The Irish Data Protection Commission (DPC) has fined Meta over its handling of user data, following hundreds of millions of dollars in similar fines and potentially putting parts of its advertising business at risk. The DPC announced today that Meta must pay €210 million (approximately $222 million) for violating European Union privacy rules with Facebook’s practices, plus €180 million (approximately $191 million) for similar violations with Instagram.
The fines stem from two complaints from 2018 about how Meta – formerly Facebook – complied with the General Data Protection Regulation (GDPR), which took effect that year. Both Facebook and Instagram’s terms of service began requiring users to accept a new service contract that included the processing of user data. But the complaints claimed that this amounted to “forcing” them to agree to things like targeted ads that violate the new rules.
The DPC found that Meta’s updates were not sufficiently clear, and following consultation with the European Data Protection Board (EDPB), it decided that Meta could not rely on the contract as an outright defense of its business practices. The EDPB’s guidance also led regulators to increase their planned fines for the company. In addition to the fines, Meta must bring its business operations into line with the GDPR within three months.
Previous reporting by The Wall Street Journal indicated that Meta could face significant restrictions on its ability to target advertising under the new rules. In a blog post, Meta said it planned to appeal the decisions, but denied they meant it would have to stop the practice. “These decisions do not preclude personalized advertising on our platform. The decisions relate only to the legal basis used by Meta in serving certain advertisements.” “We are assessing several options that will allow us to continue to provide a fully personalized service to our users.”
These fines come on top of a number of previous rulings that Meta violated European regulations. The DPC in November ordered Meta to pay $276 million for a 2021 data breach, in September it fined the company $402 million for its handling of teens’ Instagram data, and in March it fined the company approximately $18 million for record-keeping issues.