

In what might be a severe blow to its ad-fueled business model, the Irish Data Protection Commission (DPC) has fined Facebook’s parent company Meta $414 million over its handling of user data to deliver personalized ads.

Privacy regulators ordered Meta Ireland to pay two fines, one over violations of the E.U. General Data Protection Regulation (GDPR) in relation to Facebook, and another for violations of the same nature in Instagram. Meta Ireland has also been directed to bring its data processing operations into compliance within a period of three months.

The case stems from concerns that the social media business used its Terms of Service to coerce users into allowing targeted advertising based on their online activities. The complaints were made on May 25, 2018, the region’s implementation date for GDPR.

The decision arrives a month after the European Data Protection Board (EDPB) announced that it had reached binding decisions with regard to the matter.

How Is the Ruling Affecting Meta?

As reported by The Hacker News, the DPC decision effectively makes Meta’s advertising practices illegal because it may no longer use contracts, such as signing its Terms of Service, as a justification for processing personal data for behavioral advertising.

Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. Meta Ireland is not entitled to rely on the ‘contract’ legal basis in connection with the delivery of behavioral advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the ‘contract’ legal basis, amounts to a contravention of Article 6 of the GDPR,

Irish DPC (Source)

Meta claims that personalizing the adverts it serves based on data it has about consumers’ online behavior is a fundamental component of the tailored service it offers.

NOYB’s Max Schrems, whose privacy non-profit filed the original complaint against Meta, declared that the tactics used by the company were “not just unfair but clearly illegal”.

Meta said it was “disappointed” by the decision and that it “strongly” believes its approach respects GDPR. The company has already seen a decline in ad revenue over the past year, in part because of Apple’s privacy changes in iOS last year that require apps to ask for permission before tracking users. The DPC’s conclusions will be appealed by the firm.

The parent company of Facebook and Instagram released a statement in which it pointed out that “these decisions do not prevent personalized advertising on our platform,” but that the decisions relate only to which legal basis Meta uses when offering such advertising.

The latest financial penalties come on top of several privacy fines that Meta received last year. In December 2022, the internet giant agreed to pay $725 million to settle a class-action lawsuit accusing the company of providing customer data to third parties without their consent.


Author Profile

Cristian Neagu



Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
