European Union regulators on Wednesday hit Facebook parent Meta with hundreds of millions in fines for privacy violations and banned the company from forcing users in the 27-nation bloc to agree to personalized ads based on their online activity.
Ireland’s Data Protection Commission imposed two fines totaling 390 million euros ($414 million) in its decision in two cases that could shake up Meta’s business model of targeting users with ads based on what they do online. The company says it will appeal.
A decision in a third case involving Meta’s WhatsApp messaging service is expected later this month.
Meta and other Big Tech companies have come under pressure from the European Union’s privacy rules, which are some of the world’s strictest. Irish regulators have already slapped Meta with four other fines for data privacy infringements since 2021 that total more than 900 million euros and have a slew of other open cases against a number of Silicon Valley companies.
Meta also faces regulatory headaches from EU antitrust officials in Brussels flexing their muscles against tech giants: They accused the company last month of distorting competition in classified ads.
The Irish watchdog — Meta’s lead European data privacy regulator because its regional headquarters is in Dublin — fined the company 210 million euros for violations of EU data privacy rules involving Facebook and an additional 180 million euros for breaches involving Instagram.
The decision stems from complaints filed in May 2018 when the 27-nation bloc’s privacy rules, known as the General Data Protection Regulation, or GDPR, took effect.
Previously, Meta relied on getting informed consent from users to process their personal data to serve them with personalized, or behavioral, ads, which are based on what users search for online, the websites they visit or the videos they click on.
When GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause to the terms of service for advertisements, effectively forcing users to agree that their data could be used. That violates EU privacy rules.
The Irish watchdog initially sided with Meta but changed its position after its draft decision was sent to a board of EU data protection regulators, many of whom objected.
In its final decision, the Irish watchdog said Meta “is not entitled to rely on the ‘contract’ legal basis” to deliver behavioral ads on Facebook and Instagram.
Meta said in a statement that “we strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.”
Meta has three months to ensure its “processing operations” comply with the EU rules, though the ruling doesn’t specify what the company has to do. Meta noted that the decision doesn’t prevent it from displaying personalized ads, it only covers the legal basis for handling user data.
Max Schrems, the Austrian lawyer and privacy activist who filed the complaints, said the ruling could deal a big blow to the company’s profits in the EU, because “people now need to be asked if they want their data to be used for ads or not” and can change their mind at any time.
“The decision also ensures a level playing field with other advertisers that also need to get opt-in consent,” he said.
Making changes to comply with the decision could add to costs for a company already facing rising business challenges. Meta reported two straight quarters of declining revenue as advertising sales dropped because of competition from TikTok, and it laid off 11,000 workers amid broader tech industry woes.