Facebook fined €390 mn for breaching EU privacy law: Why is the ruling significant?

The Irish DPC said EU authorities had concluded that the legal permission that Meta sought from users to collect their data for personalised advertising as part of its lengthy terms-of-service agreement essentially forced them to accept personalised ads, in violation of the GDPR. It said that Meta has to bring its data processing operations “into compliance within three months”.

The DPC ruling builds on a December statement by the European Data Protection Board — the body that oversees regulatory action on data privacy across the 27-nation bloc — that Meta was not entitled to simply rely on contracts as a legal basis for processing user data for targeted advertisements.

Why did the ruling come from the Irish regulator?

As per the GDPR, cross-border cases are to be handled by the data-protection authority in the country where the company is based, with the result that the Irish DPC is the lead regulatory authority for Meta and a number of other US tech majors that have their headquarters in Ireland.

Significance of the ruling

* One, this case is particularly significant given that the Irish DPC began investigating Facebook on May 25, 2018 — the day the GDPR came into effect. So, in a way, the outcome of the case buttresses the overarching theme of the EU’s landmark legislation: the right of the individual over her data and the need for a person to give explicit consent before their data can be processed.

* Two, this fine comes at a time when Meta’s forecasts for profits in 2023 have fallen nearly 50 per cent, according to data from Bloomberg. The company’s much-hyped Metaverse push is struggling, and the performance numbers reflect signs that both users and advertisers are moving away from the platforms (with perhaps the exception of Instagram Reels and messaging platform WhatsApp). And Meta, which changed its name from Facebook in 2021, has seen its share price tumble by nearly 60 per cent since the rebranding.

Also, in monetary terms, the fines imposed by the DPC ended up being substantially higher than a levy of €28-36 million that was proposed in a draft decision in October.

* Three, and perhaps most importantly, the DPC’s decision could imply that Meta would have to tweak its apps over the next three months to ensure that they do not leverage personal data for advertising. That could be a big blow to the company in terms of how its advertising model works: Meta earlier relied on a user’s consent to process this information for the purposes of behavioural ads, but tweaked the terms of service for both Facebook and Instagram on the processing of the information after the GDPR kicked in.

But these changes, activists allege, essentially forced users to accept the processing of their information for ad targeting for essentially using the platforms. All this has to be modified now to ensure compliance with the DPC ruling.

Impact of the ruling

It is possible that this ruling could force Meta to explicitly ask users in the EU if they want their data to be used for personalised ads or not. Essentially, it could mean Meta would have to get an “opt-in consent”, much like other advertisers operating in the EU have to do currently. Meta said in a statement after the January 4 ruling that it planned to appeal, and that the decision “does not amount to a ban on personalized advertising” and businesses can continue using Meta’s platforms to target users with ads.

This forced change for Meta comes on top of the blow to its digital advertising business that was delivered by Apple last year, which made it tougher for iPhone apps to track the online activity of users. Meta has said that Apple’s changes could cost it $10 billion in revenue losses in 2022, and could have implications for the coming years as well.

Also, the DPC ruling follows other regulatory action that Meta is facing. The US Federal Trade Commission is suing the company for alleged abuse of its “monopoly” in social networking, and the Commission is already scrutinising Meta’s proposed acquisition of Within, a maker of virtual reality fitness applications. In October, regulators in the UK ordered Meta to reverse its purchase of animated image maker Giphy that it had bought in 2020, according to data compiled by the Economist.

The likely ripple effect

Given that the EU is the de facto global technology regulator, the rulings based on the GDPR’s broader tenets could have resonance across geographies, including India. While the GDPR, which according to Graham Greenleaf, professor of Law & Information Systems at the University of New South Wales, has substantially influenced legislation in nearly 160 countries, is clearly focused on privacy and requires individuals to give explicit consent before their data can be processed, companies such as Meta have to now also contend with a pair of sub-legislation — the Digital Services Act (DSA) and the Digital Markets Act (DMA) — that take off from the GDPR’s overarching focus on the individual’s right over her data.

The DSA focuses on issues such as regulating hate speech, counterfeit goods etc., while the DMA defines a new category of “dominant gatekeeper” platforms, and is focused on non competitive practices and the abuse of dominance by these players.

The regulatory action against social media platforms could have a resonance in India too, where the government is currently working on a policy framework for the tech sector, which includes the new personal data protection bill that was unveiled late last year, a comprehensive digital India Act that would eventually replace the existing IT Act, and the new telecom Bill that was put in the public domain in October 2022.