Meta, the parent company of Facebook and Instagram, has been fined almost €400mn by the EU’s main privacy regulator for breaching the bloc’s privacy rules, in a move that some experts believe could threaten a primary source of revenue for the company.
Ireland’s Data Protection Commission issued two separate fines on Wednesday — €210mn for Facebook breaking the bloc’s landmark data privacy rules, and €180mn to Instagram for similar violations.
The ruling also orders Meta to align its approach to processing user data with EU law within three months, which could have significant implications for the way both social media platforms wield personal data for advertising, a substantial source of revenue for the $335bn company.
In advance of the rollout of the EU’s General Data Protection Regulation in May 2018, Meta introduced changes to its terms of service, making them accessible to users only if they agreed that their data might be processed to deliver highly targeted advertising.
However, the Irish regulator found that Meta was effectively forcing users to accept these conditions, arguing it was “not entitled to use the ‘contract’ legal basis as providing a lawful basis for its processing of personal data”.
Meta said it would appeal against the ruling and that its approach was in line with privacy rules in Europe. “We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
Meta added: “These decisions do not prevent targeted or personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.”
However, legal experts and privacy activists say the ruling, if upheld, could undermine Meta’s business model.
Austrian privacy activist Max Schrems said: “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not . . . The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”
Jonathan Compton, partner at London law firm DMH Stallard, said: “The deeper problem for Facebook, which relies on personalisation of adverts for users for about 80 per cent of its revenue, is that this case strikes at the heart of that model, effectively denying tech firms the ability to use personal data to tailor the ad output to individual users, if this means harvesting their user data to do the tailoring.”
Meta has been fined roughly €1.3bn in Ireland over five different cases in less than two years. Beyond the financial burden for Meta, the fines highlight disagreements over how privacy rules are being enforced in Europe.
The Irish watchdog had initially suggested a much lower fine, arguing that Meta’s justification for behavioural advertising was not illegal under GDPR rules, but other privacy watchdogs in Europe disagreed. The EU’s board of privacy regulators last month overruled Ireland’s original decision.
In a separate case, France’s data protection authority, the Commission Nationale de l’Informatique (CNIL), on Wednesday fined Apple €8mn, citing data protection breaches in how the company tailors advertisements to iPhone users without their express consent.
“When a user visited the App Store, identifiers used for several purposes, including personalisation of ads on the App Store, were by default automatically read on the terminal without obtaining consent,” the CNIL said.
Apple said it was disappointed with the decision and will appeal.
Additional reporting by Patrick McGee