Irish privacy watchdog fines Meta $400 million amid disagreement among European authorities
Ireland’s data privacy watchdog has handed down a €390 million (about $413 million) fine to Meta after two years-long inquiries into the data processing operations of Facebook and Instagram.
The inquiries resulted from two complaints filed in May 2018 centered on the legal justifications used by the social media giant for the collection of user data.
Ireland’s Data Protection Commission (DPC) ruled that Meta did not clearly outline to users the “processing operations” that were being carried out with personal data nor what that data was being used for. The lack of transparency was a violation of the European Union’s General Data Protection Regulation (GDPR).
While a blow to Meta, the decision also exposed disagreement within Europe over how to enforce the GDPR. The original fines proposed by the DPC were much lower and were only raised on orders from the European data protection authority. The DPC ultimately regulates Meta because its European headquarters are based in Dublin.
Ireland’s commission originally determined that Meta did not violate the GDPR by relying on “forced consent” – whereby Facebook and Instagram force users to “accept” a terms of service agreement in order to use the platforms.
Other bodies within Europe disagreed, concluding the company was indeed in violation of the law. Those terms of service agreements are used by Meta to justify the legality of their data collection practices.
Under the GDPR, bodies like the DPC submit their decisions to regulators across the European Union. The other privacy watchdogs agreed with the DPC’s first assessment around transparency but said the fines needed to be increased.
On the second issue, 10 of the 47 privacy authorities in Europe raised objections to DPC’s findings.
Several privacy watchdogs said Meta should not be allowed to rely on byzantine terms of service agreements to justify the use of personalized ads on Facebook and Instagram. The personalized ads were not "necessary to perform the core elements" of the social media platforms' functions, they found.
The DPC, however, argued that Facebook and Instagram are “personalized services that also feature personalized advertising” – which is “central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.”
The two sides could not agree on a resolution and the decision was then sent to the European Data Protection Board (EDPB), which ruled on December 5 that the DPC needed to increase its fine and backed the 10 watchdogs that disagreed with Meta’s legal justifications for data collection.
The EDPB’s ruling on the additional violation of GDPR is what prompted the DPC to increase the fine to €210 million (about $229 million) for Facebook privacy violations and €180 million (About $200 million) for Instagram.
Meta now has three months to bring its operations into compliance with the GDPR or they will face additional fines.
The EDPB also ordered the DPC to conduct a new investigation into Facebook and Instagram’s data processing operations – something the DPC vehemently disagreed with and plans to challenge in court.
"transparency" of the illegal processing, but not stop the illegal processing itself. Kind a like "we ask them to break the law in a more transparent way" - why don't you think this is enough?
— Max Schrems (@maxschrems) January 4, 2023
The third #noyb complaint on WhatsApp is delayed for another two weeks, but will...
NOYB, the organization that filed the complaints in 2018, said in a statement that it felt vindicated by the EDPB ruling rejecting what they felt was an attempt by the DPC and Meta to bypass the rules outlined in the GDPR.
Meta will now have to get "opt-in" consent for personalized advertising and must provide users with a "yes/no" option, the organization explained.
They noted that a third complaint they filed against another Meta service – WhatsApp – has been delayed until mid-January.
"Instead of having a 'yes/no' option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way," said Max Schrems, a NOYB privacy expert.
“This case is about a simple legal question. Meta claims that the 'bypass' happened with the blessing of the DPC. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled."
A Meta spokesperson told The Record that the level of disagreement within Europe demonstrated by the DPC’s press release was "very telling," adding that there is a "total lack of regulatory certainty or clarity on this topic."
The spokesperson said the company has a variety of options to process user data and they are currently assessing which to use.
“The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area. We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” a Meta spokesperson said.
“These decisions do not prevent targeted or personalized advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.”
The New York Times reported that the personalized ad practices at issue generated $118 billion in revenue in 2021 for Meta.
Almost 5 years after the GDPR came into force, this is probably the most significant enforcement decision to date - following complaints made on May 25, 2018 (!), the day the GDPR came into force. The Irish DPC fined Meta 390 million euros, but this is not about the fine. 1/ https://t.co/riEEEV6ZZ1
— Dr. Gabriela Zanfir-Fortuna (@gabrielazanfir) January 4, 2023
Schrems criticized the DPC for allegedly holding 10 confidential meetings with Meta and accused the watchdog of helping Meta skirt GDPR rules. Schrems said the Irish authority also tried to influence the European regulatory body to rule in favor of Meta.
He argued that despite what was in DPC’s statement, the privacy watchdog “shielded Meta and they got voted down on the EU level."
“The decision means that Meta must allow users to have a version of all apps that does not use personal data for ads within three months,” NOYB said.
“The decision would still allow Meta to use non-personal data (such as the content of a story) to personalize ads or to ask users for consent to ads via a 'yes/no' option. Users must be able to withdraw consent at any time and Meta may not limit the service if users choose to do so. While this will limit Meta's profits dramatically in the EU, it would not fully prohibit ads.”
The privacy non-profit also took issue with DPC’s rollout of the decision, noting that the watchdog only informed them today that they would not be releasing the full decision to them, citing confidentiality, despite the fact that the organization is a plaintiff in the case.
Schrems said he has never seen a decision only being served to one party, but not the other.
According to Schrems, the original fine proposed by DPC was between €28 million to €36 million (about $29 million to $38 million). He noted that Meta has been hit with fines totaling nearly €1 billion ($1.06 billion) since the GDPR went into effect.
In September, Meta said it was appealing another fine, worth $400 million, for violations related to Instagram allowing children as young as 13 to operate business accounts. Last year, the DPC also fined Meta $267 million for GDPR violations related to data processing done by WhatsApp.
The DPC also fined Meta €265 million (about $275 million) in November for the company’s data protection practices.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.