Facebook and Instagram's business model primarily relies on advertising, with a focus on personalised advertising that is tailored to the user's search and browsing behavior. This allows for ads to be highly responsive to individual consumer needs.
To provide such ads, Meta has been collecting personal information from Facebook and Instagram users for years. In order to comply with European privacy regulations (GDPR), Facebook and Instagram required all members to agree to amended terms and conditions. This is where the issue of privacy arises. To fully understand Meta's violation of privacy rules, we have to examine the GDPR legislation.
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force in all EU member states, replacing the member states' differing national privacy regulations with a single framework. The GDPR regulates the protection of the personal data of natural persons. All companies and public authorities processing such data in the EU have since been subject to the obligations of this regulation.
In summary, every organisation must ensure lawful, proper, and transparent processing of personal data. Transparency implies that every organisation informs the data subject about the lawful processing of their personal data. In addition, data processing can only be considered lawful if a legal basis is present. The GDPR provides for 6 legal grounds (also called processing grounds), of which "the consent of the data subject" and "the necessity for the contract to which the data subject is a party" are 2 important ones.
If a company fails to comply with these privacy rules, a fine can be imposed by the Personal Data Authority. The fine can go up to a maximum of 20 million euros or 4% of the global annual turnover if it is a large company.
Meta believed it was taking a clever approach. After the implementation of the GDPR in 2018, Meta modified the terms of service for its Facebook and Instagram services, and with them the legal basis it used to justify the processing of user data. Meta had previously relied on user consent for the processing of personal data as part of its services, including personalised ads. Since the amendment of its terms and conditions, Meta relied on the legal basis "performance of the contract". All existing and new users were thus required to accept the new terms of use; those who did not were excluded from the social media services. However, the Irish Data Protection Commission (DPC) has ruled that Meta circumvented the consent requirement by moving a consent clause into the terms of use and thereby declaring all ads to be part of the contractual services.
In addition to a fine of 390 million euros, Meta must bring its data processing for Facebook and Instagram in line with European privacy rules within 3 months. Meta is thus obliged to find another processing basis for its personalised ads. In other words, Meta will have to explicitly ask its users for consent to use their data for ads. This is a serious blow to Meta's profits in the EU. Meta has already announced that it will appeal.
This is not the first time big tech companies have been fined for circumventing European privacy laws. Below you can find a chart showing the highest fines imposed for violating the GDPR. Moreover, many investigations against these US tech companies are still ongoing. The cat-and-mouse game between the data protection authorities and these companies will continue for a while, but it seems that the companies will have to bury the privacy hatchet at some point. Not only are the fines not to be trifled with, but in the end the companies will be required to comply with privacy laws anyway.
Therefore, it is essential for all companies to take proactive steps to avoid similar situations and recognize the significance of a robust GDPR compliance strategy from the start. This will require providing sufficient resources and recruiting the right data privacy profiles. Adhering to compliance regulations incurs costs, but failing to comply incurs even greater costs.