Meta fined 390 million euros for data privacy violations

Kollage aus dem Facebook-Logo
When the GDPR came into effect, Meta had written the processing of personal data for advertising purposes into its terms of use.
(Source: IMAGO / NurPhoto)

Meta must pay a data privacy fine amounting to a total of 390 million euros in Ireland. The group has so far required users to give their consent to data processing for personalized advertising in its terms of use. However, this violates the General Data Protection Regulation (GDPR), the Irish data protection authority DPC has now ruled. According to the assessment of the Austrian organization Noyb, Meta must ask its users for consent in order to use their personal data for advertising purposes in the future.

Meta enables its corporate clients to place personalized advertising on the Facebook and Instagram platforms based on users’ online activities. In the European Union, the GDPR regulates the conditions under which personal data may be processed. As a rule, this requires the consent of the affected users. However, there are exceptions, such as when the information is actually required for the execution of a contract. For example, in the case of delivery services that absolutely require an address.

Meta also relies on this exception, and in 2018 stipulated data processing for advertising purposes in the terms of use for its services. Anyone who wants to use Facebook or Instagram must agree to the terms of use.

GDPR violation

However, Meta is not allowed to rely on this exception, as the Irish data protection authority has now announced. The Irish authority is responsible for the company because it has its European headquarters in the country. As the group’s actions to date have violated the GDPR, the DPC has imposed two fines: 210 million euros for Facebook and 180 million euros for Instagram.

Meta must also align its data processing practices with the requirements of the European General Data Protection Regulation within three months. The authority did not provide further details.

The decision stems in part from a complaint filed by Austrian organization Noyb in 2018, which was the year the GDPR came into effect. Noyb had argued that access to services should not depend on consent to data processing, which the GDPR prohibits.

Max Schrems of Noyb commented on the decision that has now been issued: “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”

In a statement, Meta expressed its “disappointment” with the decision and announced its intention to appeal. The company also pointed out that personalized advertising would remain possible on its platforms.

Noyb, on the other hand, said that as a result of the decision, Meta would have to ask its users for consent to use personal data for advertising purposes in the future. To do so, Meta could either offer an additional version of its apps that does not use personal data for advertising or offer a yes/no option. Users would also have to be able to revoke their consent at any time without the service being restricted for them.

According to the organization, this would “drastically limit” Meta’s profits in the EU. However, other forms of advertising, such as contextual, would remain possible.

European Data Protection Board had issued a decision

The Irish data protection authority is regularly criticized for proceeding too slowly in the case of data protection violations by major tech companies. Noyb also criticizes the authority in the current case, as it has only sent the decision to Meta so far. The organization, on the other hand, had not yet received the document as a party to the proceedings because it could allegedly receive confidential information. Schrems criticized: “In ten years as a lawyer, I have never experienced that a decision was served to only one party, but not to the other.”

The Irish data protection authority had initially regarded Facebook’s action as permissible. The authority had only wanted to impose a data protection penalty because of a lack of transparency. However, because other European data protection commissioners objected to this planned decision, the case became the subject of the European Data Protection Board (EDPB). The board is made up of representatives of national data protection authorities and the European Data Protection Supervisor.

In December, the EDPB had overruled the Irish authority (in German) and instructed it to publish a decision to that effect.

Repeated data privacy fines against Meta

This is the fifth time since September 2021 that the Irish data protection authority has ordered Meta to pay a hefty fine. As recently as November, it imposed a fine of 256 million euros (in German) on the group after data on more than half a billion Facebook users was published on the Internet (in German) in 2021.

In September 2022, the DPC fined Instagram 405 million euros for serious violations of child privacy rules. Previously, it had also fined Meta 17 million euros, as well as its subsidiary WhatsApp 225 million euros.

Meta has appealed against both the Instagram and WhatsApp decisions. (dpa / js)