Irish data privacy regulator levies Meta more than $400 million in fines
Data Privacy Commission says Meta breached transparency obligations and orders the company owned by Mark Zuckerberg to comply with EU rules within three months.
Ireland's data privacy regulator has fined Meta a total of 390 million euros ($414 million) for breaches at its Facebook and Instagram services, and said both must reassess the legal basis on how they run advertising based on personal data in the European Union.
The Data Protection Commission (DPC) said in a statement on Wednesday that Meta breached "its obligations in relation to transparency" and used an incorrect legal basis "for its processing of personal data for the purpose of behavioural advertising".
The watchdog fined Meta 210 million euros ($222.6 million) for violations of the European Union's strict data privacy rules involving Facebook and an additional 180 million euros ($190.8 million) for breaches involving Instagram.
It is the commission's latest punishment for Meta for data privacy infringements, following four other fines for the company since 2021 that total more than 900 million euros ($954 million).
The decision stems from complaints filed in May 2018 when the 27-nation EU's privacy rules, known as the General Data Protection Regulation, or GDPR, took effect.
DPC, which is the lead privacy regulator for many of the world's largest technology companies within the EU, directed the Mark Zuckerberg-owned company to bring its data processing operations into compliance within three months.
READ MORE: Meta may face another huge fine after EU privacy ruling
Data Protection Commission announces conclusion of two inquiries into Meta Ireland: https://t.co/KvmD9cBQd6 pic.twitter.com/Csj4z2donq
— Data Protection Commission Ireland (@DPCIreland) January 4, 2023
Previously, Meta relied on getting informed consent from users to process their personal data to serve them personalized, or behavioral, ads. When GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause to the terms of service for advertisements, effectively forcing users to agree that their data could be used. That violates EU privacy rules.
Fresh Investigation
The Irish watchdog initially sided with Meta but changed its position after the draft decision was sent to a board of EU data protection regulators, many of whom objected.
In its final decision, the Irish watchdog said Meta “is not entitled to rely on the ‘contract’ legal basis to deliver behavioral adverts on Facebook and Instagram."
The penalties brought the total fines levied against Meta to date by the DPC to 1.3 billion euros ($1.38 billion).
It currently has 11 other inquiries open into Meta services.
Meta said in a statement on Wednesday that “we strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
READ MORE: Irish privacy regulator fines Facebook $277 million