The practices of acquiring permission from users of Facebook and Instagram to utilize their personal information for marketing purposes have been subject to a lengthy investigation. Finally, Meta has been penalized €390 million or $414 million for violating the General Data Protection Regulation (GDPR) of the European Union.
The Irish Data Protection Commission (DPC) started an investigation involving Meta and its subsidiaries on May 25, 2018 after receiving two complaints from Max Schrems and his organization NOYB; both of which are privacy and data rights campaigner. Allegedly, Meta had ignored the GDPR’s consent requirements by including a clause to Facebook and Instagram’s terms and conditions that demanded users of those websites to agree to behavioral marketing and other individualized services before they could use the websites. Users that didn’t concur to these terms and conditions of service are not allowed to use the platforms. The modification to the terms and conditions happened at 12:00 am on May 25, 2018, which is the same time when the GDPR was implemented.
The GDPR brought in new rights for EU residents with respect to their personal information. One of which is the need to get their permission prior to using their personal information for tracking and internet adverts. The complaints claimed that by including consent in the terms and conditions of service, Facebook and Instagram users were obligated into allowing the use of their personal information for marketing and other personalized services. The allegations likewise state that not enough details were given to users about the use of their information.
According to the one-stop-shop condition of the GDPR, just one data protection agency holds the responsibility to investigate complaints of GDPR violations whenever there’s cross-border processing of personal information. Ireland headed the investigation since EU base of Meta is located in Ireland. The DPC filed a draft decision to different EU privacy watchdogs that advised penalties of €23 million for Instagram and €36 million for Facebook for the supposed privacy violations; nonetheless, 10 data protection regulators argued the decision and so the two cases had been forwarded to the European Data Protection Board (EDPB). The EDPB decided that more discoveries of GDPR violations need to be acquired and that the financial penalties must be raised. The DPC then elevated the financial fines to €180 million for Instagram and €210 million for Facebook.
Meta along with its subsidiaries were penalized over €1.3 billion or $1.37 bn for GDPR violations. There’s another case decision due at the end of this month against WhatsApp, Meta’s subsidiary. A Meta spokesperson stated that they are dissatisfied with the DPC’s decisions since they believe their practices respect GDPR. Meta is going to appeal the substance of the decision and the penalties. Meta has set a €2 billion fund to pay for the financial penalties for GDPR violations that must be paid in the following year.