Personal information: 390 million euros fine for Meta
American Meta, Facebook’s parent company, has been hit with two hefty fines worth €390 million for violating European data protection regulations (RGPD), following two other sanctions imposed this fall.
The Irish Data Protection Commission (DPC), acting on behalf of the EU, said in a statement that Meta breached “obligations of transparency” and “relied on the wrong legal basis for processing personal data for the intended purposes”. advertising.
The sanction follows the adoption of three binding decisions by the European Data Protection Board (EDPS), the European regulator for the sector, in early December.
The first two relate to violations of social networks Facebook, for which the fine was 210 million euros, and Instagram, another subsidiary of Meta, which was targeted for 180 million euros.
A third decision involving WhatsApp was later reported to the Irish regulator and will be the subject of a separate decision next week.
On May 25, 2018, the date GDPR came into effect, the privacy group Neub, which initiated three complaints against the Group, accused Meta of reinterpreting consent as a “simple civil law contract.” does not allow you to opt out of targeted advertising.
In October 2021, the Irish authorities initially proposed a draft decision confirming the legal framework used by Facebook and proposing fines between 26 and 36 million euros for lack of transparency.
France’s Cnil and other regulators have stepped up to the plate in the face of this amount, which is widely considered insufficient. They asked the EDPS to review the dispute and the latter agreed with them on the legal basis.
“Instead of having a yes/no option for personalized ads, (Meta) simply moved the consent clause into the terms. This is not only unfair, but also clearly illegal,” Austrian lawyer Max Schrems, the founder of Neub, said in a press release.
“We don’t know of any other company that is trying to flout GDPR in such an arrogant way,” he said on Wednesday.
David vs. Goliath
Neub welcomed the ruling, which he believes will force Meta to exercise a “consent option” for the use of personal data, otherwise the company will not be able to use it for personalized advertising.
Like David defeating Goliath, Max Schrems rejoiced on Twitter: “Noyb (…) defeated Meta” and “CEPD forced DPC to change its decision”.
The DPC said Meta “has three months to adapt its data processing operations”.
Meta said he was “disappointed” and intended to appeal, according to a statement sent to AFP.
The company believes that the debate around the “legal basis” for processing personal data “has been going on for some time and companies face a lack of regulatory certainty on this issue”.
Meta adds: “These decisions do not prevent targeted or personalized advertising” and “advertisers can continue to use our platforms to reach potential customers”.
The Californian giant also believes that the DPC does not require it to establish a consent option and says it is evaluating different solutions to change the legal basis for data processing.
The Irish constable already fined the Californian giant €405 million in September for failing to handle minors’ data, and €265 million in November for failing to adequately protect its users’ data.
For Wedbush’s Dan Ives, this new fine and restrictions on Meta’s use of its users’ personal data could be a “huge blow to the gut, threatening 5% to 7% of ad revenue.”
“This adds difficulty to an already complex environment for digital advertising,” continued Facebook and Meta founder Mark Zuckerberg analyst, but Wall Street is betting on the appeals process, which will further “delay” the results of decisions by specific European regulators.
Meta shares were up 3% on the Nasdaq by 1 p.m.