On 4 January 2023, Meta Ireland Limited (Meta Ireland) was fined €390 million (€210 million in respect of Facebook and €180 million in respect of Instagram) by the Irish Data Protection Authority (Irish DPA) and has been directed to bring its data processing operations into compliance within a period of three months of the decision. Meta Ireland was slapped with these eye-wateringly high fines because it failed to comply with its obligations found at the heart of the EU General Data Protection Regulation (GDPR), specifically that personal data must be processed lawfully, fairly and in a transparent manner, for a suitable legal basis.
The Irish DPA undertook their investigation into Meta Ireland as a result of two complaints filed on 25 May 2018 (the day the GDPR came into force!). It concluded its investigations, but following disagreements between Concerned Supervisory Authorities around the initial draft decision, the European Data Protection Board (the EDPB) issued binding determinations on the matter. The final decision issued concluded that (i) Meta Ireland had not provided sufficient clarity to users around what processing operations were being carried out on users’ personal data, for what purposes and on what legal basis; and (ii) Meta Ireland was not entitled to rely on the “contract” basis for processing personal data for the purposes of behavioral advertising.
Interestingly, the EDPB additionally directed the Irish DPA to conduct a new investigation into all of Meta Ireland’s processing operations and use of special category data. However, there are questions around whether the EDPB has jurisdiction to instruct and direct an authority to engage in an “open-ended and speculative investigation”. It is yet to be seen for Meta whether this is all over, or whether they need to prepare for further investigations and top up their rainy day pot for possible future fines!