Meta has been fined €390m for breaching EU data rules.
The Irish Data Protection Commission (DPC) says the way Meta asked permission to use people’s data for ads on Facebook and Instagram was unlawful.
Meta, which owns both platforms, has three months to change how it receives and uses data to target ads.
Meta is “disappointed” and wants to appeal, stressing that the decision does not prevent personalized ads on its platforms.
The regulator said Facebook and Instagram cannot “enforce consent” by saying consumers must accept how their data is being used or leave the platform.
With Facebook and Instagram having their European headquarters in Ireland, the DPC takes the lead to ensure they comply with EU data law.
Privacy campaigners say the decision is a major victory and means Meta must give users real choice over how their data is used to target online advertising.
That means Meta may need to change the way a key part of its business works.
Most of the company’s money, over $118 billion (£97.8 billion) in 2021, comes from advertising.
The fine is the second significant penalty imposed by the supervisor in recent months.
In November, the DPC fined €265m (£228m) over a data breach that released the personal details of hundreds of millions of Facebook users online.
According to the Irish Times, Meta has committed €2bn (£1.7bn) to cover potential European fines in 2023.
The DPC investigation was sparked by complaints filed by privacy activist Max Schrems in 2018 on behalf of two users in Austria and Belgium. The complaint was made when the EU’s new data protection law, the General Data Protection Regulation (GDPR), came into force.
To comply with the GDPR, both Facebook and Instagram asked users to click “I accept” to indicate that they have agreed to the updated Terms of Service, which outlines how their data will be used in ads.
If users didn’t accept, they couldn’t use Facebook or Instagram.
The complainants argued that doing so meant that Meta was “forcing” them to consent to the use of their data for targeted advertising – and doing so violated the GDPR.
Meta officials argued that Facebook and Instagram are “inherently personalized” and that targeted advertising as part of that personalization is a “necessary and essential part” of how the platforms work.
They said that Meta doesn’t give users an ultimatum and that the platforms just can’t function without using data for advertising.
However, the DPC determined that was not the case and users were forced to agree.
The DPC also found that Meta was not clear enough to users about how it uses their personal information and why.
But the decision was only made after a dispute with other European data authorities.
This was finally settled in December by the European Data Protection Board.
Meta spokespeople say they plan to challenge the size of the fines imposed “because regulators themselves disagreed on the issue.”
The company argues that instead of forcing people to accept how it uses data, it gives consumers a range of tools to control how their data is used.
Responding to the decision, privacy activist Schrems said: “This is a major blow to Meta’s profits in the EU. People now need to be asked whether or not they want their data used for advertising.
“They must have a ‘yes or no’ choice and can change their mind at any time.”
Add Comment