Irish regulators on Wednesday hit Facebook parent Meta with hundreds of millions in fines for online privacy violations and banned the company from forcing European users to agree to personalised ads based on their online activity.
Ireland’s Data Protection Commission imposed two fines totaling €390 million in its decision in two cases that could shake up Meta’s business model targeting users with ads based on what they do online.
The watchdog fined Meta €210 million for violations of the European Union’s strict data privacy rules involving Facebook and an additional €180 million for breaches involving Instagram.
Previously, Meta relied on getting informed consent from users to process their personal data to serve them personalized, or behavioral, ads. When GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause to the terms of service for advertisements, effectively forcing users to agree that their data could be used. That violates EU privacy rules.
The Irish watchdog initially sided with Meta but changed its position after the draft decision was sent to a board of EU data protection regulators, many of whom objected.
In its final decision, the Irish watchdog said Meta “is not entitled to rely on the ‘contract’ legal basis to deliver behavioral adverts on Facebook and Instagram.”
Meta said in a statement that “we strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
The Irish watchdog is Meta’s lead European data privacy regulator because its regional headquarters is in Dublin.