Today, the Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (Meta Ireland) in connection with the delivery of its Facebook and Instagram services.
Meta Ireland was fined €210 million for breaches of the GDPR relating to its Facebook service and €180 million for breaches relating to its Instagram service.
Meta Ireland has also been given three months to bring its data processing operations into compliance with the GDPR.
According to the DPC, the inquiries arose from two complaints, both made on May 25, 2018, that raised the same basic issue. The Facebook-related complaint came from an Austrian data subject, while the Instagram complaint was made by a Belgian data subject.
Prior to this, Meta Ireland had altered the Terms of Service for both Facebook and Instagram and flagged the fact that it was changing the legal basis that it relies on to legitimize its processing of the user’s personal data.
This change entailed a shift from relying on user consent to process their personal data to relying on the “contract” legal basis for most of its processing operations.
With this, users were asked to click “I accept” in order to indicate their acceptance of the new Terms of Service and continue to have access to Facebook and Instagram.
The complainants stated that because Meta Ireland was still relying on user consent to provide a lawful basis for its processing of users’ data, the company was not in compliance with GDPR regulations.
Initially, a consensus on the inquiry could not be reached; however, after the European Data Protection Board was consulted, a determination was issued on December 5, 2022.
The final decision was set forth by the DPC on December 31, 2022. It stated that Meta Ireland cannot rely on the “contract” legal basis for the delivery of behavioral advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date violated Article 6 of the GDPR.