Ireland’s Data Protection Commission issued fines against Meta totaling €390 million — about $414 million — after determining that the social-media giant’s Facebook and Instagram services violated European Union data-privacy rules. Meta it “strongly disagrees[d]” with the DPC’s verdict and it plans an appeal.
The regulator fined Meta Ireland €210 million for breaches of the EU’s General Data Protection Regulation (GDPR) relating to Facebook and €180 million for breaches relating to Instagram. In addition, the DPC has ordered the Matter Ireland business to “bring its data processing operations into compliance” within three months.
Meta Ireland’s change in May 2018 – when the GDPR came into effect – required Facebook and Instagram users to accept a contractual legal basis for processing their data for the purposes of behaviorally targeted advertising in its terms of service. A pair of complaints filed at the time by European users argued that the change amounted to “forced consent” because they would be barred from using Facebook or Instagram if they refused to agree to the new terms. The DPC ruling, announced on Wednesday, found that Meta Ireland “provided insufficient clarity about what processing activities are being carried out on their personal data” and that the company “is not entitled to rely on the legal basis of ‘agreement'” for behavior-based advertising for Facebook and Instagram.
In response, Meta said it intends to appeal “both the substance of the ruling” as well as the size of the fine imposed.
“We strongly believe that our approach respects the GDPR, and we are therefore disappointed by these decisions and intend to appeal both the substance of the judgment and the penalty,” the company said in a blog post on Wednesday.
Meta also said, “There has been a lot of speculation and misreporting about what these decisions mean. We want to reassure users and businesses that they can benefit from personalized advertising across the EU through Meta’s platform.”
According to Meta, the GDPR “allows for a variety of legal bases under which data may be processed.” To date, the company said, it has relied on a legal basis called “contractual requirements” to serve ads to users based on their activity on the platform, subject to their security and privacy settings.
“We have always been open with regulators and courts on this matter, and in previous assessments of our services they have not objected to the use of contractual requirements for this type of activity,” Meta said. “Given that the regulators themselves disagreed with each other on this issue until the final stage of these proceedings in December, it is difficult to see how we can be criticized for the approach we have taken, and so we plan to challenge. Amount of fine imposed.”