Trouble for Meta

Meta has been handed a revised fine by the Irish Data Protection Commission (DPC) after it concluded its enquiries into the company for failure to comply with EU data protection legislation. Meta now faces a fine of around £340m, an increase from the roughly £15m proposed when the DPC announced its initial findings at the end of last year.

The company, which owns Facebook and Instagram, has been monitored since 2018, when initial complaints were raised over the way in which users’ data was being processed. In advance of the introduction of the EU General Data Protection Regulation, Meta sought to update its terms of service to ensure compliance with privacy laws by asking users to accept the updated terms, thereby indicating that they accepted how their personal data would be used for advertisements on both platforms. This meant that the company was relying on contract as a lawful basis under Article 6(b) of the EU GDPR for its processing activities (having previously relied on consent under Article 6(a)).

The new terms meant that any users who did not accept them were unable to use Facebook or Instagram. Complaints were raised over the way in which the company was collecting consent, and the DPC recently concluded that users were being ‘forced’ to accept the new terms of service. The European Data Protection Board also found that the company had violated its transparency obligations by not clearly outlining its legal basis for the processing of users’ personal data.

What does the fine mean and what’s next for Meta?

Meta is now prohibited from gathering users’ personal data to tailor personal ads to its users. This latest decision does not prevent Meta from using non-personal data to personalise adverts and users may still be asked to consent to ads but they must be given the option to withdraw consent at any time. Meta must also limit a user’s ability to use either platform should they opt to withdraw consent. 

The DPC has directed that Meta has three months to ensure its data processing activities are compliant with the EU GDPR. We anticipate that further reports on its progress will be published in due course. Meta is also likely to appeal the decision, as the company says that it strongly believes that its approach respects the EU GDPR and that its appeal will be made on both the substance of the rulings and the fines. 


What should companies be doing to ensure they comply with data privacy rules?

While the decision to fine Meta came as a result of a breach under EU GDPR, the relevant data protection principles remain the same under the UK GDPR. The fine highlights the importance of ensuring compliance with Article 5 of the UK GDPR. Businesses should:

  • Carry out a data mapping exercise to help establish what categories of personal data are being processed and ensure that data remains accurate and up to date;
  • If special category data or criminal conviction data is processed, ensure that the appropriate policy documents are in place;
  • Carry out regular data audits so that compliance with the relevant data protection principles under UK data protection legislation can be demonstrated; and
  • Ensure that the information provided to data subjects is accurate and up to date and reflects what data is being processed and how. This is key to the principle of transparency.

If you require assistance in relation to your company’s data processing activities, including information about determining a lawful basis, please contact me directly. If you would like to stay up to date with our latest articles, legal updates and events, join our data protection hub by going to: https://prettys.co.uk/join-data-protection-hub

Expert
Maria Spencer
Solicitor