The Irish Data Protection Commission (DPC) said on Wednesday it had concluded two inquiries into Meta Platforms Ireland Limited (Meta) in connection with the delivery of its Facebook and Instagram services. Both inquiries relate to users' data.
Final decisions have now been made by the DPC in which it has fined Meta a total of €390m ($409m), €210 million for breaches of the GDPR relating to its Facebook service and €180 million for breaches in relation to its Instagram service.
Meta has also been directed to bring its data processing operations into compliance within a period of three months.
This follows a €265m DPC fine in November 2022 for GDPR failings, specifically a design vulnerability in tools provided by Facebook that left the personal data of Facebook’s users exposed to a legal technique called “data scraping”.
GDPR 2018
GDPR came into operation in Ireland on 25 May 2018. Before this Meta changed its Facebook and Instagram terms of service “flagging the fact it was changing the legal basis on which it relies to legitimize its processing of users’ personal data.” Article 6 of GDPR offers a number of legal bases that can be relied on for the processing of data. Instead of relying on consent (GDPR Article 6(1)(a)), Meta sought to rely on establishing a contractual legal basis for the processing of data (Article 6(1)(b)).
If new and existing users wanted to continue to access Facebook or Instagram after the introduction of GDPR they needed to explicitly accept the updated terms of service. If the users declined to accept the new terms and conditions they would not be able to access the services. Meta believed that acceptance of the updated terms of service constituted a contract between it and the user.
The complainants, one from Belgium and the other from Austria, contended that consent was still being relied on. The DPC agreed with their argument that, by making access to the services conditional on acceptance, Meta was effectively “forcing” users to consent to the processing of their personal data and that this was a breach of GDPR.
Meta considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. The complainants contended that, contrary to Meta’s stated position, it was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data.
In a news release commenting on the decision, Meta indicates that it intends to appeal “both the substance of the rulings and the fines”. In the release, Meta specifically draws attention to the continuing legal uncertainty and lack of regulatory clarity around the issue of legal bases, stating that given “that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date”.
Meta was penalized nearly $800m in total last year in a series of charges for data breaches and privacy violations, according to Reuters. In addition to the fines levied to date, the Irish regulator has another 11 inquiries open into Meta’s services. Meta’s response to this latest fine seems to signal a more combative approach to the charges, which is unsurprising given their frequency, the size of the fines involved, and the fact that the decisions appear to undermine the very business model on which Meta depends for the vast majority of its profits.