Meta has been hit with its fifth – and potentially most damaging – GDPR ruling, which will force the company to change the way it collects consumer data for advertising on both Facebook and Instagram.
In the second GDPR ruling against Meta in as many months, the Irish Data Protection Commission has slapped the firm with a €390m (£346m) fine over the unlawful policy and has given it three months to change its practices.
The bulk of the firm’s revenue, over $118bn (£97.8bn) in 2021, comes from advertising.
The consent issue was first raised by privacy organisation NOYB – set up by Austrian lawyer and long-term Facebook nemesis Max Schrems – back in 2018, just days after GDPR came into force.
The complaints claimed that all Meta’s platforms – Facebook and Instagram, as well as WhatsApp – use a strategy of “forced consent” to process users’ personal data. This means that consumers have no choice over whether to have their information collected for advertising if they want to use the sites. GDPR actually states that users must be given a free choice unless consent is strictly necessary for provision of the service.
Initially, the Irish DPC said the practice did not breach GDPR, but the EU’s top privacy organisation, the European Data Protection Board, overruled this decision last month, demanding that the regulator issue public orders that reflect the EDPB’s decisions, along with “significant fines”.
In response to the new ruling, Meta said it was “disappointed” and intends to appeal, stressing that the decision does not prevent personalised advertising on its platforms.
But data protection specialist Jonathan Compton, a partner at city law firm DMH Stallard, said: “This case serves notice that big tech cannot hide behind ‘contractual necessity’ to play fast and loose with personal data of EU citizens.
“The deeper problem for Facebook, which relies on personalisation of adverts for users for about 80% of its revenue, is that this case strikes at the heart of that model, effectively denying tech firms the ability to use personal data to tailor the ad output to individual users, if this means harvesting their user data to do the tailoring.”
The fine is just the latest run-in for Meta; at the end of November, the Irish DPC issued its fourth penalty – of €265m (£210m) – against the company, and the new sanction brings total fines against the tech giant to €1.3bn (£1.2bn) in just over 12 months.
It means that European data protection authorities have issued a total of over €3.22bn (£2.84bn) in fines for 1,402 cases since the law came into force in May 2018.
The latest data, extracted from Enforcementtracker and analysed by Atlas VPN, shows GDPR fines in 2022 alone totalled €832m (£732m), which is 36% lower than the €1.3bn (£1.14bn) issued in 2021, although not all cases are made public and many are still under appeal.
However, last year stands out not in the total sum fined but in the severity of the charges imposed on Meta, whose largest penalty to date is the €405m fine issued on September 5 2022, over the processing of personal data of child users on Instagram.
Of the €3.22bn total, Meta’s €1.3bn in fines accounts for a third of the total fined for GDPR violations.