Never-ending cat-and-mouse game between Big Tech and the Data Protection Commission

Late last year, the Data Protection Commission (DPC) imposed a monster fine of a whopping 390 million euros on Meta, the parent company of Facebook and Instagram, for violating European privacy rules (GDPR). The US technology company served users of Facebook and Instagram ready-made personalised ads without explicitly asking for their consent. Meta has already announced it will appeal the decision.

Facebook and Instagram's business model

Facebook and Instagram's business model primarily relies on advertising, with a focus on personalised advertising that is tailored to the user's search and browsing behavior. This allows for ads to be highly responsive to individual consumer needs.

To provide such ads, Meta has been collecting personal information from Facebook and Instagram users for years. In order to comply with European privacy regulations (GDPR), Facebook and Instagram required all members to agree to amended terms and conditions. This is where the issue of privacy arises. To fully understand Meta's violation of privacy rules, we have to examine the GDPR legislation.

GDPR in a nutshell

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force for all EU member states, unifying the different national privacy regulations of the member states. The GDPR regulates the protection of the personal data of natural persons. All companies and public authorities processing such data in the EU have since been subject to the obligations of this regulation.

In summary, every organisation must ensure lawful, proper, and transparent processing of personal data. Transparency implies that every organisation informs the data subject about the lawful processing of their personal data. In addition, data processing can only be considered lawful if a legal basis is present. The GDPR provides for 6 legal grounds (also called processing grounds), of which "the consent of the data subject" and "the necessity for the contract to which the data subject is a party" are 2 important ones.

If a company fails to comply with these privacy rules, a fine can be imposed by the Personal Data Authority. The fine can go up to a maximum of 20 million euros or 4% of the global annual turnover if it is a large company.

Where did Meta go wrong?

Meta believed it was taking a clever approach. After the implementation of GDPR in 2018, Meta modified the terms of service for its Facebook and Instagram services and thus the legal grounds it used to justify the processing of user data. Meta had previously relied on user consent for the processing of personal data as part of its services, including personalised ads. Since the amendment of its terms and conditions, Meta has relied on the legal basis "performance of the contract". All existing and new users were thus required to accept the new terms of use; those who did not were excluded from the social media services. However, the Irish Data Protection Commission (DPC) has ruled that Meta circumvented the consent requirement by moving a consent clause into the terms of use and thus stating that all ads are part of the contractual services.

In addition to a fine of 390 million euros, Meta must bring its data processing for Facebook and Instagram in line with European privacy rules within 3 months. Meta is thus obliged to find another processing basis for its personalised ads. In other words, Meta will be obliged to explicitly ask its users whether they consent to their data being used for ads. This is a serious blow to Meta's profits in the EU. Meta has already announced it will appeal.

The moral of the story

This is not the first time big tech companies have been fined for circumventing European privacy laws. Below you can find a chart showing the highest fines imposed for violating the GDPR. Moreover, there are a lot of investigations ongoing against these US tech companies. The cat-and-mouse game between the Data Protection Commission and these companies will continue for a while, but it seems that the companies will have to bury the privacy hatchet at some point. Not only are the fines not to be trifled with, but in the end the companies will be required to comply with privacy laws anyway.

[Chart: Big Tech Big Fines]

Therefore, it is essential for all companies to take proactive steps to avoid similar situations and recognize the significance of a robust GDPR compliance strategy from the start. This will require providing sufficient resources and recruiting the right data privacy profiles. Adhering to compliance regulations incurs costs, but failing to comply incurs even greater costs.


Authored by Fien Stepman and Kim De Witte - 26 Jan 2023
