Jan 05, 2023Ravie Lakshmanan
The Irish Data Protection Commission (DPC) has fined[1]
Meta Platforms €390 million (roughly $414 million) over its
handling of user data for serving personalized ads in what could be
a major blow to its ad-fueled business model.
To that end, the privacy regulator has ordered Meta Ireland to
pay two fines – a €210 million ($222.5 million) fine over
violations of the E.U. General Data Protection Regulation (GDPR[2]) related to Facebook,
and a €180 million ($191 million) for similar violations in
Instagram.
The latest enforcement comes in the wake of concerns that the
social media company used its Terms of Service to gain users’
forced consent to allow targeted advertising based on their online
activity. The complaints were filed on May 25, 2018, the date when
GDPR came into effect in the region.
It also arrives a month after the European Data Protection Board
(EDPB), an independent body that oversees the consistent
application of GDPR in the E.U., announced[3]
that it had reached binding decisions[4]
with regards to the matter.
The DPC ruling means that Meta is no longer allowed to rely on
contracts – i.e., accepting its Terms of Service – as a legal basis
for processing personal data for behavioral advertising,
effectively deeming the company’s advertising practices
illegal.
“Meta Ireland is not entitled to rely on the ‘contract’ legal
basis in connection with the delivery of behavioral advertising as
part of its Facebook and Instagram services, and that its
processing of users’ data to date, in purported reliance on the
‘contract’ legal basis, amounts to a contravention of Article 6 of
the GDPR,” the DPC said.
While Meta has argued that tailoring the ads it offers based on
data it has about users’ online behavior is a necessary part of the
personalized service it offers, the company has three months to
bring its data processing operations into compliance.
“Instead of having a ‘yes/no’ option for personalized ads, they
just moved the consent clause in the terms and conditions,” NOYB’s
Max Schrems, whose privacy non-profit filed the original complaint
against Meta, said[5]. “This is not just
unfair but clearly illegal.”
Meta, which has already suffered a decline in ad revenue over
the past year in part due to Apple’s privacy changes in iOS[6]
last year that require apps to ask for permission before tracking
users, said it was “disappointed” by the decision and that it
“strongly” believes its approach respects GDPR. The firm intends to
appeal the DPC’s findings.
“It’s important to note that these decisions do not prevent
personalized advertising on our platform,” the company pointed out[7]. “The decisions relate
only to which legal basis Meta uses when offering certain
advertising.”
The tech giant further characterized the suggestion that it can
no longer offer personalized ads to European users without their
opt-in approval as “incorrect,” stating there has been a lack of
regulatory clarity on the issue.
These new financial penalties add to a pile[8]
of privacy fines[9]
for Meta in Europe and the U.S. last year. In late December 2022,
it also agreed to pay $725 million[10] to settle a
class-action lawsuit that accused the company of giving
third-parties access to user data without their permission.
The class action lawsuit was prompted in 2018 after Facebook
disclosed that the information of 87 million users was improperly
shared with Cambridge Analytica, a British political consultancy
firm that used the harvested data to inform political
campaigns.
Apple is fined €8 million by France’s CNIL
In a related development, France’s privacy watchdog, the
Commission nationale de l’informatique et des libertés (CNIL), has
hit Apple with a €8 million fine[11] for not obtaining
iPhone users’ consent in iOS 14.6 prior to using identifiers to
present targeted ads.
“In addition, the user had to perform a large number of actions
to disable this setting since this possibility was not integrated
into the initialization path of the phone,” the agency said.
Apple said[12] it plans to appeal the
case, noting that it provides users “with a clear choice as to
whether or not they would like personalized ads.” It also stated
that the service only relies on first-party data.
Found this article interesting? Follow us on Twitter [13] and LinkedIn[14] to read more exclusive
content we post.
References
- ^
fined
(www.dataprotection.ie) - ^
GDPR
(en.wikipedia.org) - ^
announced
(edpb.europa.eu) - ^
binding
decisions (www.wsj.com) - ^
said (noyb.eu) - ^
privacy
changes in iOS (thehackernews.com) - ^
pointed
out (about.fb.com) - ^
pile
(thehackernews.com) - ^
privacy
fines (thehackernews.com) - ^
pay
$725 million (thehackernews.com) - ^
€8
million fine (www.cnil.fr) - ^
said
(twitter.com) - ^
Twitter
(twitter.com) - ^
LinkedIn
(www.linkedin.com)
Read more https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html