The Irish Data Protection Commission announced Wednesday that it would fine Meta Ireland a total of $413 million for breaches of the EU’s GDPR (General Data Protection Regulation) related to the company’s handling of personal information on Facebook and Instagram.
Under the GDPR, companies looking to process users’ personal information must do so under one of six identified legal bases, which include the consent of the user, necessity to the performance of a contract, and necessity to comply with a legal obligation. Meta, in response to the original user complaints filed under the GPDR in 2018, stated that it would rely on the “contract” justification, rather than the “consent” prong, as it had previously done. (The complaints argued that, by requiring users to agree to Meta’s use of personal information for ad targeting purposes, the company wasn’t offering users any real choice in the matter.)
The Irish DPC’s initial investigation, that regulator said, didn’t find any fault in the company’s decision, but fined Meta instead for failing to provide a clear explanation of the legal basis required to its users. As part of the procedure required by the GDPR, however, the DPC’s peer organizations reviewed the draft decisions against Meta and argued that the “contract” basis for data processing was legally problematic, saying that the provision of personalized advertising wasn’t necessary, as a matter of law, to the fulfillment of the contract entered into by Meta and its users.
The DPC said Wednesday that it disagreed with this, but that the structure of the GDPR — specifically, the required review by the European Data Protection Board — required it to amend its earlier decisions to reflect the idea that Meta cannot rely on the “contract” justification for its processing of personal information, and amended its proposed fines accordingly.
The DPC pushed back, however, against the Data Protection Board’s instruction that the Irish data regulator conduct fresh investigations into Facebook and Instagram data processing, saying that the EDPB doesn’t have the authority to do that. The group said it would file a complaint with the European Court of Justice to forestall new investigations, arguing that the instructions amount to overreach by the EDPB.
Meta, separately, expressed “disappointment” with the decisions in a public statement, and said that it will appeal “both the substance of the rulings and the fines.” While the DPC’s decisions outline a three-month timeline for the company to comply with the new rulings, the pending legal action could drag the process out far longer.