Meta Platforms
According to E.U. regulators, Meta effectively forces all users on its platforms to agree to data collection by including permissions in its terms of service.
"Users had insufficient clarity as to what processing operations were being carried out on their personal data," regulators with Ireland's Data Protection Commission (DPC) wrote in the announcement.
In 2018, the E.U. introduced the General Data Protection Regulation (GDPR), a law that requires online businesses to get consent from users before collecting their data. For violations of the GDPR on Facebook, Meta is being fined $223, while its violation on Instagram led to $191 million in fines.
"We strongly believe our approach respects G.D.P.R., and we're therefore disappointed by these decisions," Facebook wrote in a statement.
Meta wrote in a blog on its site that it plans on appealing the ruling and the fines against it. While the fines represent a drop in the bucket for Meta, the ruling may force it to make significant changes to its advertising policies in the E.U., threatening a significant portion of its ad revenue.
Made up of 27 nations and around 450 million people, the E.U. is one of Meta's largest markets. The bloc represents 5% to 7% of Meta's overall advertising revenue, which totalled $118 billion in 2021.
The ruling doesn't stipulate any specific actions that Meta needs to take, and the tech giant has three months to lay out its plan for coming into compliance with the law.
"It's important to note that these decisions do not prevent personalised advertising on our platform," Meta wrote on its site. "The decisions relate only to which legal basis Meta uses when offering certain advertising."
Privacy advocates have been calling on regulators to do more to enforce the GDPR, but there has been disagreement amongst authorities about how the law should be applied.
Initially, regulators in Ireland, where Meta's E.U. headquarters are located, ruled that Meta's inclusion of permissions in its terms of service was enough to comply with the GDPR. However, a board with representative from all E.U. member-nations later overruled that decision.
"There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal basis is most appropriate in a given situation has been ongoing for some time," Meta wrote.
Regarding whether or not the GDPR is being enforced too broadly, there are supporters on both sides of the argument .
The head of Ireland's DPC, Helen Dixon, told reporters that regulators shouldn't give in to demands from activists, calling on authorities to act as an "honest broker".
"We won't achieve results by simply seeking to rewrite the G.D.P.R. as we would have liked to have seen it written," Dixon said.
On the other hand, privacy advocates say that regulators aren't doing enough to work through the thousands of complaints made regarding data protection violations.
"On paper you have all these rights, but in reality the enforcement is just not happening," said Max Schrems, an Austrian data-protection activist and head of the nonprofit organization NOYB.
NOYB was responsible for the complaint that resulted in the recent decision against Meta.
This case is just one of the E.U.'s many investigations into Meta's actions surrounding data collection and allegedly anticompetitive practices. If regulators side against the tech company, it could be facing billions of dollars worth of fines.