Heavy new sanction in the EU for the Meta group. The parent company of Facebook has been fined this Wednesday with two heavy fines in the amount of 390 million euros for violating the European data regulation (GDPR). The Irish Data Protection Commission (DPC), a regulator acting on behalf of the EU, said in a statement that Meta had breached its “obligations of transparency” and was relying on the wrong legal basis “for processing personal data for the purposes of targeted advertising.
This sanction comes after the adoption in early December of three binding decisions by the European Data Protection Board (EDPS), the European regulator for this sector. The first two were related to violations related to social networks Facebook, for which the fine is 210 million euros, and Instagram, another branch of Meta, which is targeted by the remaining 180 million euros. The EDPS’ third decision, in relation to WhatsApp, was later notified to the Irish regulator and will be the subject of a separate decision next week.
Privacy association Noyb, which launched the three complaints against the group, filed on May 25, 2018, the effective date of the GDPR, had accused Meta of reinterpreting consent “as a simple civil law contract.” do not allow you to opt out of targeted advertising.
Meta forced to configure “like option”
In October 2021, the Irish authority had initially proposed a draft decision confirming the legal basis used by Facebook and suggested a fine of 26 to 36 million euros for lack of transparency. The French Cnil and other regulators had managed to cope with this amount which was considered largely insufficient. They had asked the EDPS to adjudicate the dispute and the latter agreed with them on the legal basis issue.
“Instead of having a ‘yes/no’ option for personalized ads, (Meta) has simply moved the consent clause into the terms and conditions. This is not only unfair, but also clearly illegal,” commented Austrian lawyer Max Schrems, founder of Noyb, in a statement. “We don’t know of any other company that has tried to ignore GDPR in such an arrogant way. Noyb on Wednesday welcomed the decision, which he said will force Meta to create “a consent option” for the use of its users’ personal data, in the event that the company “cannot use the data of them for personalized advertising”.
Meta has three months to “bring data processing operations into line,” DPC said in its press release.
The group will appeal
Meta said he was “disappointed” with the rulings and announced his intention to appeal, “both the merits and the fines”, according to a statement sent to AFP. “The debate about the legal bases” for the processing of personal data “has been going on for some time and companies have faced a lack of regulatory certainty on this issue”, the company estimates. “These decisions do not rule out targeted or personalized advertising” and “advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets,” adds Meta.
The company also believes the DPC does not require it to create a consent option and says it is evaluating a range of solutions to change the legal basis for data processing. A source close to Meta explained that the legal basis of “legitimate interest”, provided by the GDPR, has been reviewed by the company.