Meta, the parent company of social media platforms Facebook and Instagram, has been fined €390m by the Irish Data Protection Commission (DPC) for violating EU data rules. The DPC found that Meta had unlawfully asked for permission to use people’s data for targeted ads, and had failed to give users adequate information about how their data was being used.
The regulator also stated that Facebook and Instagram could not “force consent” by stating that users had to accept how their data would be used or leave the platforms. The decision was the result of a complaint made by privacy campaigner Max Schrems in 2018, just as the General Data Protection Regulation (GDPR) was being introduced.
Meta is expected to appeal the decision, but if the ruling stands, the company will be forced to change how it obtains and uses data for advertising. This could have a significant impact on the company, as advertising makes up the bulk of its revenue.
The fine is the second significant penalty imposed on Meta by the DPC in recent months. In November, the company was fined €265m for a data breach that saw the personal details of hundreds of millions of Facebook users published online.
Privacy campaigners have welcomed the DPC’s decision, stating that it is a major victory for user privacy. The ruling means that Meta will have to give users a genuine choice over how their data is used for targeted advertising.
The decision was not arrived at easily, however, and was only made after a dispute with other European data authorities. Meta argues that it gives users a number of tools to control how their data is used and plans to challenge the size of the fine.
The DPC’s decision is likely to have far-reaching implications for the use of personal data in advertising. It remains to be seen how Meta will respond to the ruling, and what impact it will have on the company’s business model. However, the decision is a clear signal that companies must respect user privacy and give consumers a genuine choice over how their data is used.