DPC imposes €390 million fine to Meta over GDPR breaches on targeted advertising
The Data Protection Commissioner (the DPC) recently issued two decisions imposing Meta Platforms Ireland Limited (Meta) a hefty fine of €390 million over the use of personal data for targeting ad practices employed by Facebook and Instagram respectively.
The DPC found that Meta’s reliance on the ‘contract’ legal basis in relation to the personal data processing for ad targeting on Facebook and Instagram amounted to a breach of Article 6 of the GDPR. In particular, Meta argued that it relied on contract as a legal basis as on accepting Meta’s updated Terms of Service, as “a contract was entered into” with the users and the “processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising”.
Subsequent to that, the DPC has directed Meta to bring its data processing operations into compliance within a period of three months.
This decision highlights the importance of determining the appropriate lawful basis for processing personal data under the GDPR and the consequences of failing to do so. In light of this decision, organisations should take the time to assess the appropriate lawful bases for processing before starting to process any personal data.
The DPC’s decision in relation to Facebook can be found here.
The DPC’s decision in relation to Instagram can be found here.
The DPC’s press release can be found here.