Meta Platforms, the owner of Facebook and Instagram, has been fined €390 million by the Irish information regulator for breaching European Union data privacy laws and ordered to change the way it collects user information.
It brings the total fines for the company by the watchdog to more than €1.2 billion in the past 18 months.
The Data Protection Commission (DPC) issued penalties of €210 million yesterday to Facebook and €180 million to Instagram for automatically signing up customers to targeted advertising, based on their terms and conditions.
Over the next three months, the DPC said, the company must make it clear to users that their data will be used for personalised marketing purposes rather than presuming they are happy that this is the case, as it stands under the current “contract” legal basis that Meta has relied on.
The case has not been straightforward. The penalty handed down by the Irish watchdog is a steep increase on the initial fine of €59 million proposed by the Irish authority and follows a review of their initial findings by the European Data Protection Board, the bloc’s central regulator.
Advertisement
Some analysts said that this ruling could hit Meta’s revenue stream in Europe, about 80 per cent of which is derived from advertising, assuming it introduced an “opt-in” option, asking users if they consented to their data being used for advertising or not.
“The change in how customers agree to their data being used raises questions about the company’s business model because it gives people the chance to join Facebook without their data being scraped,” Claire Edwards, partner in the data protection team in Addleshaw Goddard, the law firm, said.
Jonathan Compton, partner at city law firm DMH Stallard and a specialist in data protection regulations, added: “The deep problem for Facebook, which relies on personalisation of adverts for users for about 80 per cent of its revenue, is that this case strikes at the heart of that model, effectively denying tech firms the ability to use personal data to tailor the ad output to individual users, if this means harvesting their user data to do the tailoring.”
A spokesman for Meta denied that the decisions would prevent targeted or personalised advertising on the platform. “The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets,” he said.
An opt-in pop-up for customer consent is not the only avenue Meta could pursue under European data rules, known as the General Data Protection Regulation (GDPR), to continue its current business model. Another might be the broad “legitimate interest” legal basis for processing data used by other large tech companies.
Advertisement
The company could face the same issue in the UK, where the Information Commissioner’s Office has said recently that information collected for marketing purposes must be collected fairly and transparently. Edwards said its guidance at this stage is unlikely to diverge from the EU.
The two inquiries into Facebook and Instagram, which started in 2018 when GDPR rules came into effect, found that users “had insufficient clarity as to what processing operations were being carried out on their personal data”, the DPC said. It rejected the European data watchdog’s advice to conduct a fresh investigation into all Facebook and Instagram data processing operations.
Like many US technology giants, Meta has its European headquarters in Dublin, which makes the Irish authority a key privacy regulator for the industry.
Meta said there had been a lack of regulatory clarity on this issue and it would appeal the decision and the fines. A spokesman said: “Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience — including the ads they see — is a necessary and essential part of that service.”
Shares in Meta closed up $2.63, or 2.1 per cent, at $127.37 in New York.
