
Facebook parent company Meta has been slapped with a pair of fines totaling more than $400 million as the Irish privacy regulator concluded the company’s advertising and data handling practices were in breach of EU privacy laws.
The Irish Data Protection Commission said that Meta should be ordered to pay two fines: one, a 210 million euro ($222.5 million) fine over violations of the European Union’s General Data Protection Regulation (GDPR), and the second, a 180 million euro fine related to breaches of the same law by Instagram.
Combined, the penalties amount to 390 million euros ($414 million).
The fines mark the conclusion of two lengthy investigations into Meta by the Irish regulator, which had been criticized over delays in the process. The IDPC began investigating the company on May 25, 2018, the day the EU’s GDPR came into effect.
GDPR places strict requirements on firms with regard to the processing of people’s information. Firms that run afoul of the rules risk facing penalties as high as 4% of global annual revenues.
In the ruling, the DPC said that Meta must bring its data processing operations into compliance within three months. The watchdog is the lead regulatory authority for Meta and several other U.S. tech giants, which hold their headquarters in Ireland.
Meta, which changed its name from Facebook in 2021, said in a statement that it planned to appeal the ruling. The decision does not amount to a ban on personalized advertising and businesses can continue using Meta’s platforms to target users with ads, it added.
Previously, Meta relied on a user’s consent to process their information for the purposes of behavioral ads. However, after the entry into force of the GDPR, the company changed the terms of service for Facebook and Instagram, and switched the legal basis upon which it processes that information to something called “contractual necessity.”
In December, the European Data Protection Board, which coordinates regulatory action on data privacy across the bloc, said that Meta wasn’t entitled to rely on contracts as a legal basis for processing user data for targeted ads, effectively deeming the company’s advertising practices illegal.
The fines imposed by the IDPC were raised substantially from those proposed in a draft decision last October, in which the regulator suggested a levy of between 28 million and 36 million euros.