Meta GDPR consent fine €4bn short, says Max Schrems

Privacy campaigner Max Schrems has blasted the Irish data regulator’s recent €390m (£346m) GDPR fine against Meta – for using “forced consent” to gather advertising data – claiming the penalty should have been €4.36bn – €3.97bn short – due to the severity of the offence.

The ruling, issued earlier this month, followed complaints made back in 2018, just days after GDPR came into force.

The complaints claimed that all Meta’s platforms – Facebook and Instagram, as well as WhatsApp – use a strategy of “forced consent” to process users’ personal data. This means that consumers have no choice over whether to have their information collected for advertising if they want to use the sites.

Through his NOYB privacy organisation, Schrems maintains that the Irish DPC gave Meta “a €3.97bn present” by turning a blind eye to the revenue generated from violating GDPR when calculating its fine.

This was despite a two-thirds majority vote of all EU authorities – who sit on the European Data Protection Board – having directed the Irish DPC to factor in Meta’s “billions in ill-gotten revenues”.

Schrems said: “We all know about Meta’s enormous revenue. It’s astonishing that this was not taken into account by the DPC. The DPC didn’t even use its statutory powers to ask Meta for the information. We therefore researched publicly available information and found that this factor alone should have increased the fine.

“The maximum cap of 4% of global turnover was easily overrun by the revenue from unlawful processing in the past 4.5 years. It is easy to show from public information that the revenue factor alone would have required imposing the maximum fine.”

NOYB quotes Meta’s own figures, which show it made €84.7bn from advertising on the European continent between Q3 2018 and Q3 2022. Adjusted for user numbers in the EU only, this amounted to roughly €72.5bn.

The organisation states: “While behavioural advertisements do not make up all the revenue of Meta’s overall advertising, it is clear that in any realistic scenario, the revenue in the EU overshot the maximum fine of €4.36bn.”

Schrems concluded: “By not even checking publicly available information, the DPC gifted €3.97bn to Meta. It took us an hour and a spreadsheet to make the calculation. I am sure the Irish taxpayers would not mind having that extra cash, if a DPC employee would have just opened a search engine and done some research.

“Bottom line, it absolutely paid off for Meta to violate GDPR and the Irish DPC made it even more profitable for Meta to violate EU law.”

NOYB has now sent a letter to the EDPB detailing the problem in the Irish DPC decision and all calculations. The organisation is asking the EDPB to ensure that its decision is fully upheld by the Irish regulator.