The Data Protection Commission (DPC) was unable to fine Facebook and Instagram on the basis of profits earned from illegal data processing, a stance critics say may have deprived the Irish exchequer of a multibillion windfall.
In a revised decision forced by Europe’s highest data body, based on challenges by other regulators, the DPC has fined Facebook and Instagram €390 million in total for breaching European data rules (GDPR).
The fines, for breaches of transparency provisions and for using a flawed legal basis for data processing, were 561 per cent higher than the €59 million in fines the DPC originally proposed in a 2021 draft decision.
Though the DPC decision may be appealed, any eventual fines will fall to the State. They could have been considerably higher than €390 million given GDPR allows for fines of up to 4 per cent of global revenue in one financial year.
Drawing on accounts for 2021, Facebook and Instagram had joint revenues €153 billion, largely earned with behavioural advertising based on user data, meaning a theoretical maximum fine of €6.12 billion.
In its revised decision, the fines imposed by the DPC on Facebook and Instagram specifically for illegal data processing amounted to €60 million and €50 million respectively.
But in the e European Date Protection Board’s (EDPB) binding decision, published this week, the body asked the Irish regulator to ascertain how much money Meta made from illegal data collection since May 2018, when the complaint in question was filed.
In her final decision published last week, Irish commissioner Helen Dixon does not appear to have followed this request, writing that the EDPB provided “no directions ... as to the manner in which the Commission might seek to ascertain an estimation of ... the financial benefit”.
“In the absence of directions, the Commission is unable to ascertain an estimation of the matters identified above,” she added.
‘Major factor’
The Irish Times asked the DPC how it calculated its fines, and whether it had examined the level of Meta profits based on illegal data collection, but did not receive answers.
Austrian privacy campaigner Max Schrems, whose noyb privacy group filed the 2018 complaint, said the Irish regulator was “effectively rewarding Facebook and Instagram for breaking the law”.
According to Schrems’s calculations, based on public filings, Meta companies of Facebook, Instagram and WhatsApp earned €72 billion between 2018 and the third quarter of 2022, largely in advertising revenue.
“It is amazing that the DPC did not consult public information or use its powers to ask Meta for the profits, instead the DPC ignored this major factor when determining the fine,” he added.
Among many critical EDPB submissions, the Dutch data regulator argued that the original proposed DPC fines of €59 million were dwarfed by Meta revenues of approximately $228 million (€211 million) daily.
“Instead of dissuading future behaviour,” it argued, “the penalty would be simply regenerated in a few hours.”
In submissions cited in the EDPB report, Meta argued that turnover is “not a relevant consideration when determining the amount of the fine” and that reputational cost should also be taken into consideration.
The Irish DPC said Meta Ireland had a “genuinely held belief” it was adhering to EU law and that fines should reflect the fact that any breaches were neither intentional nor knowing.
The EDPB argued in its decision that turnover was just one factor in determining an appropriate fine but said that, to have a “sufficient deterrent effect ... the fine must not be negligible” of a firm’s “financial capacity”.
Many regulators insisted the original proposed DPC fines did not reflect the seriousness of the claims and that the Irish regulator presented no reasoning as to why its proposed fines were are commensurate.
The Swedish and German regulators pointed to similar decisions elsewhere justifying higher fines, including a Luxembourg data regulator fine of €746 million against Amazon.