A legal saga between Meta, Ireland and the European Union has reached a conclusion – at least for now – that forces the social media giant to remove data consent requirements from its terms of service in favor of explicit consent, and subjects it to a few hundred million more euros in fines for the trouble.
The Irish Data Protection Commision (DPC) said today that it has made a final decision fining Meta’s Irish operating arm a combined €390 million ($414 million) for violations of the EU’s General Data Protection Regulation, and directing it to “bring its data processing operations into compliance within a period of 3 months,” the DPC said.
€210m of the fine was imposed for violations stemming from Facebook, and €180m was imposed for Instagram violations. A third case involving Meta’s acquired OTT comms app, WhatsApp, is still pending a final outcome.
Five years of fighting over, pending appeals
The DPC’s decision comes after the European Data Protection Board (EDPB) ruled in December to overturn a previous decision from the DPC that allowed Meta to add data use consent into its terms of service, essentially bypassing the EU’s GDPR’s requirement for explicit consent.
In its statement discussing the decision, the DPC said that it believed Meta wasn’t required to rely on consent, but that the EDPB took “a different view” that Meta wasn’t entitled to rely on contract obligations as a basis for allowing collection of personal data to serve ads. Instead, the EDPB said it wanted explicit opt-in and -out options in Meta’s apps.
The EDPB, DPC said, decided instead that all of Meta’s user data processing from 2018 “to date … amounts to a contravention of Article 6 of the GDPR.”
The complaints decided today were filed in 2018 by Noyb, a privacy advocacy group headed by Austrian privacy lawyer Max Schrems. Noyb filed the complaints immediately after the GDPR came into force, and said in a statement that today’s decision is a major blow to Meta’s advertising business model, but with complications remaining.
In 10 years of litigation I have never seen a decision only being served to one party, but not the other
According to Schrems, the penalty being paid out by Meta will go to Ireland, “the state that has taken Meta’s side and delayed enforcement for more than four years.”
Noyb said it expects Meta to appeal the decision in Irish courts, but believes it has little chance of winning given the binding nature of the EDPB decision.
Nonetheless, it appears the DPC is also still in Meta’s corner, as it said in its statement regarding the decision that it had plans to “bring action for an annulment” of parts of the EDPB decision before the EU Court of Justice.
‘Confidential’ decision? Really?
The DPC said the EDPB directed it to conduct a fresh investigation of Facebook and Instagram’s data processing operations that “would examine special categories of personal data that may or may not be processed in the context of those operations.” The DPC argues that the EDPB lacks the authority to “instruct and direct an authority to engage in open-ended and speculative investigation.”
Noyb further claims that the DPC told it that it would be withholding release of the full decision to Noyb “despite [Noyb] being one of the two parties in the procedure,” citing confidentiality. Noyb said the DPC has previously said parties would receive the decision before any DPC publication.
“In 10 years of litigation I have never seen a decision only being served to one party, but not the other,” Schrems said, adding that the choice makes it look like the DPC and Meta are trying to jointly shape the narrative around the decision.
“It seems the cooperation between Meta and the Irish regulator is well and alive – despite being overruled by the EDPB,” Schrems said.
The addition of the Irish fines mean that Meta’s bill for privacy cases over the past year and a half has passed $1 billion. Even with Meta’s recent decline in profit and metaverse losses, that’s still just a drop in the bucket ®.