The DPC has also ordered Meta to bring its data processing operations into GDPR compliance within three months.
Ireland’s data watchdog has fined Meta a total of €390m for its targeted advertising practices in a landmark decision that could impact the tech giant’s policies in Europe.
The Data Protection Commission (DPC) has fined Meta Ireland €210m for GDPR breaches relating to Facebook, along with €180m for Instagram breaches.
Meta has also been directed to bring its data processing operations into GDPR compliance within three months.
The company said it is “disappointed” by the decision and plans to appeal both “the substance of the rulings and the fines”, adding that it strongly believes its approach respects GDPR.
The decision relates to two GDPR complaints against Meta in 2018 by an Austrian data subject and a Belgian data subject. The DPC led the investigations, as the company’s EU headquarters are based in Ireland.
The DPC said these complaints claimed Meta was forcing users to consent to the processing of their personal data by making services inaccessible unless they clicked “I accept” to show acceptance of the company’s terms of services.
The complaints alleged that this esssentially “forced” users to consent to the processing of their personal data for behavioural advertising and other personalised services, which would be a breach of GDPR.
The DPC had issued a draft decision on the case, but other European data watchdogs objected to the decision. The regulator said 10 out of 47 “concerned supervisory authorities” in Europe disagreed with elements of the draft decision and a consensus could not be reached.
As a result, the European Data Protection Board (EDPB) stepped in last month and issued three dispute resolution decisions regarding Meta’s advertising practices. The Irish regulator’s new ruling is based on the EDPB’s binding decision.
The DPC said the fines were increased as a result of the EDPB’s decision, but that the three-month period for Meta to enter GDPR compliance was retained.
The decision is significant as it could impact Meta’s advertising practices across Europe. However, the company said it does not prevent personalised advertising on its platform.
“Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets,” Meta said in a blog post.
Last September, the social media giant was fined €405m by the data watchdog for breaching GDPR related to children’s privacy on Instagram, including the publication of kids’ email addresses and phone numbers in some cases.
Two months ago, Meta was also fined €265m over a Facebook data breach that affected millions of its users. Together with a €225m fine for WhatsApp GDPR breaches in 2021, the Irish data watchdog has hit Meta with more than €1bn in penalties over the past two years.
Meanwhile, the DPC said it was directed by the EDPB to conduct a fresh investigation that would “span all of Facebook and Instagram’s data processing operations”.
The Irish watchdog said its decision does not include reference to fresh investigations as it is not open to the EDPB “to instruct and direct an authority to engage in open-ended and speculative investigation”.
“To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions,” the DPC said in a statement.
The Irish data watchdog has faced scrutiny in the past for its enforcement of GDPR. In 2021, privacy campaigner Max Schrems accused the DPC of improperly lobbying other EU regulators to allow Meta to bypass GDPR regulation. The DPC said these accusations were “baseless”.
Updated, 7.59am, 5 January 2023: This article was updated to include a statement from Meta on the DPC’s decision.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.