Meta has just been condemned by the Irish regulator for breaching the GDPR. The Californian giant is accused of circumventing regulations to collect data from Facebook and Instagram users. This is already the third fine since September.
The Irish Data Protection Commission (DPC) has imposed two size fines in Meta. In total, these two sanctions represent 390 million euros. First there is a fine of 210 million euros targeting Facebook. The second penalty concerns Instagram, the group’s other social network, and does not exceed 180 million euros.
On behalf of the European Union, the regulator accuses the Californian giant of having violated the GDPR, the General Data Protection Regulation, in force in Europe since 2018. In a press release, the Irish commission explains that it has launched an investigation to Following several complaints. These were filed by the privacy association Noyb shortly after the application of the GDPR.
Read also: Meta pays 725 million dollars to bury the Cambridge Analytica scandal
“forced consent” » on Facebook and Instagram
According to the Irish regulator, Meta has not honored ” its transparency obligations.. Relying on inappropriate legal foundations about the ” processing of personal data for advertising purposes” targeted, Meta violated the law, argues the DPC.
Specifically, Meta did not explicitly request the consent of Internet users to use their data for advertising targeting. The company gives its users a limited choice: accept data sharing or stop visiting Facebook and Instagram. This coercive approach allows Meta to keep its advertising business, which represents the bulk of its revenue, running.
For Noyb, Meta knowingly reinterpreted the consent request as “a simple civil law contract” to arrive at his ends. Max Schrems, founder of Noyb, explains in a statement :
“Instead of having a ‘yes/no’ option for personalized ads, they just moved the consent clause into the terms and conditions. This is not only unfair but clearly illegal. We don’t know of another company that has tried to ignore GDPR in such an arrogant way.”
For its part, the regulator does not hesitate to talk about “forced consent”. Meta is enjoined to “bring its data processing operations into compliance” within three months.
The Noyb association also filed a complaint with WhatsApp in the crosshairs. The Irish commission will rule on the instant messaging case sometime next week. A new sanction could be decreed in the near future. This round of fines comes a few weeks after the adoption of three binding decisions by the European Data Protection Board (EDPS), ruling on the processes employed by Meta.
Meta defends itself and intends to appeal
Shortly after the fine, Meta stepped up to defend the legitimacy of its practices on his website. Unsurprisingly, the social media giant has appeal to Ireland’s decision. Meta is firmly convinced that its approach does not violate the GDPR, and points to a ” lack of regulatory clarity.
The firm explains that it is based on ” a combination of legal bases to provide various services”. In the case of data collection, Meta clarifies to rely on contractual necessity, which allows advertising targeting subject to certain security and confidentiality parameters.
The group led by Mark Zuckerberg also reassures its advertising partners. For Meta, the sanction of the DPC does not oblige it to cease the exploitation of the data of the Internet users:
“The rulings relate only to the legal basis used by Meta […]. Advertisers can continue to use our platforms to reach potential customers.”
It’s already the third sanction against Meta for violation of the GDPR in the space of a semester The American company has already been fined 265 million euros last November. Following the hacking of 533 million Facebook accounts in 2019, the Irish regulator found that Meta was not correctly applying European regulations.
Two months earlier, Instagram was in the crosshairs of the DPC for violating the privacy of children. Following a lengthy investigation, Meta was fined 405 million euros.
As pointed out a study by AtlasVPN, Meta is involved in the majority of GDPR-related sanctions. The firm was fined 80% of the fines imposed last year. Since the entry into force of the law, ” Meta paid around €1 billion for GDPR violations”explains the study.
CPD
