Le Monde Informatique reports that Meta, the conglomerate that owns both Facebook and Instagram, has been fined a total of €390 for breaches of the EU’s General Data Protection Regulation (GDPR) in respect of both platforms’ personal data processing policy.
It has been a bad start to the year for Meta which has just been notified of a fine of €390 mn. by the Irish Data Protection Commission (DPC). The regulator is penalising the actions of Meta’s 2 subsidiaries, Facebook to the tune of €210 mn. and Instagram €180 mn. This decision concludes a case which started on 25 May 2018 (the date the GDPR entered into effect after 2 complaints had been filed – one by well-known Austrian privacy campaigner Max Schrems and the other by a Belgian citizen.
In this case Meta Ireland changed its general terms and conditions before the date of entry into effect of the GDPR, in particular “the legal basis on which it relied to legitimise its processing of users’ personal data (including behavioural advertising)”. To adopt this new policy, existing and recent Facebook and Instagram users were asked to click on the “I Accept” button on pain of no longer being able to access the platforms’ services. The questions then arose as to whether users had been forced to give their consent and if the “contract” concluded between Meta and its users conformed to Article 6 of the GDPR.
A fine increased by the EDPB
The debate was long and heated, including at European regulator level. As a matter of fact, the Irish DPC’s analysis did not meet with agreement from other European data protection authorities. For example, it considered the aspect of “forced consent” could not be upheld. Many authorities likewise thought the original Irish financial penalties too lenient. The European Data Protection Board (EDPB) was contacted to settle the matter and gave its decision on 5th December. It judged that “Meta Ireland was not entitled to invoke the legal basis of the “contract” as a legal based for its personal data processing for behavioural advertising purposes”.
It also demanded the fines proposed by the Irish regulator be raised. This is the second fine imposed on Meta in recent months by the CPD. Last November the American company was fined €275 mn. for so-called data scraping. In both cases, Meta still has the possibility of challenging the regulator’s decisions before the European judicial authorities.
Facebook and Instagram have now been given three months to bring their terms and conditions into line with the GDPR.