Latest News

Meta’s €400mn data protection fine spells trouble for its business model

Written by Kingsley Hayes, Head of Data and Privacy Litigation at specialist group action law firm Keller Postman UK.

Facebook and Instagram owner Meta has been fined €390 million by the Irish data regulator, the Data Protection Commission. The heavy penalty was imposed after the regulator concluded that Meta had unlawfully used personal data for targeted adverts to users of its social media platforms.

This followed complaints from privacy campaigner Max Schrems on behalf of users from May 2018, arguing that users must have a ‘yes or no’ option to choose between, should be able to change their mind at any time, and should not be forced to consent to access the platforms. Lengthy investigations followed, during which Meta argued that its data processing was GDPR compliant based on customers’ consent to its contractual terms and that consent was essential for the platforms to work. Ultimately, Meta’s position was rejected by the regulator.

The regulator decided that the way in which the company obtained consent for its use of personal data breached the EU’s General Data Protection Regulations (GDPR), as the consent to commercial use of customer data was effectively buried in the company’s terms and conditions. Effectively, consent was mandatory as users were given no option to decline. The decision also raised concerns as to transparency in determining that Meta was not clear enough with its users about how and why their personal data was used.

The regulator’s draft decision in October 2021 initially proposed fines of between €28 and 36 million for less extensive breaches of the GDPR. However, this was overturned by the European Data Protection Board, whose decision is binding on the regulator. It is now clear that Meta had no lawful basis to process personal data to deliver targeted advertising and its reliance on its ‘automatic’ contract with no opt out option was in breach of the GDPR requirement of lawful data processing. The tech firm will need to make major changes in order to ensure that its processing of user data is lawful, subject to any appeal decision.

As a result of the GDPR breaches which were found to have been committed by Meta over many years, in December 2022 the regulator was required by the Data Protection Board to increase its fine to reflect the seriousness of the GDPR breaches determined. Notably, the December 2022 decision included more extensive breaches than had been initially determined by the regulators.

The decision provided Meta with 3 months to make its data processing operations GDPR compliant, or face further regulatory action. It remains to be seen what changes Meta intends to make to bring its procedures into line with the law. Campaigners will be keen to hear of any changes Meta proposes to implement to ensure the lawfulness of its data processing, given the company’s ongoing denial of any illegality and the regulators’ extensive findings of non-compliance.

Meta has a history of receiving fines for illegal data processing, reportedly totaling €770 million in 2022. In November 2022 it was fined €265m by the Irish regulator over a data breach that saw the personal details of hundreds of millions of Facebook users published online, a decision which is currently being appealed. The company also faces ongoing legal action in the UK High Court brought by campaigner Tanya O’Carroll in November 2022, alleging that the company’s data processing for targeted advertising was in breach of the GDPR.

It is well known that the tech firms’ massive profits are generated by advertising. It has been reported that over 99% of the firm’s revenue derives from advertising. For the 12 months up to 30 September 2022, Meta reported gross profit of $94.85bn. However, the company has still not revealed how much money it has made from illegal data collection since 2018. What is fundamentally clear is that each user of Meta’s platforms is having significantly more information collected about them than they understand or even imagine may be happening.

The company has announced an appeal against the December 2022 rulings and fines and highlighted its belief that, despite the breaches of GDPR determined by the regulator, it continues to be able to lawfully process user data for the purpose of delivering targeted advertising. It remains to be seen whether Meta would win any appeal. Regardless, there is a clear need for key changes to a major part of Meta’s business to be made, which are unannounced as yet.

 

Sources:

Meta fined €390m over use of data for targeted ads – BBC News

Meta’s New Year kicks off with $410M+ in fresh EU privacy fines | TechCrunch

Meta fined €265m by Irish data watchdog over breach – BBC News

Meta hit by £346m data fine as UK lawsuit approaches (uktech.news)

Data Protection Commission increases Meta fines to €390m after European ruling – The Irish Times

DPC unable to fine Facebook, Instagram on basis of profits earned from illegal data processing – The Irish Times

Meta shares plummet 20% after posting rare profit decline | CNN Business

Meta faces UK lawsuit over surveillance business model | Computer Weekly