Meta Fined €390 Million for Facebook and Instagram GDPR Violations

The Irish Data Protection Commission (DPC) has announced that Meta, the parent company of Facebook, Instagram, and WhatsApp, has been fined a total of €390 million ($414 million) for violations of the General Data Protection Regulation (GDPR) in the way its Facebook and Instagram services process the personal data of European Union residents. A third case, concerning WhatsApp, is still pending and is likely to result in a further substantial financial penalty; the decision in that investigation is expected next week.

The DPC had previously concluded that its investigations into Facebook and Instagram had uncovered GDPR violations and proposed fines of €36 million ($38.2 million) for Facebook and €23 million ($24.4 million) for Instagram. Because other EU supervisory authorities objected, the draft decisions were referred to the European Data Protection Board (EDPB), which agreed that financial penalties should be imposed but directed that they be increased. Facebook has now been fined €210 million and Instagram €180 million.

Both penalties concern the legal basis Meta relied on to run behavioral advertising on the platforms. The complaints date back to the very day the GDPR took effect, May 25, 2018, and were both filed by the data rights campaigner Max Schrems and his organization NOYB. Under the GDPR, personal data may only be processed for purposes such as behavioral advertising on a valid legal basis, and where that basis is consent, the consent must be freely given. Meta made acceptance of its updated terms of service, which included the use of personal data for behavioral advertising and other personalized services, a condition of continuing to use the platforms. The complainants argued that this amounted to forced consent, since users who did not agree could no longer use the service, and that the nature and extent of the data processing were not made clear in the terms and conditions.

“The GDPR allows for six legal bases to process data, one of which is consent under Article 6(1)(a). Meta tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the ‘service’ that it contractually owes the users,” explained NOYB. Meta’s change to its terms of service took effect at midnight on the day the GDPR became applicable. “So-called ‘contractual necessity’ under Article 6(1)(b) is usually understood narrowly and would e.g. allow an online shop to forward the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, took the view that it could just add random elements to the contract (such as personalized advertisement), to avoid a yes/no consent option for users.”

In addition to the financial penalties, Meta is required to bring its processing into line with the GDPR. The company and its subsidiaries may no longer rely on the contract users enter into when they sign up as the legal basis for using personal data for behavioral advertising. Users must instead be given a yes or no consent option, and their personal data may only be used for behavioral advertising if they agree. Other forms of advertising on the platforms have not been banned.

The latest fines bring the total penalties imposed on Meta for GDPR violations to around €1.3 billion in the past 18 months alone. Those penalties include a €265 million fine for Facebook over a data scraping breach, a €405 million penalty for Instagram for violations of children’s privacy, a €60 million penalty imposed on Facebook by France’s CNIL over its cookie consent practices, and a further €17 million for a series of historical data breaches at Facebook.

“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” said a spokesperson for Meta in response to the decision.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.