Facebook fined €390 mn for breaching EU privacy law: Why is the ruling significant?

What is the significance of Facebook’s €390 million fine for violating EU data protection legislation? Meta, Facebook’s parent company, was fined €390 million by the Irish Data Protection Commission. An examination of the disagreement, the decision, and any possible consequences.

The Irish privacy regulator fined Facebook’s parent company Meta a total of €390 million after the company’s advertising and data handling practices violated the EU’s general privacy law. On Wednesday, January 4, the Irish Data Protection Commission recommended a €210 million fine for violating the EU’s General Data Protection Regulation (GDPR) and a €180 million fine for Instagram’s GDPR violations.

Facebook: Ireland’s choice

According to the Irish Data Protection Commission, EU authorities discovered that Meta’s lengthy terms of service effectively forced users to accept personalised advertisements in violation of the GDPR by requesting their consent to collect their data for targeted advertising. According to the order, Meta must “come into compliance within three months” concerning its data processing activities.

According to the European Data Protection Board, which oversees data privacy regulatory action across the EU’s 27 member states, Meta could not rely solely on contracts as a legal basis for processing user data for targeted advertisements. This claim is expanded upon in the DPC decision.

What prompted Ireland’s regulatory authority to make this decision?

According to the GDPR, cross-border cases must be handled by the data protection authority in the country where the company is headquartered. As a result, Meta and several other US technology behemoths with Irish offices rely on the Irish DPC as their primary regulatory body.

The decision’s significance

* To begin, the Irish DPC began investigating Facebook on May 25, 2018, when the GDPR took effect. In some ways, the case’s outcome reinforces a vital tenet of the EU’s ground-breaking legislation: the individual’s right to her data, as well as the requirement that an individual provides explicit consent before their data can be processed.

* According to Bloomberg data, the fine has reduced Meta’s projected profits for 2023 by nearly 50%. According to performance metrics, the company’s much-touted Metaverse push is failing, with users and advertisers abandoning the platforms (with the exception of Instagram Reels and messaging platform WhatsApp). And since 2021, when Meta, formerly known as Facebook, changed its name, its stock price has dropped by nearly 60%.

Furthermore, the DPC fines were significantly higher than the tax of between €28 and €36 million proposed in an October draught decision.

* Finally, and perhaps most importantly, the DPC decision may necessitate Meta making changes to its apps over the next three months to prevent the use of personal data for advertising purposes. This could be a major setback for the company’s marketing strategy:

Following the implementation of the GDPR, Meta modified the information processing terms of service for both Facebook and Instagram. Previously, Meta needed a user’s permission to process this information for behavioural advertising purposes.

However, activists argue that the changes effectively required users to consent to the processing of their data for ad targeting in order to use the platforms. To ensure compliance with the DPC ruling, everything must now be changed.

The consequences of the decision

This decision may compel Meta to explicitly ask EU users if they want their data used for targeted advertising. In essence, it may imply that Meta would be required to obtain “opt-in consent” in the same way that other advertisers doing business in the EU are now.

Following the decision, Meta issued a statement on January 4 stating that it intended to appeal the decision and that businesses could continue to target users with ads via Meta’s platforms because the decision “does not even amount to a ban on personalised advertising.”

This forced change follows Apple’s decision last year to make it more difficult for iPhone apps to track users’ online activity. Apple’s changes, according to Meta, could cost the company $10 billion in revenue in 2022, with long-term consequences.

Other regulatory actions, including the DPC decision, are currently being addressed by Meta. In addition to investigating Meta’s proposed acquisition of Within, a developer of virtual reality fitness applications, the US Federal Trade Commission is suing Meta for alleged abuse of its main “monopoly” in social networking. According to The Economist, UK regulators ordered Meta to cancel its acquisition of Giphy, a company that creates animated images, in October.

The most likely outcomes

Given that the EU is the main de facto global technology regulator, decisions based on the GDPR’s broad principles could have far-reaching implications, including in India. While the GDPR is clearly focused on privacy and requires individuals to provide explicit consent before their data can be processed, Graham Greenleaf, professor of law and information systems at the University of New South Wales, claims that companies like Meta now face a pair of sub-legislation — the Digital Services Act (DSA) and also the Digital Markets Act (DMA) — that take off.

The DMA establishes a new category of platforms known as “dominant gatekeepers” and focuses on non-competitive practises and abuse of dominance by these players, whereas the DSA addresses issues such as hate speech and counterfeit goods.

The Indian government is currently working on a technology policy framework. This framework will include the recently announced new personal data protection bill, a comprehensive digital India Act that will eventually replace the current IT Act, and a new telecom Bill that will go into effect in October 2022.

According to Ireland’s Data Privacy Commissioner, Facebook and Instagram must reconsider their legal basis for using personal data for advertising purposes in the European Union (DPC). According to a confidential decision seen by Reuters last month, the EU’s privacy watchdog issued the order on how both social media companies run advertising in December, overruling the Irish regulator’s draught decision on the subject.

In response to new EU privacy laws, Facebook and Instagram changed their terms of service in 2018, and Meta attempted to rely on the contractual legal basis for the majority of its processing activities.

Meta believed that when users accepted the revised 2018 terms, a contract was formed, making such advertising legal, rather than relying on users’ prior consent to the processing of their main personal data for targeted advertising.

The Data Privacy Commissioner (DPC) of Ireland, who gave Meta three months to bring its data processing operations into compliance, regulates many of the EU’s largest technology companies.

Edited by Prakriti Arora