Meta has once again become the subject of a hefty set of fines after being found to have breached data rules over how it asks permission for ads on its Facebook and Instagram platforms.
The Irish Data Protection Commissioner (DPC) has fined Meta Ireland €390m after concluding two inquiries and confirming a final ruling from the European Data Protection Board (EDPB) that it breached GDPR rules.
The fines include €210m for breaches of the rules in relation to Facebook and €180m for breaches on Instagram. The DPC has also given Meta a three-month deadline to change the way it processes data to bring its operations into compliance with GDPR.
'Forcing consent' to use the platform
The inquiries arose from two complaints in Austria and Belgium when GDPR came into force in late May 2018. The complainants alleged that Meta was “forcing consent” to the processing of their personal data for behavioural advertising and other personalised services, and argued that the firm’s process was a breach of GDPR.
The complaints relate to Meta’s move to rely on a “contract” legal basis for most of its processing operations – meaning that if users wanted to continue to use Facebook and Instagram post-GDPR, they had to click “I accept” to indicate they accepted the tech giant’s updated terms of service. If users didn’t click, they were blocked from using the service.
Meta had previously relied on the consent of users to the processing of their personal data, the DPC said, and the change was brought in before GDPR came into play.
Targeted ads ‘an essential part of the platforms’ existence’
The DPC found that Meta was not clear to users about the legal basis it relied on as to how data was used and why - “with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s)”. The regulator originally found that Meta did not have to rely on consent from users to process data, supporting the view that it was fulfilling a contract with users to supply personal ads.
But this was challenged in a dispute with other European data authorities after a GDPR-mandated peer review of the commission’s initial decisions. The dispute was settled at the end of 2022 by the EDPB, which found that Meta Ireland was not entitled to rely on “contract” as providing a lawful basis for processing of personal data for targeted ads.
Meta said that Facebook and Instagram were “inherently personalised” and that providing users with personal experiences – including targeted ads – was a necessary and essential part of the platforms’ existence.
It said in a post: “To date, we have relied on a legal basis called ‘Contractual Necessity’ to show people behavioural advertisements based on their activities on our platforms, subject to their safety and privacy settings. It would be highly unusual for a social media service not to be tailored to the individual user.”
The tech giant said it was disappointed and “strongly disagreed” with the final decision, believing its approach respected GDPR. Meta is intending to appeal both the rulings and the fines, citing that regulators disagreed with each other on the issue.
“There has also been inaccurate speculation and misreporting on what these decisions mean. We want to reassure users and businesses that they can continue to benefit from personalised advertising across the EU through Meta’s platforms.”
Meta added: “These decisions do not prevent personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.”
Challenging an 'open-ended and speculative' investigation
The DPC is, however, challenging a direction from the EDPB to conduct a fresh investigation spanning all Facebook and Instagram data processing operations – by seeking annulment from the European Court of Justice.
It said the EDPB had “purported to direct” the regulator to conduct the investigation, which in its view was “problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR”. The DPC added that it was not open to the EDPB to direct the regulator “to engage in open-ended and speculative investigation”.