By Padraic Halpin
DUBLIN (Reuters) - Meta must reassess the legal basis for how Facebook (NASDAQ:META) and Instagram use personal data to target advertising in the European Union, its lead privacy regulator in the bloc said on Wednesday when it fined the social media giant 390 million euros ($414 million) for the breaches.
Meta said it intended to appeal both the substance of the rulings and the fines imposed, and that the decisions do not prevent personalised advertising on its platforms.
The order on personalised advertising was made in December by the EU’s privacy watchdog, according to a decision seen by Reuters, in which it overruled a draft ruling by Ireland’s Data Privacy Commissioner (DPC), Meta’s lead EU privacy regulator.
It related to a 2018 change in the terms of service at Facebook and Instagram, made following the introduction of new EU privacy laws, in which Meta sought to rely on the so-called “contract” legal basis for most of its processing operations.
The DPC said that Meta, having previously relied on the consent of users to the processing of their personal data for targeted advertising, instead considered that a contract was entered into upon acceptance of the updated 2018 terms and that this made such advertising lawful.
The DPC, which is the lead privacy regulator for many of the world’s largest technology companies within the EU, directed Meta to bring its data processing operations into compliance within three months.
Meta said it strongly believes that its approach respects EU privacy laws that allow for a range of legal bases under which data can be processed and that the decisions also do not mandate the use of consent for the processing of data.
“We want to reassure users and businesses that they can continue to benefit from personalised advertising across the EU through Meta’s platforms,” Meta said in a statement.
The penalties brought the total fines levied against Meta to date by the Irish regulator to 1.3 billion euros. It currently has 11 other inquiries open into Meta services.
The DPC said that as part of its decision, the EU’s privacy watchdog had purported to direct the Irish regulator to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations.
The DPC said it was not open to the European Data Protection Board (EDPB) to direct an authority to engage in such investigations and that it intended to ask the EU Court of Justice to set aside the EDPB’s direction as it may involve an “overreach”.
($1 = 0.9423 euros)