On Wednesday, Meta Ireland was issued €210 million and €180 million fines by the Irish watchdog for breaches of the EU General Data Protection Regulation (GDPR) relating to its Facebook and Instagram services respectively. The court ruled that Meta is not transparent enough to users about its data usage, and that it “forces” users to consent to their data being used for personalised services and advertising.
The Data Protection Committee has given Meta three months to become GDPR compliant. This ruling, the latest Meta has faced in a litany of fines over data issues, is expected to have serious consequences for the company’s advertising, which provided 98% of the company’s revenue between July and September 2022.
The enquiry was launched in May 2018, when GDPR came into force. The case was brought forward by NOYB, a non-profit organisation focussed on digital rights in the EU, and had an Austrian and a Belgian complainant, in response to Meta’s updated Terms of Service. In anticipation of GDPR, Meta changed its Terms of Service for Facebook and Instagram. Crucially, if a user chose not to accept the new Terms, they would no longer have access to Facebook or Instagram.
According to GDPR, any data processing must comply with one of six legal bases. On updating their Terms of Service, Meta flagged that they would now be changing some of its bases to reflect this.
Where they had previously relied exclusively on “consent”, Meta now sought to rely on “contract” for most of its data processing operations. They argued that on accepting the Terms of Service, a user entered into a contract.
They also argued that personalised services and behavioural advertising were central to Facebook and Instagram, and that processing users’ data in connection with delivery of this was necessary in order to uphold the contract.
Conversely, the complainants argued that, in fact, Meta still was looking to rely on consent as its lawful basis, and that, by making accessibility to Meta’s services contingent on accepting the updated Terms of Service, Meta was “forcing” them to consent to the processing of their data for behavioural advertising and other personalised services. This, they claimed, was in breach of the GDPR.
At first, the Data Protection Commission found Meta in breach of GDPR through lack of transparency, but accepted the validity of Meta of relying on “contract.”
Ultimately, however, they were overruled by the European Data Protection Board (the EDPB), who found that Meta was not entitled to rely on the “contract” legal basis for its processing of personal data for behavioural advertising, ruling in favour of the complainants.
Related articles: Google vs. ChatGPT: Who Really Knows Best? | Meta to Pay Millions for Data Leak That Enabled Psychological Political Warfare | Should Twitter Have Moderated the Story About Hunter Biden’s Laptop? | The EU Hosted a ‘Gala’ Party in the Metaverse. Here’s How it Went |TikTok: China’s One-Way Mirror on the World?
This court case has uncovered some tension between European data protection bodies.
The European Data Protection Board ordered the Irish Data Protection Commission to conduct a fresh investigation which would span all of Facebook’s and Instagram’s data processing operations.
However, the Data Protection Commission has rejected this, stating that “It is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.” To this end, the Data Protection Commission intends to bring an action for annulment before the EU’s Court of Justice.
The fine itself is not necessarily remarkable. After all, Meta seems to be raking in a slew of fines related to data usage. In 2022 alone, Meta paid a total of €687 million in fines to the Data Protection Commission across three separate enquiries. This made up more than 80% of the Data Protection Commission’s fines that year. Across the Atlantic, the tech company paid $725 million to settle the Cambridge Analytica privacy scandal late last month.
What could be significant, however, is the ruling’s impact on personalised advertising, and the future of Meta.
It’s no secret that Meta draws most of its revenue from advertising. In Meta’s third quarter in 2022, advertising revenue made up $27.714 billion out of Meta’s total $27.237 billion. However, the company’s hold on advertising seems to be weakening, as new privacy policies come into play hitting the tech industry.
Changes to Apple’s privacy policy, as part of their privacy-centric branding, were a serious hit to the tech giant in 2021. The changes limited the data tracking capabilities of advertisers, and allowed iOs users to opt out of data sharing.
With 62% of iPhone users opting out, this amounted to a $10 billion loss to Meta in sales revenue, nearly 8% of Apple’s yearly revenue. Following this, Meta stock dropped 26%, compared to 18% for Snap (Snapchat’s parent company), 11% for Pinterest, and 8% for Twitter.
This discrepancy may be partly accounted for by flattening interest in the platform. Still, less than two months ago, Zuckerberg had to make more than 11,000 of the company’s staff redundant due to a post-pandemic downturn in online activity, after over-investing at the start of the pandemic.
Although GDPR only applies in the European Union, this ruling could have a real impact on Meta’s global privacy policy. Many tech companies choose to apply the EU’s data policy globally rather than come up with a separate, stricter privacy policy for Europe.
Simultaneously, advertising competition has been rising across the Internet. In December 2022, Meta’s and Alphabet’s (Google’s parent company) combined share of US advertising revenues dropped below 50% for the first time, to 48.4%. This is predicted to decline to 43.9% in 2024, as Apple, Amazon, and especially Tik Tok have all emerged as serious competitors.
Recently, much of Meta’s attention has been focussed on the “metaverse”, with Zuckerberg spending $10 billion on the project’s development each quarter. If the metaverse, something like a virtual reality rendering of the Internet, goes ahead, then its revenue may be more diversified, dealing in the sale of virtual goods and real estate. However, so far, investors don’t appear to be quite sold on the metaverse, and may be focussed on the more immediate issues.
Overall, this ruling by Ireland’s Data Protection Commission may have considerable implications that extend beyond the EU. Meta may be forced to seriously reconsider a large portion of its advertising revenue, and the modes of generating it.
Editor’s Note: The opinions expressed here by the authors are their own, not those of Impakter.com — In the Featured Photo: European Parliament’s leaders meet Mark Zuckerberg to discuss privacy in 2018, just before GDPR’s implementation. Featured Photo Credit: European Parliament