Meta: Personal data processed unlawfully

A years-long dispute between Meta, privacy campaigners and Irish and other data protection authorities has come to an end: Meta has been found to have illegally processed users’ personal data. The group must pay a fine of 390 million euros.

Years of contention between the company and the authorities

The case has caused quite a stir in the past, with Ireland’s Data Protection Authority siding with Meta and tolerating the company’s practices. Civil society initiatives have fought against it, as have data protection authorities in other EU countries. As a result, the European Data Protection Council had to be called in to make a binding decision. The subject of the dispute was the processing of personal data by Meta. The company collects various personal data across both Facebook and Instagram to be able to serve you personalized ads. Meta does not obtain separate approval for this, but does refer to the practice in its terms and conditions. The Irish Data Protection Authority found no problem with this, although the EU’s General Data Protection Regulation (GDPR) requires explicit consent.

Data protection activist Max Schrems sued Meta shortly after the GDPR came into effect, resulting in a four-year dispute in which data protection authorities in other EU countries also pushed for an end to Meta’s practice. However, the Irish Data Protection Authority, which has jurisdiction because Meta is headquartered in Ireland, objected. In the end, the European Data Protection Council decided that this practice was illegal – and the Irish authority had to issue a fine accordingly. I have now complied with this decision. The last $1 million fine was imposed on Meta as recently as November.

The consequences for Facebook and Instagram are not clear

Furthermore, the decision means that Facebook and Instagram will have to obtain separate consent to process personal data in the future. A transitional period of three months is granted for this. What this means for services, however, is not clear. Meta’s business model is centrally based on serving personalized ads. If users now refuse to collectively process their personal data, it will not be possible to create a profitable business in the EU. However, Schrems, who sued Meta, posits that restricting services to all those who refuse to have their data processed is not legally permissible. Meta had already hinted at withdrawal from the European Union at the beginning of last year, but later brushed it off. It remains to be seen whether the considerations will now become topical again.

A new dispute broke out

Meanwhile, a new dispute has already erupted between the Irish authorities and other EU data protection authorities. For example, the Irish authority has announced that it will not comply with the European Data Protection Council’s request to investigate Meta’s compliance with relevant regulations in other regions as well. Ireland questions the binding force of this request and has appealed to the European Court of Justice in this regard.