Ireland’s Data Protection Commission (DPC) hit Meta Platforms with a total fine of €390 million for two separate data breaches, while directing the company to bring its processing operations into compliance within three months.
DPC announced in a statement it had concluded two inquiries into Meta’s data processing operations, for both Facebook and Instagram. For breaches of GDPR related to Facebook, it fined Meta €210 million, and €180 million for Instagram.
The inquires concern two complaints raised in Austria and Belgium about Facebook and Instagram respectively, “each one raising the same basic issues”, made on 25 May 2018, the date GDPR came into operation.
The complaints allege Meta forced users to agree to data processing before being allowed to use Facebook and Instagram, in breach of the newly deployed GDPR rules.
If the users’ did not accept the terms, the services would no longer have been accessible, explained DPC’s statement.
Interestingly, DPC actually did not believe the company had been in breach of GDPR when the complaints were initially raised. However, the issue was escalated to peer regulators in the EU and EEA, before being taken to the European Data Protection Board (EDPB) which ruled that action should be taken.
EDPB has also told DPC to launch a new investigation into all of Facebook and Meta’s data procession operations, placing a focus on the company’s use of personal data.
Meta said in a blog post that it believed its approach was in line with GDPR rules and intended to appeal the fine.
In September 2022, DPC also slapped a €405 million on Meta for alleged violations of rules related to handling teenagers data on Instagram.Subscribe to our daily newsletter Back