Meta was fined €390 million ($414 million) on Wednesday after a top European Union privacy regulator ruled the technology company’s policy of using private user information to personalize ads on Facebook and Instagram violated new data protection laws. The decision, announced by Ireland’s Data Protection Commission (DPC), gives the company three months to comply.
The decision marks the end of a four-year investigation into Meta’s advertising practices, prompted by the 2018 implementation of the EU’s General Data Protection Regulation (GDPR), a wide-ranging consumer protection law. The decision does not outline what specific steps the company must take to change its advertising policy, but the ruling will likely force Meta to ask customers for their consent before targeting ads based on personal data.
Though Meta has said it plans to appeal the decision, the ruling has the potential to strike a major blow to the company’s advertising strategy, Meta’s main revenue source. The possibility of a complete overhaul of its advertising strategy across Europe comes after Meta’s stock value plunged more than 66% in 2022.
A brief history of the GDPR
The General Data Protection Regulation is a landmark data protection bill enacted by the European Union in 2018 that aims to ensure a right to privacy for internet users. Considered one of the world’s strongest sets of data privacy regulations, the sprawling law includes 99 articles outlining a basic digital bill of rights.
The bill includes rules to protect individuals from excessive data manipulation, such as a provision that requires tech companies to identify the minimum amount of personal data they need to fulfill their purpose and not collect anything more. Additionally, the law enshrines the right to access any data collected by a private company, as well as the right to erase any data that is no longer necessary for the purpose it was collected.
The GDPR gives the EU broad authority to fine companies that don’t comply with regulations, ranging from mishandling of personal information to lapses in data security. The bill is noteworthy in adopting a progressive penalty structure, aiming to rein in multi-national, billion-dollar companies by levying fines based on a percentage of the firm’s total global revenues. Penalties can range from 2% to 4% depending on the severity of the offense.
The DPC and Meta, a not-so-brief history of penalties and fines
September 2021: Meta is fined $267 million by the DPC for violations by the Whatsapp messaging app of data protection regulations stipulated by the GDPR.
March 2022: Meta is fined $18.6 million by the DPC for a series of data breaches and security lapses across the company’s services.
September 2022: Meta is fined $430 million by the DPC after regulators rule that the way Instagram handles children’s data violates the GDPR.
November 2022: Meta is fined $275 million by the DPC after the personal data of more than 530 Facebook users was leaked online, including email addresses and phone numbers.
📰More countries are asking Google and Meta to save the news—by paying for it
🌐The genius of GDPR is that it forces companies to police each other