EDPB - Décision contraignante n° 02/2022 adoptée le 28 juillet 2022 concernant l’Irlande et la société META PLATFORMS IRELAND LIMITED (INSTAGRAM)

Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR

Adopted on 28 July 2022

The European Data Protection Board

Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “GDPR”)^[1],

Having regard to the European Economic Area (hereinafter, “EEA”) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018^[2],

Having regard to Article 11 and Article 22 of its Rules of Procedure (hereinafter, “EDPB RoP”)^[3],

Whereas:

(1) The main role of the European Data Protection Board (hereinafter, “EDPB”) is to ensure the consistent application of the GDPR throughout the EEA. To that effect, it follows from Article 60 GDPR that the lead supervisory authority (hereinafter, “LSA”) shall cooperate with the other supervisory authorities concerned (hereinafter, “CSAs”) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other CSAs. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.

(2) Where any of the CSAs expressed a reasoned and relevant objection on the draft decision in accordance with Article 4(24) GDPR and Article 60(4) GDPR and the LSA does not intend to follow the relevant and reasoned objection or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR.

(3) In accordance with Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.

(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) EDPB RoP, within one month after the Chair of the EDPB and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject-matter upon decision of the Chair of the EDPB on own initiative or at the request of at least one third of the members of the EDPB.

(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members.

(6) In accordance with Article 11(6) EDPB RoP, only the English text of the decision is authentic as it is the language of the EDPB adoption procedure.

HAS ADOPTED THE FOLLOWING BINDING DECISION

1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. This Binding Decision concerns the dispute arisen following a draft decision (hereinafter, “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this document as the “LSA”) and the subsequent objections expressed by several CSAs, namely the German supervisory authority for Hamburg (“Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”) representing the views of itself and the other German supervisory authorities, including the German supervisory authority for Berlin (“Der Berliner Beauftragte für Datenschutz und Informationsfreiheit”), the German supervisory authority for Bremen (“Der Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen”) and the German supervisory authority for North Rhein-Westphalia (“Der Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen”), hereinafter referred to collectively as the “DE SAs”; the Finnish supervisory authority (“Tietosuojavaltuutetun toimisto”), hereinafter the “FI SA”; the French supervisory authority (“Commission Nationale de l’Informatique et des Libertés”), hereinafter the “FR SA”; the Italian supervisory authority (“Garante per la protezione dei dati personali”), hereinafter the “IT SA”; the Dutch supervisory authority (“Autoriteit Persoonsgegevens”), hereinafter the “NL SA”; and the Norwegian supervisory authority (“Datatilsynet”), hereinafter the “NO SA”.

2. The Draft Decision related to an “own-volition inquiry” which was commenced by the IE SA on 21 September 2020 regarding processing activities of Facebook Ireland Limited, a company established in Dublin, Ireland. The company has subsequently changed its name to “Meta Platforms Ireland Limited” and hereinafter it is referred to as “Meta IE”. Any reference to Meta IE in this Binding Decision means a reference to either Facebook Ireland Limited or Meta Platforms Ireland Limited, as appropriate.

3. The Draft Decision concerned Meta IE’s compliance with Article 5(1)(a) and (c), Article 6(1), Article 12(1), Articles 13, 24, 25 and 35 GDPR in respect of certain processing of child users^[4] personal data in the context of the “Instagram” social media networking service (hereinafter, “Instagram”). In particular, it concerned the personal data processing by Meta IE in relation to public disclosure of email addresses and/or phone numbers of child users of the Instagram business account feature and a public-by-default setting for personal accounts of child users on Instagram.

4. The IE SA stated in its Draft Decision that it was satisfied that the IE SA is the LSA, within the meaning of the GDPR, for Meta IE, as controller in respect of the cross-border processing of personal data in the context of the Instagram service^[5].

5. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism:

21 September 2020

The IE SA commenced the inquiry and requested information from Meta IE. The scope and legal basis of the inquiry were set out in the Notice of Commencement of the inquiry that was sent to Meta IE on 21 September

2020. The temporary scope of the inquiry was set to cover a period between 25 May 2018 and 21 September

2020. On 27 October 2020, Meta IE provided replies to preliminary queries by the IE SA.

27 November 2020

The IE SA provided Meta IE with a Statement of Issues, where it set out the factual summary of relevant issues and described the matters for determination under the GDPR. On 10 December 2020, Meta IE made submissions in response to the Statement of Issues and on 29 January 2021, provided the IE SA with an updated Legitimate Interest Assessment.

11 June 2021

The IE SA issued a Preliminary Draft Decision against Meta IE regarding its processing activities within the scope of the inquiry (“Preliminary Draft Decision”). The IE SA invited Meta IE to make submissions on the Preliminary Draft Decision.

August-September 2021

On 9 August 2021, Meta IE provided its submissions on the Preliminary Draft Decision to the IE SA (“Meta IE Preliminary Draft Submissions”). On 16 August 2021 Meta IE provided to the IE SA an additional expert report. On a separate request from the IE SA, on 23 September 2021 Meta IE provided additional submissions regarding Article 83(3) GDPR (“Meta IE Submissions on Article 83(3) GDPR”).

December 2021

On 3 December 2021, the IE SA shared its Draft Decision with the CSAs in accordance with Article 60(3) GDPR. Several CSAs (DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA) raised objections in accordance with Article 60(4) GDPR. Several comments were also exchanged.

21 January 2022

The IE SA issued a Composite Response setting out its compromise proposals (“Composite Response”) and shared it with the CSAs. The IE SA requested the relevant CSAs to provide an indication of whether the IE SA’s compromise proposals could be satisfactory for the CSAs as a possible way forward.

February 2022 In light of the proposals in the Composite Response, further exchanges took place between the IE SA and the CSAs. During the exchanges, several CSAs confirmed to the IE SA that its compromise proposals were not sufficient and they intended to maintain their objections.

On 25 February 2021 Meta IE was invited to exercise its right to be heard in respect of all the material that the IE SA proposed to refer to the EDPB and on 6 April 2022 Meta IE provided its submissions (“Meta IE Article 65 Submissions”).

13 May 2022 The IE SA referred the matter to the EDPB in accordance with Article 60(4) GDPR, thereby initiating the dispute resolution procedure under Article 65(1)(a) GDPR.

6. Following the submission by the IE SA of this matter to the EDPB in accordance with Article 60(4) GDPR in the Internal Market Information system (hereinafter, “IMI”)^[6] on 13 May 2022, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair of the EDPB in line with Article 11(2) EDPB RoP.

7. The EDPB Secretariat contacted the IE SA on 20 May 2022, asking for information and additional documents to be submitted in the IMI. The IE SA provided the information and documents on 24 May 2022.

8. A matter of particular importance that was scrutinized by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the EU Charter of Fundamental Rights. Further details on this are provided in Section 2 of this Binding Decision.

9. On 1 June 2022, after the IE SA and the Chair of the EDPB confirmed the completeness of the file, the EDPB Secretariat circulated the file to the EDPB members.

10. The Chair of the EDPB decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) EDPB RoP, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter.

2 THE RIGHT TO GOOD ADMINISTRATION

11. The EDPB is subject to the EU Charter of Fundamental Rights, in particular Article 41 (the right to good administration). This is also reflected in Article 11(1) EDPB RoP.

12. The EDPB’s decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address directly any third party. However, as a precautionary measure to address the possible need for the EDPB to offer the right to be heard at the EDPB level to Meta IE^[7], the EDPB assessed if Meta IE was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and the subject matter of the dispute to be resolved by the EDPB, and in particular if all the documents containing the matters of facts and law received and used by the EDPB to take its decision in this procedure have already been shared previously with Meta IE.

13. The EDPB notes that Meta IE has received the opportunity to exercise its right to be heard regarding all the documents containing the matters of facts and of law considered by the EDPB in the context of this decision and provided its written observations^[8], which have been shared with the EDPB by the LSA^[9].

14. Considering that Meta IE has been already heard by the IE SA on all matters of facts and of law addressed by the EDPB in its decision, the EDPB is satisfied that the Article 41 of the EU Charter of Fundamental Rights has been respected.

15. The general conditions for the adoption of a binding decision by the EDPB are set forth in Article 60(4) and Article 65(1)(a) GDPR^[10].

16. The EDPB notes that several CSAs (DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA) raised objections to the Draft Decision via IMI in accordance with Article 60(4) GDPR. Each of the objections was submitted within the deadline provided by Article 60(4) GDPR.

17. The Portuguese supervisory authority (“Comissão Nacional de Proteção de Dados”) and the Danish supervisory authority (“Datatilsynet”) provided comments on the Draft Decision. As these comments are not objections within the meaning of Article 4(24) GDPR, they cannot trigger the dispute resolution mechanism of Article 65(1)(a) GDPR and therefore are not part of the scope of this Binding Decision^[11].

18. According to the IE SA, the responses received from the CSAs in relation to the Composite Response showed that there was no single proposed compromise that was agreeable to all of the relevant CSAs. In accordance with Article 60(4) GDPR, the IE SA submitted the matter to the consistency mechanism for dispute resolution by the EDPB pursuant to Article 65(1)(a) GDPR. The IE SA clarified in its Letter to the EDPB Secretariat concerning the Article 65 GDPR referral of the dispute to the EDPB that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned^[12].

19. As a preliminary remark, the EDPB takes note of the views of Meta IE that an escalation by the IE SA to the EDPB was premature and that the Article 60 GDPR process had not been fully exhausted in the present case^[13]. The EDPB however finds that the case at issue fulfils, prima facie, all the elements listed in Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA within the deadline provided by Article 60(4) GDPR, and the LSA has not followed objections or rejected them as not relevant or reasoned.

20. The EDPB further takes note of Meta IE’s position that the current Article 65 GDPR dispute resolution should be suspended due to pending preliminary ruling proceedings before the Court of Justice of the EU (hereinafter, “CJEU”) in Case C-252/21^[14]. In addition, on 17 May 2022, Meta IE sent a letter to the EDPB^[15], in which Meta IE further asked for stay of proceedings before the EDPB in the procedure at issue in light of pending CJEU cases: C-446/21^[16] and C-252/21^[17]. Following its assessment, the EDPB considers that the scope of the dispute to be resolved by the EDPB in the present procedure does not overlap with the scope of the aforementioned pending preliminary ruling proceedings, given the different processing operations at stake. Therefore, the EDPB does not need to evaluate further the possibility to stay its proceedings on this Article 65 GDPR dispute resolution pending the determination of the preliminary rulings by the CJEU.

21. Considering the above, in particular that the conditions of Article 65(1)(a) GDPR are met, the EDPB is competent to adopt a binding decision, which shall concern all the matters which are the subject of the relevant and reasoned objections, i.e. whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR^[18].

22. The EDPB recalls that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

23. For each of the objections raised, the EDPB assesses first whether they are to be considered as “relevant and reasoned” within the meaning of Article 4(24) GDPR as clarified in the EDPB Guidelines on the concept of a relevant and reasoned objection^[19].

24. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by that objection in this specific case^[20]. The EDPB will analyse the merits of the substantial issues raised by all objections it deems to be “relevant and reasoned”.

25. In 2016, a new type of Instagram account was introduced, called a “business account”. Instagram users who switched from a “personal account” to a “business account” were shown additional information about their profile and followers. Until September 2019, users, including child users, who switched to a “business account” were required to display additional public-facing contact details in the form of an email address and/or a phone number (hereinafter, “contact information”), which were published on the user’s profile^[21]. On 4 September 2019 Meta IE removed the mandatory requirement to publicly display the contact information^[22].

26. In its Draft Decision, the IE SA considered whether Meta IE could rely alternatively on Articles 6(1)(b) and 6(1)(f) GDPR as legal bases for the public disclosure of the contact information of child users of Instagram business accounts (hereinafter, “contact information processing”). In particular, the IE SA found that the following processing operations by Meta IE were concerned^[23]:

(1) Meta IE permitted child users of Instagram to switch from personal accounts to business accounts.

(2) Until 4 September 2019, when switching to a business account, child users were presented with an option screen (titled “Review Your Contact Info”) as part of the switching process. This screen was automatically populated with the user’s information, as obtained by Meta IE at the time of user registration, which the user had the opportunity to modify. In order to complete the business account switching process, the user was required to supply either an email address or a phone number. Users who had private Instagram accounts were prompted to switch to a public account as part of the account switching process.

(3) As of 4 September 2019, when switching to a business account child users were presented with a revised option screen (still titled “Review Your Contact Info”) automatically populated with the user’s information obtained at the time of registration. At this stage, users could either modify their contact details or opt not to provide contact information by pressing the “Don’t use my contact info” button at the bottom of the page.

(4) Where a child user associated an email address and/or phone number with a business account (whether as a mandatory requirement of switching prior to September 2019, or on an optional basis after September 2019), this phone number and/or email address were published on the user’s Instagram profile page, in the form of a “contact button”.

(5) Email addresses and/or phone numbers made public in the context of Instagram business accounts are not encrypted, and are visible as plain text.

(6) Email addresses and/or phone numbers made public in the context of Instagram business accounts are visible to registered Instagram users on the Instagram mobile application.

(7) Additionally, prior to March 2019, email addresses and/or phone numbers associated with Instagram business accounts were visible (including to persons not registered as Instagram users) as plain text in the HTML source code of the web-browser version of Instagram profile pages; and

(8) For a period between August 2020 and November 2020, email addresses associated with Instagram business accounts were visible (including to persons not registered as Instagram users) as plain text in the HTML source code of the web-browser version of Instagram profile pages.

27. The IE SA found that by registering for a personal Instagram account, a data subject agreed to the Instagram Terms of Use^[24]. Section 1 of the Instagram Terms of Use (titled the “The Instagram Service”) listed nine service areas stating^[25]:

“…[t]he [Instagram] Service is made up of the following aspects (the Service):

Offering personalized opportunities to create, connect, communicate, discover, and share. People are different. We want to strengthen your relationships through shared experiences you actually care about. So we build systems that try to understand who and what you and others care about, and use that information to help you create, find, join, and share in experiences that matter to you. Part of that is highlighting content, features, offers, and accounts you might be interested in, and offering ways for you to experience Instagram, based on things you and others do on and off Instagram.”

28. In the light of Meta IE’s submissions, the IE SA found in the Draft Decision that Meta IE relied on Article 6(1)(b) GDPR for the contact information processing only to the extent that a child user had capacity to enter into an enforceable contract under the applicable Member State law^[26]. Meta IE relied on Article 6(1)(f) GDPR as an alternative legal basis with regard to child users who did not have capacity under the applicable Member State law to enter into a contract with Meta IE^[27].

29. When assessing Meta IE’s reliance on Article 6(1)(b) GDPR for the contact information processing, the IE SA first observed that, as explained above, a data subject agreed to the Instagram Terms of Use, when registering for a personal Instagram account and referred to Section 1 of the Instagram Terms of Use^[28]. The IE SA considered that Article 6(1)(b) GDPR does not require the inclusion of express contractual provisions pertaining to processing in order to provide a legal basis and it is sufficient that processing is necessary for the performance of a contract with the data subject^[29]. The Draft Decision further stated that “the publication of contact information in the context of business accounts may be regarded as necessary processing for the purpose of Article 6(1)(b) GDPR”^[30]. The Draft Decision found that “the contact information processing could be necessary for the performance of [Meta IE’s] Terms of Service with its users” and that no infringement by Meta IE occurred “to the extent that it relied on Article 6(1)(b) GDPR as a legal basis for processing personal data of certain child users”^[31].

30. When assessing Meta IE’s reliance on Article 6(1)(f) GDPR for the contact information processing relating to child users unable to enter into an enforceable contract, the IE SA first noted that “the processing meets the requirements of Article 6(1)(f) to the extent that the interests pursued in connection with the contact information processing are legitimate interests of [Meta IE] and other Instagram users, insofar that publication of contact details to the public may be a reasonable and lawful mode by which to promote a professional undertaking or other public initiative”^[32]. With regard to the necessity of the contact information processing for the purpose of the legitimate interests pursued, the Draft Decision stated that: “such processing may have been, to an extent, a reasonable means for Instagram users to publish off-platform contact details in some circumstances. In particular, such processing could be regarded as necessary for those business account users who wished to be publicly contactable by email or phone in connection with their professional activities”^[33].

31. Regarding the balancing test, the IE SA concluded in the Draft Decision that: “in some circumstances, where the contact information processing occurred in the context of the well-considered professional activities, it is possible that the legitimate interests at issue would not be overridden by the interests or fundamental rights and freedoms of the child user”^[34]. The IE SA further concluded that the contact information processing could be lawful on the basis of Article 6(1)(f) GDPR “in respect of some of the child users at issue” and therefore no infringement by Meta IE occurred “to the extent that it relied on Article 6(1)(f) GDPR as a legal basis for processing personal data of certain child users”^[35].

