Irish Data Protection Commission imposes a fine of € 390 million on Meta for breaking E.U. data rules
The Irish Data Protection Commission (DPC) has imposed a fine of € 390 million (£ 346 million) on the United States (U.S.) based Meta, for breaking European Union (E.U.) data rules.
As Facebook and Instagram have European headquarters in Ireland, the DPC takes the lead in ensuring they comply with E.U. data law. The DPC said the way Meta asked permission to use peoples’ data for ads on Facebook and Instagram was unlawful.
Meta, which owns both platforms, has 3 months to change how it obtains and uses data to target ads. The DPC said that Facebook and Instagram cannot “force consent” by saying consumers have to accept how their data is used or leave the platform. Meta said it is disappointed and intends to appeal, stressing that the decision does not prevent personalized advertising on its platforms.
The decision means Meta will have to give users real choice over how their data is used to target online advertisements. The bulk of the firm’s money, over U.S. $ 118 billion (£ 97.8 billion) in 2021, came from advertising.
This is the second significant penalty imposed by DPC in recent months. In November 2022, Meta was fined € 265 million (£ 228 million) by the DPC over a data breach that saw the personal details of hundreds of millions of Facebook users published online. Meta has set aside funds in tune of € 2 billion (£ 1.7 billion) to cover potential European fines in 2023.
Announcing the conclusion on enquiry on Meta, the DPC tweeted,
Data Protection Commission announces conclusion of two inquiries into Meta Ireland: https://t.co/KvmD9cBQd6 pic.twitter.com/Csj4z2donq
— Data Protection Commission Ireland (@DPCIreland) January 4, 2023
The DPC investigation was sparked by complaints made in 2018 by privacy campaigner – Max Schrems, on behalf of two users in Austria and Belgium. The complaint was brought just as the E.U.’s new data and privacy law – General Data Protection Regulation (GDPR), came into operation.
In order to comply with GDPR both Facebook and Instagram asked users to click “I accept” to indicate that they agreed to updated terms of service setting out how their data would be used in ads. If users did not accept, they were unable to use Facebook or Instagram.
The complainants argued that this meant Meta was forcing” them to consent to their data being used in targeted ads and this breached the GDPR. Meta argued that Facebook and Instagram are inherently personalized and that, as part of that personalization, targeted ads are a “necessary and essential part” of how the platforms work. The complainants said that Meta was not giving users an ultimatum, and that there was just no way the platforms could work without using data for advertising.
Meta argues that far from forcing people to accept how it uses data, it gives consumers a number of tools to control how their data is used. But the DPC found that is not the case and users were forced to consent. The DPC also found that Meta was not clear enough with users about how it was using their personal data and why.
