Meta hit with €400m in fines for GDPR breaches

Following two inquiries into Meta Ireland’s data processing and handling systems in Europe, Ireland’s Data Protection Commission has handed down two hefty fines — one each for the company’s Facebook and Instagram social media services.

David Hollingworth
Thu, 05 Jan 2023

Meta, like many big tech companies (Google, Adobe, and Twitter, to name a few), runs its European headquarters in Ireland to take advantage of the country’s generous tax laws. So when Meta misbehaves anywhere in Europe, it is Ireland’s regulator that gets to carry the big stick.

The DPC found that both Meta subsidiaries were guilty of GDPR breaches. On top of the €210 million fine for Facebook, and a €180 million fine for Instagram, Meta has now been directed to clean up its act in Europe within three months and conform to European regulations.

The fines arise from two complaints made in May 2018, when the EU brought in its wide-ranging General Data Protection Regulation (GDPR). The GDPR may be a European law, but any company wishing to do business in the EU must comply.

The complaints were based on changes Meta made to its terms of service in 2018, whereby Meta contended that users, by clicking “I accept”, were entering into a contract with Meta. This would then allow Meta to take advantage of user data to tailor services such as targeted advertising.

Contracts are one of the six legal bases for lawful use of customer data under the GDPR.

Previously, Meta had simply relied upon user consent, but the two complainants argued that Meta’s contract was merely consent by other means: Meta was now forcing it upon users, which the complainants contended was in breach of the GDPR.

The DPC’s investigations led to two draft decisions. First, that Meta Ireland’s terms of service lacked transparency about the legal basis under which user data was being processed, and were therefore in breach of a range of GDPR articles.

The second finding was actually in favour of Meta — the “contract” that Meta was expecting users to sign was not in fact based on forced consent, since Facebook’s personalised services are part and parcel of the platform’s functionality. 

“In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the terms of service,” the DPC concluded in the release announcing the fines.

However, GDPR procedure requires draft decisions to be submitted to peer regulators in the EU, known as Concerned Supervisory Authorities (CSAs) — and not all of them agreed with the DPC’s findings.

The transparency finding was upheld, though the CSAs believed the breach to be worthy of a larger fine than the one first suggested by the DPC. However, of the 47 CSAs that reviewed the drafts, 10 felt that Meta could not rely on its contract defence.

Despite the DPC believing otherwise, those CSAs felt that Facebook’s targeted services “could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract”.

The DPC took the dispute to the European Data Protection Board (EDPB), which in December of last year declared it was siding with the objecting CSAs, and that Meta’s contract defence for its handling of user data was in fact invalid. The EDPB also believed the fines should be larger than first suggested.

In a curious twist, the EDPB also directed the DPC to open a wider investigation into Meta’s data processing practices, a direction the DPC considers to be beyond the board’s remit.

“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation,” the DPC declared in the same announcement that revealed the fines levied against Meta.

The conflict between the two bodies will now be taken to the Court of Justice of the EU. 

Meanwhile, Facebook has announced it will appeal the fines, claiming in a statement, “We strongly believe our approach respects GDPR.

“The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area.

“As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”

This is just the latest in a long list of fines that Meta has been slapped with in the last year. In early December of 2022, the company was fined €265 million for a series of breaches that saw the data of 530 million Facebook users posted online, and a massive €1 billion in fines in 2021.

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
