The Irish Data Protection Commission (DPC) fined Meta Ireland a total of 390 million euros (U.S. $414 million) for breaching the General Data Protection Regulation (GDPR) by forcing users to agree that their personal data can be used for targeted advertising in order to access Facebook and Instagram.
Of the penalty total, €210 million (U.S. $223 million) relates to Facebook breaches and €180 million (U.S. $191 million) to Instagram breaches, the regulator announced Wednesday. Complaints against the platforms were lodged the day the GDPR came into force in May 2018.
Meta Ireland must also bring its data processing operations into compliance with the decision within three months.
The company said it plans to appeal.
In the run-up to the GDPR taking effect, Meta (then Facebook Ireland) informed users it would be changing its terms of service so they now had to accept their personal data would be used to help target advertisements at them more effectively. If they refused, they could no longer access the service.
The complainants, one of whom was Austrian privacy campaigner Max Schrems, argued Meta’s terms and conditions simply forced users into giving consent to drive behavioral advertising, which was a breach of the GDPR.
The case highlighted concerns over the way tech companies use contract terms to secure users’ consent to monetize personal data to drive their business models.
It also created a split in the enforcement appetites of some European Union data protection authorities regarding how strictly the GDPR should be interpreted in everyday business practices, what level of penalties should be imposed, and whether the rules have even been broken.
The Irish DPC came into conflict with the European Data Protection Board (EDPB), the EU’s overarching GDPR regulator, over “forced consent.” The EDPB once again intervened when several supervisory authorities objected to the Irish DPC’s original decision.
The EDPB said in December that as a matter of principle, Meta Ireland was not entitled to rely on users signing a contract rather than giving their explicit consent to process their personal data to push advertising.
In its earlier decision, the Irish DPC held Meta was not relying on “forced consent” but did find the company breached GDPR transparency requirements about how personal data could be used.
Legal experts believe the decision—if it stands—is a serious issue for tech firms who now need to get consent for targeted advertising. Schrems, in a statement, called it “a huge blow to Meta’s profits in the EU.”
Jonathan Compton, partner at law firm DMH Stallard, said, “This case serves notice Big Tech cannot hide behind ‘contractual necessity’ to play fast and loose with personal data of EU citizens.”
He said the deeper problem for Facebook—which relies on personalization of advertisements for users for about 80 percent of its revenue—is the decision “strikes at the heart of its business model, effectively denying tech firms the ability to use personal data to tailor the ad output to individual users if they are harvesting user data to do the tailoring.”
In a post on its website, Meta said businesses “have faced a lack of regulatory certainty” regarding the legal processing of data since the GDPR came into force, adding it “strongly disagree[s] with the DPC’s final decision.”
The company said the decision does not prevent it from continuing to use behavioral advertising; it affects only the legal basis upon which it carries it out.
“Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticized for the approach we have taken to date,” Meta added. “[T]herefore, we also plan to challenge the size of the fines imposed.”