Irish Data Watchdog Fines Meta €390M for Ad Delivery System Abuses in EU

On Wednesday, Ireland’s Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited in connection with the delivery of its Facebook and Instagram services. The agency said Meta will be fined €210 million for breaches of the General Data Protection Regulation (GDPR) in relation to Facebook and €180 million in relation to Instagram.

The resolution comes after Austrian and Belgian “data subjects” complained about Meta’s ad delivery services on the day the GDPR was enacted in May 2018. In particular, the complainants took issue with changes to Meta’s terms of service enacted ahead of the law’s inception and concerning the legality of how Meta obtains consent from users for the processing of their personal data for behavioral advertising and other personalized services.

After an investigation, the DPC’s draft decision found against Meta insofar as it breached its obligations in relation to user transparency. The DPC said that “information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR.”

A second determination made by the DPC regarding whether Meta could legally rely on a “contract” legal basis for its processing of personal data was subsequently overturned by the European Data Protection Board (the EDPB). The EDPB found that as a matter of principle, Meta’s reliance on the “contract” legal basis as a means of obtaining consent for data processing was unfounded. In turn, the higher body scaled up the DPC’s proposed fines.

The press release explained that the final decisions adopted by the DPC on Dec. 31, 2022 reflect the EDPB’s binding determinations. Meta has three months to bring its data processing operations into compliance in order to avoid further scrutiny.