Meta fined €390m over EU data breaches

The United States of America social media giant Meta was on Wednesday slapped with fines totalling 390 million euros ($413 million) for breaching European Union personal data laws on Facebook and Instagram, Ireland’s data regulator said.

Meta and other US Big Tech firms have been hit by huge fines over their business practices in the EU in recent years and the bloc has also tightened online regulation.

The Irish Data Protection Commission said in a statement that Meta breached “its obligations in relation to transparency” and used an incorrect legal basis “for its processing of personal data for the purpose of behavioural advertising”.

The watchdog reached “final decisions” to fine Meta Ireland 210 million euros in relation to Facebook and 180 million euros in relation to Instagram, for violating Europe’s landmark General Data Protection Regulation.

The announcement came one month after Europe’s data regulator, the European Data Protection Supervisor, imposed binding decisions over the treatment of personal data by the group.

One of those rulings concerns Meta’s instant messaging division WhatsApp, with Ireland’s DPC due to announce a separate verdict next week.

The internet giant’s European operations are based in Dublin, along with a number of other major global tech companies including Google, Apple and Twitter.

As a result, Ireland’s data protection agency is the lead European regulator responsible for holding them to account.

California-based Meta, which is led by Mark Zuckerberg, expressed disappointment with Wednesday’s news and will appeal.

“The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area,” it said in a separate statement.

“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”

The company also stressed that the decisions “do not prevent targeted or personalised advertising” and relate “only to which legal basis Meta uses when offering certain advertising”.

The latest case follows complaints by privacy campaigning group Noyb that Meta’s three app services failed to meet Europe’s strict data protection rules.

Noyb says they flouted the landmark GDPR that came into force in May 2018 by failing to give users the option of holding back their personal data and blocking targeted advertising.

The campaign group welcomed the Irish regulator’s verdicts.

The Facebook owner has faced a series of massive penalties over its behaviour in recent years.

The DPC hit Meta with a 265-million-euro ($275-million) fine in November after details of more than half a billion users were leaked on a hacking website.

That followed a landmark decision by the Irish watchdog to impose a record 405-million-euro fine in September after Meta’s Instagram platform was found to have breached regulations on the handling of children’s data.

In July 2019, Facebook was fined a record $5 billion by the US federal authorities over its privacy controls in the wake of the Cambridge Analytica scandal.

In September 2021, the DPC also fined WhatsApp 225 million euros for failing to comply with its transparency rules for data transfers.

And in France, the CNIL national data watchdog fined Facebook 60 million euros in January 2022 for its use of online “cookies”, the digital trackers used to target advertising.

The latest DPC fines are dwarfed by Meta’s multi-billion-dollar earnings, but the company has been ravaged by a global advertising slump and stagnating user numbers.

Meta said in November that it would axe more than 11,000 staff after profits more than halved to $4.4 billion in the third quarter.

AFP