Meta fined 390M euros in latest European privacy crackdown

LONDON (AP) — European Union regulators hit Facebook parent Meta with hundreds of millions in fines Wednesday for privacy violations and barred the company from forcing users in the 27-nation bloc to accept personalized ads based on their activity on internet.

Ireland’s Data Protection Commission imposed two fines totaling €390 million ($414 million) in its ruling in two cases that could shake up Meta’s business model of targeting users with ads based on what they do in the Internet. The company says it will appeal.

A decision on a third case involving Meta’s messaging service WhatsApp is expected later this month.

Meta and other Big Tech companies are under pressure from European Union privacy rules, which are some of the strictest in the world. Irish regulators have already hit Meta with four more fines for data privacy breaches since 2021, totaling more than €900m, and have a host of other cases open against a number of Silicon Valley companies.

Meta also faces regulatory headaches from EU antitrust officials in Brussels flexing their muscle against the tech giants: They accused the company last month of distorting competition in classified ads.

The Irish watchdog – Meta’s main European data privacy regulator because its regional headquarters is in Dublin – fined the company €210 million for breaches of EU data privacy rules involving Facebook and an additional €180 million for violations involving Instagram.

The ruling stems from complaints filed in May 2018 when the 27-nation bloc’s privacy rules, known as the General Data Protection Regulation, or GDPR, came into force.

Previously, Meta relied on obtaining informed consent from users to process their personal data to serve them with personalized or behavioral advertising, which is based on what users search for online, websites that they visit or the videos they click on.

When the GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause in its terms of service for advertising, effectively forcing users to agree that their data can be used. This violates EU privacy rules.

The Irish watchdog initially sided with Meta, but changed its stance after its draft decision was sent to a board of EU data protection regulators, many of whom objected.

In its final ruling, the Irish watchdog said Meta “is not entitled to rely on the legal basis of ‘contract'” to serve behavioral ads on Facebook and Instagram.

Meta said in a statement that “we strongly believe that our approach complies with the GDPR and are therefore disappointed by these decisions and intend to appeal both the substance of the decisions and the fines.”

Meta has three months to ensure its “processing operations” comply with EU rules, although the ruling does not specify what the company must do. Meta noted that the ruling does not prevent it from displaying personalized ads, it only covers the legal basis for handling user data.

Max Schrems, the Austrian lawyer and privacy activist who filed the complaints, said the ruling could deal a major blow to the company’s profits in the EU because “people now have to be asked whether they want their data to be used for advertising or no ” and they can change their mind at any time.

“The ruling also ensures a level playing field with other advertisers who must also obtain consent to opt-in,” he said.

Making changes in line with the decision could add costs to a company already facing mounting business challenges. Meta reported two consecutive quarters of declining revenue as ad sales fell due to competition from TikTok and laid off 11,000 workers amid broader tech industry woes.