Meta has been fined €390m ($414m) for violating EU data rules. The fine was handed down by the Irish Data Protection Commission (DPC) following complaints made by privacy campaigner Max Schrems in 2018.
Following the passing of the EU’s General Data Protection Regulation (GDPR), both Facebook and Instagram asked users to accept updated terms of service about how their data is used for ads. The platforms did not give users a choice; either they accepted or they could no longer use the platforms.
Schrems filed a complaint on behalf of two users in Austria and Belgium who argued that Meta (then Facebook) was forcing them to allow their data to be used for targeted ads.
The DPC ruled that Meta cannot “force consent” by saying that users have to accept its terms or stop using its platforms.
Meta argued that Instagram and Facebook are “inherently personalized” and that targeted ads are a “necessary and essential part” of the working of the platforms. The company said it was not forcing users to accept its terms, rather the platforms cannot work without data being used for targeted ads.
But the DPC said that the company was forcing users to consent and it was not transparent with users about how their data would be used and why.
Meta spokesperson Andy Stone tweeted that the company would appeal the decision.
Schrems wrote in response to the decision: “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not.
“They must have a ‘yes or no’ option and can change their mind at any time.”
Last month, the DPC fined Meta €265m ($281m) over a data breach that resulted in the personal data of hundreds of millions of Facebook users being published on the internet.