An Irish data privacy regulator has issued fines totaling €390 million — roughly $410 million — against Facebook and Instagram parent Meta over practices related to its monitoring of users’ behavior on its services in order to create targeted ads, according to a Wednesday press release by the Irish Data Protection Commission (DPC).
Meta had previously argued to the commission that it had the right to tailor ads to users based on their online activity because the Terms of Service that users agreed to to use the service amounted to a contract, and that gathering this personalized data was a core part of that contract, according to the DPC. Although the DPC originally agreed with this argument, it reversed its position after other European regulators challenged this view during a standard peer review process, finding that Meta was “not entitled” to consider the Terms of Service agreement as sufficient legal basis for its actions.
The fine was issued in two parts, a €210 million fine for alleged wrongdoing at Facebook and a €180 million fine for alleged wrongdoing at Instagram, according to the DPC. Meta intends to appeal the ruling and challenge the fines, according to a press release Wednesday.
“Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed,” the company said.
Meta criticized “a lack of regulatory certainty” surrounding the General Data Protection Regulation (GDPR) — the E.U.’s strict data privacy law which first took effect in 2018 — and noted that the decisions did not prevent it from offering other forms of personalized ads. While Meta allows users to shield their activity on third-party apps and websites for use in personalized ads, the company relies on monitoring users’ activity on its own platforms in order to optimize its targeted advertisements, according to The Wall Street Journal.
“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions,” said Meta.
The DPC found that both Meta’s use of contracts and its lack of transparency regarding how it uses users’ data was in violation of the GDPR, and initially filed its complaint on May 25, 2018, the day that the regulations took effect. The agency gave Meta three months to bring itself into compliance.
In the past 18 months, the Irish regulator has fined Meta nearly $1.4 billion across five decisions, according to the WSJ. In September 2022, Meta was fined more than $400 million for policies that the DPC alleged violated privacy rights for underage users, although Meta stressed to the Daily Caller News Foundation at the time that the ruling was based on policies that had been updated over a year prior.
The DPC did not immediately respond to a DCNF request for comment. Meta directed the DCNF to its press release.
All republished articles must include our logo, our reporter’s byline and their DCNF affiliation. For any questions about our guidelines or partnering with us, please contact [email protected].