January 9, 2023

Ireland’s Data Protection Commission fines Meta more than $400 million for alleged GDPR breaches

On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced two fines – totaling €390 million ($414 million) – against Meta Platforms Ireland Ltd. (“Meta Ireland”).  The DPC alleged that, as the parent of Facebook and Instagram, Meta Ireland violated the General Data Protection Regulation (“GDPR”) by enabling “behavioral advertising” as a condition of service on each such platform.  In addition to the monetary penalty, the DPC directed Meta Ireland to bring its data processing operations into compliance with the GDPR within three months.

In particular, the DPC determined there was “insufficient clarity” regarding the legal basis under which Meta Ireland processed personal data (per GDPR Article 6) and the purposes for such processing operations.  The DPC rejected the contention that Meta Ireland’s processing of personal data for behavioral advertising was lawfully subject to a contractual relationship, asserting instead that users’ acceptance of the Terms of Service constituted a form of “forced consent.”  The DPC acknowledged, in principle, that the GDPR does not preclude reliance on a contract as a legal basis; however, it found that Meta Ireland’s argument could not be sustained in this instance. 

In response, Meta released a statement strongly disagreeing with the DPC’s decision, and expressing its intent to appeal both the substantive findings and the fines.  Moreover, the statement underscored that the decision did not preclude personalized advertising on Meta platforms, but rather, the decision pertains only to the legal basis under which Meta offers such advertising. 

DPC Press Release | Meta Statement