On Wednesday, tech giant Meta was slapped with a fine of €390 million ($414 million) for a breach of European Union (EU) privacy laws. Meta was accused of “forcing” subscribers to consent to the processing of their personal data for behavioural advertising and other personalised services.
Specifically, Meta was ordered to pay two separate fines totalling €390 million: one of €210 million for violating the European Union’s General Data Protection Regulation (GDPR) and another of €180 million related to breaches of the same law by Instagram.
GDPR places strict requirements on companies regarding the processing of people’s information. Companies that flout the rules risk facing penalties as high as 4% of global annual revenues.
The decision was handed down by the Irish Data Protection Commission after concluding two lengthy investigations into Meta. The investigations started on May 25, 2018, the day the EU’s GDPR came into effect.
In the report of the ruling made public on the 4th of January 2023, the Data Protection Commission (DPC) found that:
- In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time.
- In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis.
The DPC maintained that Meta must bring its processing operations into compliance with the GDPR within a period of 3 months.
In a statement in response to the ruling, Meta said that it planned to appeal the ruling. It added that the decision does not amount to a ban on personalized advertising and businesses can continue using Meta’s platforms to target users with ads.
In November 2022, the same body slapped Meta’s Facebook with a €265 million fine for exposing users’ data to hackers.