The authoritative news source for communications regulation

Irish Privacy Chief Fines Meta $414 Million for Facebook, Instagram Breaches

Meta Ireland owes $414 million (390 million euros) for data processing breaches in connection with its Facebook and Instagram services, the Irish Data Protection Commission said Wednesday. It fined the company $223 million for EU general data protection regulation (GDPR)…

Start A Trial
violations by Facebook and $191 million for those by Instagram. It gave Meta three months to bring its data processing operations into compliance. Meta said it will appeal. The 2018 cases involved complaints about the two services over whether Meta could lawfully, under the then newly effective GDPR, change the legal basis it relied on to legitimize the processing of users' personal data for such things as behavioral advertising from user consent to a "contract" basis. The DPC provisionally found several breaches and submitted its findings to other data protection regulators, some of which objected to various parts of the decisions. When no agreement could be reached, the DPC referred the disputed points to the European Data Protection Board. It largely upheld Ireland's position that Meta couldn't rely on the "contract" legal basis for delivery of behavioral advertising and that its processing of user data to date, in reliance on that legal basis, violated the GDPR. However, the DPC said, the board tried to order it to launch a new investigation into all of Facebook and Instagram's data processing operations. The EDPB, however, "does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation." If the EDPB is overreaching, the DPC said, it will ask the European Court of Justice to annul the order. Meta said it intends to appeal the "substance of the rulings and the fines." The debate on legal bases for processing personal data "has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area." Meta believes it fully complies "with the GDPR in relying on Contractual Necessity for behavioural ads given the nature of our services."