European Union regulators on Wednesday hit Facebook parent Meta with hundreds of millions in fines for privacy violations and banned the company from forcing users in the 27-nation bloc to agree to personalised ads based on their online activity.
Ireland's Data Protection Commission imposed two fines with a combined value of €390m in its decision in two cases that could shake up Meta's business model of targeting users with ads based on what they do online. The company says it will appeal.
A decision in a third case involving Meta's WhatsApp messaging service is expected later this month.
Meta and other Big Tech companies have come under pressure from the European Union's privacy rules, which are some of the world's strictest.
The Irish watchdog — Meta’s lead European data privacy regulator because its regional headquarters is in Dublin — fined the company 210 million euros for violations of EU data privacy rules involving Facebook and an additional 180 million euros for breaches involving Instagram.
The decision stems from complaints filed in May 2018 when the 27-nation bloc's privacy rules, known as the General Data Protection Regulation, or GDPR, took effect.
Previously, Meta relied on getting informed consent from users to process their personal data to serve them with personalised, or behavioural, ads, which are based on what users search for online, the websites they visit or the videos they click on.
When GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause to the terms of service for advertisements, effectively forcing users to agree that their data could be used. That violates EU privacy rules.
The Irish watchdog initially sided with Meta but changed its position after its draft decision was sent to a board of EU data protection regulators, many of whom objected.
In its final decision, the Irish watchdog said Meta “is not entitled to rely on the ‘contract’ legal basis" to deliver behavioural ads on Facebook and Instagram.
Meta said in a statement that “we strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
Meta has three months to ensure its “processing operations" comply with the EU rules, though the ruling doesn't specify what the company has to do. Meta noted that the decision doesn't prevent it from displaying personalised ads, it only covers the legal basis for handling user data.
Max Schrems, the Austrian lawyer and privacy activist who filed the complaints, said the ruling could deal a big blow to the company's profits in the EU, because “people now need to be asked if they want their data to be used for ads or not” and can change their mind at any time.
"The decision also ensures a level playing field with other advertisers that also need to get opt-in consent,” he said.