32. The DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA raised objections regarding the conclusions by the LSA in the Draft Decision that no infringement occurred to the extent Meta IE relied on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing.

33. The NL SA first considered that reliance on Article 6(1)(b) GDPR required clarity on what purposes were to be regarded in the context of the assessment and a valid contract between the controller and the data subject^[36]. The NL SA considered that it is a legal requirement for the IE SA to establish “what the contract is and whether that contract is suitable to serve as a legal basis under Article 6(1)(b) GDPR”^[37]. Considering the serious lack of transparency on behalf of the controller established by the IE SA in the Draft Decision, the NL SA had a reasonable doubt as to whether data subjects had indeed been able to enter into a contract with the Meta IE both willingly and sufficiently informed. Therefore, the NL SA questioned whether such valid contract existed between Meta IE and the data subjects in the case at hand^[38]. Second, the NL SA questioned whether the data processing activities in question were actually necessary for the performance of the contract^[39]. The NL SA stressed that the Draft Decision of the IE SA did not address the question of whether Meta IE made the assessment regarding necessity and if any such assessment met the strict necessity standard that reliance on this legal basis requires^[40]. According to the NL SA, other evidence in the Draft Decision, in particular referred to in the last sentence of paragraph 115 of the Draft Decision, as well as the IE SA’s assessment of the data minimisation, indicated that the necessity criterion of Article 6(1)(b) GDPR would actually not be met in this case^[41].

34. The NL SA stated that the contact information processing also did not fulfil the requirements of Article 6(1)(f) GDPR^[42]. Concerning the requirement of the pursued interest being legitimate, the NL SA observed that the Draft Decision did not include an assessment on why the interest pursued by Meta IE were sufficiently clarified and precise or exactly whose interests were pursued^[43]. The NL SA further noted that the IE SA left unassessed if the interests were lawful^[44] and real and present^[45]. Regarding the requirement of necessity of the processing, the NL SA stated that IE SA did not clearly express why there was a link between the processing and interests pursued. Rather, the NL SA was of the view that the IE SA’s statement that the processing may have been a reasonable means to achieve the publication of off-platform contact details was circular reasoning^[46]. In addition, according to the NL SA, in the Draft Decision the IE SA did not appropriately consider whether any other means to achieve the objectives were available to the controller. In particular, the fact that as from 4 September 2019 it was no longer mandatory to publish the contact information of child users indicated that it was likely that there were less intrusive means available for the controller to reach its objective^[47]. Furthermore, according to the NL SA, by using phrases like “in some circumstances” and “it is possible that” in the Draft Decision, the IE SA only addressed those particular situations and possibilities^[48]. Such a wording led to the Draft Decision not addressing questions relating to the necessity of contact information processing in other situations, such as where child users did not wish to be publicly contactable by email or phone in connection to their professional activities^[49]. According to the NL SA, in the context of the balancing of interests, the wording of the Draft Decision suggested that only in those situations where the users were well-informed or digitally literate children who used Instagram for well- considered professional activities, the legitimate interests pursued would not be overridden by the interests or fundamental rights of those children. Leading from this, the NL SA suggested that the IE SA had acknowledged that in other situations, the interests of the data subjects could override the interests of Meta IE. However, such situations were not addressed in the Draft Decision^[50]. The NL SA also argued that without analysing and concluding how evident the legitimate interest pursued was and if Meta IE’s assessment of the impact of the processing on the data subjects’ interests or fundamental rights and freedoms was appropriate, the IE SA could not have concluded that the interests of Meta IE were not overridden by the interests or fundamental rights and freedoms of the data subjects^[51].

35. Further, the NL SA asked the LSA to take appropriate corrective measures to address the infringement and, moreover, the compliance order to the controller, as described in paragraph 627 of the Draft Decision, should include the obligation to remedy the breach of Article 6 GDPR^[52]. Finally, the NL SA stated that the Draft Decision, if unchanged, would lower the lawfulness threshold for processing and undermine the protection of personal data of individuals that enter into contracts that entail processing of personal data; it would also deprive data subjects of the protection mechanisms envisaged in the GDPR and posed the risk that the choice, agency and protection of data subjects – particularly children – is undermined^[53].

***

36. The DE SAs stated that the prerequisites for relying on Article 6(1)(b) GDPR were not fulfilled in the present case. First, based on the information delivered by the IE SA, no sufficient proof of a valid contract between Meta IE and the child users was provided, although a valid contract is a prerequisite for controllers to rely on Article 6(1)(b) GDPR as made clear in the EDPB Guidelines 2/2019^[54]. The IE SA should also have examined or at least obtained an explanation of the validity of the contract on which the controller relies^[55]. Moreover, according to the DE SAs, if the controller did not clearly communicate in a transparent manner that the publication of the contact information would be based on a contract (as observed in Findings 1 and 2 of the Draft Decision), then no contract with this content could come into existence for which the particular processing could be based on Article 6(1)(b) GDPR^[56]. Regarding necessity, the DE SAs did not agree with the LSA’s analysis in the Draft Decision and stated that Article 6(1)(b) GDPR can only be used to legitimise data processing that constitutes an essential element of the contract^[57]. Accordingly, only the data processing that was actually necessary for the corresponding contractual purpose – the operation of an Instagram business account – can be justified on the basis of Article 6(1)(b) GDPR. In this respect, according to the DE SAs, it was not comprehensible, nor explained by Meta IE, why a publication of contact data in plain text or the use of this data for the HTML source text should be necessary for the operation of such an account. The DE SAs considered that such necessity did not exist in the present case^[58].

37. The DE SAs stated that the contact information processing did not fulfil the requirements of Article 6(1)(f) GDPR. Firstly, according to the DE SAs, the interest pursued by Meta IE was not legitimate. More precisely, the DE SAs argued that promoting a professional business or other public initiative could not be a legitimate interest of Meta IE as the business-holders, being children, could not express their legally binding commitment to the terms of use of Instagram. According to the DE SAs, treating children as professional undertakings in circumstances where national contract law protects children by requiring parental consent would undermine the protection of children^[59]. Secondly, the DE SAs argued that the processing did not fulfil the requirement of necessity in relation to the pursued interest. Here, the DE SAs based its view on the same arguments provided in the context of Article 6(1)(b) GDPR, as referred in the preceding paragraph. In addition, the DE SAs observed that Meta IE later changed its practice to no longer require the publication of the contact information of business accounts. Thirdly, the DE SAs stated that the balancing of interests should be based on the protection of child users in general rather than the specific technical and economic abilities of each child user. According to the DE SAs, based on their mental vulnerability, the protection of children should prevail over the interests referred by Meta IE^[60].

38. Finally, the DE SAs considered that the Draft Decision posed a significant risk for the fundamental rights and freedoms of child users of Instagram and other data subjects. In particular, since it would result in the data subjects having no control over their personal data, the LSA’s wide understanding of Articles 6(1)(b) and (f) GDPR would generally render ineffective the protection afforded by the GDPR and Article 8 of the EU Charter of Fundamental Rights, and would undermine effective enforcement of the GDPR, which is a precondition for guaranteeing the fundamental rights and freedoms of the data subjects^[61].

***

39. The IT SA stated that with respect to Article 6(1)(b) GDPR the assessment of whether a certain processing activity is necessary should be factually based on the purposes of the service being offered and the data subject should be made aware of those purposes through the appropriate information. In the case at hand, very high level information on the purposes of the processing was available and the arrangements to inform users, especially underage users, were all but unambiguous^[62]. According to the IT SA, Meta IE failed to demonstrate the necessity of the processing. The subsequent change, when the publication became optional, proved that the processing was not necessary. The publication of data at large in the HTML page source code in the web-based version of Instagram could hardly be regarded as necessary^[63]. The IT SA also observed that Meta IE’s Privacy Policy available in Italy showed no reference to the applicable national law, making it accordingly impossible to understand on which legal basis it relied to legitimise the processing of data relating to child users for opening and managing business accounts^[64].

40. The IT SA pointed out that with respect to Article 6(1)(f) GDPR the IE SA drew conclusions only on digitally skilful child users. Furthermore, the IT SA stated that the balancing exercise as required under Article 6(1)(f) GDPR was flawed^[65]. In this context, the IT SA noted the conflict between Meta IE’s claims that the risks which child users were exposed to by the contact information processing were potential rather than actual and that appropriate safeguards had been adopted, and the IE SA’s finding that Meta IE had not implemented appropriate security measures and therefore infringed Articles 24 and 25 GDPR. Moreover, the IT SA observed that Meta IE chose not to carry out a data protection impact assessment, which indicated a flawed risk assessment. According to the IT SA, the inaccurate risk evaluation undermined the balancing of interests and left the arguments of the IE SA without substance but instead with inconsistencies^[66]. Furthermore, the IT SA stated that, where national contract law prevented child users to conclude contracts due to their incapacity to fully understand the consequences thereof, it was unlikely that a balancing test could result in the interests of the controller overriding the protection of the rights and freedoms of child users^[67].

41. Further, the IT SA asked the LSA to amend the Draft Decision “in respect of the action envisaged in relation to the controller. In particular, the amount of the administrative fine should be re-calculated by having regard to the criteria set out in Article 83(2) GDPR”^[68]. Finally, the IT SA stated that, if left unchanged, the Draft Decision would result in a risk to the fundamental rights and freedoms of data subjects, because there would be no effective deterrence for the infringement of data subjects’ rights and the approach adopted by the LSA regarding the legal bases would jeopardise the data subjects’ rights in general, as it may be construed as an endorsement of the controller’s approach to the processing of child users’ personal data^[69].

***

42. The FI SA stated that in order to rely on Article 6(1)(b) GDPR there needed to be a valid contract between the controller and the data subjects but the Draft Decision left this issue unsettled. Furthermore, according to the FI SA, the Instagram Terms of Use or the Data Policy were not provided in a particularly clear and plain language that would allow a child to sufficiently understand and be genuinely informed in order to enter into a contract, also considering the severe issues identified by the Draft Decision concerning the controller’s failure to meet the transparency requirements^[70]. In addition, the FI SA raised the potential issues of children being considered as a legitimate party of a contract in the context of Article 6(1)(b) GDPR, and considered that, in any case, the assessment on whether the requirements of Article 6(1)(b) GDPR have been met should be made particularly thoroughly^[71]. Regarding whether the processing was necessary, the FI SA considered that the processing cannot be regarded as necessary for the purpose of Article 6(1)(b) GDPR, when it was found that the same processing breached the necessity requirement set by Article 5(1)(c) GDPR. Finally, the FI SA questioned whether the publication of the contact information could be seen as necessary at all given that it was no longer mandatory^[72].

43. The FI SA objected to the conclusion in the Draft Decision regarding Article 6(1)(f) GDPR and stated that the assessment of the legitimate interest pursued was insufficient. According to the FI SA, the IE SA did not adequately assess and reason the legitimate interests of the controller or a third party^[73]. Neither did the IE SA assess if such interests were expressed in a sufficiently clear and precise manner. The FI SA argued that the IE SA did not substantiate the particular extent to and circumstances under which the processing was necessary to protect the legitimate interests and expressed that certain processing operations did not fulfil the necessity requirement^[74]. In addition, the FI SA found that the IE SA did not correctly assess the balancing of the legitimate interests and the rights of data subjects. For example, according to the FI SA, the IE SA left unclear in which circumstances it was possible that the legitimate interests would not be overridden by the interests and rights of the data subjects, in particular when they were children and considering the related risks as identified in other parts of the Draft Decision^[75]. Also, the FI SA stated that as the IE SA found infringements of the transparency obligations under Article 5(1)(a) and Article 12 GDPR, most likely the data subjects could not upon the collection of their personal data had reasonably expected that their contact information would be published^[76].

44. Further, the FI SA considered that the conclusions in the Draft Decision led to a considerable risk for the rights and freedoms of data subjects, in particular, as the publication of contact information resulted in risks to child users and the approach regarding legal bases adopted in the present case would undermine the level of protection afforded to them, also in other similar situations^[77]. Finally, the FI SA requested to take “appropriate corrective measures” to address the infringements^[78].

***

45. The FR SA noted a contradiction in the Draft Decision insofar as the LSA considered that the display of contact information was necessary for the performance of the contract under Article 6(1)(b) GDPR and yet, the LSA found that such display violated the principle of data minimisation. In the FR SA’s view, the mandatory display of contact information was not necessary for the performance of the contract, for the reasons set out by the IE SA in paragraphs 221 to 456 of the Draft Decision and the IE SA did not fully draw the conclusions from its own analyses and positions^[79]. Also, according to the FR SA, the fact that Meta IE itself changed its position on the mandatory nature of the display of contact details as of September 2019 proved that it was not essential in the context of business accounts^[80]. The FR SA further observed that in the absence of clear information given to the user on the terms of contract, the specific contract can hardly be viewed as valid and in this respect the IE SA failed to draw conclusions from its own analysis^[81]. With regard to Article 6(1)(f) GDPR, the FR SA observed the contradiction between the IE SA’s findings that, on the one hand, the contact information processing may have been necessary for business account holders and, on the other hand, that such processing went beyond what was necessary and thereby did not satisfy the data minimisation principle^[82]. The FR SA noted that certain risks identified by the IE SA, such as harassment and child grooming, were not appropriately taken into account in the balancing test under Article 6(1)(f) GDPR. According to the FR SA, if such risks had been considered, the rights and freedoms of the child users would have prevailed over the interests of the controller^[83]. Moreover, the FR SA stated that the balancing of interest also should have included the finding of the IE SA that Meta IE had not informed its child users of the contact information processing in an appropriate manner^[84]. In the view of the FR SA, such lack of information deprived the child users of control over their personal data and, therefore, was likely to lead to the child users’ interests prevailing over those of the controller^[85]. Finally, the FR SA noted that the use of legitimate interest as a basis for processing offered less protection to child users compared to processing based on a contractual obligation. Therefore, according to the FR SA, basing the processing on legitimate interest deprived the child users of protection in the Member States where national contract law did not allow the legal basis of contract to be used in such context^[86]. As a consequence, the FR SA asked the LSA to observe a breach of Article 6 GDPR, impose an administrative fine for this additional breach and order Meta IE to comply within three months^[87]. Finally, the FR SA stated that the Draft Decision posed risks to the fundamental rights and freedoms of the persons concerned, as the approach suggested by the LSA regarding the legal bases in the present case would significantly reduce the protection that minors should merit regarding their data and expose them to an increased risk of harassment and grooming^[88]. In addition, it would create a precedent for other organisations and would therefore impact other similar cases^[89].

***

46. The NO SA first considered that the LSA’s findings and assessment in the Draft Decision logically led to the conclusion that the requirement of necessity under Article 6(1)(b) and (f) GDPR was not met^[90]. The NO SA noted that the LSA found that Meta IE carried out processing beyond what was necessary for the purposes of the processing and identified considerable risks for child users^[91]. Based on these findings, the NO SA concluded that Meta IE did not fulfil the necessity requirement under Article 6(1)(b) and (f) GDPR and suggested that the LSA should have carried out a corresponding legal analysis on the processing in the context of Article 6(1)(b) and (f) GDPR^[92].

47. Specifically concerning Article 6(1)(b) GDPR, the NO SA referred to the EDPB Guidelines 2/2019^[93] stating that, when processing is based on Article 6(1)(b) GDPR, the controller must assess what is necessary to fulfil the fundamental and mutually agreed contractual purpose. The NO SA noted that the LSA found in its Draft Decision that the processing violated Article 5(1)(c) GDPR. Therefore, the NO SA considered that the same processing could not be necessary for the fundamental and mutually agreed contractual purpose^[94]. The NO SA also considered that since, according to the LSA, the contact information processing went beyond what was necessary for the specific purpose of processing under Article 5(1)(c) GDPR, the processing also must have gone beyond what was necessary for the performance of the contract^[95]. Specifically concerning Article 6(1)(f) GDPR, the NO SA stated that the balancing test could not be fulfilled for child users^[96]. More specifically, the NO SA noted, first, that the legitimate interests pursued by Meta IE were not specified in the Draft Decision. Secondly, Meta IE did not demonstrate that the contact information processing was necessary for the purposes of the legitimate interests pursued. Thirdly, the NO SA also considered that since, according to the LSA, the contact information processing went beyond what was necessary for the specific purpose of processing under Article 5(1)(c) GDPR, the processing also must have gone beyond what was necessary for the legitimate interests pursued^[97].

