Ireland’s Data Protection Commission (DPC) has fined Meta a total of €390 million ($414 million) in a ruling against Facebook’s and Instagram’s use of targeted advertising. The ruling declared both subsidiaries’ method of furnishing user consent under its updated terms and service a violation of Article 6 of GDPR. The fines levied against Facebook and Instagram amount to €210 million ($225 million) and €180 million ($191 million), respectively.
NOYB, a user privacy protection group, first lodged complaints against Meta’s subsidiaries in May 2018 — immediately after GDPR came into effect. Following this outcome, Meta and its subsidiaries won’t be able to rely on their terms of service as legal cover for obtaining user consent to process their information for personalized ads.
Authorities have repeatedly found Meta in violation of user privacy regulations in Europe, under the GDPR, and also in the US. Just last month, in the Cambridge Analytica settlement, authorities slapped Meta with a $725 million fine, the largest US data privacy class-action lawsuit ever.
The Basis for the $414 Million Fine against Meta
Article 6, under which this recent DPC ruling was made, allows data processing only when an entity complies with one of its six legal premises. In advance of the GDPR implementation in 2018, Meta — then Facebook — changed its terms of services. The company made consent to its processing of user information a precondition for its services.
Arguing its case, representatives of Meta alluded to their terms of service as a legal contract. The “contract” allowed its subsidiaries to process customer data. However, the DPC disagreed and found it in violation of Article 6, and Articles 5 (1)(a), 12, and 13(1)(c) that concern data transparency.
“In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR,” read the DPC statement.
Meta’s Subsidiaries Tried to Bypass GDPR
Max Schrems, who leads NOYB, claims that the prohibition of the use of personal data for targeted advertising is a win for individual privacy. According to NOYB, Meta hid the yes/no binary opt-in decision concerning targeted advertising in its terms and conditions.
According to Schrems: “Instead of having a ‘yes/no’ option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”
Meta very nearly succeeded in its attempt to bypass GDPR as well. DPC’s original fine was €36 million. But when authorities referred the case to the European Data Protection Board (EDPB), it reversed DPC’s decision that Meta and its subsidiaries could use user information for targeted ad campaigns on a legal contract basis. Consequently, the fine was increased by over 1,000%, from €36 million to €390 million.
Schrems has gone as far as to claim that the DPC colluded with Meta: “This case is about a simple legal question. Meta claims the ‘bypass’ happened with the DPC’s blessing. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled.”
GDPR Affects More than Just Meta
The latest DPC fine puts Meta in a bind. It’ll be unable to operate, in the EU at least, under its current business model. This is especially the case because it’s also struggling to comply with the transatlantic data processing directives. EU authorities are tightening the screws on Big Tech companies. This is in an effort to rein them in and to ensure their compliance with the GDPR.
Apple and Twitter have also recently found themselves in the line of fire. However, fines against Twitter are much less frequent and far lesser than those against Meta. Twitter is currently under a DPC investigation for a breach that could potentially affect 5.4 million users. Apple, meanwhile, has been fined $8 million by the French regulatory authority Commission Nationale de l’informatique et des Libertés (CNIL) for a non-consensual targeted ad campaign toward iOS 14.6 users. The authority leveled the fine under Article 82 of the French Data Protection Act. CNIL previously fined Google for a breach of the same article.
Small and medium-sized businesses are also subject to GDPR provisions, but these cases don’t make major news headlines. The enforcement tracker has a full list of GDPR cases. The tracker includes details such as entity name, fine amount, relevant GDPR provision, jurisdiction, decision date, and official press statement.
To avoid GDPR fines, business owners should tread carefully when processing and using user data. In protecting user information, companies must ensure that their databases are secure. Implementing a combination of cybersecurity protocols, including powerful firewalls, multi-factor authentication, antivirus protection, malware scanners, email spam filters, and automated patch management, can help companies avoid violations.
Implications for Big Tech
For a long time, Big Tech has been operating above the law. This is even though its involvement in feeding deep analytics with user information is an open secret. All this seems to be changing, with the authorities, in Europe especially, calling for stricter GDPR compliance. These stricter user-privacy enforcement measures have led to Meta signaling its withdrawal from the EU. This is because its subsidiaries rely on the processing of user information to remain operational.
Other social media and Big Tech platforms and companies also employ targeted advertising. Big Tech, with its use of sophisticated tracking and surveillance and cross-device, cross-platform monitoring, had eluded accountability for quite some time, with little transparency on how it uses user data.
With GDPR and other directives curtailing Big Tech’s power and enforcing user privacy rights, the playing field is leveling. However, the dream of reclaiming user data and a more sovereign internet still seems distant.