Ireland's Data Protection Commission imposed two fines totaling 390 million euros in a decision that could shake up Meta's business model targeting users with ads based on what they do online.
The watchdog fined Meta 210 million euros for violations of the European Union's strict data privacy rules involving Facebook and an additional 180 million euros for breaches involving Instagram.
The fines were made under the General Data Protection Regulation, or GDPR. Previously, Meta relied on getting informed consent from users to process their personal data to serve them personalised, or behavioral, ads. But when GDPR came into force, the company changed the legal basis under which it processes user data by adding a clause to the terms of service for advertisements, effectively forcing users to agree that their data could be used. That violates EU privacy rules.
The Irish watchdog initially sided with Meta but changed its position after the draft decision was sent to a board of EU data protection regulators, many of whom objected.
In its final decision, the Irish watchdog said Meta "is not entitled to rely on the 'contract' legal basis to deliver behavioral adverts on Facebook and Instagram."
Meta said in a statement that "we strongly believe our approach respects GDPR, and we're therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines."
The Irish watchdog is Meta's lead European data privacy regulator because its regional headquarters is in Dublin.