48. Finally, the NO SA asked the LSA to conclude that the legal bases under Article 6(1)(b) and (f) GDPR were not applicable for the contact information processing and to exercise the following corrective powers under Article 58(2) GDPR: (1) to order the controller to identify a valid legal basis for the processing in question, or from now on abstain from such processing activities; and (2) to impose an administrative fine for unlawfully processing personal data, erroneously relying on Article 6(1)(b) and (f) GDPR^[98]. The NO SA further stated that an administrative fine of a substantial amount should be imposed to ensure effectiveness and dissuasiveness under Article 83(1) and (2) GDPR for the unlawful processing of personal data, considering the nature and gravity of the infringement, as well as the number of data subject affected and the damage suffered^[99]. Finally, according to the NO SA, if left unchanged in this respect, the Draft Decision would pose significant risks to the protection of data subjects’ rights. In particular, the NO SA argued that by allowing the processing of personal data without a legal basis, the Draft Decision would violate the data subject’s fundamental right to data protection and would set a dangerous precedent^[100]. In addition, the NO SA stated that, if a fine is not imposed for the infringements, the rights of the data subjects would not be effectively safeguarded, thus creating an incentive for the controller and other companies to continue or engage in such violations^[101].

49. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned^[102]. Regarding the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA concerning Meta IE’s compliance with Article 6(1)(b) and (f) GDPR in relation to the contact information processing, the IE SA further stated that these objections constituted “relevant and reasoned” objections. However, with respect to “the corrective action element” in the FI SA, FR SA, IT SA and NL SA objections, the IE SA considered that it was not adequately rationalised and the significance of the risks for the rights and freedoms of data subjects was not addressed^[103]. Regarding the NO SA objection requiring to reassess the administrative fine taking into account the potential additional infringement, the IE SA stated that this objection constituted a “relevant and reasoned” objection^[104].

50. In this section the EDPB assesses whether the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA, regarding Meta IE’s reliance on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing, meet the threshold of Article 4(24) GDPR.

51. The EDPB first takes note of Meta IE’s views that the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA regarding Meta IE’s compliance with Article 6(1) GDPR failed to meet the threshold of Article 4(24) GDPR. According to Meta IE, all the objections at issue were not relevant and reasoned as the LSA’s observations in the Draft Decision were provisional in nature^[105]. Further, Meta IE provided reasoning, referring to all the objections, whereby they were not reasoned as the significance of the risks was not clearly demonstrated by the objections^[106]. The EDPB recalls that Meta IE’s compliance with Article 6(1) GDPR in relation to the contact information processing was within the scope of the IE SA’s inquiry in the case at hand^[107] and that in the Draft Decision the IE SA drew conclusions on Meta’s IE reliance on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the specific processing within the scope of its inquiry, i.e. the contact information processing^[108]. Thus there is a clear link between the objections and the Draft Decision^[109]. The relevant conclusions in the Draft Decision assessed the lawfulness of the specific processing by Meta IE and provided for an interpretation of the conditions for relying on the legal bases under Article 6(1)(b) and (f) GDPR. The EDPB reiterates that conclusions on the lawfulness of the personal data processing have significant impact on the effective protection of the data subjects’ rights, since the lawfulness of processing of personal data is a fundamental pillar of the EU data protection law^[110]. As a consequence, and as further shown and elaborated by the analysis of the EDPB below, the EDPB disagrees with these arguments brought forward by Meta IE.

52. The EDPB further analyses whether each of the objections at issue is a “relevant and reasoned objection” as required under Article 4(24) GDPR.

53. The EDPB considers that the objection of the NL SA concerns “whether there is an infringement of the GDPR”, as the NL SA opposed the IE SA’s conclusions that no infringement occurred to the extent Meta IE relied on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing. If followed, the NL SA’s objection would lead to a different conclusion with regard to the findings on Article 6(1)(b) and (f) GDPR. The objection would also entail a change in the compliance order to the controller and possibly additional “appropriate corrective measures”^[111]. Therefore, as it demonstrated a direct connection with the substance of the Draft Decision, the objection is “relevant”. The objection is also “reasoned” since it put forward several factual and legal arguments for the proposed change in the legal assessment as to why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand and why Meta IE cannot lawfully rely on those provisions and, therefore, the infringement must be remedied^[112]. Accordingly, the EDPB is not persuaded by Meta IE’s submissions that the objections are neither relevant nor reasoned^[113]. In addition, the EDPB recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR^[114].

54. Concerning the requirement to demonstrate the significance of the risks posed for the rights and freedoms of data subjects, contrary to Meta IE’s views^[115], the EDPB finds that the objection raised by the NL SA meets the required standard by pointing out several consequences that the Draft Decision would have for the fundamental rights and freedoms of data subjects^[116].

55. Finally, contrary to the views of the LSA, the EDPB considers that the qualification of the NL SA’s objection as relevant and reasoned also applies to the part thereof related to the compliance order and other “appropriate corrective measures”. In this respect, the EDPB underlines that the arguments put forward by the NL SA, as addressed in the paragraphs 33-34 above, clearly demonstrated why the Draft Decision should be changed in order to include an infringement regarding the lack of legal basis for the contact information processing and the consequent need to ensure that such processing complies with the GDPR, by amending the compliance order to the controller and adopting the appropriate corrective measures. Likewise, the NL SA’s objection clearly set out the significance of the risks for the data subjects if the Draft Decision remained unchanged and the infringement was not remedied.

***

56. In their objection, the DE SA disagreed with the finding of the IE SA that there was no infringement to the extent Meta IE relied on Article 6(1)(b) GDPR and alternatively on Article 6(1)(f) GDPR for the contact information processing, thus also concerning “whether there is an infringement of the GDPR” within the meaning of Article 4(24) GDPR. As it demonstrated a direct connection with the substance of the Draft Decision and that, if followed, the objection would lead to a different conclusion, the objection is “relevant”. The objection is also “reasoned” since it put forward several factual and legal arguments for the proposed change in the legal assessment as to why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand^[117]. Accordingly, the EDPB is not swayed by Meta IE’s submission that the objections are neither relevant nor reasoned^[118].

57. The EDPB also considers that the DE SA demonstrated the significance of the risk for the fundamental rights and freedoms of data subjects^[119].

***

58. Similarly, the objection of the IT SA also concerns “whether there is an infringement of the GDPR”. In the IT SA’s view, the contact information processing cannot “be regarded as necessary for [the] operation of the service”^[120], hence resulting in the “unlawfulness of the processing based on Article 6(1)(b) [GDPR]”^[121] and Article 6(1)(f) GDPR^[122]. As the objection demonstrated a direct connection with the substance of the Draft Decision and, if followed, it would lead to a different conclusion^[123], the objection is “relevant”.

59. As the IT SA presented arguments on the factual and legal mistakes in the Draft Decision regarding the analysis on Article 6(1)(b) and (f) GDPR^[124], the objection is “reasoned” inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing.

60. The EDPB is not swayed by Meta IE’s submissions to the contrary^[125], as the IT SA explained how its objection, if followed, would result in a different conclusion and put forward several factual and legal arguments for the proposed change in the legal assessment.

61. Finally, the EDPB finds that the objection of the IT SA clearly demonstrated the significance of the risks that the Draft Decision presented to the fundamental rights and freedoms of the data subjects by laying out how there would be no proportionate and dissuasive measures regarding the infringements and how the Draft Decision may be construed as an endorsement of the controller’s approach to the processing of children’s personal data, thus jeopardising their rights^[126].

62. With regard to the relevant parts of the IT SA’s objection related to the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, it concerns “whether the envisaged action in relation to the controller complies with the GDPR”.

The objection is linked to the IT SA’s objection on the findings in the Draft Decision on Article 6(1)(b) and (f) GDPR for the contact information processing. There is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is “relevant”. However, the EDPB considers that the objection did not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision in this regard to specifically increase the level of the fine. Likewise, the significance of the risks for the data subjects related to the imposition of an administrative fine is not sufficiently explained. Therefore, the IT SA’s objection with regard to the imposition of an administrative fine for the possible additional infringement is not “reasoned”.

63. The EDPB therefore considers that the objection of the IT SA, inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing, is both “relevant” and “reasoned” and meets the threshold set by Article 4(24) GDPR. While, insofar it concerns the imposition of the administrative fine for the possible additional infringement, the objection of the IT SA is not “reasoned” and thus does not meet the threshold of Article 4(24) GDPR.

***

64. In its objection, the FI SA disputed the IE SA’s finding that the contact information processing met the requirements of Article 6(1)(b) and (f) GDPR. Therefore, the FI SA’s objection concerns “whether there is an infringement of the GDPR”. The objection of the FI SA would also possibly entail additional “appropriate corrective measures”^[127]. As the objection demonstrated a direct connection with the substance of the Draft Decision and, if followed, it would lead to a different conclusion, the objection is “relevant”. For the same reasons explained above with regard to the other objections in this section, the EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection^[128]. In addition, the EDPB considers the objection “reasoned” since the FI SA put forward legal and factual arguments explaining why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand, and explained why the IE SA did not assess the application of Article 6 GDPR properly and, therefore, the infringement must be remedied^[129].

65. Having considered Meta IE’s submissions arguing that the objection of the FI SA “relies on vague assertions”^[130], the EDPB finds that the objection of the FI SA conclusively demonstrates the significance of the risks that the Draft Decision poses to the fundamental rights and freedoms of the data subjects^[131].

66. Finally, contrary to the views of the LSA, the EDPB considers that the qualification of the FI SA objection as relevant and reasoned also applies to the part thereof related to the additional corrective measures. In this respect, the EDPB underlines that the arguments put forward by the FI SA, as addressed in the paragraphs 42-43 above, clearly demonstrate why the Draft Decision should be changed in order to include an infringement regarding the lack of legal basis for the contact information processing and the consequent need to ensure that such processing complies with the GDPR, by adopting the “appropriate corrective measures”. Likewise, the FI SA objection clearly set out the significance of the risks for the data subjects if the Draft Decision remained unchanged and the infringement was not remedied.

***

67. As laid down in its objection, the FR SA disagreed with the IE SA’s conclusions that the contact information processing could be based on Article 6(1)(b)GDPR and alternatively on 6(1)(f) GDPR and considered that the IE SA erred in its legal assessment as it should have reached a different conclusion^[132]. Hence, the objection of the FR SA also concerns “whether there is an infringement of the GDPR” and, if followed, it would lead to a different conclusion with regard to the findings on Article 6(1)(b) and (f) GDPR and the corrective measures to the controller^[133]. As the objection demonstrated a direct connection with the substance of the Draft Decision, it is “relevant”. For the same reasons explained above with regard to the other objections in this section, the EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection^[134].

68. The EDPB also considers that, inasmuch as the objection concerns the additional infringement related to the lack of legal basis for the contact information processing and the change in the compliance order, the objection is “reasoned”, since the FR SA clearly set out a disagreement as to the conclusions reached by the IE SA in the Draft Decision by highlighting contradictions in the IE SA’s own analyses and put forward several factual and legal arguments for the proposed change in the legal assessment, including why the controller could not lawfully rely on Article 6(1)(b) and (f) GDPR in this case and, therefore, the infringement must be remedied^[135]. Therefore, the EDPB is not convinced by Meta IE’s argument that the FR SA “merely raise[s] abstract and broad (and irrelevant) concerns” and that it “fails to link them to a conclusion as to infringement”^[136].

69. The EDPB finds that the objection of the FR SA sufficiently substantiated the risks to the fundamental rights and freedoms of the data subjects since it clearly explained the consequences that the Draft Decision would have for the fundamental rights and freedoms of data subjects^[137].

70. With regard to the relevant parts of the FR SA’s objection related to the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, it concerns whether the envisaged action in relation to the controller complies with the GDPR^[138]. The objection is linked to the FR SA’s objection on the findings on Article 6(1)(b) and (f) GDPR for the contact information processing. Given that it concerns the imposition of a corrective measure for an additional infringement, which would be found as a consequence of reversing the findings of the Draft Decision, there is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is to be deemed as “relevant”, as stated in paragraph 67 above. However, the EDPB considers that the objection does not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision with regard to the imposition of this specific corrective measure. Therefore, the FR SA’s objection is not “reasoned” with regard to the imposition of an administrative fine for the possible additional infringement related to the legal basis for the contact information processing.

71. The EDPB therefore considers that the objection of the FR SA, inasmuch as it concerns the additional infringement related to the lack of legal basis for the contact information processing, is both “relevant” and “reasoned” and meets the threshold set by Article 4(24) GDPR. While, insofar it concerns the imposition of the administrative fine for the possible additional infringement, the objection of the FR SA is not “reasoned” and thus does not meet the threshold of Article 4(24) GDPR.

***

72. The objection of the NO SA expressed disagreement with respect to the IE SA’s assessment in the Draft Decision on Article 6(1)(b) and (f) GDPR. If followed, the NO SA’s objection would lead to a different conclusion with regard to the findings on Article 6(1)(b) and (f) GDPR and would also have an impact on the compliance order to the controller. Therefore, as it demonstrated a direct connection with the substance of the Draft Decision, the objection is therefore “relevant”. For the same reasons explained above The EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection^[139]. The objection is also “reasoned” since it put forward several factual and legal arguments for the proposed change in the legal assessment as to why the requirements of Article 6(1)(b) and (f) GDPR are not met in the case at hand and why the controller cannot lawfully rely on those provisions and, therefore, the infringement must be remedied^[140].

73. Regarding the requirement to demonstrate the significance of the risks posed by the Draft Decision to the rights and freedoms of data subjects, the EDPB finds that the objection of the NO SA meets the criteria set forth by Article 4(24) GDPR^[141]. Therefore, the EDPB is not swayed by Meta IE’s submissions to the contrary^[142].

74. With regard to the NO SA’s objection on the administrative fine to be imposed for the additional infringements regarding the lack of legal basis of the contact information processing, the EDPB considers that it concerned “whether the envisaged action in relation to the controller complies with the GDPR”^[143]. The objection is linked to the NO SA’s objection on the findings on Article 6(1)(b) and (f) GDPR for the contact information processing. Given that it concerns the imposition of a corrective measure for an additional infringement, which would be found as a consequence of reversing the conclusions in the Draft Decision, there is a direct connection with the substance of the Draft Decision and, if followed, the objection would lead to a different conclusion. Thus, it is “relevant”. The EDPB is not swayed by Meta IE’s arguments regarding the lack of relevance of this objection^[144], including with regard to the imposition of an administrative fine for the proposed findings on Article 6(1)(b) and (f) GDPR. The EDPB also finds the objection “reasoned” since it put forward several factual and legal arguments that support the imposition of an administrative fine for the alleged infringement^[145]. Regarding the significance of the risk posed by the Draft Decision to the rights and freedoms of data subjects, the objection sufficiently demonstrated what would be the negative impact for data subjects should a fine for the infringement of the GDPR concerning the lack of legal basis not be imposed^[146]. Therefore, the EDPB finds that the objection of the NO SA meets the criteria set forth by Article 4(24) GDPR.

***

75. On the basis of the above considerations, the EDPB finds that the objections raised by the NL SA, DE SAs, IT SA, FI SA, FR SA and NO SA concerning the conclusions in the Draft Decision on Articles 6(1)(b) and 6(1)(f) GDPR regarding the contact information processing qualify as relevant and reasoned objections under Article 4(24) GDPR, including with respect to the changes in the compliance order requested in the objections of the FR SA, NL SA and NO SA and the additional appropriate corrective measures requested by the FI SA and NL SA.

76. The EDPB also finds that the NO SA objection regarding the imposition of an administrative fine for the findings on Article 6(1)(b) and (f) GDPR is relevant and reasoned under Article 4(24) GDPR. On the contrary, with regard to the relevant parts of the objections of the FR SA and IT SA regarding the imposition of an administrative fine for the possible additional infringement related to Meta IE’s reliance on Article 6(1)(b) and (f) GDPR, the EDPB considers that they are not sufficiently reasoned and, therefore, do not meet the threshold of Article 4(24) GDPR.

77. The EDPB considers that the objections found to be relevant and reasoned in this subsection^[147] require an assessment of whether the Draft Decision needs to be changed in respect of the finding on compliance with Article 6(1) GDPR. The merits of the objection of the NO SA, with regard to the imposition of an administrative fine for the proposed additional infringement, are assessed in section 7.4 of this Binding Decision.

78. When assessing the merits of the objections raised, the EDPB takes into account the position of the IE SA on the objections and the submissions of Meta IE.

79. The EDPB takes note that for the contact information processing Meta IE relied on Article 6(1)(b) GDPR (but only to the extent that a child user has capacity to enter into an enforceable contract) or alternatively on Article 6(1)(f) GDPR (with regard to child users who did not have capacity to enter into a contract with Meta IE)^[148].

