Ireland’s data protection authority fined Meta €390 million for illegal data processing in personalized ads on Instagram and Facebook. The verdict puts the tech giant’s ad revenue at risk.
Meta’s European headquarters are located in Ireland. The Irish data protection authority oversees the organization’s European arm.
In 2018, the regulator received two complaints about Meta’s processing of European Instagram and Facebook user data. The Irish data protection authority launched an investigation and built a case over the course of the past four years.
The verdict was announced on January 4, 2023. Meta has been found guilty of GDPR violations. The tech giant received a €390 million fine and is required to revamp its data processing policies within three months.
The issue revolves around the legal basis on which Meta processes European Instagram and Facebook user data. Under the GDPR, organizations must have a legal basis to process personal data. The most well-known basis is ‘consent’, whereby organizations request user consent.
Meta relied on the ‘consent’ basis in the years prior to the GDPR’s introduction in 2018. The tech giant changed its policy ahead of the law’s implementation, switching the basis from ‘consent’ to ‘contract’.
Organizations can invoke the ‘contract’ basis when users’ personal data has to be processed in order to fulfil an agreement. Consider a delivery service that can’t deliver orders to correct locations without address data.
Meta claimed that the personal data of Facebook and Instagram users had to be processed to operate the social media platforms. The tech giant stopped requesting user consent. Anyone who wanted to use Facebook and/or Instagram had to sign an agreement. Anyone who refused was denied access to the platforms.
Privacy activist Max Schrems spoke out against the change and sued Meta before the Irish data protection authority in 2018. In his complaint, Schrems stated that Meta indirectly forced users to consent to data processing by barring access for users who refused to sign.
The complaint led to an investigation. The Irish data protection authority recently ruled that Meta is not entitled to the ‘contract’ basis under certain circumstances.
Personalized ads are one of the reasons the tech giant processes user data. The ruling stipulates that Meta can’t use the ‘contract’ basis when processing data for personalized ads.
The decision is a blow to Meta. In addition to a €390 million fine, the tech giant has to implement a new basis for data processing related to personalized ads within three months.
Meta may end up switching the basis back to ‘consent’. In that case, ad revenue is likely to decline. Users would be given the option to refuse data processing for personalized ads. Personalized ads are generally more profitable than non-personalized ads.