Meta Fined $410M for GDPR Violations

Stemming from complaints filed on May 25, 2018, by the non-profit None of Your Business (NOYB), the Irish Data Protection Commission (DPC) announced and released finalized decisions against Meta’s Facebook and Instagram platforms, with fines totaling more than $410 million for violating the GDPR.

First, a little history: prior to May 25, 2018, Facebook and Instagram relied upon consent for the processing of personal data. Shortly before the GDPR went into effect, Meta updated its terms and conditions for the Facebook and Instagram platforms, essentially requiring users to agree to the updated terms in order to use the platforms and thereby entering the users into a contract to use them. This included personalized advertising.

In the final decisions, it was determined that Meta violated the GDPR in two ways:

  1. Failing to transparently notify data subjects of the legal basis relied upon to process personal data, which also resulted in Meta violating the requirement to process personal data lawfully, fairly, and in a transparent manner.
  2. In an interesting turn of events, the DPC did not believe that Meta needed to rely upon consent for personalized advertising; however, through the cooperation mechanism, it was ultimately determined that consent was in fact required.

The cooperation mechanism process discussed above, together with the commentary from the DPC in the press release, is an interesting point that is sure to come up in Meta’s appeals.

While the fine may seem insignificant for a company with a market cap of $562 billion, the enforcement decision by the DPC will have a huge impact on how the company operates and provides its services within the EU and will level the playing field with other providers.

The DPC outlined that Meta has three months to bring its data processing into compliance with the GDPR. Meta is expected to appeal the decision, with a spokesperson from the company stating that “We strongly disagree with the DPC’s final decision, and believe we fully comply with the GDPR by relying on Contractual Necessity for behavioral ads given the nature of our services.”

Relying upon consent for personalized advertising is nothing groundbreaking, but organizations should pay close attention to how the appeals process plays out. An entire industry and every organization will be keen to understand if a lawful basis other than consent is appropriate for behavioral advertising.

CompliancePoint has an experienced team of privacy professionals that can help your organization reach and maintain compliance with the GDPR and U.S. privacy laws. Contact us at connect@compliancepoint.com to learn more.