In this new decision, the Irish Data Protection Commission ( DPC ), which acts on behalf of the European Union (EU), considers that the digital giant has not respected its "transparency obligations" .
In addition, Meta relied on an incorrect legal basis "for its processing of personal data for service improvement and security purposes ," the regulator continued in a statement, giving the Californian group six months to "bring its data processing operations into compliance . "
Read also: Article reserved for our subscribers Personal data: Meta ordered to change its practices in Europe
Similar patterns
The sanction is based on similar grounds to the one overseas chinese in australia data announced in early January targeting social networks Facebook and Instagram. But the previous decision also accused these Meta subsidiaries of failings related to the processing of personal data for targeted advertising purposes, a decision likely to deal a blow to the group's advertising revenues. Meta immediately announced its intention to appeal and was quick to add that the sanction did not prevent targeted or personalized advertising.
The fine is much lower this time, in particular because it does not relate to targeted advertising, but also because "the DPC had already imposed a very substantial fine of 225 million euros on WhatsApp" for facts which related "to the same period" , she argues.
Read also: Article reserved for our subscribers Meta layoffs a setback for Mark Zuckerberg
The regulator had in fact imposed a heavy sanction on WhatsApp in September 2021 for failing to meet its transparency obligations, in particular on data transfers to other companies in the group.
The Irish police also fined Meta €405 million in September for failings in the processing of minors' data, and €265 million in November for failing to adequately protect its users' data.
The new fines imposed in January follow the adoption in early December of three binding decisions by the European Data Protection Board (EDPB), the European regulator of the sector.
Penalty much too weak
The privacy protection association Noyb, which filed three complaints against the group on May 25, 2018, the date the GDPR came into force, had accused Meta of reinterpreting consent "as a simple civil law contract" , which does not allow, in particular, to refuse targeted advertising.
The World
Special offer for students and teachers
Access all our content unlimited from €6.99/month instead of €12.99.
Subscribe
The Irish data protection authority has jurisdiction to act on behalf of the EU because Meta's European headquarters are in Ireland, like many Silicon Valley giants, whose presence is crucial to the Irish economy.
The DPC is showing more benevolence than its peers: in October 2021, it proposed a draft decision that validated the legal basis used by the group and suggested a fine of up to 36 million euros for Facebook and at least 23 million for Instagram for lack of transparency.
The French CNIL and other regulators had expressed their disagreement, considering this sanction much too weak. They had asked the EDPB to judge the dispute, and the latter agreed with them on the question of the legal basis.
