the key findings arising from the DPC Decisions relating to the provision of information to individuals.

Providing Information to Data Subjects

Articles 13 and 14 of the General Data Protection Regulation ("GDPR") require controllers to provide specified mandatory information to individuals on how and why their personal data is processed. Transparency is a core data protection principle because if individuals do not know how and why their personal data is processed, they cannot exercise their data protection rights.

WhatsApp, Facebook and Instagram's approaches to providing the specified mandatory information were each found to have infringed their respective transparency obligations under Articles 5(1)(a), 12(a) and 13(1)(c) of GDPR.

DPC Corrective Action

The DPC Decisions ordered each of WhatsApp, Facebook and Instagram to bring its terms of service and data policy into compliance with Articles 12(1) and 13(1)(c).

Facebook, Instagram and WhatsApp were fined €210 million, €180 million and €5.5 million, respectively, for their transparency failures. The WhatsApp fine was relatively low when compared to the Facebook and Instagram fines because WhatsApp had already received a fine of €225 million for transparency breaches in 2021 and the DPC was satisfied that WhatsApp had taken corrective measures to address these past failures.

Although the DPC Decisions are the subject of a number of appeals and challenges, a number of corrective actions have been taken to address the DPC's core findings in relation to the provision of transparency information.

Updating your Data Protection Notice

One of the core findings of the DPC Decisions is that the purpose, processing operation and legal basis in respect of the intended processing must be specifically provided for each category of personal data. Often investment funds' data protection notices list all, or most, of the potential GDPR Article 6 legal bases. The DPC Decisions confirm that this approach is not sufficient. Retail investors, their connected persons and connected persons of institutional investors need to be given more granular information linking each category of personal data with a specific processing purpose, processing operation and legal basis.

Footnotes

1. Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation concerning a complaint directed against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in respect of the Facebook Service dated 31 December 2022. DPC Inquiry Reference: IN-18-5-5 ("DPC Facebook Decision")

2. Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act, 2018 concerning a complaint directed against Meta Platforms Ireland dated 31 December 2022. DPC Inquiry Reference: IN-18-5-7 ("DPC Instagram Decision")

3. Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation concerning WhatsApp Ireland Limited in respect of the WhatsApp Service dated 12 January 2023. DPC Inquiry Reference: IN-18-5-6 ("DPC WhatsApp Decision");

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.