Meta is accused of not complying with EU data protection regulations at Facebook and Instagram. The American company intends to contest the fine.
Proceedings initiated by Max Schrems
Meta Platforms, formerly known as Facebook, was recently taken to task by the Irish Data Protection Authority for its unlawful practices. The company had stated in its terms of use that the display of personalized advertising was part of the service for which no separate consent was required. This interpretation has now been overturned and the authority has ordered Meta to change its data processing practices within three months.
Data protection activist Max Schrems criticized Meta's approach: Instead of a yes/no option for personalized advertising, the consent clause had simply been moved to the terms and conditions. He believes this is not only unfair, but also illegal. It is clear that Meta must take immediate action to ensure it is compliant with GDPR regulations or face serious consequences. The company must ensure that it provides users with an explicit opt-in option for personalized advertising and that all data processing activities are transparent and secure.
No voluntary consent
The European Data Protection Board (EDPB) recently clarified that informed consent is required in order to use personal data for advertising purposes. This has put Meta, the parent company of Facebook, Instagram and WhatsApp, in a bind. Immediately before the GDPR regulations came into force in May 2018, Meta had stopped asking its users for consent to use their personal data for advertising purposes and instead declared personalized advertising to be an integral part of its mutual service obligations in its terms and conditions.
This decision was based on a complaint about Facebook by Austrian data protection activist Max Schrems; the complaint about Instagram was filed by a Belgian user. The Irish Data Protection Commission (DPC) plans to rule on a further complaint about WhatsApp, which also belongs to Meta, in the coming weeks. Should Meta be found guilty of breaching GDPR regulations, the billion-euro threshold in fines could easily be exceeded. It remains to be seen how this situation will develop and what impact it will have on other companies that may have used similar tactics with regard to obtaining user consent.
Repeated data protection penalties against Meta
The Irish Data Protection Commission (DPC) has repeatedly imposed data protection fines on Meta, a social media company, since September 2021. In November 2021, the DPC imposed a fine of €256 million on the company after data from more than half a billion Facebook users was published on the internet. This was followed in September 2022 by another hefty fine of €405 million for serious breaches of children's data protection regulations. In addition, Meta and its subsidiary WhatsApp were fined €17 million and €225 million respectively.
Meta has appealed against both the Instagram and WhatsApp decisions, but it remains to be seen whether these appeals will be successful. The repeated fines from the data protection authority show that Meta is not taking its responsibility to protect user data seriously enough. It is clear that further action needs to be taken to ensure that companies are held accountable for their actions in relation to the protection of user data.




