After ending 2022 with four privacy fines, social networking giant Meta entered the new year with another multi-million penalty in Europe. The Irish Data Protection Commission (DPC) also ordered Facebook’s parent company to adhere to data processing rules within three months.
As if Meta’s dwindling revenue and profits were not enough, the company is now hit by a €390 million (~$413 million) fine in Europe. But that’s not it. The company is required to make a major policy and operational change in Europe over user data processing for ad targeting.
The Irish DPC imposed a combined fine of €390 million (~$413 million) on Meta, split as €210 million (~$222 million) for Facebook and €180 million (~$191 million) for Instagram, the image and short video-sharing platform it owns. Meta is alleged to have violated European Union privacy laws under the GDPR.
The latest fine comes after a four-year investigation into Meta’s data processing practices, launched in May 2018 on the same day the GDPR came into effect in the EU. The DPC also ordered Meta to comply with GDPR-mandated data processing operations within a quarter.
The DPC concluded that Meta incorrectly interpreted the six legal bases under Article 6 of the GDPR that allow a company to process user data. Meta uses the behavioral data it collects to serve targeted ads.
When the GDPR came into effect in May 2018, Meta (then Facebook) required users to accept updated Terms of Service for both Facebook and Instagram, thus establishing a new contract.
However, two separate complaints from an Austrian and a Belgian national, which were later confirmed by the DPC investigation, noted that “by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact ‘forcing’ them to consent to the processing of their personal data for behavioral advertising and other personalized services.”
Essentially, Meta can no longer claim its contract with the user based on user-accepted Terms of Service as a legal basis on which the company can process data. Meta would necessarily have to ask for user consent before targeting them with behavioral ads, and it has three months to make this possible.
Initially, the DPC, which is the primary regulatory and enforcement agency for American tech companies operating in the EU (with headquarters in Ireland), did not consider Meta to be in violation of the GDPR. However, the European Data Protection Board (EDPB) determined that “as a matter of principle, Meta Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioral advertising.”
DPC’s conduct drew criticism from privacy advocates who questioned the long-drawn-out investigation over almost five years. Austrian data privacy activist Max Schrems noted: “This case is about a simple legal question. Meta claims that the ‘bypass’ happened with the blessing of the DPC. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities.”
“It is overall the fourth time in a row the Irish DPC got overruled,” Schrems continued. “The core issue was that Meta illegally processed user data for more than four years, the DPC shielded Meta and they got voted down on the EU level.”
Chris McLellan, director of operations at Data Collaboration Alliance, previously expressed to Spiceworks that fines without any substance can only do so much. “The endless parade of fines and regulatory show trials – or any attempt to mitigate the underlying chaos that defines the current state of personal information – are doomed to fail.”
However, DPC’s latest decision requires operational changes, something that regulators previously have not enforced.
Almost 5 years after the GDPR came into force, this is probably the most significant enforcement decision to date – following complaints made on May 25, 2018 (!), the day the GDPR came into force. The Irish DPC fined Meta 390 million euros, but this is not about the fine. 1/ https://t.co/riEEEV6ZZ1
— Dr. Gabriela Zanfir-Fortuna (@gabrielazanfir) January 4, 2023
In a blog post published on Wednesday, Meta said it would appeal the decision and wrote, “Facebook and Instagram are inherently personalized, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service.”
Schrems added, “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”
The DPC is yet to release its decision publicly. Schrems went on to allege that cooperation between the Irish regulator and Meta is “well and alive – despite being overruled by the EDPB.”
In December 2022, Meta settled the Cambridge Analytica scandal case for $725 million.