Ireland’s data regulator, known as the Data Protection Commission (DPC), Tuesday fined Meta Platforms Ireland Limited (Meta Ireland) €390 million for its Facebook and Instagram personalized advertisement delivery, which violated the EU’s General Data Protection Regulation (GDPR). The DPC fined Meta Ireland €210 million for its Facebook breaches and €180 million for its Instagram breaches. Further, the DPC directed that Meta Ireland’s data processing operations must be in compliance with the GDPR within three months.
In advance of the GDRP’s implementation on May 25, 2018, Meta Ireland changed its Facebook and Instagram terms of service regarding its reliance on user consent for advertisement delivery, including behavioral advertising. Meta Ireland said that they would instead rely on the “contract” legal basis for its processing operations. Under the contract legal basis, users are prompted to click “I accept” to express their individual acceptance of Facebook and Instagram’s updated terms of service.
On May 25, 2018–the GDRP’s effective date–Austria and Belgium filed complaints against Meta Ireland regarding Facebook and Instagram. Austria and Belgium argued that, despite the implementation of the GDRP, “Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data” in breach of the GDPR. The DPC’s investigation into Meta Ireland revealed that Meta Ireland’s users lacked clarity regarding the operating procedures’ utilization of their personal data. However, the DPC’s investigation also revealed that Meta Ireland’s reliance on user consent was not required and that the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis. As a result, the DPC found that Meta Ireland did not obtain “forced consent” of its Facebook and Instagram users.
The DPC previously fined Meta Ireland €265 million for its violation of the EU’s data privacy law in November, in addition to previous fines regarding its violations.