We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Alamy Stock Photo

Facebook and Instagram parent company Meta fined €390m by Data Protection Commissioner

The DPC said it has fined Meta Ireland €210 million, for its Facebook service, and €180 million for breaches in relation to its Instagram service.

LAST UPDATE | Jan 4th 2023, 7:06 PM

IRELAND’S DATA PROTECTION watchdog has fined Facebook and Instagram holding company Meta €390 million.

The DPC said today in a statement that they had concluded two inquiries into the data processing operations of Meta Platforms Ireland.

The probe was focused on its Facebook and Instagram services.

The DPC said it has fined Meta Ireland €210 million, for breaches of the GDPR relating to its Facebook service, and €180 million for breaches in relation to its Instagram service.

The DPC has also ordered Meta Ireland to bring its data processing operations into compliance within a period of 3 months.

A statement from the DPC said that inquiries concerned two complaints about the Facebook and Instagram services, each one raising the same basic issues. One complaint was made by an Austrian data subject (in relation to Facebook); the other was made by a Belgian data subject (in relation to Instagram).

The complaints were made on 25 May 2018, the date on which the GDPR came into operation.

The DPC explained that in advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services.

It also flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data.

The user clicked on a button “I accept” to agree to accepting this – if they did not accept it they were not allowed continue using the service.

The DPC in examining the case looked at the use of this contract. They found that it was essentially a retention of data without legitimate grounds or consent. 

The complainants to the DPC alleged that, “contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data.”

“They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR,” the statement read.

The DPC entered into a consultation process but following this “it became clear that a consensus could not be reached” the body said.

This dispute was then referred to the European Data Protection Board (EDPB).

The EDPB issued its determinations on 5 December 2022 in which it upheld the DPC’s ruling.

“In terms of sanctions, and in light of this additional infringement of the GDPR, the DPC has increased the amount of the administrative fines imposed on Meta Ireland to €210 million (in the case of Facebook) and €180 million in the case of Instagram.

“The revised levels of these fines also reflect the EDPB’s views in relation to Meta Ireland’s breaches of its obligations in relation to the fair and transparent processing of users’ personal data,” the statement added.

Separately, the EDPB has also directed the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations.

Meta sent a link to a blog to comment on the finding by the DPC and denied that the company had done anything wrong.  

“Today, the Irish Data Protection Commission (DPC) has set out its findings on the legal basis that Facebook and Instagram use under GDPR for the purpose of serving behavioural advertisements.

“The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area. We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.

“There has also been inaccurate speculation and misreporting on what these decisions mean. We want to reassure users and businesses that they can continue to benefit from personalised advertising across the EU through Meta’s platforms,” the blog said.