Meta Ireland fined €390m for GDPR breaches

The fines follow inquiries into two complaints made on 25th May 2018 about Facebook and Instagram services, with the first made by an Austrian data subject relating to Facebook and the second from Belgium and referring to Instagram.

Meta Ireland had changed its terms of service prior to that date, changing the legal basis for processing personal data from the consent of users to processing their personal data to deliver Facebook’s and Instagram’s services to a ‘contract’ legal basis for most processing operations.

Users were informed that they had to accept the terms of service to continue using Facebook and Instagram following the introduction of the GDPR.

However, the complainants in the two cases brought before the DPC argued that Meta Ireland was still looking to rely on consent to provide a lawful basis for its processing of users’ data.

Meta has rejected the claims that its approaches to data processing contravene GDPR, and has said it intends to appeal the ruling and fine issued by the DPC.

The DPC determined that the legal basis relied on by Meta was not clearly outline to users, which meant that there was “insufficient clarity” on how personal data was being processed and therefore contravened the GDPR.

Therefore, the DPC decided that Meta Ireland was not entitled to rely on a contract legal basis in the delivery of behavioural advertising as part of its Facebook and Instagram services.

That decision meant that the processing of users’ data, in purported reliance on the contract legal basis, contravened Article 6 of the GDPR.

The DPC decided to fine Meta Ireland €210m for breaches of the GDPR relating to Facebook and €180m for breaches involving Instagram.

Meta Ireland was also ordered to ensure its data processing operations were GDPR compliant within three months.

The DPC will also take on a fresh investigation into all of Facebook and Instagram’s data processing and examining special categories of personal data that may or may not be processed in the context of those operations.

The decision follows a recent case in the US where Meta decided to settle a $750m lawsuit related to the Cambridge Analytica scandal.

Meta said in a statement posted online: “We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines. 

“There has also been inaccurate speculation and misreporting on what these decisions mean. We want to reassure users and businesses that they can continue to benefit from personalised advertising across the EU through Meta’s platforms.”

Meta said there was a lack of regulatory clarity on this issue, with the debate about which legal base to use for data processing currently being discussed in EU courts, and added that it believed it fully complied with GDPR by relying on contractual necessity for behavioural adverts. 

The statement from Meta added: “Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”