80. The EDPB recalls that personal data can be processed on the basis of Article 6(1)(b) GDPR when: (1) the processing takes place in the context of the performance of a contract with the data subject and (2) that processing is necessary for the performance of that particular contract with the data subject^[149].

81. With respect to the existence of a contract, the EDPB takes note of the objections raised by the DE SAs^[150] and FI SA^[151], as well as the IT SA^[152] and FR SA^[153], which questioned the failure by the IE SA to assess and conclude on the existence of a valid contract between Meta IE and the child users insofar as it concerns the contact information processing. The NL SA argued that, first, the LSA did not assess adequately in the Draft Decision if a contract was in place between Meta IE and the data subjects for the provision of the Instagram business account and, second, the NL SA raised doubts about the validity of such contract^[154].

82. In the Draft Decision, the IE SA found that, when registering for a personal Instagram account, a data subject agreed to the Instagram Terms of Use^[155]. The IE SA further found, in the light of Meta IE’s submissions, that the performance of a contract legal basis could be invoked by Meta IE in relation to processing associated with the business account feature on the basis of the Terms of Use^[156].

83. In its submissions, Meta IE argued that SAs do not have competence to assess validity of contracts^[157] and anyway the Draft Decision clearly referred to a contractual relationship between Meta IE and each user based on the Terms of Use^[158]. Meta IE also claimed that it had no legal obligation under the GDPR to include a specific reference to Business Accounts in the Instagram Terms of Use and thus the lack of such reference has no impact on the assessment of whether the processing is necessary for the performance of a contract^[159] and is not contrary to Article 12 GDPR^[160].

84. As recalled above, one of the prerequisites for a controller to be able to rely on Article 6(1)(b) GDPR as a legal basis for the processing of personal data is that the processing takes places in the context of the performance of a contract. As previously stated by the EDPB, this condition more specifically implies that a controller, in line with its accountability obligations under Article 5(2) GDPR, has to be able to demonstrate that (a) a contract exists and (b) the contract is valid pursuant to applicable national contract laws^[161].

85. In order to assess whether Meta IE could have relied on Article 6(1)(b) GDPR for the contact information processing, the EDPB analyses in the following paragraphs whether the processing at stake is necessary for the performance of the alleged contract with the data subjects in the case at hand.

86. In its submissions, Meta IE claimed that insofar as “necessity” is concerned, the CSAs ignored the relevant facts and considerations during the period when Business Accounts were first offered and erred in: (1) applying an overly strict view of the element of necessity for the purposes of Article 6(1)(b) GDPR, and (2) improperly seeking to retroactively find a violation of Article 6(1)(b) GDPR by virtue of a subsequent product modification, which has dangerous implications for controllers seeking to develop and evolve their products over time in respect of user privacy and safety^[162]. According to Meta IE, “the Business Account was created for Instagram in 2016 and, as relevant for the time, it was built around the notion of a “traditional” business, which may have used Instagram to support its external (i.e., off-Instagram) presence, like a website or brick-and-mortar establishment. To enable the off- Instagram promotion of and contact with the business, the Business Account functionality included a “Contact” button to allow the Instagram community to communicate with the business through a contact channel outside of Instagram (e.g., a business phone or email)” and “the EDPB must assess the element of necessity under the correct conceptual framework having regard to the specific purpose of the processing at issue at the time, in line with its prior guidance”^[163]. In addition, according to Meta IE, compliance with Articles 5(1)(c) and 6(1)(b) GDPR must be considered separately, the LSA’s finding on Article 5(1)(c) GDPR was narrow in scope, and, moreover, Articles 5(1)(c) and 6(1)(b) GDPR have distinct and separate meanings, thus a finding of non-compliance with Article 5(1)(c) GDPR does not and cannot equate automatically to a finding of non-compliance with Article 6(1)(b) GDPR^[164].

87. The EDPB recalls that the concept of necessity has an independent meaning in Union law, which must reflect the objectives of data protection law^[165]. In particular, as the CJEU has stated: “[a]s regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”^[166].

88. When analysing the performance of a contract legal basis, the necessity requirement has to be interpreted strictly. As stated earlier by the Working Party 29 (hereinafter “WP29”)^[167], this “provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”^[168].

89. The EDPB recalls that for the assessment of necessity under Article 6(1)(b) GDPR, “[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance”^[169]. As the EDPB has previously stated, regard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject^[170].

90. Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract^[171]. In this context, the EDPB recalls that children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data^[172].

91. Regarding the objective and purpose of the specific contract, Meta IE claimed that, when the Business Account was created, it was built around the notion of a “traditional” business and was aimed to allow the Instagram community to communicate with the business through a contact channel outside of Instagram^[173]. The IE SA found that “the business account feature, on the basis that this social media tool allows users to ‘create, find, join, and share in experiences’ with other people (as described in the Terms of Use), and forms a central part of the Instagram service as offered”^[174].

92. While the EDPB agrees that processing may be objectively necessary for the performance of a contract even if not specifically mentioned in the contract^[175], it should be possible for an ordinary user to identify the “fundamental and mutually understood” contractual purpose based on the information presented by the controller^[176].

93. Considering the high-level information provided to child users regarding the Instagram service in the Terms of Use^[177] and that no specific information about the Business Account feature was provided to the child users^[178], the EDPB considers that the publication of the contact details on their profiles could have not been reasonably expected by such child users in the context of their use of Instagram, including the business account feature. Further, the EDPB does not agree that the contact information processing, in respect of the child users, could be considered as “integral” or “central” to the Instagram service, including the business account feature. Moreover, as correctly noted by the IE SA, it is possible to operate a professional profile without also publishing contact information^[179].

94. Furthermore, the EDPB recalls that the assessment of what is necessary involves a combined, fact- based assessment of the processing for the objective pursued. If there are realistic, less intrusive alternatives, the processing is not necessary^[180]. In this respect, the principle of proportionality should also be taken into account^[181].

95. The EDPB observes that, if the publication of the contact details was indeed intended for traditional businesses only as Meta IE claims, it was technically possible to distinguish them from the child users during the registration process based on age information^[182]. It would have therefore been possible to avoid publishing child users’ contact information, even while maintaining the contact button option for “traditional” businesses.

96. The EDPB further considers that in the present case the analysis of necessity should be supported by the above-mentioned analysis of the existence of less intrusive means. However, the IE SA did not analyse in the Draft Decision whether other less intrusive means were available to effectively achieve the objective pursued. In this regard, the existing possibility to contact users directly through direct messaging within the platform should have been taken into consideration. In fact, it is clear from the Draft Decision that Meta IE was aware that certain business account users preferred to communicate with their audience through direct messaging on Instagram, rather than by e-mail or phone^[183]. The Draft Decision clearly stated that “[Meta IE] acknowledges that publication of phone and email contact information was not always preferred from the perspective of business account users” because, according to Meta IE “[s]ome businesses also noted that they preferred […] to communicate with their audience or customers through direct messaging on Instagram rather than traditional means (like phone or email)”^[184]. Despite this, the IE SA failed to take account of such circumstances in its assessment of the necessity requirements and erred in its conclusion that the contact information processing was necessary for the performance of the contract in the present case.

97. The EDPB recalls that within the “contact information processing” there was also a processing operation (occurring for a specific timeframe) consisting in the publication in plain text of the contact information in the HTML source code on the Instagram website. Meta IE highlighted that “business contact information appeared in the HTML source code for Business Accounts for the purpose of providing a “Contact” button on the Web version of Instagram" since "in order for a web browser to render the relevant Instagram Web page, the browser must ‘speak’ to an Instagram Web server”^[185]. The IE SA found an infringement (not disputed by the objections raised) of the principle of data minimisation limited to this “mandatory publication (prior to 7 March 2019) of contact information on the website version of Instagram (in HTML) for all business account users”, since this “had the result that the personal data at issue (i.e. contact information of child users on webpages) was not limited to what was necessary in relation to the purposes for which [Meta IE] processed this specific information”^[186]. As noted by the IE SA, the HTML publication of contact information was not considered necessary by Facebook’s Security Team and was subsequently discontinued^[187]. The EDPB considers that the analysis of the principle of data minimisation (Article 5(1)(c) GDPR) is relevant for the necessity assessment on the basis of Article 6(1)(b) GDPR^[188]. Consequently, the EDPB further finds that such analysis should have complemented the LSA’s assessment on the necessity of the processing for the performance of the contract, with specific regard to the publication of the contact information in the HTML source code on the Instagram website. The EDPB considers that the IE SA could not have concluded that the publication of the contact information of child users in the HTML source code may be regarded as necessary for the performance of the contract between Meta IE and child users.

98. Also, the EDPB takes note of the findings in the Draft Decision that the contact information processing could pose severe risks to the rights and freedoms of child users^[189]. The existence of such risks could have also been considered in the assessment as to whether the processing of the child users’ contact information was necessary for the contract.

99. Considering the above^[190] and in light of the specific circumstances of the processing, the EDPB finds that the IE SA could not have concluded in paragraph 115 of the Draft Decision that the contact information processing may be regarded as necessary for the performance of a contract between Meta IE and child users.

100. As a consequence, the EDPB finds that Meta IE could not have relied on Article 6(1)(b) GDPR as a legal basis for the contact information processing.

101. The EDPB recalls that personal data can be processed on the basis of Article 6(1)(f) GDPR when the processing is necessary for the purposes of the legitimate interests of the controller or of a third party, inasmuch as those interests are not overridden by the interests or fundamental rights and freedoms of the data subjects concerned. In this regard, particular attention should be paid when the data subject is a child^[191].

102. The EDPB recalls^[192] that Article 6(1)(f) GDPR is one of the legal grounds that controllers can rely on for the processing of personal data, as long as the conditions for relying on it are fulfilled^[193].

103. As the CJEU has confirmed, Article 6(1)(f) GDPR establishes three cumulative conditions, in order for the processing to be lawful: “first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of [the data subject] do not take precedence”^[194].

a. Existence of a legitimate interest

104. The EDPB recalls that a legitimate interest can have a legal, economic or non-material nature but needs to be real and present^[195], and not fictitious, for the entity in question: as clarified by the CJEU case law, the legitimate interest must be present and effective at the date of the data processing and must not be hypothetical at that date^[196]. The EDPB moreover considers that the interest pursued must be determined in a sufficiently clear and precise manner: the determination and perimeter of the legitimate interest pursued must be clearly identified in order to ensure that it will be properly balanced against the interests or fundamental rights and freedoms of the data subject. In addition, the legitimate interest must also be lawful (i.e., acceptable under the law)^[197]. As a general rule, those interests which can be traced back to the law – a legislative measure or a legal principle – can amount to “legitimate” interest.

105. As a preliminary matter, the EDPB notes that the DE SAs considered that a legitimate interest cannot exist when the controller relies on it only in case that Article 6(1)(b) GDPR is not applicable to minors on the basis of national law. In the view of the DE SAs, accepting reliance on Article 6(1)(f) GDPR in this situation would be a “circumvention of the corresponding child protection provisions” and “contradicts the purpose of these provisions”^[198]. In this respect, the EDPB recalls that, as stated by the WP29, “[a]n appropriate assessment of the balance under [Article 6(1)(f)] (…) may in some cases be a valid alternative to inappropriate use of, for instance, the ground of ‘consent’ or ‘necessary for the performance of a contract’. Considered in this way, [Article 6(1)(f)] presents complementary safeguards compared to the other pre-determined grounds”^[199]. Therefore, it does not seem impossible for a controller to rely on Article 6(1)(f) GDPR if, given the specific circumstances of the processing, the requirements enshrined in the GDPR are met. In order to determine whether processing of personal data may rely on Article 6(1)(f) GDPR, data controllers must assess in detail whether the cumulative conditions aforementioned can be met so that the processing of personal data is lawful.

106. In the Draft Decision, the IE SA considered that the legitimate interests pursued are those of Meta IE and other Instagram users, “insofar that publication of contact details to the public may be a reasonable and lawful mode by which to promote a professional undertaking or other public initiative”^[200]. The IE SA did not specify if it referred to all Instagram users or to a specific type of users. Considering the submissions of the controller, to which the Draft Decision referred in paragraph 109, it appears that the IE SA’s followed the former interpretation (i.e., looking at the interests of all Instagram users).

107. In its submission, Meta IE stated that “the display of business contact information served [Meta IE]’s legitimate interest of creating, providing, supporting, and maintaining innovative products and features that enable people under the age of majority to express themselves, communicate, and engage with information and communities relevant to their interests and build community. The display of business contact information on a Business Account also served the legitimate interest of other Instagram users who sought to engage with such an account”^[201]. Therefore, in accordance with Meta IE’s submission, the legitimate interests pursued are connected to the fundamental right to conduct a business and the fundamental right to freedom of expression of Instagram users^[202]. The IE SA seemed to agree with such interpretation^[203], although the IE SA did not specify how it came to such conclusion.

108. The NL SA and the FI SA argued in their objections that the IE SA did not sufficiently assess whether the interests as formulated by Meta IE are sufficiently clear, precise, lawful (i.e., acceptable under the law) and of real existence^[204].

109. As described above, Meta IE described the different interests that it pursued with the processing of personal data at stake. More specifically, Meta IE pursued:

- the legitimate interest of the controller of “creating, providing, supporting, and maintaining innovative products and features that enable people under the age of majority to express themselves, communicate, and engage with information and communities relevant to their interests and build community”, and

- the legitimate interest of a third party (i.e., other Instagram users) to be able to engage with Business Account owners.

110. As stated above, the legitimate interest pursued by the controller must be sufficiently clearly articulated and be real and present, corresponding to current activities or to benefits that are expected in the near future^[205]. The aforementioned interests the controller claimed to be pursuing via the processing activities at stake were identified and described in a vague fashion. This is especially the case for the second interest mentioned. Therefore, the EDPB has doubts that the legitimate interest argued by Meta IE meets the requirements of being sufficiently specific, despite Meta IE’s allegations on the contrary^[206]. Therefore, due to the lack of specificity, the EDPB cannot assess whether the interests argued are real and lawful (i.e., acceptable under the law). The EDPB also considers that the evaluation of the existence of the legitimate interest(s) pursued should have been more substantiated in the Draft Decision.

111. In any case, the existence of a legitimate interest is only one of the three cumulative conditions that must be met in order to lawfully rely on Article 6(1)(f) GDPR. The EDPB analyses below the two other conditions having regard to the alleged legitimate interests, as described and identified by the controller, in case they were to be considered sufficiently clear, precise, real and lawful (i.e., acceptable under the law).

b. The necessity of the processing for the purposes of the legitimate interests

112. As stated above, the concept of necessity has an independent meaning in Union law, which must reflect the objectives of data protection law^[207]. The assessment of what is necessary involves a combined, fact-based assessment of the processing for the objective pursued. If there are realistic, less intrusive alternatives, the processing cannot be considered as necessary^[208].

113. With regard to Article 6(1)(f) GDPR, the necessity of the processing requires a connection between the processing and the legitimate interest(s) pursued and should not lead to an unduly broad interpretation thereof^[209]. In this context, the EDPB recalls that the principle of data minimisation is relevant^[210]. The EDPB notes that the IE SA found an infringement of the principle of data minimisation limited to “the mandatory publication (prior to 7 March 2019) of contact information on the website version of Instagram (in HTML) for all business account users”, since it “had the result that the personal data at issue (i.e. contact information of child users on webpages) was not limited to what was necessary in relation to the purposes for which [Meta IE] processed this specific information”^[211]. The EDPB considers that such analysis should have complemented the assessment on the necessity of the processing, with specific regard to the HTML publication processing operation, as stated above.

114. In addition, it is relevant to highlight also in this context that when assessing the necessity of a given processing operation, the existence of less intrusive means that would contribute effectively to achieving the interests pursued should be analysed. In this respect, the principle of proportionality should also be taken into account^[212]. However, the IE SA did not analyse in the Draft Decision whether other less intrusive means were available to effectively achieve the objectives pursued. In this regard, the existing possibility to contact business account users directly through direct messaging within the platform should have been taken into consideration. In fact, it is clear from the Draft Decision that Meta IE was aware, prior to 4 September 2019, that certain business account users preferred to communicate with their audience through direct messaging on Instagram, rather than by e-mail or phone^[213]. The IE SA clearly stated that “[Meta IE] acknowledges that publication of phone and email contact information was not always preferred from the perspective of business account users” because, according to Meta IE “[s]ome businesses also noted that they preferred […] to communicate with their audience or customers through direct messaging on Instagram rather than traditional means (like phone or email)”^[214]. The IE SA also considered that “it is possible to operate a professional profile without also publishing contact information”^[215]. Despite this, the IE SA failed to take account of such circumstances for the assessment of the necessity of the contact information processing.

