Partner and Head of Data and Privacy Litigation, Kingsley Hayes, examines the €400mn data protection fine brought against Meta by the Irish Data Protection Commission.
Kingsley’s article was published in UK Tech News, 23 January 2023, and can be found here.
Facebook and Instagram owner Meta has been fined €390 million by the Irish data regulator, the Data Protection Commission. The heavy penalty was imposed after the regulator concluded that Meta had unlawfully used personal data for targeted adverts to users of its social media platforms.
This followed complaints from privacy campaigner Max Schrems on behalf of users from May 2018, arguing that users must have a ‘yes or no’ option to choose between, should be able to change their mind at any time, and should not be forced to consent to access the platforms. Lengthy investigations followed, during which Meta argued that its data processing was GDPR compliant based on customers’ consent to its contractual terms and that consent was essential for the platforms to work. Ultimately, Meta’s position was rejected by the regulator.
The regulator decided that the way in which the company obtained consent for its use of personal data breached the EU’s General Data Protection Regulations (GDPR), as the consent to commercial use of customer data was effectively buried in the company’s terms and conditions. Effectively, consent was mandatory as users were given no option to decline. The decision also raised concerns as to transparency in determining that Meta was not clear enough with its users about how and why their personal data was used.
The regulator’s draft decision in October 2021 initially proposed fines of between €28 and 36 million for less extensive breaches of the GDPR. However, this was overturned by the European Data Protection Board, whose decision is binding on the regulator. It is now clear that Meta had no lawful basis to process personal data to deliver targeted advertising and its reliance on its ‘automatic’ contract with no opt out option was in breach of the GDPR requirement of lawful data processing. The tech firm will need to make major changes in order to ensure that its processing of user data is lawful, subject to any appeal decision.
As a result of the GDPR breaches which were found to have been committed by Meta over many years, in December 2022 the regulator was required by the Data Protection Board to increase its fine to reflect the seriousness of the GDPR breaches determined. Notably, the December 2022 decision included more extensive breaches than had been initially determined by the regulators.
The decision provided Meta with 3 months to make its data processing operations GDPR compliant, or face further regulatory action. It remains to be seen what changes Meta intends to make to bring its procedures into line with the law. Campaigners will be keen to hear of any changes Meta proposes to implement to ensure the lawfulness of its data processing, given the company’s ongoing denial of any illegality and the regulators’ extensive findings of non-compliance.
Meta has a history of receiving fines for illegal data processing, reportedly totaling €770 million in 2022. In November 2022 it was fined €265m by the Irish regulator over a data breach that saw the personal details of hundreds of millions of Facebook users published online, a decision which is currently being appealed. The company also faces ongoing legal action in the UK High Court brought by campaigner Tanya O’Carroll in November 2022, alleging that the company’s data processing for targeted advertising was in breach of the GDPR.
It is well known that the tech firms’ massive profits are generated by advertising. It has been reported that over 99% of the firm’s revenue derives from advertising. For the 12 months up to 30 September 2022, Meta reported gross profit of $94.85bn. However, the company has still not revealed how much money it has made from illegal data collection since 2018. What is fundamentally clear is that each user of Meta’s platforms is having significantly more information collected about them than they understand or even imagine may be happening.
The company has announced an appeal against the December 2022 rulings and fines and highlighted its belief that, despite the breaches of GDPR determined by the regulator, it continues to be able to lawfully process user data for the purpose of delivering targeted advertising. It remains to be seen whether Meta would win any appeal. Regardless, there is a clear need for key changes to a major part of Meta’s business to be made, which are unannounced as yet.