EU regulators have hit tech goliath Meta with fines totalling hundreds of millions of euros for privacy breaches and said the social media multinational must reassess the legal basis of how personal data is used to create targeted advertisements.
Ireland’s data watchdog fined Meta Ireland €210 million ($222 million) for breaches of EU data privacy rules relating to Facebook and €180 million ($190 million) for breaches on Instagram.
The ruling from the Data Protection Commission takes aim at how Meta, the parent company of Facebook, Instagram and WhatsApp, makes millions from personalised advertising.
It also banned the company from forcing users in the 27-nation bloc to agree to personalised advertisements based on their online activity.
Meta said it intended to appeal both the substance of the rulings and the fines imposed, and that the decisions do not prevent personalised advertising on its platforms.
The privacy regulator said Meta must reassess the legal basis for how Facebook and Instagram use personal data to create targeted advertising in the EU.
Jonathan Compton, a partner at DMH Stallard law firm and a specialist in data protection regulations, said the ruling was a warning to tech firms.
“This case serves notice that big tech cannot hide behind ‘contractual necessity’ to play fast and loose with personal data of EU citizens,” he said.
“The deeper problem for Facebook, which relies on personalisation of adverts for users for about 80 per cent of its revenue, is that this case strikes at the heart of that model, effectively denying tech firms the ability to use personal data to tailor the ad output to individual users, if this means harvesting their user data to do the tailoring.”
Two complainants had argued that Meta Ireland was “forcing” them to consent to their personal data being used for behavioural advertising and other services by making use of its social media conditional on accepting its terms of service.
The decision stems from the complaints filed in May 2018, when EU privacy rules, known as the General Data Protection Regulation, or GDPR, took effect.
Previously, Meta relied on getting informed consent from users to process their personal data to serve them with personalised, or behavioural, advertisements, which are based on what users search for online, the websites they visit or the videos they click on.
When GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause to the terms of service for advertisements, effectively forcing users to agree that their data can be used.
The Irish watchdog initially sided with Meta but changed its position after its draft decision was sent to a board of EU data protection regulators, many of whom objected.
In its final decision, the Irish watchdog said Meta “is not entitled to rely on the ‘contract’ legal basis” to deliver behavioural ads on Facebook and Instagram.
Meta has three months to ensure its “processing operations” comply with the EU rules, though the ruling doesn’t specify what the company has to do.
The company said the decision does not prevent it from displaying personalised ads and covers only the legal basis for handling user data.
A decision in a third case involving Meta’s WhatsApp messaging service is expected later this month.