Meta is accused of failing to comply with EU data protection regulations at Facebook and Instagram. The American company intends to contest the penalty.
Proceedings initiated by Max Schrems
Meta Platforms, formerly known as Facebook, was recently taken to task by the Irish data protection authority for its improper practices. The company had stated in its terms of service that the playout of personally tailored ads was part of the service, for which no separate consent was required. This interpretation has now been overturned, and the authority has ordered Meta to change its data processing practices within three months.
Privacy activist Max Schrems criticized Meta’s approach: Instead of a yes/no option for personalized advertising, he said, they simply moved the consent clause to the terms and conditions. He considers this not only unfair, but also illegal. It is clear that Meta must take immediate action to ensure it is compliant with GDPR regulations or face serious consequences. The company must ensure that it provides users with an explicit opt-in option for personalized advertising and that all data processing activities are transparent and secure.
No voluntary consent
The European Data Protection Board (EDPB) recently clarified that informed consent is required to use personal data for advertising purposes. This has put Meta, the parent company of Facebook, Instagram and WhatsApp, in a bind. Immediately before the GDPR regulations came into force in May 2018, Meta had stopped asking its users for consent to use their personal data for advertising purposes and instead made personalized advertising an integral part of its mutual service commitments in its terms and conditions.
The decision was based on a complaint about Facebook by Austrian privacy activist Max Schrems; Instagram is under the jurisdiction of a Belgian user. The Irish Data Protection Commission (DPC) plans to rule on another complaint about WhatsApp, which is also part of Meta, in the coming weeks. If Meta is found guilty of violating GDPR regulations, it could easily exceed the billion-dollar threshold for fines. It remains to be seen how this situation will play out and what impact it will have on other companies that may have used similar tactics with regard to obtaining user consent.
Repeated data protection penalties against Meta
The Irish Data Protection Commission (DPC) has imposed repeated data protection penalties on Meta, a social media company, since September 2021. In November 2021, the DPC fined the group €256 million after data on more than half a billion Facebook users was published online. This was followed in September 2022 by another hefty fine of 405 million euros for serious violations of data protection regulations for children. Meta and its subsidiary WhatsApp were also fined €17 million and €225 million, respectively.
Meta has appealed both the Instagram and WhatsApp decisions, but it remains to be seen whether those appeals will be successful. The repeated fines from the data protection authority show that Meta is not taking its responsibility to protect user data seriously enough. It is clear that further measures need to be taken to ensure that companies are held accountable for their actions regarding the protection of user data.