META to pay $414 million to Ireland for GDPR violation
The Irish Data Protection Commission (DPC) announced last week that it would be fining Meta’s Irish branch a combined total of $414 million for violating the EU’s General Data Protection Regulation. Violations from Facebook resulted in $222 million while Instagram was fined $192 million. There is a third case against Meta’s WhatsApp that is yet to be decided.
The decision marks the end of two lengthy investigations into Meta by the Irish commission that have been criticised over delays in execution and potential biases. The inquiry into Meta was launched after Noyb, a privacy advocacy group led by Austrian privacy lawyer Max Schrems filed complaints following the implementation of the GDPR in 2018.
Schrems is one of the people who believe the Irish commission has been working with Meta to delay the process. He says the decision is a major blow to Meta but finds it odd that the fine will go to Ireland, “the state that has taken Meta's side and delayed enforcement for more than four years.”
Schrems says that the DPC has also declined to release the full decision of the ruling to his advocacy group citing confidentiality and yet Noyb was one of the two parties involved in the proceedings.
“In 10 years of litigation I have never seen a decision only being served to one party, but not the other," Schrems said. He said that it makes him think the DPC and Meta are working together to shape the narrative of the decision.
In December last year, the European Data Protection Board (EDBP) had to step in to overturn a decision by the DPC that would allow Meta to Meta to bypass GDPR’s requirement for explicit content by including data use consent into the terms and service.
This might explain why Noyb thinks the state of Ireland is on Meta’s side.
To back their decision the DPC said that they didn’t believe Meta should rely on consent to collect personal data for personalised ads. The EDBP maintains that Meta has to include explicit opt-in and opt-out options for users in their apps.
It appears that the DPC is still backing Meta. After the ruling, the commission announced that it would "bring an action for an annulment" of parts of the EDPB decision before the EU Court of Justice.
The DPC said it was instructed by the EDPB to conduct a new investigation of Facebook and Instagram's data processing operations with a focus on “special categories of personal data that may or may not be processed in the context of those operations." However, the DPC does not believe that the EDPB has the authority to make these demands and so the battle between the two bodies continues.
Meta is expected to bring their data processing operations into compliance in 3 months. However, the company believes that their approach respects the GDPR and have indicated that they will appeal both the substance of the ruling and the fine.