Meta to fight €390 million fine for breaching EU data privacy laws

The Irish Data Protection Commission (DPC) has fined Meta a total of €390 million after finding that it forced Facebook and Instagram users to consent to personal data processing for targeted advertising.

Today's decision comes after the conclusion of two investigations into Meta's data processing operations prompted by complaints filed by the noyb non-profit organization on behalf of Austrian and Belgian users on May 25, 2018, when the EU's General Data Protection Regulation (GDPR) data privacy and security law came into operation.

"Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook's and Instagram's services (including behavioural advertising), Meta Ireland now sought to rely on the 'contract' legal basis for most (but not all) of its processing operations," the Irish data watchdog said.

"If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click "I accept" to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so)."

The DPC imposed a €210 million administrative fine on Meta Ireland for GDPR breaches related to its Facebook service and a €180 million one for violations linked to Instagram services.

The DPC also ordered Meta to bring its current data processing operations into compliance with GDPR's regulations within the next three months, likely meaning that the company would no longer be able to process its users' personal information for personalized advertising until they opt-in.

Meta has to get "opt-in" consent for personalized advertisement and must provide users with a "yes/no" option. The decision on a third parallel case on WhatsApp is delayed until mid-January. (3)

— noyb (@NOYBeu) January 4, 2023

Meta rejects DPC's findings and will appeal the fines

However, Meta also published today a statement in reaction to DPC's announcement of the €390 million fine, claiming that its approach respects GDPR and blaming the decision on a "lack of regulatory clarity."

The company added that it would appeal the fines and reassured businesses and users that they would be able to "continue to benefit" from personalized ads on Meta's platforms across the EU.

"We strongly believe our approach respects GDPR, and we're therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines," Meta said.

"These decisions do not prevent personalised advertising on our platform. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets."

"Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service."

In November, Meta was also fined €265 million ($275.5 million) by the Irish data watchdog for failing to protect Facebook users' data from scrapers after data belonging to 533 million was leaked on a hacker forum.