Governance & Risk Management
,
Privacy
Social Media Company Fined for GDPR Violation Related to Ad Personalization
The Irish Data Protection Commission has imposed a fine of 390 million euros against Meta Ireland for violating the General Data Protection Regulation related to user data processing. Meta confirmed it will contest the penalty, which targets ad personalization by Facebook and Instagram.
See Also: Encryption is on the Rise! Learn how to Balance Security with User Privacy and Compliance
The latest fine is part of two separate inquiries launched by the commission against Meta’s social media platforms, Facebook and Instagram, regarding the company’s use of user data for ad personalization.
The inquiries, which were launched after two separate complaints were filed by Austrian privacy rights group NYOB and an Australian individual in 2018, looked into how Meta Ireland may have violated the user consent clause stipulated under Article 6 of the GDPR.
In 2018, Meta Ireland introduced “contractual necessity,” its updated, privacy-focused terms of services for Instagram and Facebook that sought to legitimize the processing of user data just as the European GDPR came into effect.
While the company previously required users’ consent to access Facebook and Instagram services, under the revised changes, users were required to accept the company’s updated terms of service in order to continue to access the services.
The complaints argued that Meta Ireland’s updated terms of service in fact forced users to consent and accept the company’s terms of service for processing user data for behavioral data and other personalized services. They further argued that in introducing the updated terms, Meta Ireland “bypassed” the consent requirement under the GDPR by adding a clause to the terms and conditions to include advertisement.
Concluding their inquiries on Wednesday, the Irish DPC announced that Meta Ireland’s program violated multiple GDPR provisions by failing to give users information on how their data would be processed. As a result, it fined Meta Ireland 210 million euros for breaches relating to Facebook services and 180 million euros for Instagram services.
The commission also gave Meta Ireland a deadline of three months to comply with GDPR.
In a separate statement, also released on Wednesday, Meta said it “strongly disagreed” with the commission’s final decision and that it will appeal the decision.
“Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticized for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed,” Meta said.