115. Finally, the EDPB notes that the IE SA considered that, in some circumstances, the publication of the contact details of minors may have been necessary in some cases, in particular with respect to those business account users who wished to be publicly contactable by email or phone in connection with their professional activities^[216].

116. The EDPB considers that the approach adopted by the IE SA when assessing the necessity of the processing is substantially erroneous. As stated above, reliance on Article 6(1)(f) GDPR requires that the processing be necessary to achieve the legitimate interests pursued, which, in this case, Meta IE considers to be the interest to conduct its business and the interest of Instagram users to contact business account owners and engage with them^[217]. The benefits that such processing may bring to the data subject (i.e., in this case, the child business account owners) are not a relevant element for the assessment of necessity of the processing. Article 6(1)(f) GDPR is clear when it states that the legitimate interests are those of the controller or of a third party (and not those of the data subject). Therefore, when assessing the necessity of the processing, the legitimate interests at stake have to be considered with regard to the controller and, if relevant, the third parties concerned (i.e., Meta IE and all Instagram users, in this case).

117. Due to the approach adopted by the IE SA, it failed to justify in the Draft Decision why it considered the publication of contact details necessary for the attainment of the purposes of legitimate interests of Meta IE and other Instagram users. In fact, it is apparent from the Draft Decision that Instagram users had other means of communication with business account users that did not significantly diminish the possibility of engaging with those accounts. The availability of other means of communication with business account users is also shown by the fact that certain business account users even preferred to communicate with their audience via direct messaging within the platform and did not want their information to be public. As the IE SA acknowledged “[i]t is also clear that many business account users did not require the publication of personal contact information in order to pursue their professional purposes on Instagram”^[218] and that “the requirement to publish contact information was clearly not ‘appropriate’ as of May 2018”^[219]. This proves with significant certainty that Instagram users could have achieved the alleged legitimate interest of engaging with business account owners even if their contact details were not public and, therefore, Meta IE could also achieve its alleged legitimate interest to create, provide, support and maintain innovative products that enable children to express themselves, communicate and engage with others.

118. Therefore, in the view of the EDPB, the IE SA failed to take into account the relevant legitimate interests when performing the assessment of necessity of the processing and, therefore, it should have not concluded^[220] that the processing may have been necessary in some circumstances.

119. For the reasons described above, the EDPB considers that there are sufficient elements to raise significant doubts on the necessity of the publication of the contact information of child users for the purposes of the legitimate interests pursued.

120. In any case, even if the necessity of the processing could be established under some circumstances, in order to lawfully rely on Article 6(1)(f) GDPR as a legal basis for the processing, there is a need to ensure that the interests and fundamental rights and freedoms of the data subjects do not override the legitimate interests pursued.

c. The balancing exercise

121. When a controller intends to rely on Article 6(1)(f) GDPR, it has to evaluate the risks of intrusion on the data subject’s rights. In this respect, the decisive criterion is the intensity of the intervention for the rights and freedoms of the individual^[221]. The EDPB has previously stated that intensity can inter alia be defined by the type of information that is gathered, the scope, the number of data subjects concerned, the situation in question, the actual interests of the group of data subjects, the existence of alternative means, as well as by the nature and scope of the data assessment^[222]. The reasonable expectations of the data subject at the time and in the context of the processing shall also be considered^[223]. In this regard, the EDPB recalls that the age of the data subject may be one of the factors to take into account in the context of the balancing of interests^[224].

122. The objective of the balancing of interests is to understand the impact of the processing on the data subjects, in order to properly conclude whether their interests or fundamental rights and freedoms override the legitimate interests of the controller. The purpose is not to prevent any negative impact on the data subject, but to prevent a disproportionate impact^[225]. Such impact encompasses the different ways in which an individual may be affected - positively or negatively - by the processing, and should address any possible (potential or actual) positive and negative consequences of such processing^[226]. These consequences may include potential or future decisions or actions by third parties or fear and distress that the data subject may experience when losing control over personal information, for example through exposure on the internet^[227]. The key elements to assess the impact are the likelihood that the risk materialises, on one hand, and the severity of the consequences on the other one^[228]. The EDPB underlines that safeguards play a special role in reducing any undue impact on the data subject. In order to ensure that the interests and fundamental rights and freedoms of data subjects do not override the legitimate interests pursued, the safeguards in question must be adequate and sufficient, and must unquestionably and significantly reduce the impact on data subjects^[229].

123. The assessment should also take into account the measures that the controller plans to adopt in order to comply with its obligations, including in terms of proportionality and transparency^[230]. The relationship between the balancing test, transparency and the accountability principle has already been underlined by the WP29, which considered it “crucial” in the context of Article 6(1)(f) GDPR^[231]. In this regard, the EDPB recalls that, if the controller hides important information to the data subject, it will not fulfil the requirements of reasonable expectations of the data subject and an overall acceptable balance of interests^[232].

124. In the Draft Decision, the IE SA disagreed with Meta IE’s analysis of the adequacy of the information provided to child users and the security and safety measures implemented, which, in the view of the IE SA, did not mitigate all relevant risks for child users^[233]. In fact, the insufficiency of the measures led the IE SA to conclude that “there are possible and severe risks associated with the two forms of processing which are the subject of this Inquiry; these risks are primarily related to possible communication between child users and dangerous individuals, both on and off the Instagram platform (…). I am also satisfied that the measures and safeguards implemented by [Meta IE] (in the form of account options, tools and information) were not adequate with regard to the specific processing operations at issue” since they “did not adequately mitigate the risk of communication between dangerous individuals and child users. Accordingly, I do not share [Meta IE]’s view that the processing at issue did not result in high risks to the rights and freedoms of child users”^[234]. The IE SA also considered that the changes to the processing in July and September 2019 “reduced but did not adequately mitigate the risks for child users in connection with the processing”^[235]. Meta IE argued that neither the CSAs nor the IE SA gave “due weight to the other half of the balancing test to mitigate and/or negate” the risks to the data subjects^[236]. Therefore, the EDPB disagrees with the view of Meta IE and considers that the IE SA on the assessment of the risk is accurate. The EDPB also underlines that it is possible to accommodate the objective of effectively reducing the risk for children while ensuring their right to freedom of expression, by implementing appropriate safeguards and measures^[237].

125. The IE SA also addressed the lack of transparency regarding the information on the publication of the contact details. In this respect, the IE SA stated in the Draft Decision that “[Meta IE] facilitated the publication of phone and email contact information for children as young as 13, using a streamlined account switching process which automatically completed certain information for the user, without warning child users that publication of their personal contact information may result in high risks to their rights and freedoms”^[238]. Therefore, taking into account both the assessment of the risk and the mitigating measures, as well as the lack of information provided, the IE SA concluded that “the contact information processing by [Meta IE] (both before September 2019, and after) results in high risks to the rights and freedoms of child users, for the purposes of Article 35(1) GDPR”^[239].

126. As mentioned above, the transparency of the information provided has an impact on the reasonable expectations of the data subjects. Likewise, adequate and sufficient additional safeguards are those that unquestionably and significantly reduce the impact on data subjects. These are important elements to take into account in the assessment of the balancing of interests. However, despite acknowledging the lack of proper measures and information, and the severe risks that this creates for child users, when analysing the balancing exercise to verify whether Meta IE could rely on Article 6(1)(f) GDPR the IE SA only concluded that, in some circumstances, it is possible that the legitimate interests would not be overridden by the interests or fundamental rights and freedoms of the child user^[240]. In addition, despite the lack of proper information, the IE SA concluded that technically literate users may have expected the publication, regardless of their age^[241]. The EDPB finds particularly problematic that, despite the risks of the processing, recognised by Meta IE itself^[242], the publication of contact details of child users was mandatory until 4 September 2019. In fact, child users were not even informed of such publication, since the Option Screen only stated that “these contact options will be linked to your business profile”^[243]. Even though the screen included a note at the end stating that “people will be able to email, call and get directions to your business […]”, it did not specify that it was because of the publication of the information. In the view of the EDPB, it is not reasonable to expect that a normal user, let alone a child, even if technically literate, could deduce from such a vague statement that publication of their information would take place and that it would allow any type of person (including persons with whom they had had no contact or link) to contact them directly. In fact, as the IE SA noted, the term “will be able” may have been understood by the child users as a conditional indication that an additional contact-publication feature could be implemented optionally by the user^[244].

127. Taking the above into consideration, the EDPB is of the view that the IE SA did not properly assess the impact of the processing when performing the balancing exercise. In fact, the IE SA only took into account the positive consequences of the processing^[245], whereas it failed to give proper weight to all the other relevant elements and the risks it had itself identified.

128. Therefore, the EDPB considers that, regarding the publication of the contact information of child users prior to 4 September 2019, the legitimate interests pursued were overridden by the interests and fundamental rights and freedoms of child users. The EDPB comes to this conclusion given the severe risks identified by the IE SA, the lack of appropriate measures to address those risks, the lack of proper information to data subjects regarding publication and its consequences and the impossibility to opt-out from the publication. All these elements combined tip the balance in favour of the interests and fundamental rights and freedoms of the data subjects.

129. With regard to the processing of personal data of child users after 4 September 2019, the EDPB notes that the Option Screen stated that the contact information would be displayed publicly in the profile of the users “so people can contact you”^[246]. This change in the wording could have allowed child users to understand that any person could contact them as their details would be publicly available^[247]. In addition, child users were given the option to opt-out from the publication of their contact details. The availability of a well-designed opt-out option without the need for any justification to exercise it and the relationship between the balancing test and transparency are crucial for the balancing exercise under Article 6(1)(f) GDPR. In fact, in those cases in which the balance is difficult to strike, a well- designed and workable mechanism for opt-out could play an important role in safeguarding the rights and interests of the data subjects^[248]. In this regard, it is relevant to bear in mind the finding of the IE SA in the Draft Decision that the information provided to child users by Meta IE after 4 September 2019 in the course of the business account switching process was in compliance with Articles 12(1), 13(1)(c) and 13(1)(e) GDPR (Finding 3 in the Draft Decision)^[249].

130. This being said, the EDPB finds that these elements are not sufficient to change the outcome of the balancing test in light of the aforementioned considerations. This is especially the case because of the high risk resulting from the publication of contact details as explained above in paragraph 124 and of the fact that children were not warned about such risks. These circumstances were not affected by the changes brought as of 4 September 2019 and thus these changes were not sufficient to change the outcome of the balancing test.

131. On the basis of the above, the publication of the contact information of child users prior to and after 4 September 2019 did not meet the requirements under Article 6(1)(f) GDPR, since the interests and fundamental rights and freedoms of the data subjects overrode the alleged legitimate interests pursued.

132. Considering the EDPB’s conclusion in paragraphs 118-119 and, especially, 131 above, it is the view of the EDPB that Meta IE could not rely on Article 6(1)(f) GDPR for the contact information processing since the processing was either unnecessary or, if it were to be considered necessary, it did not pass the balancing test.

133. Considering the conclusions in paragraphs 100 and 132 of this Binding Decision, i.e. that Meta IE could rely neither on Article 6(1)(b) GDPR, nor on Article 6(1)(f) GDPR for the contact information processing, and bearing in mind that Meta IE relied on these two legal bases alternatively for the processing at stake^[250], the EDPB finds that Meta IE processed the personal data unlawfully^[251]. As a consequence, to that extent Meta IE infringed Article 6(1) GDPR. Accordingly, the EDPB instructs the IE SA to change its Draft Decision in order to establish the relevant infringement.

134. Considering the nature and gravity of the infringement, as well as the number of data subjects affected, the EDPB further instructs the IE SA to re-assess its envisaged action in accordance with the conclusions reached by the EDPB in order to consider the additional infringement of Article 6(1) GDPR. In this respect, the additional infringement of Article 6(1) GDPR shall be considered in the compliance order, to the extent that the processing is ongoing, in order to ensure that full effect is given to Meta IE’s obligations under Article 6(1) GDPR.

135. With regard to the imposition of an administrative fine for the infringement of Article 6(1) GDPR, the EDPB refers to section 7.4.2.4 of this Binding Decision for its assessment.

136. In its inquiry and the Draft Decision, with regard to the legal basis for the contact information processing, the IE SA solely considered whether Meta IE could rely on Articles 6(1)(b) and alternatively on 6(1)(f) GDPR as the legal bases^[252] (as summarized above in paragraphs 25-31 of this Binding Decision).

137. The DE SAs raised an objection whereby the only applicable legal basis for the contact information processing is consent under Article 6(1)(a) GDPR. According to the DE SAs, Meta IE should have additionally obtained parental consent for minor users under 16 years of age, unless the national legislator has regulated this differently^[253]. The DE SAs also objected to the LSA having not found an infringements of Articles 7 and 8(1) GDPR regarding contact information processing as a consequence of the infringement of Article 6(1)(a) GDPR. In the view of the DE SAs, Meta IE should have complied with the requirements for consent under Article 7 GDPR and the conditions applicable to a child’s consent under Article 8(1) GDPR. However, Meta IE had neither fulfilled the conditions under Article 7 GDPR, nor obtained parental consent with regard to children below the age of 16 years as required under Article 8 GDPR^[254]. The DE SAs also requested the LSA to take specific additional corrective measures as a consequence of the possible infringements^[255].

138. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned^[256].

139. The EDPB observes that in the Draft Decision the IE SA analysed if Meta IE could rely on Article 6(1)(b) and alternatively on Article 6(1)(f) GDPR for the contact information processing. The EDPB notes that the CSAs can raise a relevant and reasoned objection on additional infringements in relation the conclusions to be drawn from the findings of the investigation^[257], or on whether the LSA has sufficiently investigated the relevant infringements of the GDPR^[258]. The DE SAs’ objection requests the LSA to find infringements of Article 6(1)(a) GDPR and, consequently, of Article 7 and Article 8(1) GDPR. In this regard, the potential infringements of Article 7 and Article 8(1) GDPR is a consequence of the potential infringement of Article 6(1)(a) GDPR. However, the EDPB firstly considers that the objection regarding the infringement of Article 6(1)(a) GDPR fails to establish a direct connection with the specific legal and factual content of the Draft Decision, thus lacking relevance. As the EDPB finds that the DE SAs objection, insofar it concerns Meta IE’s compliance with Article 6(1)(a) GDPR, is not relevant, this also affects the relevance of the DE SAs objection, insofar it concerns Meta IE’s compliance with Article 7 and Article 8(1) GDPR. Consequently, the EDPB finds that the DE SAs objection on the potential infringements Article 6(1)(a), Article 7 and Article 8(1) GDPR are not “relevant”.

140. The EDPB further observes that it remains unclear from the DE SAs objection if in the present case the infringements of Article 7 and Article 8(1) GDPR can be established on the basis of the findings in the Draft Decision or the LSA’s inquiry. Moreover, the EDPB finds that the DE SAs objection in relation to Article 7 and Article 8(1) GDPR does not provide sufficiently precise and detailed legal reasoning regarding infringement of each specific provision in question. In addition, the objection does not put forward sufficient arguments to demonstrate the significance of the risk posed by the Draft Decision for the rights and freedoms of the data subjects or the free flow of data within the EU. Therefore, the objection is also not sufficiently “reasoned” in light of the Guidelines on RRO^[259].

141. Considering the above, the EDPB finds that the DE SAs objection, insofar it concerns Article 6(1)(a), Article 7 and Article 8(1) GDPR does not meet the threshold of Article 4 (24) GDPR. With regard to the potential infringement of Article 6(1)(a) GDPR, the DE SAs objection is not “relevant” and, regarding Article 7 and Article 8(1) GDPR, the DE SAs objection is neither “relevant”, nor “reasoned”. Consequently, there is no need for the EDPB to further analyse the merits of this objection. 6.2. On potential infringements of Article 5(1)(a) and Article 5(1)(b) GDPR regarding contact information processing

142. In its Draft Decision, the IE SA considered whether Meta IE could rely on Article 6(1)(b) GDPR or alternatively on Article 6(1)(f) GDPR for the contact information processing^[260] (as summarized above in paragraphs 25-31 of this Binding Decision). 6.2.2. Summary of the objection raised by the CSAs

143. The DE SAs objected to the IE SA not finding that an infringement of Articles 5(1)(a) and (b) GDPR occurred. In the view of the DE SAs, the IE SA should have found an infringement of Articles 5(1)(a) and (b) GDPR stemming from Meta IE’s lack of legal basis for the processing^[261].

144. The DE SAs considered that as a consequence of Meta IE not validly relying on any of the legal bases of Article 6(1) GDPR, Meta IE violated the principle of lawfulness under Article 5(1)(a) GDPR. Moreover, by disregarding the special requirements for consent under Article 7 and Article 8(1) GDPR as proposed by the DE SAs (see section 6.1 of this Binding Decision), Meta IE processed personal data in an unlawful manner that breached Article 5(1)(a) GDPR^[262].

