It all started back in 2018 with the Cambridge Analytica scandal – since then, Facebook (now Meta) and European data protection activists have been arguing about how the GDPR should be applied to platforms. The Irish data protection supervisory authority has presented a decision: Meta, the operator of Facebook, Instagram and WhatsApp, may not use personal data for advertising without asking for consent.
The decision is a major blow to Meta’s business model in Europe.
Background:
With the entry into force of the GDPR 2018, Facebook had inserted a clause into its terms of use where personal advertising was part of the service to the user – a corresponding consent was therefore not necessary.
The Irish data protection supervisory authority DPC initially agreed with Meta, but changed its position after numerous other national data protection supervisory authorities within the EU objected.
The original decision has now been formally revised. The justification: Meta was pressuring its users to accept conditions in the terms of use that were disadvantageous to them, as otherwise the services would no longer be available to them.
The Irish authority is now requiring Meta to change its practices in processing user data within the next three months. This means, among other things, that Meta must obtain consent for personalised advertising and offer its users a “yes/no” option for personalised advertising.
In addition, a massive fine was imposed on Meta: 390€ million (210€ million of the fine would be for the violation of EU directives at Facebook, the remaining 180€ million for violations at Instagram).
Meta responded disappointed: “We firmly believe that our approach respects the General Data Protection Regulation,” the US company stated and announced that it would appeal.