The Data Protection Commission (DPC) has fined Meta 390 million euros. The parent company of Facebook and Instagram served users personalized ads without explicitly asking for permission. In an initial response, the American technology company announced that it is contesting the fine.
The Irish regulator announced the fine through a press release (1).
Meta is a company that has become big by selling personalized ads. To offer such ads, the company has long collected personal information from Facebook and Instagram users. By agreeing to the terms and conditions, members agreed.
In May 2018, the General Data Protection Regulation (GDPR) went into effect. At that time, the DPC received two complaints about Meta, including one from the Austrian privacy organization Noyb. The essence of the complaint was that Meta did not properly obtain consent to collect user data. According to European privacy rules, the tech company had to explicitly ask for permission to do so.
Instead of introducing an opt-in to Facebook and Instagram users, Meta added a consent clause to its terms of use. In effect, the company said that online tracking and offering targeted ads were part of the services Meta provides. By being active on the online platforms, users agreed to this.
In December 2022, the European Data Protection Board (EDPB), representing all national privacy regulators in the EU, ruled that this "contractual necessity" was illegal. This opinion was submitted to the DPC. The Irish privacy watchdog announced today that it is adopting the European umbrella organization's findings.
The ruling is striking: previously, the regulator believed that Meta's methods were legal. So now the DPC is backtracking on that. Facebook will be fined 210 million euros for violating European privacy rules for offering personalized ads. Instagram has to put a sum of 180 million euros on the table.
Meta will have three months to adjust the way it collects user data.
Austrian privacy foundation Noyb welcomes the DPC's ruling. Max Schrems, president of Noyb, calls the ruling "a huge blow to Meta's profits in the EU." "People now have to be asked whether they want their data to be used for ads or not. They should have a 'yes or no' option and can change their mind at any time. The decision also creates a level playing field with other advertisers who must also get opt-in consent," Schrems said in a statement (2).
Meta disagrees with the decision and says it is appealing the Irish regulator's decision. "We strongly believe that our approach respects European privacy law, which formulates a set of legal bases under which data may be processed without users' consent. We want to reassure users and businesses that they can continue to benefit from personalized advertising across the EU through Meta's platforms," the company said in a statement to Reuters news agency (3).
It is not the first fine Meta has received from the Irish privacy watchdog. In September 2021, WhatsApp was told to pay €225 million for violating European privacy laws and regulations. A year later, the DPC fined Instagram 405 million euros for careless handling of children's data.
Finally, in November 2022, Facebook was fined 265 million euros for a data breach that came to light in early 2021. Hackers then managed to capture the personal data of 533 million Facebook users. This included first and last names, places of residence, dates of birth, gender, phone numbers, email addresses, relationship status, texts contained in users' biographies, Facebook IDs and account creation dates.
Added together, Meta's fines come to nearly 1.3 billion euros.
https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland
https://noyb.eu/nl/breaking-meta-verbiedt-gebruik-van-persoonsgegevens-voor-reclame
https://www.reuters.com/technology/irish-privacy-regulator-fines-meta-more-than-400-mln-2023-01-04/