145. In the context of Article 5(1)(b) GDPR, the DE SAs argued that the lack of legal basis for processing undermined the principle of purpose limitation. The DE SAs argued that Meta IE did not define specific purposes of processing for all groups of children, but rather expressed the performance of a contract as a common purpose for all processing. As the purpose of processing was the performance of a contract, Meta IE could not simultaneously claim that the purpose for certain groups of minors was legitimate interest as this would have been against the controller’s duty to collect personal data for specified, explicit and legitimate purposes^[263].

146. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned^[264].

147. The EDPB observes that in the Draft Decision the LSA analysed if Meta IE could rely on Article 6(1)(b) and alternatively on Article 6(1)(f) GDPR for the contact information processing. As noted above, the CSAs can raise a relevant and reasoned objection on additional infringements in relation the conclusions to be drawn from the findings of the investigation^[265], or on whether the LSA has sufficiently investigated the relevant infringements of the GDPR^[266]. However, the EDPB considers that in this specific case the DE SAs objection insofar as it requests the IE SA to find the infringements of Article 5(1)(a) and Article 5(1)(b) GDPR fails to establish a direct connection with the specific legal and factual content of the Draft Decision. Therefore, the EDPB finds that the DE SAs objection to the extent it concerns the potential infringements Article 5(1)(a) and Article 5(1)(b) GDPR is not “relevant”.

148. The EDPB further finds that the DE SAs objection does not put forward sufficiently precise and detailed legal, as well as factual reasoning in relation to infringement of each specific provision in question. In addition, the objection does not provide sufficient arguments to demonstrate the significance of the risk posed by the Draft Decision for the rights and freedoms of the data subjects or the free flow of data within the EU. Therefore, the objection is also not sufficiently “reasoned” in light of the Guidelines on RRO^[267].

149. Considering the above, the EDPB finds that the DE SAs objection regarding the infringements of Article 5(1)(a) and (b) GDPR does not meet the threshold of Article 4 (24) GDPR, as it is neither “relevant”, nor “reasoned”. Consequently, there is no need for the EDPB to further analyse the merits of this objection. 6.3. On legal basis regarding public-by-default processing 6.3.1. Analysis by the LSA in the Draft Decision

150. In its Draft Decision, the IE SA considered whether the default account settings for child users by Meta IE were contrary to the GDPR, particularly Article 5(1)(c), Article 12(1), Article 24(2), Articles 25(1) and (2) GDPR. As explained by the IE SA in its Draft Decision^[268], public-by-default processing refers to Instagram having a default setting which allowed the social media content of an Instagram account to be viewed by any Instagram user, or by persons who had not registered as Instagram users if the latter were accessing the web-browser version of Instagram (hereinafter, “public-by-default processing”). In contrast, if a user account was set as private, the content posted on the account could be accessed only by users approved by the account holder personally^[269]. To make a user account private, the account holder had to change the default settings after registration as an Instagram user^[270].

151. The IE SA identified that Meta IE had two separate purposes for processing the personal data of its Instagram users in relation to the public-by-default setting. In case of a public profile, Meta IE processed personal data for the purpose of sharing social media content with anyone, including persons who had not registered as Instagram users. In case of a private profile, the purpose of processing was to share content only with Instagram users who had been approved by the account holder^[271].

152. Meta IE informed its child users of the public-by-default account settings in its 2018 and 2020 Data Policies under a section titled “Sharing on Facebook Products”, which stated that “When you share and communicate using our Products, you choose the audience for what you share”. The section further stated the following^[272]:

“Public information can be seen by anyone, on or off our Products, including if they don’t have an account. This includes your Instagram username; any information you share with a public audience; information in your public profile on Facebook; and content you share on a Facebook Page, public Instagram account or any other public forum, such as Facebook Marketplace”.

153. The Data Policy contained a hyperlink to a section titled “How do I set my Instagram account to private so that only approved followers can see what I share?” included in Instagram’s support webpage. The section stated the following^[273]:

“By default, anyone can see your profile and posts on Instagram. You can make your account private so that only followers you approve can see what you share. If your account is set to private, only your approved followers will see your photos or videos on hashtag or location pages.”

154. The instructions on how to switch the account from public to private were included in a section on the support webpage titled “How do I set my Instagram account to private so that only approved followers can see what I share?” and in additional informational resources created by Meta IE for its child users and their parents. In addition to the above contents, the Data Policy 2018 included another hyperlink to a support webpage titled “Controlling Your Visibility”. This webpage included information on how to switch to a private account^[274].

155. With respect to the compatibility with Article 12(1) GDPR, the IE SA concluded that Meta IE infringed this provision because it did not inform the child users of Instagram of the purposes of the public-by-default processing in a clear and transparent manner^[275].

156. Assessing the public-by-default processing in the context of Article 5(1)(c) and Article 25(2) GDPR, the IE SA noted that the public-by-default processing was not necessary or proportionate for the two purposes of this processing that were identified by the IE SA. In particular, the IE SA considered that child users may have a reduced ability to change the privacy settings of their account. Moreover, the public-by-default processing was global in extent^[276]. The IE SA found that Meta IE had failed to implement technical and organisational measures to ensure that, by default, only personal data that was necessary for the relevant purpose of processing was collected. Particularly considering that the child users’ accounts were by default made visible to an indefinite number of natural persons, the IE SA found that the processing had infringed Article 5(1)(c) and Article 25(2) GDPR^[277].

157. The IE SA also concluded that Meta IE infringed Article 25(1) GDPR by not implementing appropriate technical and organisational measures to implement the data protection principles in an effective manner and integrate the necessary safeguards to protect child users from the severe risks that the public-by-default processing posed^[278].

158. Further, the IE SA found that the safeguards and measures implemented by Meta IE did not properly take into account the specific risks to the rights and freedoms of child users^[279]. The IE SA concluded that Meta IE infringed Article 24(1) GDPR^[280].

159. The IE SA’s findings in the Draft Decision regarding Article 5(1)(c), Article 12(1), Article 24(1), Articles 25(1) and (2) GDPR in relation with public-by-default processing are not subject to the present dispute.

160. The NO SA first considered that the IE SA’s findings and assessment in the Draft Decision logically led to the conclusion that the requirement of necessity under Article 6(1)(b) and (f) were not met^[281]. The NO SA noted that the IE SA found that Meta IE carried out processing beyond what was necessary for the purposes of the processing, such as in paragraph 450 of the Draft Decision, and identified considerable risks for child users. Based on these findings, the NO SA concluded that Meta IE did not fulfil the necessity requirement under Article 6(1)(b) and (f) GDPR^[282]. The NO SA suggested that the IE SA should have carried out a legal analysis on the processing to verify if it could rely on Article 6(1)(b) and (f)^[283]. The NO SA suggested that the scope of the inquiry allowed the investigation of whether the lawfulness obligations under Article 6 GDPR were met. This was based on the fact that the Draft Decision included an assessment of Article 6 GDPR and conclusions that were relevant for the assessment of lawfulness^[284].

161. Specifically on the public-by-default processing, the NO SA stated that the fact that the IE SA found that the public-by-default processing was not necessary or proportionate on several grounds indicated that there was a violation of Article 6(1) GDPR. Such grounds were that Meta IE’s child users may have had reduced ability to apply Instagram’s privacy settings, the processing of public accounts was global and the processing was not necessary for such child users who did not wish to have their Instagram account public. The NO SA concluded that the public-by-default processing was not necessary for the performance of a contract or the purposes of the legitimate interests pursued by the controller^[285].

162. Finally, the NO SA asked the IE SA to conclude that the legal bases under Article 6(1)(b) and (f) GDPR were not applicable legal bases for the public-by-default processing and to exercise corrective powers under Article 58(2) GDPR: (1) to order the controller to identify a valid legal basis for the processing in question, or from now on abstain from such processing activities; and (2) to impose an administrative fine for unlawfully processing personal data, erroneously relying on Articles 6(1)(b) and (f) GDPR^[286].

163. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned^[287].

164. The EDPB observes that, although the public-by-default processing was examined by the IE SA in the Draft Decision^[288], the question of compliance of the public-by-default processing with Article 6 GDPR was neither within the scope of the inquiry of the IE SA, nor it was addressed by the IE SA in the Draft Decision. At the same time, the EDPB recalls that the CSAs can raise a relevant and reasoned objection on additional infringements in relation the conclusions to be drawn from the findings of the investigation^[289], or on whether the LSA has sufficiently investigated the relevant infringements of the GDPR^[290]. However, the EDPB considers that in this specific case the NO SA objection fails to establish a direct connection with the specific legal and factual content of the Draft Decision, thus it is not “relevant”.

165. Furthermore, the EDPB considers that, given the legal and factual elements available in the Draft Decision and the arguments presented by the NO SA, the objection does not explain sufficiently clearly, nor substantiate in sufficient detail how the conclusion regarding Meta IE’s compliance with Article 6 GDPR in relation to the public-by-default processing could be reached on that basis. Therefore, the EDPB finds that this NO SA objection is not “reasoned”.

166. Considering the above, the EDPB finds that the NO SA objection regarding the public-by-default processing does not meet the threshold of Article 4(24) GDPR and consequently there is no need for the EDPB to further analyse the merits of this objection.

167. In the Draft Decision, the IE SA analysed the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine and determine its amount^[291]. The IE SA also specified that the “decision as to whether to impose an administrative fine in respect of each infringement, and the amount of that fine where applicable, is independent and specific to the circumstances of each particular infringement”^[292]. As regards the calculation of the fine, in the Draft Decision the IE SA considered the nature, gravity and duration of the infringement, as per Article 83(2)(a) GDPR^[293]. In terms of nature, the infringements of Article 12(1) GDPR in respect of both the public-by-default processing and the contact information processing were found to be most serious in nature^[294]. The IE SA found that the infringement of Article 5(1)(a) GDPR regarding the contact information processing was serious in nature^[295] and that the infringements of Article 35(1), 24(1), 25(1)^[296], 5(1)(c) and 25(2) GDPR^[297] were serious in nature in respect of both the public-by-default processing and the contact information processing. In terms of gravity, the LSA considered that the gravity of infringements of Article 12(1) GDPR in respect of both the public-by-default processing and the contact information processing was highly serious^[298]. The IE SA found that the gravity of the infringement of Article 5(1)(a) GDPR regarding the contact information processing was serious^[299] and that the gravity of the infringements of Articles 35(1), 24(1), 25(1)^[300], 5(1)(c) and 25(2) GDPR^[301] in respect of both the public-by-default processing and the contact information processing was serious. In terms of duration of the infringement, the IE SA considered that the period of infringement was the period between the entering into application of the GDPR on 25 May 2018 and the commencement of the inquiry on 21 September 2020^[302]. The IE SA found the aforementioned period to be the duration of the infringements apart from the infringement of Article 12(1) GDPR regarding contact information processing, which the IE SA found to have ended on 4 September 2019, the infringement of Article 5(1)(a) GDPR concerning contact information processing, which the IE SA found to have commenced from 4 September 2019 and the infringement of Article 35(1) GDPR regarding both contact information and public-by-default processing, which the LSA found to have commenced on 25 July 2018. Moreover, the LSA found that the duration of the infringement of Articles 5(1)(c) and 25(2) GDPR concerning the contact information processing ended on November 2020 and did not include the period between July 2019 to August 2020^[303].

168. In relation to the intentional or negligent character of the infringements, as per Article 83(2)(b) GDPR, the IE SA concluded that certain Meta IE’s infringements were intentional and others negligent in character^[304]. The LSA found that the infringements of Article 12(1) GDPR regarding both public-by-default processing and contact information processing were negligent and the infringements of Articles 24(1) and 25(1) GDPR regarding both public-by-default processing and contact information processing were highly negligent^[305]. As for the other infringements, the LSA found that the infringements of Article 5(1)(a) GDPR regarding contact information processing and Articles 35(1), 5(1)(c) and 25(2) GDPR in respect of both public-by-default processing and contact information processing were intentional^[306].

169. With regard to other aggravating or mitigating factors, as per Article 83(2)(k) GDPR, the Draft Decision assessed the financial benefit gained by Meta IE from the infringements. The IE SA concluded that the infringement of Article 12(1) GDPR resulted in a financial benefit to Meta IE and considered this to be an aggravating factor^[307]. Regarding the infringement of Article 24 GDPR, the IE SA stated that this infringement was considered separately to other infringements and it was not considered to be an aggravating factor with regard to the other infringements at issue, or an issue which is pertinent to the calculation of the administrative fines^[308].

170. The assessment by the IE SA of the criteria in Article 83(2)(a) and (c) to (j) GDPR is not subject to the present dispute.

171. In the Draft Decision, the IE SA considered the criteria outlined in Article 82(2)(a)-(k) GDPR cumulatively in respect of each infringement, when deciding whether to impose an administrative fine and when deciding the amount of each administrative fine^[309]. The IE SA concluded that an administrative fine for each of the infringements was appropriate and necessary to dissuade non- compliance in the case at hand and similar future cases of Meta IE and other controllers or processors carrying out similar processing activities. Here, the IE SA considered the seriousness of the infringements in nature and gravity, the proportionality of the fines with regard to the nature, gravity and duration of the infringements, the intentional or negligent character of the infringements, the fact that the infringements related to personal data of children, the financial benefit gained from the public-by-default processing and the lack of previous relevant infringements of Meta IE^[310]. Based on these circumstances, the IE SA determined a range for each of the fines that it considered to be effective, proportionate and dissuasive in accordance with Article 83(1) GDPR^[311].

172. The IE SA proposed in the Draft Decision to impose nine administrative fines within the total range of EUR 202 million to 405 million^[312].

173. The DE SAs objected to the amount and calculation of the administrative fine which the LSA proposed to impose in the Draft Decision. In the view of the DE SAs, the LSA’s Draft Decision did not ensure a consistent application of administrative fines, and the envisaged amount of the fines were not effective, proportionate or dissuasive^[313]. The DE SAs argued that fines could only be effective, proportionate and dissuasive if the profitability of the undertaking was taken into account in their calculation. This was based on the argument that the undertaking’s sensitivity to administrative fines was significantly influenced by profitability, not only turnover. According to the DE SAs, the LSA did not explain in its Draft Decision how the element of profitability was taken into account in the calculation of the fine^[314]. The DE SAs also found that the envisaged amount of fines were too low to create special and general preventive effect and to be effective^[315]. According to the DE SAs, in view of the nature, gravity and duration of the infringement and the number of data subjects concerned, it was necessary to issue a fine that has noticeable impacts for the undertaking. Based on this, the DE SAs suggested that, in order to create a preventive effect and impose an effective fine, the amount of fine should generate an impact of approximately one percent of the annual profit of Meta IE^[316]. Furthermore, with regard to the Draft Decision, the DE SAs stated that: “the envisaged fine could not have a general preventive effect. Rather, it will likely have the opposite effect”^[317].

174. Additionally, the DE SAs was of the view that the LSA did not consider appropriately the financial benefit that Meta IE gained from the infringement. Based on publicly available data, the DE SAs proposed an estimation of the financial benefit gained by Meta IE from the public-by-default processing and argued that it should be further considered when calculating the fine^[318].

175. Regarding the calculation criteria in Article 83(2) GDPR, the DE SAs argued that the facts identified by the IE SA pointed towards intentional, not negligent behaviour and therefore disagreed with the IE SA’s assessment in the Draft Decision in this respect. According to the DE SAs, Meta IE wilfully decided on the content of its switching process and their Data Policy and wilfully used language that was excessively general and made it difficult for children to understand the consequences of their choice; moreover, Meta IE as a global data processing company had enough resources to be aware of the problem beforehand^[319].

176. As for aggravating factors, the DE SAs stated that the LSA should have considered the infringement of Article 24 GDPR as an aggravating factor in respect of the other infringements under Article 83(2)(k) GDPR. In the view of the DE SAs, although the infringement of Article 24 GDPR is not itself subject to an administrative fine under the GDPR, it must be reflected in the decisions of supervisory authorities, since the scope of Article 83(2)(k) GDPR, which is necessarily open-ended, should include all the reasoned considerations, including the infringement of Article 24(1) GDPR^[320].

177. Furthermore, according to the DE SAs, the calculation criteria of Article 83(2) GDPR were wrongly weighted resulting in a fine which is too low. The DE SAs stated that, considering the circumstances of the particular case, including the nature and gravity of the infringements, as well as the sensitivity of the data subjects affected, a fine in the upper range of the possible level of 4% of the turnover would be expected. However, the envisaged fines in the Draft Decision, which amount to about 0.58% of the turnover, are significantly lower^[321].

