Targeted ads by Facebook and Instagram violated EU privacy law, the Irish data regulator has found.
Facebook parent firm Meta has been fined $414 million by Ireland’s data regulator for tracking Facebook and Instagram users’ online activity for advertising purposes. The fine, imposed on Wednesday, brings the total penalties handed to Meta by Dublin to more than $1.3 billion in just over a year.
In a statement on its website, the Dublin-based Data Protection Commission (DPC) announced that Meta would be fined €210 million ($222.5 million) for breaches relating to Facebook, and €180 million ($191 million) for breaches related to Instagram, adding up to $416 million.
A separate investigation involving the Meta-owned WhatsApp messaging service is still underway.
Facebook and Instagram gathered information on users’ browsing history to target them with personalized ads, the DPC explained. When the EU’s General Data Protection Regulation (GDPR) came into force in 2018, Meta changed its terms of service, effectively forcing Facebook and Instagram users to consent to their data being harvested. The DPC found that this change violated the GDPR.
Meta said in a statement that it plans to appeal the rulings and the fines.
Austrian lawyer Max Schrems, who filed the complaints against Meta in 2018, said the ruling could damage the firm’s EU profits, because “people now need to be asked if they want their data to be used for ads or not” and can withdraw their consent at any time.
The DPC has fined Meta a total of $1.36 billion since October 2021. The tech giant was hit with a $275 million penalty in November for a Facebook data breach affecting more than half a billion users. Meta was also forced to pay out $420 million in September, $17 million in March, and around $233 million in October 2021 for various violations.
Most major tech firms, including Google, Apple, Facebook, and Twitter, have their EU headquarters in Ireland, owing largely to the country’s low corporate tax rate. Accordingly, it has fallen on the DPC to ensure that these companies comply with the GDPR.
However, a 2021 report by the Irish Council for Civil Liberties found that, at the time of publication, the DPC had not yet taken action in 98% of GDPR cases referred to Ireland. “EU GDPR enforcement against Big Tech is paralyzed by Ireland’s failure to deliver draft decisions on major cross-border cases,” the account read.