Facebook and Instagram's business model primarily relies on advertising, with a focus on personalised advertising that is tailored to the user's search and browsing behavior. This allows for ads to be highly responsive to individual consumer needs.
To provide such ads, Meta has been collecting personal information from Facebook and Instagram users for years. In order to comply with European privacy regulations (GDPR), Facebook and Instagram required all members to agree to amended terms and conditions. This is where the issue of privacy arises. To fully understand Meta's violation of privacy rules, we have to examine the GDPR legislation.
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force for all EU member states, unifying all the different national privacy regulations of all European member states. The GDPR regulates the protection of the personal data of natural persons. All companies and public authorities processing such data in the EU have since been subject to the obligations of this regulation.
In summary, every organisation must ensure lawful, proper, and transparent processing of personal data. Transparency implies that every organisation informs the data subject about the lawful processing of their personal data. In addition, data processing can only be considered lawful if a legal basis is present. The GDPR provides for 6 legal grounds (also called processing grounds), of which "the consent of the data subject" and "the necessity for the contract to which the data subject is a party" are 2 important ones.
If a company fails to comply with these privacy rules, a fine can be imposed by the Personal Data Authority. The fine can go up to a maximum of 20 million euros or 4% of the global annual turnover if it is a large company.
In addition to a fine of 390 million euros, Meta must bring its data processing for Facebook and Instagram in line with European privacy rules within 3 months. Meta is thus obliged to find another processing basis for its personalised ads. In other words, Meta will be obliged to explicitly seek consent from its users whether they want their data to be used for ads or not. This is a serious blow to Meta's profits in the EU. Meta already announced it will appeal.
This is not the first time big tech companies have been fined for circumventing European privacy laws. Below you can find a chart showing the highest fines imposed for violating the GDPR. Moreover, there are a lot of investigations ongoing against these US tech companies. The cat-and-mouse game between the Data Protection Commission and these companies will continue for a while, but it seems that the companies will have to bury the privacy hatchet at some point. Not only are the fines not to be trifled with, but in the end the companies will be required to comply with privacy laws anyway.
Therefore, it is essential for all companies to take proactive steps to avoid similar situations and recognize the significance of a robust GDPR compliance strategy from the start. This will require providing sufficient resources and recruiting the right data privacy profiles. Adhering to compliance regulations incurs costs, but failing to comply incurs even greater costs.
Want to read more about the topic compliance? See related posts below.
Boulevard Roi Albert II 4 - 1000 Brussels
Spaces Berchem Station Post X
Borsbeeksebrug 34 - 2600 Antwerp
Nederkouter 124 - 9000 Ghent
Rue du Congrès 35 - 1000 Brussels