Meta Fined $413M for GDPR Breaches

Meta, Ireland, EMEA, Facebook, Instagram, GDPR, fines

Facebook parent company Meta is facing 390 million euros ($413.4 million) in fines.

Ireland’s Data Protection Commission (DPC) said in a Wednesday (Jan. 4) press release that Meta Ireland’s advertising business model is not compliant with the EU’s General Data Protection Regulation (GDPR).

Accordingly, the DPC issued the social media giant two fines: a 210 million euros ($222.62 million) fine for Facebook and a 180 million euros ($190.8 million) fine for Instagram.

The company has been given three months to amend its practices to bring it in line with the DPC’s interpretation of GDPR rules, a major blow to Meta’s European business model that threatens its ability to monetize user data.

While the DPC ruling doesn’t explicitly forbid Meta from using user data for targeted ads, it moves the needle on what is considered sufficient legal justification for doing so.

The complaints that led to Wednesday’s fines go back to May 25, 2018, when the GDPR was enacted.

At the time, Meta asked all its users to accept updated contractual terms if they wanted to continue using its services, which it has since argued gives it the right to collect data for advertising purposes without it having to gain additional consent from users.

The DPC’s latest ruling boils down to whether or not Meta’s updated terms of use count as a contract according to the GDPR rulebook.

“Users had insufficient clarity as to what processing operations were being carried out on their personal data,” the DPC argued.

Meta said that it intends to appeal both rulings in a response to the DPC’s decisions.

“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions,” the company wrote.

It’s important to note that although the DPC is responsible for overseeing Meta’s GDPR compliance because the firm has its European headquarters in Dublin, decisions such as this require the agreement of all EU privacy authorities, a prerequisite which was difficult to achieve in this instance.

However, the European Data Protection Board supported the DPC’s decision.

Meta said that there has been “a lack of regulatory clarity on this issue,” adding that “given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticized for the approach we have taken to date.”

For all PYMNTS EMEA coverage, subscribe to the daily EMEA Newsletter.