Does the $400 Million DPC Decision Against Meta Take “Necessity” into Account?

Meta kicked off the New Year with a fine of over $400 million levied by the Irish Data Protection Commission (DPC) for breaching EU privacy laws. These new sanctions were added to multiple privacy fines for Meta in Europe last year. This time the DPC was forced by the European Data Protection Board (EDPB) to find that Meta violated the General Data Protection Regulation (GDPR) in relying on its contractual relationship with Facebook and Instagram users as the basis for using user data in personalized advertising. The core disagreement was whether it is lawful for Meta to treat user data for personalized advertising as “necessary for the performance” of the contract between Meta and its users. However, what actually determines whether any specific component is “necessary” is the balance of costs and benefits from the business model’s technological and economic components. In the Meta decision, the EDPB got it wrong.