EU privacy regulators instruct Irish DPC to revise decision in Meta rulings

Decision may lead to huge fines against Facebook owner and limit its ability to collect data for ad targeting

The disputes arose after other European regulators raised objections to the DPC’s findings, which were then submitted to the EDPB under its dispute resolution mechanism. Photograph: Dara Mac Dónaill
The disputes arose after other European regulators raised objections to the DPC’s findings, which were then submitted to the EDPB under its dispute resolution mechanism. Photograph: Dara Mac Dónaill

European privacy regulators have instructed the Irish Data Protection Commission (DPC) to issue a revised decision that could significantly limit Facebook and Instagram owner Meta’s ability to gather information from its users to tailor and sell advertising, The Irish Times understands.

This could result in the DPC being forced to issue huge fines against the social media giant. Meta has set aside €2 billion to discharge expected European fines over the next year, company documents filed in Dublin recently revealed.

In what could be a blow for the Irish regulator, Europe’s overarching privacy body, the European Data Protection Board (EDPB), announced on Tuesday that it has adopted three binding dispute resolution decisions concerning Meta Platforms Ireland.

While the details of the board’s decision have not been made public, a source told The Irish Times that the resolutions relate to three decisions the DPC – the lead regulator for Facebook in the European Union because the company is headquartered in Dublin – has made against Meta platforms Facebook, Instagram and WhatsApp over the past year or so under the General Data Protection Regulation (GDPR).

READ MORE

The disputes arose after other European regulators raised objections to the DPC’s findings, which were then submitted to the EDPB under its dispute-resolution mechanism.

The DPC had proposed fining the platforms for not being transparent with users about what Meta does with their data. However, it also found that the social media giant does not necessarily require the consent of its users in order to process their data and that it can rely on the argument that it is fulfilling a contract with its users to provide personalised ads.

Objections to reasoning

A number of regulators, including the Norwegian data authority, objected to this reasoning, which they said would undermine GDPR.

The EDPD has now ruled that EU privacy law does not allow the platforms to use the so-called “contract basis” for collecting data used to target, tailor and sell advertising.

What will the easing of bankers’ pay restrictions do for competition dynamics?

Listen | 46:27

After Finance Minister Paschal Donohoe's surprise move to ease restrictions on pay and bonuses in the banking sector, we look at what it might mean for the three domestic banks and their international competitors. Markets Correspondent, Joe Brennan, also takes us through the rest of the headline-grabbing details in the 220 page Retail Banking Review. Ciaran is also joined by the Irish Times' Karlin Lillington to discuss the €265m fine handed down to Meta this week over its data protection breach. With fines now totalling over €900m, will it have made Mark Zuckerberg sit up and notice?

It means that Meta could be forced to give users the option to opt out of ad targeting, which could deal a consequential blow to its advertising revenues.

The Irish DPC now has one month to adopt the three decisions, which could significantly increase the quantum of fines the regulator recommends against the Meta platforms.

After the revised decision is delivered to the company, Meta can then appeal the decision but it may also face further legal action from individual users over its use of their data.

A spokesman for the DPC said it would not be appropriate to comment on the matter until its revised decision has been made in the next month.

Not final

A spokeswoman for Meta said that Tuesday’s EDPB decision is not final.

“As part of the process, the EDPB can issue a decision on the matter – which is what they have done today,” she said. “This is not the final decision. The final decision is expected in January and will be taken by the IDPC. We will be sharing a statement then.”

Fine time again for Meta so why should we entrust out personal data to the company?Opens in new window ]

PRINCIPAL ANALYST DEBRA AHO WILLIAMSON COMMENTED:

“The EU regulators’ decision, if it is upheld, would have a dramatic impact on Meta’s revenue in Europe, kneecapping its ability to use information about its users’ on-platform activities in order to sell targeted advertising,” said Debra Aho Williamson, an analyst with Insider Intelligence, noting that Europe had already been the region with Meta’s largest losses in users and revenue.

“However, we expect Meta to fight vigorously to defend its business, and it could be months, if not years, before any impact is truly felt.”

The EDPB’s decision relates to three separate DPC rulings: one against Facebook in October 2021 and the other two, against Instagram and WhatsApp, in April this year.

All three decisions were based on 2018 complaints made by Austrian data privacy activist Max Schrems. He argued that Meta used “forced consent” to process personal data, specifically in relation to its terms of services.

It was alleged at the time that users were given a choice between consenting to the terms of service or deleting their Facebook account.

In a statement on his website, Mr Schrems said: “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ answer and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”

Ian Curran

Ian Curran

Ian Curran is a Business reporter with The Irish Times