Meta Fined More Than $400 Million After Regulator Rules It Violated EU User Privacy Law With Targeted Ads

Tech giant says it plans to appeal ruling from Ireland's Data Protection Commission

Courtesy of Meta

Ireland’s Data Protection Commission issued a fine against Meta totaling €390 million — about $414 million — after determining the social-media giant’s Facebook and Instagram services violated European Union data-privacy regulations. Meta said it “strongly disagree[d]” with the DPC ruling and that it planned an appeal.

The regulator fined Meta Ireland €210 million for breaches of the EU’s General Data Protection Regulation (GDPR) relating to Facebook and €180 million for breaches related to Instagram. In addition, the DPC directed Meta’s Ireland business “to bring its data processing operations into compliance” within a period of three months.

At issue is Meta Ireland’s change in May 2018 — when GDPR went into effect — to its terms of service requiring Facebook and Instagram users to accept a contractual legal basis for processing their data for the purposes of behaviorally targeted ads. A pair of complaints lodged at the time by European users argued that the change amounted to “forced consent,” because they would be prevented from using Facebook or Instagram if they declined to agree to the new terms. The DPC ruling, announced Wednesday, found that Meta Ireland provided users “insufficient clarity as to what processing operations were being carried out on their personal data” and that the company is “not entitled to rely on the ‘contract’ legal basis” in connection with behavioral-based advertising for Facebook and Instagram.

In response, Meta said it intends to appeal “both the substance of the rulings” as well as the size of the fines imposed.

“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” the company said in a blog post Wednesday.

Meta also said “there has also been inaccurate speculation and misreporting on what these decisions mean. We want to reassure users and businesses that they can continue to benefit from personalized advertising across the EU through Meta’s platforms.”

According to Meta, GDPR “allows for a range of legal bases under which data can be processed.” To date, the company said, it has relied on a legal basis called “Contractual Necessity” to serve users ads based on their activity on its platforms, subject to their safety and privacy settings.

“We have always been open with regulators and courts about this, and in previous assessments of our services they did not object to the use of Contractual Necessity for this type of activity,” Meta said. “Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticized for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”