Get in touch
If you have any questions relating to this article or have any legal disputes you would like to discuss, please contact the Commercial & Technology team on
On 4 January 2023, the Irish Data Protection Commission (DPC) announced that it has fined Meta Platforms Ireland Limited (Meta) €210 million and €180 million respectively for breaches of the GDPR relating to its Facebook and Instagram services.
Before the GDPR came into force, Meta updated its Facebook and Instagram Terms of Service (ToS) to rely on the ‘contract’ lawful basis when processing its users’ personal data for targeted advertising purposes, whereas it previously relied on the lawful basis of ‘consent’. In order to continue using and accessing Facebook and Instagram, users were required to click “I accept” to accept the new ToS.
On 25 May 2018 (the day the GDPR came into effect), complaints were made against Meta arguing that Meta was in breach of GDPR because Meta was still relying on consent as a lawful basis for processing personal data and not the ‘contract’ lawful basis as Meta stated in its ToS. Users could not use the platform without accepting the new ToS, users were “forced” to consent to their personal data being used for targeted advertising.
Meta argued that:
In its initial draft decisions, the DPC found that:
A number of supervisory authorities in the EEA objected to the findings and the level of the fines and, following a consultation process, the DPC referred the matter to the European Data Protection Board (EDPB). In its binding determination, the EDPB concluded that:
On reversion to the DPC, the DPC reflected the EDPB’s binding determinations, fining Meta a total of €390 million for its breaches of the GDPR. In addition to the fine, Meta was given three months to bring its processing operations in compliance with GDPR. Meta has stated that it will appeal the decisions for “both the substance of the rulings and the fines”.
The decision serves as a stark reminder of the enforcement powers available to supervisory authorities and the importance of complying with the GDPR. In particular:
Businesses should ensure that they have established the most appropriate lawful basis for their processing, and that they understand the risks of getting this wrong. The outcome of this case does not prohibit the processing of personal data for targeted advertising but stresses the importance of businesses giving individuals a choice as to whether their personal data is used for such advertising. Giving individuals such choice will undoubtedly have an impact on businesses whose financial model relies heavily on targeted advertising.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.
Share:
If you have any questions relating to this article or have any legal disputes you would like to discuss, please contact the Commercial & Technology team on
Sign up to receive the latest news on areas of interest to you. We can tailor the information we send to you.
Sign up to our newsletter