Meta: Personal data processed unlawfully

A years-long dispute between Meta, privacy activists, the Irish and other data protection authorities has come to an end: Meta was found to have unlawfully processed users’ personal data. The group must pay a fine of 390 million euros.

Years of dispute between company and authorities

The case has caused quite a stir in the past, with the Irish Data Protection Authority siding with Meta and tolerating the company’s practice. Civil society initiatives fought against it, as did data protection authorities in other EU countries. As a result, the European Data Protection Board had to be called upon to bring about a binding decision. The subject of the dispute was the processing of personal data by Meta. The company collects numerous personal data via both Facebook and Instagram in order to be able to offer personalized advertising. Meta does not obtain separate consent for this, but refers to the practice in its terms and conditions. The Irish data protection authority saw no problem in this, although the EU’s General Data Protection Regulation (GDPR) requires explicit consent.

Data protection activist Max Schrems sued Meta shortly after the GDPR came into force, resulting in a four-year dispute in which data protection authorities in other EU countries also pushed to end Meta’s practice. However, the Irish data protection authority, which has jurisdiction because Meta’s headquarters are in Ireland, objected. Ultimately, the European Data Protection Board ruled that the practice was illegal – and the Irish authority had to issue a fine accordingly. It has now complied with this decision. The last million-dollar fine against Meta was imposed as recently as November.

Consequences for Facebook and Instagram unclear

Furthermore, the decision means that Facebook and Instagram will have to obtain separate consent for the processing of personal data in the future. A transitional period of three months is granted for this. What this means for the services, however, is unclear. Meta’s business model is centrally based on offering personalized advertising. If users now reject the processing of their personal data en masse, a profitable business in the EU will no longer be possible. However, Schrems, who had filed a lawsuit against Meta, assumes that restricting services for all those who refuse the processing of their data is not legally permissible. Meta had already hinted at a withdrawal from the EU at the beginning of last year, but later discarded it. Whether the considerations will now become topical again remains to be seen.

New dispute flared up

A new dispute between the Irish and the other data protection authorities of the EU has meanwhile already flared up. For example, the Irish authority has announced that it will not comply with the European Data Protection Board’s request to investigate Meta’s compliance with relevant regulations in other areas as well. Ireland is questioning the binding force of this request and has appealed to the European Court of Justice in this regard.