178. In addition, the DE SAs stated that the IE SA should use the turnover figure of 2021 instead of that of 2020^[322].

179. Finally, the DE SAs elaborated on the risks posed by the Draft Decision to the fundamental rights and freedoms of the data subjects: as the Draft Decision did not promote a consistent application of administrative fines, this would result in a significant risk to the rights and fundamental freedoms of data subjects, since the undertaking and other controllers could orientate their abidance of data protection law on such a barely noticeable fine^[323]; the summed up proposed fines for the infringements were not able to create a deterrent effect and thus would lead to a lesser protection of the fundamental rights and freedoms of the data subjects; and the effective enforcement of the GDPR, which is the precondition for the protection of the fundamental rights and freedoms of the data subjects, would not be ensured^[324].

***

180. As already referred in section 5.2 of this Binding Decision, the NO SA in its objection asked the IE SA to change its exercise of corrective powers in order to impose an administrative fine for the additional infringement regarding the lack of legal basis for the contact information processing. The IT SA and FR SA also specifically requested an additional corrective measure in terms of an administrative fine for the additional infringement^[325].

181. The IE SA confirmed that it does not propose to “follow” the objections that were raised by the CSAs and/or does not consider the objections to be relevant and reasoned^[326].

182. The IE SA did not agree with the DE SAs’ view that Meta IE acted with knowledge and wilfulness taking into account the objective elements of conduct gathered from the facts of the inquiry, except in those parts of the Draft Decision where the IE SA found that Meta IE acted intentionally. In addition, the IE SA disagreed that Article 24 GDPR had to be taken into account as an aggravating factor pursuant to Article 83(2)(k) GDPR^[327].

183. The IE SA further noted that the Draft Decision appropriately concluded that the infringement resulted in a financial benefit to Meta IE, which is an aggravating factor for the purpose of Article 83(2)(k) GDPR. The IE SA also reiterated that the Draft Decision took into account the undertaking’s turnover in the context of Article 83 GDPR, in the manner described in paragraphs 624 and 625 of the Draft Decision^[328].

184. In view of the IE SA, paragraph 569 of the Draft Decision presented a thorough, detailed and specific formulation of the amount of each of the nine fines which allows for the CSAs to properly consider whether the fines are effective, dissuasive and proportionate. According to the IE SA, the overall fining range reflected a number of smaller and larger proposed fines, which have been calculated pursuant to the EDPB’s interpretation of Article 83(3) GDPR in Binding Decision 1/2021^[329], and that, when each of the proposed fines is considered on an individual basis, the proposed fining ranges are sufficiently clear to determine whether they are effective, dissuasive and proportionate^[330].

185. Finally, with respect to the determination of the year of turnover, IE SA agreed with the DE SAs that the relevant year is the year immediately preceding the date of the final decision and confirmed that this will be accounted for in the final decision^[331].

186. In its objection on the proposed calculation of the fine, the DE SAs considered the fine proposed in the Draft Decision to be ineffective, disproportionate and non-dissuasive and outlined several arguments why they disagreed with the Draft Decision in this respect^[332]. The EDPB considers that the DE SAs’ objection related to the content of the Draft Decision^[333] and included sufficient reasoning^[334] as to why, if accepted, it would lead to a different conclusion. The EDPB notes that this objection concerned “whether the action envisaged in the Draft Decision complies with the GDPR”^[335]. Therefore, the EDPB considers the objection to be “relevant”.

187. In its objection, the DE SAs set out legal and factual arguments in relation to each element raised in the objection, in particular its reasoning on how the Draft Decision should assess the criteria of Articles 83(1) and (2) GDPR considering the facts of the specific case and how this would lead to a different conclusion in the Draft Decision^[336]. The DE SAs provided detailed reasoning that a higher fine ought to be imposed, considering the profitability and the global turnover of the undertaking^[337]. Furthermore, the DE SAs considered that without amendment the Draft Decision would set a dangerous precedent with regard to deterrence and clearly demonstrated its view on the significance of the risks posed by the Draft Decision^[338]. Therefore, the EDPB considers the objection to be “reasoned”.

188. The EDPB is not swayed by Meta IE’s submission that the objection at issue is neither relevant, nor reasoned. In this regard, Meta IE failed to explain why the threshold of Article 4(24) GDPR is not met in relation to this specific objection^[339]. In addition, the EDPB recalls that the assessment of the merits^[340] of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR^[341].

189. Considering the above, the EDPB finds that the DE SA objection, insofar it concerns the determination of the administrative fine, is a “relevant and reasoned” objection in accordance with Article 4(24) GDPR.

***

190. With regard to the NO SA objection on the imposition of an administrative fine in relation to the findings on Article 6(1)(b) and Article 6(1)(f) GDPR on the contact information processing, the EDPB recalls that it is “relevant and reasoned” in accordance with Article 4(24) GDPR^[342]. On the contrary, the relevant parts of the objections of the IT and FR SAs on the specific matter of an administrative fine for the additional infringement do not meet the threshold under Article 4(24) GDPR, as analysed by the EDPB in section 5.4.1 of this Binding Decision^[343].

191. The EDPB recalls that the consistency mechanism may also be used to promote a consistent application of administrative fines^[344]: where a relevant and reasoned objection challenges the elements relied upon by the LSA to calculate the amount of the fine, the EDPB can instruct the LSA to engage in a new calculation of the proposed fine by eliminating the shortcomings in the establishment of causal links between the facts at issue and the way the proposed fine was calculated on the basis of the criteria in Article 83 GDPR and of the common standards established by the EDPB^[345]. A fine should be effective, proportionate and dissuasive, as required by Article 83(1) GDPR, taking account of the facts of the case^[346]. In addition, when deciding on the amount of the fine, the LSA shall take into consideration the criteria listed in Article 83(2) GDPR.

192. The DE SAs contested the turnover figure cited in the Draft Decision. Though the IE SA deemed the objection not relevant and/or not reasoned, in the Composite Response the IE SA agreed with the DE SAs on the determination of the year of the turnover when calculating the administrative fine^[347].

193. On the notion of “preceding financial year”, the EDPB recalls the decision taken in its Binding Decision 1/2021^[348] and takes note of the IE SAs intention^[349] to take the same approach in the current case.

194. The EDPB agrees with the approach taken by the IE SA for the present case to include in the Draft Decision a provisional turnover figure based on the most up to date financial information available at the time of circulation to the CSAs pursuant to Article 60(3) GDPR. The EDPB recalls that when issuing its final decision in accordance with Article 65(6) GDPR, the IE SA shall take into account the undertaking’s annual turnover corresponding to the financial year preceding the date of its final decision, i.e. the turnover of Meta Platforms Inc. in 2021.

a. The intentional or negligent character of the infringement (Article 83(2)(b) GDPR)

195. Article 83(2) GDPR considers, among the factors to be taken into account when deciding the imposition and amount of an administrative fine, “the intentional or negligent character of the infringement”. In the same sense, Recital 148 GDPR states that “[i]n order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation […]. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility […]” (emphasis added).

196. The characterisation of the infringement as intentional or negligent may therefore have a direct impact on the amount of the fine proposed. The main elements to be taken into account in this regard were already established in the WP29 Guidelines on Administrative Fines, endorsed by the EDPB. The EDPB Guidelines on the calculation of administrative fines under the GDPR^[350] rely heavily on the WP29 Guidelines on Administrative Fines in this respect.

197. As the EDPB recalls in its Guidelines on Administrative Fines, “intentional infringements, demonstrating contempt for the provisions of the law, are more severe than unintentional ones”^[351] and therefore, the supervisory authority is likely to attribute weight to this circumstance. This is likely to warrant the application of a (higher) fine.

198. As the IE SA noted in the Draft Decision, “the GDPR does not identify the factors that need to be present in order for an infringement to be classified as either ‘intentional’ or ‘negligent’”^[352]. The EDPB Guidelines on Administrative Fines, quoting the WP29 Guidelines on Administrative Fines, refer to the fact that “in general, ‘intent’ includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas ‘unintentional’ means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law”^[353]. In other words, the EDPB Guidelines on Administrative Fines confirm that there are two cumulative elements on the basis of which an infringement can be considered intentional: the knowledge of the breach and the wilfulness in relation to such act. On the other hand, an infringement is “unintentional” when there was a breach of the duty of care, without having intentionally caused the infringement. The EDPB takes note of Meta IE’s position that it did not act intentionally with the aim to infringe the GDPR^[354].

199. The characterisation of an infringement as intentional or negligent shall be done on the basis of objective elements of conduct gathered from the facts of the case^[355]. The EDPB Guidelines on Administrative Fines refer to some examples of conduct that may demonstrate the existence of intent and negligence^[356]. It is worth noting the broader approach adopted with respect to the concept of negligence, since it also encompasses situations in which the controller or processor has failed to adopt the required policies, which presumes a certain degree of knowledge about a potential infringement^[357].

200. In this case, the IE SA considered that the infringements of Article 12(1) GDPR with regard to the contact information processing and with regard to the public-by-default processing were negligent as they fell “short of the standard required”^[358]. Regarding the public-by-default processing, the IE SA took into consideration that at the relevant time, the information that the accounts were public by default and on how to switch to a private account was available in several sources and hyperlinked in the Data Policy. The IE SA considered that these objective elements suggested an intention to provide the information with clarity and transparency^[359]. Considering this, the IE SA concluded that the infringement was not intentional, even though Meta IE should have been aware that the information provided was not clear and transparent enough. Consequently, the IE SA considered that Meta IE was negligent^[360]. Likewise, with respect to the contact information processing, the IE SA considered that the language used did not suggest a deliberate attempt from Meta IE to avoid its transparency obligations^[361]. Considering this, the IE SA concluded that the infringement was not intentional, but it considered it negligent since Meta IE should have been aware that the way in which the information was provided did not meet the standards^[362].

201. It stems from the above that Meta IE had (or should have had) knowledge about the infringement of Article 12(1) GDPR. However, this mere element is not sufficient to consider an infringement intentional, as stated above, since the “aim” or “wilfulness” of the action should be demonstrated. In this respect, the IE SA has not found out that Meta IE wilfully disregarded its obligations.

202. In this regard, the DE SAs argued that Meta IE had enough resources to identify the problem beforehand, and that it wilfully decided on the content of the switching process, using a language that was excessively general^[363]. The DE SAs considered that Meta IE was in fact aware of the problem given that the information was provided in the Instagram Help Centre and other ancillary sources. Therefore, the DE SAs was of the view that Meta IE acted at least with “reckless disregard for the infringement”^[364]. The DE SAs also argued that the level of care required must be determined taking into account the size, economic activities and data processing processes of the company^[365].

203. The EDPB recalls that that having knowledge of a specific matter does not necessarily imply having the “will” to reach a specific outcome. This is in fact the approach adopted in the EDPB and WP29 Guidelines on Administrative Fines, where the knowledge and the “wilfulness” are considered two distinctive elements of the intentionality^[366]. While it may prove difficult to demonstrate a subjective element such as the “will” to act in a certain manner, there need to be some objective elements that indicate the existence of such intentionality^[367].

204. The EDPB recalls that the CJEU has established a high threshold in order to consider an act intentional. In fact, even in criminal proceedings the CJEU has acknowledged the existence of “serious negligence”, rather than “intentionality” when “the person responsible commits a patent breach of the duty of care which he should have and could have complied with in view of his attributes, knowledge, abilities and individual situation”^[368]. In this regard, the EDPB confirms that a company for whom the processing of personal data is at the core of its business activities is expected to have sufficient measures in place for the safeguard of personal data^[369]: this does not, however, per se change the nature of the infringement from negligent to intentional.

205. It shall be underlined that, in the context of the assessment of Article 83(2)(c) GDPR, the IE SA noted that the provision of the information in the Instagram Help Centre and other ancillary sources, hyperlinked in the Data Policy, suggested that Meta IE did not intentionally intend to “deny child users of Instagram an understanding of the purposes of the processing”^[370], with regard to the public by default processing. Regarding the contact information processing, the IE SA considered that “older Instagram users may have understood the consequences of providing their contact information” and that the language used “does not suggest a deliberate attempt on the part of Meta IE to avoid its obligations”^[371]. The EDPB notes that, with respect to the contact information processing, the assessment carried out by the IE SA is general and could have been more nuanced and detailed. However, the EDPB agrees with the IE SA that the objective elements of the case would indicate the absence of wilfulness to act in breach of the law with regard to the infringements of Article 12(1) GDPR. Therefore, on the basis of the available information, the EDPB is not able to identify a will of Meta IE to act in breach of the law as it cannot be concluded that Meta IE intentionally acted to circumvent its legal obligations.

206. Therefore, the EDPB considers that the arguments put forward by the DE SAs fail to provide objective elements that indicate the intentionality of the behaviour of Meta IE. Accordingly, the EDPB is of the view that the Draft Decision does not need to be changed with respect to the findings on the character of the infringements of Article 12(1) GDPR.

b. Other aggravating factors - relevance of the infringement of Article 24(1) GDPR

207. Article 83(2)(k) GDPR gives the supervisory authority room to take into account any other aggravating or mitigating factors applicable to the circumstances of the case, in order to ensure that the sanction applied is effective, proportionate and dissuasive in each individual case^[372]. The provision is open-ended and it entails that the socio-economic, legal and market contexts in which the controller or processor operates should be taken into account^[373].

208. In this regard, the DE SAs considered that, even though the infringement of Article 24 GDPR is not subject to the possibility of imposing an administrative fine, because it is not listed in Article 83(4)- (6) GDPR, it should have been considered as an aggravating factor under Article 83(2)(k) GDPR, since it is part of the assessment of the legal context in which Meta IE operates^[374].

209. The EDPB firstly notes the reference to other infringements in Article 83(2)(e) GDPR, which states that when considering whether to impose a fine and its amount, due regard should be given to “any relevant previous infringements by the controller or processor”. However, the provision deals with previous infringements, but does not make any reference to other current infringements as aggravating factors.

210. In this respect, the IE SA disagreed with the DE SAs and considered that Article 83(2)(k) GDPR does not aim at being a “catch all provision” but at requiring the LSA “to account for any special loss or damage which arose due to the conduct (or omission) of the controller”^[375].

211. The EDPB disagrees with the IE SA on the nature of Article 83(2)(k) GDPR and underlines that this open-ended provision aims at ensuring that the considerations regarding the context (be it the socio-economic, legal, or market context) in which the controller or processor operates are taken into account, so as to impose a fine that is effective, proportionate and dissuasive. At the same time, the EDPB agrees with the IE SA that the infringement of Article 24 GDPR cannot be considered an aggravating factor under Article 83(2)(k) GDPR. In this respect, the EDPB notes that it seems to be a conscious choice by the legislator not to subject infringements of that provision to administrative fines under the GDPR^[376]. If such infringements were taken into account under Article 83(2)(k) GDPR, infringements of Article 24 GDPR would indirectly be subject to an administrative fine, despite the fact that the co-legislators did not provide for the possibility of sanctioning this infringement by means of an administrative fine.

212. The EDPB also notes that, albeit not subject to an administrative fine, infringements of Article 24 GDPR can be subject to other corrective powers of the SA as per Article 58(2) GDPR or to other penalties, as established in Article 84 GDPR.

213. Finally, the EDPB emphasises that Article 24 GDPR is an expression of the accountability principle enshrined in Article 5(2) GDPR. In this respect, the accountability of the controller is taken into account by the supervisory authorities when deciding whether to impose an administrative fine and its amount, since Article 83(2) GDPR includes several provisions in that regard^[377].

a. Weighing of the financial benefit obtained from the infringement

214. As explicitly stated in Article 83(2)(k) GDPR, financial benefits gained directly or indirectly from the infringement can be considered an aggravating element for the calculation of the fine. The EDPB considers this provision “of fundamental importance for adjusting the amount of the fine to the specific case” and that “it should be interpreted as an instance of the principle of fairness and justice applied to the individual case”^[378].

215. The scope of Article 83(2)(k) GDPR should include all the reasoned considerations regarding the socio-economic, legal and market contexts in which the controller or processor operates^[379]. When taking account of these considerations, the supervisory authorities must “assess all the facts of the case in a manner that is consistent and objectively justified”^[380]. Therefore, financial benefits from the infringement could be an aggravating circumstance if the case provides information about profit obtained as a result of the infringement of the GDPR^[381].

216. The aim of Article 83(2)(k) is to ensure that the sanction applied is effective, proportionate and dissuasive in each individual case^[382]. With regard to the financial benefits obtained from the infringement, the EDPB considers that when there is a benefit, the sanction should aim at “counterbalancing the gains from the infringement” while keeping an effective, dissuasive and proportionate fine^[383].

