Jan. 4 (UPI) — Meta, the parent company of Facebook and Instagram, has been found in violation of European Union privacy laws for its handling of user data.
The Irish Data Protection Commission announced two fines against Meta Ireland on Wednesday, totaling about $414 million. The first fine is in regards to Facebook violating General Data Protection Regulation rules. The second is for similar violations through Instagram.
“Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months,” a press release from the IDPC said.
The DPC investigated complaints made in 2018, relating to both social media platforms, one from Austria and another from Belgium. Facebook and Instagram were accused of requiring users to consent to its data processing practices to use the services, in essence “forcing” their consent.
Data was then used by advertisers to engage in “behavioral” and “personalized” advertising targeted at users.
The DPC determined that Meta Ireland breached transparency requirements by not clearly defining what was being done with user data upon consent. It also found that Meta relied on the presumption that users were entering a contract by using its services, which Meta used to reason that it could process data without consent.
The agency said the personalized services tailored to users by processing their data is not necessary to provide service.
The DPC and GDPR were unable to reach a consensus on the findings alone. The European Data Protection Board was consulted and the terms of sanctions against Meta Ireland were changed, increasing the severity of fines to $414 million. The requirement for Meta to bring its practices into compliance within three months also remained as part of the sanctions.
“There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal basis is most appropriate in a given situation has been ongoing for some time,” Meta told CNBC through a spokesperson.
“That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioral ads given the nature of our services. As a result, we will appeal the substance of the decision.”
The EDPB directed the DPC to launch a new, full investigation into Facebook and Instagram data processing practices.