A long-running investigation into the practices of obtaining consent from Facebook and Instagram users to use their personal data for advertising purposes has resulted in a €390 million ($414 million) financial penalty for Meta for violations of the European Union’s General Data Protection Regulation (GDPR).
The Irish Data Protection Commission (DPC) launched an investigation into Meta and its subsidiaries following two May 25, 2018 complaints from the privacy and data rights campaigner Max Schrems and his organization, NOYB, which alleged that Meta had bypassed the consent requirements of the GDPR by adding a clause to the terms and conditions of Facebook and Instagram that required users of those platforms to consent to behavioral advertising and other personalized services as a condition of using the platforms. Users who did not agree to the new terms and conditions of service would be prevented from using the platforms. The change to the terms and conditions occurred at midnight on May 25, 2018, the date and time that the GDPR took effect.
The GDPR introduced new rights for EU citizens over their personal data, which includes the requirement for consent to be obtained before personal data can be used for tracking and online advertisements. The complaints alleged that by making consent part of the terms and conditions of service, users of Facebook and Instagram were forced into allowing their personal data to be used for advertising and other personalized services. The complaints also alleged that insufficient information was provided to users on how their data would be used.
Under the one-stop-shop provision of the GDPR, a single data protection agency is responsible for investigating allegations of GDPR violations when there has been cross-border processing of personal data. Ireland led the investigation because Meta’s EU base is in Ireland. The DPC submitted a draft decision to other EU privacy watchdogs that recommended fines of €36 million for Facebook and €23 million for Instagram over the alleged privacy violations; however, 10 data protection authorities raised objections to the decision and the two cases were referred to the European Data Protection Board (EDPB). The EDPB ruled that additional findings of infringements of the GDPR must be included and that the financial penalties should be increased. The DPC then increased the financial penalties to €210 million for Facebook and €180 million for Instagram.
Meta and its subsidiaries have now been fined more than €1.3 billion ($1.37 bn) for violations of the GDPR, and a decision in a case against the Meta subsidiary WhatsApp is due later this month. “We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” said a Meta spokesperson in response to the DPC’s decision. That said, Meta has set aside €2 billion to cover financial penalties for GDPR violations that will likely need to be paid in the next 12 months.
The post Meta Slapped with 390 Million Euro Fine for GDPR Violations appeared first on HIPAA Journal.