On 04.01.2023, the Irish Data Protection Commission (DPC) announced a fine of € 390 million against Meta (1) due to unlawful personalized advertising on Facebook and Instagram. A first analysis of the decisions now reveals that the DPC has turned a blind eye on the revenue generated from violating the GDPR when calculating its fine. This was despite a 2/3 majority vote of all EU authorities (the EDPB) having directed the Irish DPC to factor in Meta's billions of Euro of ill-gotten revenue. The DPC's maneuver saved Meta almost € 4 billion.
Background: Meta's violation of the GDPR. In a 4.5 year battle over the lack of a legal basis for providing personalized advertisement in the EU, noyb scored a major victory. The European Data Protection Board (EDPB) overturned the core element of a previous draft decision by the Irish DPC and held that Meta did not have a proper legal basis to process personal data for behavioural advertising. Meta's attempt to squeeze an "agreement" into the terms and conditions of Facebook and Instagram was found to be unlawful. Any processing based on this "bypass" since 25 May 2018 was therefore illegal. The EDPB told the DPC that an additional fine must "counterbalance the gains from the infringement" and ordered the DPC to "impose a fine that exceeds that amount".
New Development: DPC unable to estimate Meta's unlawful revenue? On 5 December 2022, the European Data Protection Board (EDPB) ordered the DPC to quantify how much revenue Meta had generated by infringing the GDPR, and to factor that sum in to its fine. However, the DPC simply ignored the unlawful revenue made by Meta and claimed that "the Commission is unable to ascertain an estimation of the matters" and that it is therefore "unable to take these matters into account". This is despite having the power to demand such information from Meta under Article 58(1) GDPR.
Max Schrems, Chair of noyb: "We all know about Meta's enormous revenue. It's astonishing that this was not taken into account by the DPC. The DPC didn't even use its statutory powers to ask Meta for the information. We therefore researched publicly available information and found that this factor alone should have increased the fine by € 3.97 billion."
https://noyb.eu/en/breaking-meta-prohibited-use-personal-data-advertising
Noyb's letter to EDPB outlining the DPC's failure to comply with the EDPB decision (PDF)
Table with relevant numbers (PDF)
Facebook's public information on users and revenue (see "Earning Slides")
