The Irish Data Protection Commission (DPC) issued two fines to Meta this week that totaled more than $400 million for breaching the General Data Protection Regulation (GDPR) laws.
The DPC also stated that Meta has three months to bring its data processing operations into compliance.
Complaints were made about Meta on May 25, 2018, the same day that the GDPR began operation. Prior to May 25, Meta changed its terms of service and shifted from relying on the consent of users for the processing of their personal data to seeking to rely on a “contract” legal basis for its data processing.
Users who did not accept these new conditions were unable to use their social media accounts.
The DPC complaints argued that “By making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data.” This was considered to be a direct breach of the GDPR.
Comprehensive investigations also found that Meta was breaching transparency rules. The DPC found that “Information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users,” and added that users had no clarity on what their personal data was being used for.
It was considered such a clear violation of fundamental matters outlined in the GDPR that the DPC fined Meta.
However, a consensus could not be reached about the “forced consent” argument, so they referred their disputes to the European Data Protection Board (EDPB). The EDPB concluded that “as a matter of principle, Meta Ireland was not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioral advertising.”
They also instructed the DPC to increase the amount of fines for violating transparency law, (210 million pounds from Facebook and 180 million pounds from Instagram.)
Meta has stated that it intends to appeal the ruling.