The Data Protection Commission (DPC) concluded two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) over the delivery of its Facebook and Instagram services.
DPC fined Meta Platforms a total of €390 million (roughly $414 million).
“Final decisions have now been made by the DPC in which it has fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).” reads the announcement published by DPC. “Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months.”
The inquiries were related to Facebook and Instagram services; one complaint was made by an Austrian data subject and was related to the data processing operations of Facebook, and the second one was made by a Belgian data subject in relation to Instagram.
Both complaints were made on the date on which the GDPR came into operation, on 25 May 2018.
In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services.
Meta Ireland considered that, by accepting the updated Terms of Service, the users gave the company the consent to process their data to deliver its Facebook and Instagram services, including the provision of personalised services and behavioural advertising
“Following a consultation process, it became clear that a consensus could not be reached. Consistent with its obligations under the GDPR, the DPC next referred the points in dispute to the European Data Protection Board (“the EDPB”).” continues the DPC. “The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.”
The fine will have a severe impact on the ad revenue of the social media giant, Meta believes its approach is compliant with the EU GDPR and announced it will appeal the DPC’s findings.
“It’s important to note that these decisions do not prevent personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.” states Meta. “The decisions also do not mandate the use of Consent – another available legal basis under GDPR – for this processing.”
“That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision.” Meta added.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Meta)
[adrotate banner=”5″]
[adrotate banner=”13″]