Data protectionists and the Facebook group Meta have been arguing about data protection for years. Only the supervisory authority Ireland did hardly anything. But now the Irish are taking a double hit against Meta.

Serious defeat for Meta’s business model in Europe: In the future, the Facebook group may no longer use its users’ personal data without being asked to personalize advertising. This was decided by the responsible Irish data protection authority DPC on Wednesday. At the same time, it imposed a fine of 390 million euros. The group violated the EU General Data Protection Regulation with its Facebook and Instagram platforms, the DPC announced.

Both cases deal with personalized advertising and the way in which Meta collects and processes personal data from users. 210 million euros are due for the Facebook violation and 180 million euros for Instagram.

Meta announces appointment

Meta was “disappointed” with the decision and announced an appeal. In a response from the group, companies were confronted with an unclear legal situation. “We deeply believe that our approach respects the EU data protection regulation, (…) and intends to appeal both the content of the decisions and the penalties,” the meta statement continued.

The Irish regulator has long refrained from taking action against Facebook and Meta after complaints from Facebook customers and data protection activists. In December, the European Data Protection Board overruled the DPC, urging the Irish authority to take firm action against the internet giant.

Clearly regulated since 2018

Since 2018, the GDPR has regulated the conditions under which personal data may be used. In some cases, this can also be done without the customer’s explicit consent, for example if an online shop transfers data to the parcel service provider.

After the GDPR came into force in 2018, Facebook (today Meta Platforms) declared in its terms of use that the display of personally tailored advertising was part of the service for which no separate consent was required. This interpretation has now been dismissed.

The authority concluded that the company then effectively urged its users to accept certain terms, otherwise the services would no longer have been usable for them. In a first reaction, Facebook said: “We strongly believe that our approach respects the GDPR and are therefore disappointed with these decisions.”

The Irish authority also requires Meta to change its data processing practices within three months.

Data protection advocate Max Schrems, who is one of the complainants, criticized Meta’s approach: “Instead of having a yes/no option for personalized advertising, they simply moved the consent clause to the general terms and conditions. That’s not only unfair, it’s clear illegal.”