217. The financial benefit obtained by Meta IE was considered by the IE SA in the Draft Decision with regard to Finding 1 (i.e. the infringement of Article 12(1) GDPR for the public-by-default processing^[384]). In particular, the IE SA considered that “the objective of switching new accounts to ‘public’ was clearly also intended to drive the creation of more public user-generated content for consumption, increasing engagement and creating favourable commercial conditions for the sale of targeted advertising by [Meta IE]”^[385] and, therefore, the IE SA concluded that Meta IE benefited from the infringement and considered this an aggravating factor^[386].

218. In this respect, the DE SAs considered that the IE SA did not properly weigh this factor, since the fine proposed in the Draft Decision for the infringement of Article 12(1) GDPR was less than the DE SAs’ estimation of the financial benefit obtained with the infringement. The DE SAs engaged in a very detailed calculation to justify the estimation of the benefit, although they acknowledged that it was based on assumptions^[387].

219. The relevance of the financial benefit gained with the infringement for the calculation of the fine amount has been addressed by the CJEU in competition law cases. In fact, the CJEU has stated that the benefits obtained from the infringement are among the factors that may be taken into account in order to determine the amount of the fine, but there is no obligation to ensure that the fine is directly proportional to the benefits achieved by that undertaking or “that it does not exceed those profits”^[388]. Nonetheless, the CJEU has made clear that the amount of the fine must be proportionate to “the duration of the infringement and the other factors capable of affecting the assessment of the gravity of the infringement, including the profit that it was able to derive from those practices”^[389]. In fact, the CJEU has clearly accepted that the amount of the fine can be increased on the basis of the financial benefit obtained with the infringement, in order to reinforce the deterrent effect of such fine^[390]. It is an accepted practice in EU competition law to increase the amount of the fine in order to exceed the amount of the gain obtained as a result of the infringement, where it is possible to estimate that amount^[391].

220. Considering the need to have fines that are effective, proportionate and deterrent, and in light of common accepted practice in the field of EU competition law, which inspired the fining framework under the GDPR, the EDPB is of the view that, when calculating the administrative fine, the supervisory authority could take account of the financial benefits obtained from the infringement, in order to impose a fine that exceeds that amount.

221. In the present case, the IE SA has explicitly considered the financial benefits obtained from the infringement as an aggravating factor. However, the IE SA has not provided any estimation of the amount gained by Meta IE with the specific infringement and the DE SAs’ calculation is still largely based on assumptions. Due to this, the EDPB does not have sufficiently precise information to evaluate the specific weight of the financial benefit obtained from the infringement.

222. Therefore, the EDPB considers that it does not have objective elements to conclude whether the fine envisaged in relation to Finding 1 takes sufficient account of the financial benefit obtained from the infringement and, therefore, has a deterrent effect.

223. Nonetheless, the EDPB acknowledges the need to prevent that the fines have little to no effect if they are disproportionally low compared to the benefits obtained with the infringement. The EDPB considers that the IE SA should have elaborated in more detail the weight given to this element in paragraphs 563, 564 and 567 of its Draft Decision. Therefore, the EDPB requests the IE SA to further elaborate its reasoning on this aspect and, if further estimation of the financial benefit from the infringement is possible in this case and results in the need to increase the amount of the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.

b. Weighing of other criteria under Article 83(2) GDPR and assessment of the fine in light of Article 83(1) GDPR

224. In its objection, the DE SAs claimed that the elements of Article 83(2) GDPR were not weighed correctly by the LSA when calculating the administrative fines in the present case, in light of the requirements of Article 83(1) GDPR. The DE SAs argued that the mitigating circumstances were few, therefore a fine in the upper range of the possible level would be expected. Also, according to the DE SAs, the amount of the proposed fines did not reflect the nature and gravity of the infringements, in particular, when it comes to the seriousness of the infringements, in light of the number and sensitivity of the data subjects (children) affected^[392]. Furthermore, the DE SAs argued that the proposed fines were ineffective, disproportionate and non-dissuasive and they provided for neither special, nor general preventive effect, especially considering the total profit and the total turnover of the specific undertaking^[393].

225. In this regard, the EDPB notes that the Draft Decision contained an assessment by the IE SA on the different elements in relation to each infringement^[394]. The EDPB further notes that in the Draft Decision the IE SA explained why it considered the proposed fines to be effective, proportionate and dissuasive in relation to each infringement, taking into account all the circumstances of the IE SA’s inquiry^[395]. Finally, the EDPB observes the differences in the level of ranges of the envisaged fines by the IE SA, where the higher ranges are envisaged for the infringements of Article 12(1) GDPR regarding both the public-by-default processing and the contact information processing, as well as for the infringements of Article 35(1) GDPR regarding both the public-by-default processing and the contact information processing compared to the envisaged fines for the remaining infringements^[396].

226. The EDPB takes note of the position of Meta IE that the fines set out in the Draft Decision are excessive and disproportionate and therefore any objections aiming to increase the quantum of fines are not compatible with Article 83 GDPR^[397]. According to Meta IE, any calls by the objections to further increase the proposed fines would need to be supported by compelling evidence of a serious and intentional infringement and consequential harm, however, no such evidence was ever provided by the LSA or the CSAs^[398]. Furthermore, according to Meta IE, Article 83(2) GDPR does not identify annual profit as a factor to which the LSA should have regard in calculating the amount of the administrative fine and selecting one percent of annual profit would be arbitrary, punitive and undermining the discretion and independence of the LSA in making its fine assessment^[399]. Also, it is the view of Meta IE that there is no basis in the GDPR for concluding that the amount of the fine must have a general preventive effect^[400].

227. The EDPB reiterates that it is incumbent upon the supervisory authorities to verify whether the amount of the envisaged fines meets the requirements of effectiveness, proportionality and dissuasiveness, or whether further adjustments to the amount are necessary, considering the entirety of the fine imposed and all the circumstances of the case, including e.g. the accumulation of multiple infringements, increases and decreases for aggravating and mitigating circumstances and financial/socio-economic circumstances^[401]. Further, the EDPB recalls that the setting of a fine is not an arithmetically precise exercise^[402], and supervisory authorities have a certain margin of discretion in this respect^[403].

228. The EDPB recalls that, when determining whether a fine fulfils the requirements of Article 83(1) GDPR, due account must be given to the elements identified on the basis of Article 83(2) GDPR^[404]. In the present case, the EDPB notes that in the Draft Decision the LSA considered all the infringements as serious in nature^[405], and that the gravity of infringements of Article 12(1) GDPR in respect of both the public-by-default processing and the contact information processing was highly serious, the gravity of the infringement of Article 5(1)(a) GDPR regarding the contact information processing was serious and that the gravity of the infringements of Articles 35(1), 24(1), 25(1), 5(1)(c) and 25(2) GDPR in respect of both the public-by-default processing and the contact information processing was serious^[406]. Furthermore, the EDPB underlines that, as established by the IE SA, each infringement related to processing of personal data of a significant number of vulnerable individuals (children) and related to significant damage to those vulnerable individuals^[407]. The EDPB also observes that each infringement carried either an intentional or negligent character^[408]. In addition, the IE SA did not attribute significant weight to any mitigating factor^[409].

229. The EDPB reiterates that all these elements need to be given due regard when determining the proportionality of the fine. In other words, a fine must reflect the gravity of the infringement, taking into account all the elements that may lead to an increase (aggravating factors) or decrease of the amount (mitigating factors). The EDPB further assesses in the following paragraphs whether the envisaged fines in the Draft Decision meet the requirement of being effective, proportionate and dissuasive in accordance with Article 83(1) GDPR.

230. In its objection, the DE SAs argued that the proposed fines, which were well below the envisaged maximum under Article 83 GDPR, would be insignificant to Meta IE, considering the global turnover of the undertaking, and they would be neither effective, nor sufficiently dissuasive^[410].

231. The EDPB takes note that in its objection, the DE SAs also requested the IE SA to additionally consider the annual profit of the undertaking at hand in its assessment under Article 83 GDPR^[411]. Regarding this specific issue, the EDPB recalls that, when it comes to the determination of administrative fines under Article 83 GDPR, this determination is to be based on the total worldwide annual turnover of the undertaking, which “gives an indication, albeit approximate and imperfect, of the size of the undertaking and of its economic power”^[412]. Therefore, the EDPB does not find that in the case at hand the LSA should be requested to amend its Draft Decision to additionally consider the annual profit of the undertaking. At the same time, the EDPB reiterates that the imposition of an appropriate fine cannot be the result of a simple calculation based on the total turnover^[413] and that as stated above all the circumstances of the specific case have to be considered in order to assess if the administrative fine is effective, proportionate and dissuasive as required by Article 83(1) GDPR.

232. With regard to effectiveness of the fines, the EDPB recalls that the objective pursued by the corrective measure chosen can be to re-establish compliance with the rules or to punish unlawful behaviour (or both)^[414]. In addition, the EDPB notes that the CJEU has consistently held that a dissuasive penalty is one that has a genuine deterrent effect. In that respect, a distinction can be made between general deterrence (discouraging others from committing the same infringement in the future) and specific deterrence (discouraging the addressee of the fine from committing the same infringement again)^[415]. Therefore, in order to ensure deterrence, the fine must be set at a level that discourages both the controller or processor concerned as well as other controllers or processors carrying out similar processing operations from repeating the same or a similar unlawful conduct, while not going beyond what is necessary to attain that objective^[416]. In this respect, the EDPB disagrees with Meta IE’s views that there is no basis to conclude that the amount of the fine must have a general preventive effect^[417].

233. Moreover, the size of the undertaking concerned and its financial capacity^[418] are elements that should be taken into account in the calculation of the amount of the fine in order to ensure its dissuasive nature^[419]. Taking into consideration the size and global resources of the undertaking in question is justified by the impact sought on the undertaking concerned, in order to ensure that the fine has sufficient deterrent effect, given that the fine must not be negligible in the light, particularly, of its financial capacity^[420]. The EDPB recalls that a fine to be imposed on an undertaking may need to be increased to take into account a particularly large turnover of the undertaking, so the fine is sufficiently dissuasive^[421]. In this respect, the EDPB further notes that in order to ensure a sufficiently deterrent effect, the global turnover of the undertaking can be considered also in light of the undertaking’s ability to raise the necessary funds to pay its fine^[422].

234. The EDPB takes note of the IE SA’s determination on the administrative fines in the present case^[423] and of the proposed amounts of the fines in the Draft Decision^[424]. While, in this Binding Decision, the EDPB does not address as such the use of fine ranges in draft decisions, it notes that the proposed ranges in the Draft Decision in the case at hand are wide^[425].

235. Taking into account the serious nature and gravity of the infringements, their duration, and that each of the infringements related specifically to children’s personal data, as well as the economic power and the global resources of the undertaking, the EDPB considers that in the present case each fine should fall within the higher segment of the envisaged fine amount ranges, in order to be sufficiently effective and dissuasive in accordance with Article 83(1) GDPR.

236. The EDPB therefore asks the IE SA to ensure that the final amount of the administrative fines in the IE SA’s final decision meets the requirements of Article 83(1) GDPR.

237. The EDPB recalls its conclusion in this Binding Decision on the additional infringement of Article 6(1) GDPR regarding the contact information processing^[426]. The EDPB also recalls that the NO SA requested the IE SA to impose an administrative fine for this additional infringement^[427].

238. The EDPB takes note of Meta IE’s views that, even if an infringement is found, no additional fine is warranted given the significance of other administrative fines already imposed for the same processing. Moreover, Meta IE claimed that any additional fine would disregard Meta IE’s cooperation and mitigation efforts and would further make the totality of the administrative fine disproportionate and punitive^[428].

239. The EDPB however agrees with the reasoning of the NO SA in its objection^[429]. The EDPB reiterates that lawfulness of processing is one of the fundamental pillars of the data protection law and considers that processing of personal data without a legal basis is a clear violation of the data subjects’ fundamental right to data protection^[430]. Taking into account the nature and gravity of the infringement in accordance with Article 83(2) GDPR, the EDPB considers that an administrative fine should be imposed for this infringement. In this respect, the EDPB recalls that the infringement at issue relates to the processing of personal data of a significant number^[431] of children and that the level of damage affecting them^[432] has to be considered. Further, the EDPB notes that the identified infringement lasted at least from 25 May 2018 until the commencement of the IE SA’s inquiry in the present case on 21 September 2020^[433]. Finally, the EDPB takes note of the position of the IE SA in the Draft Decision that administrative fines in respect of each of the other infringements envisaged in the Draft Decision, relating to the contact information processing, are appropriate, necessary and proportionate in view of ensuring compliance with the GDPR^[434].

240. Therefore, the EDPB instructs the IE SA to consider the identified infringement of Article 6(1) GDPR in its determination on the administrative fines, by imposing a fine for the additional infringement, which is effective, proportionate and dissuasive in accordance with Article 83(1) and (2) GDPR.

241. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue binding decisions pursuant to Article 65 GDPR, the EDPB issues the following binding decision in accordance with Article 65(1)(a) GDPR:

242. On the objections concerning legal basis for the contact information processing:

1. The EDPB decides that the objections of the DE SAs, FI SA, FR SA, IT SA, NL SA and NO SA regarding Meta IE’s reliance on Article 6(1)(b) GDPR and alternatively Article 6(1)(f) GDPR, meet the requirements of Article 4(24) GDPR.

2. The EDPB finds that the objection of the NO SA regarding the imposition of an administrative fine for the proposed additional infringement, meets the requirements of Article 4(24) GDPR. On the contrary, the EDPB decides that the relevant parts of the objections of the FR SA and IT SA on the specific matter relating to an administrative fine for the additional infringement do not meet the threshold of Article 4(24) GDPR.

3. The EDPB instructs the IE SA to find in its final decision that there has been an infringement of Article 6(1) GDPR, on the basis of the conclusion reached by the EDPB in this Binding Decision.

4. The EDPB instructs the IE SA to consider the additional infringement of Article 6(1) GDPR in the compliance order, to the extent that the processing is ongoing, in order to ensure that full effect is given to Meta IE’s obligations under Article 6(1) GDPR.

243. On the objections relating to the possible further (or alternative) infringements of the GDPR identified by the CSAs:

5. With regard to the objection by the DE SAs concerning the possible additional infringements of Article 6(1)(a), Article 7 and Article 8(1) GDPR in relation to the contact information processing, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

6. With regard to the objection by the DE SAs concerning the possible additional infringements of Article 5(1)(a) and Article 5(1)(c) GDPR in relation to the contact information processing, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

7. With regard to the objection by the NO SA concerning the legal basis for the public-by-default processing, the EDPB decides this objection does not meet the requirements of Article 4(24) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

244. On the objections concerning the administrative fine:

8. The EDPB decides that the DE SAs objection regarding the calculation of the administrative fine meets the requirement of Article 4(24) GDPR.

9. In relation to consideration of the infringement of Article 24 GDPR under Article 83(2)(k) GDPR as proposed in the DE SAs objection, the EDPB does not find that the infringement of Article 24 GDPR can be considered an aggravating factor under Article 83(2)(k) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

10. In relation to intentionality under Article 83(2)(b) GDPR, the EDPB considers that the arguments put forward by the DE SAs in their objection fail to provide objective elements that indicate the intentionality of the behaviour of Meta IE. Accordingly, the IE SA is not required to amend its Draft Decision with respect to the findings on the character of the infringements of Article 12(1) GDPR.

11. Regarding the relevance of profit of the undertaking as argued in the DE SA objection, the EDPB finds that in the present case the IE SA does not have to amend its Draft Decision to additionally consider the annual profit of the undertaking pursuant to Article 83 GDPR.

12. The EDPB instructs the IE SA to re-assess its envisaged corrective measure in terms of the administrative fine in accordance with Article 83(1) and (2) GDPR, namely:

12.1. to further elaborate its reasoning concerning the weight given to the financial benefit obtained by Meta IE from the infringement referred to in Finding 1 of the Draft Decision and, if further estimation of the financial benefit from the infringement is possible in this case and results in the need to increase the amount of the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.

12.2. to ensure that the final amounts of the administrative fines are effective, proportionate and dissuasive. 12.3. to consider the identified infringement of Article 6(1) GDPR in the IE SA’s determination on the administrative fines and impose an administrative fine for the additional infringement, which is effective, proportionate and dissuasive.

245. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on the basis of this Binding Decision pursuant to Article 65(6) GDPR.

246. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

247. According to Article 65(6) GDPR, the IE SA shall communicate its final decision to the Chair of the EDPB within one month after receiving this Binding Decision.

248. Once such communication is done by the IE SA, this Binding Decision will be made public pursuant to Article 65(5) GDPR.

249. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included in the register of decisions which have been subject to the consistency mechanism.

For the European Data Protection Board

The Chair

(Andrea Jelinek)