Facebook parent company Meta kicked off the New Year with a new fine from the EU, with the Irish privacy regulator concluding that the company’s advertising and data handling practices were in breach of EU privacy laws. To that end, the Irish Data Protection Commission (DPC) slapped Meta with fines totaling more than $400 million. The watchdog is the lead regulatory authority for Meta and several other U.S. tech giants, which have their EU headquarters in Ireland.
One of the fines, worth 210 million euros ($222.5 million), was issued over violations of the European Union’s General Data Protection Regulation, or GDPR, and the second, a 180 million euro fine related to breaches of the same law by Instagram. In total, that’s 390 million euros or some $414 million.
The decision marks the conclusion of two lengthy investigations into Meta by the Irish regulator, which had been criticized over delays in the process. The DPC began investigating the company on May 25, 2018, when the EU’s GDPR came into effect.
As you may know, the GDPR places strict requirements on firms concerning the processing of people’s information. Firms that run afoul of the rules risk facing penalties as high as 4% of global annual revenues.
In the ruling, the DPC said that Meta must bring its data processing operations into compliance within three months.
Meta, unsurprisingly, plans to appeal the ruling.
“The suggestion that personalized ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect,” a Meta spokesperson told CNBC. “There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal basis is most appropriate in a given situation has been ongoing for some time. That’s why we strongly disagree with the DPC’s final decision and believe we fully comply with GDPR by relying on Contractual Necessity for behavioral ads, given the nature of our services. As a result, we will appeal the substance of the decision.”
Previously, Meta relied on a user’s consent to process their information to enable behavioral advertising. However, after the entry into force of the GDPR, the company changed the terms of service for Facebook and Instagram, and switched the legal basis upon which it processes that information to something called “contractual necessity.”
The same year, Austrian privacy activist Max Schrems submitted a complaint alleging this change forced users to accept the processing of their information for ad targeting in exchange for the use of the platforms.
Schrems now believes that the DPC’s decision means that Meta would have to develop a version of its apps that doesn’t use personal data for advertising within three months.
He added Meta would still be allowed to ask users for consent to ads with a “yes/no” option, however.
“This is a huge blow to Meta’s profits in the EU,” Schrems said. “People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”
In December, the European Data Protection Board, said that Meta wasn’t entitled to rely on contracts as a legal basis for processing user data for targeted ads, effectively deeming the company’s advertising practices illegal.
Subsequent to that move, the DPC reiterated that statement, adding that “Meta’s processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR.”
The fines imposed by the DPC were raised substantially from those proposed in a draft decision in October, where the regulator suggested a levy of between 28 million and 36 million euros.
On our end, we like that at least someone is using the “stick approach” with the Tech Giants. They can handle these fines with ease and would hopefully at least fine-tune their practices to the benefit of all of us. And then, hopefully, roll out similar changes beyond the EU.