Facebook and Instagram fined €390m over GDPR breaches

The Data Protection Commission (DPC) has imposed fines totalling €390 million on Meta Ireland in connection with its Facebook and Instagram platforms.

Meta has said it strongly disagrees with the DPC’s findings and will “appeal the substance of the decision” in the Irish courts.

The fines of €210 million for GDPR breaches relating to Facebook and €180 million for breaches relating to Instagram follow binding decisions issued by the European Data Protection Board (EDPB) last month.

The DPC has also indicated that it will bring an action against the EDPB to the EU courts in a related jurisdictional dispute.

Prior to the EDPB’s intervention, the DPC had proposed a fine of €36m in relation to Facebook and €23m in relation to Instagram. The new total is over 560 per cent more than the DPC’s proposal.

In addition to the fines, Meta Ireland has been directed to bring its data processing operations into compliance within a period of three months.

The inquiries concerned two similar complaints; the complaint in relation to Facebook was made by Austrian privacy campaigner Max Schrems, while the other was made by a Belgian data subject. Both were made on 25 May 2018, the date on which the GDPR came into operation.

The crucial issue in the inquiries was the legal basis on which Meta relied for its processing of personal data for the purpose of behavioural advertising.

Meta argued that its terms of service constituted a contract with users and its processing of users’ data in connection with the delivery of its Facebook and Instagram services, including the provision of personalised services and behavioural advertising, was necessary for the performance of that contract.

Although the DPC’s draft decision found that Meta had breached its GDPR obligations in relation to transparency, it agreed that the company could rely on the “contract” legal basis for behavioural advertising — a position rejected by the EDPB last month.

Mr Schrems, a long-time critic of the DPC, said: “For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled.”

Responding to the DPC decision, Meta said: “There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time. This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether.

“That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on contractual necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision.

“Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”

In a statement confirming the final decisions in the Facebook and Instagram cases, the DPC also indicated that it will bring legal action against the EDPB over alleged overreach.

The EDPB had directed the DPC to conduct a fresh investigation spanning all of Facebook and Instagram’s data processing operations and examining special categories of personal data that may or may not be processed in the context of those operations.

The DPC said: “The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.

“The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR.

“To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.”
