The fine the Data Protection Commission (DPC) handed out to Meta earlier this month is far too small. In calculating the fine, the Irish privacy watchdog did not include the income that the parent company of Facebook and Instagram has earned by violating European privacy legislation for years. As a result, the DPC has given Meta a ‘gift’ of almost 4 billion euros.
That is the opinion of the Austrian privacy foundation Noyb.
Meta is fined 390 million euros.
After the General Data Protection Regulation (GDPR) came into force in May 2018, the DPC received two complaints about Meta. The company did not correctly ask Facebook and Instagram users for permission to collect user data in order to offer personalized advertisements. Meta amended its terms and conditions, saying users were contracting with the company when they used the platform. According to European privacy rules, Meta should have explicitly asked for permission for this.
Due to years of unlawfully offering targeted advertisements on Facebook and Instagram, the Irish regulator handed out a fine of 390 million euros earlier this month: 210 million euros will be charged to Facebook, and Instagram must pay the remaining 180 million euros.
The DPC has given Meta three months to change how it collects user data. The tech company said in a response that it would appeal.
Noyb: ‘The fine should have been a lot higher.’
Noyb – an acronym that stands for None of your business – said afterwards that the verdict was “a huge blow” to Meta. “People should now be asked whether they want their data used for advertising, and they should have a ‘yes or no’ option and can change their mind anytime. The decision also ensures a level playing field with other advertisers who must also receive opt-in permission,” said Max Schrems, the foundation’s chairman.
Still, the Austrian privacy movement is not satisfied with the ruling. The foundation believes that the fine should have been many times higher. The DPC did not include the illegal income that Meta earned by violating the GDPR for years. As a result, the technology company received a ‘gift’ of 3.97 billion euros.
“We all know about Meta’s huge revenue. Amazingly, the DPC didn’t consider that, and the DPC didn’t even use its legal powers to ask Meta for the information. We, therefore, examined publicly available information and found that this factor alone should have increased the fine by EUR 3.97 billion,” says Schrems.
Noyb wants EDPB to call the Irish regulator to account.
The European rules prescribe that a fine must be ‘effective, proportionate and dissuasive’. This means a regulator may impose a penalty of up to 20 million euros or a fine equal to a maximum of 4 per cent of global turnover, depending on which amount is higher.
Noyb calculated that Meta earned an amount of 72.5 billion euros from personalized advertisements in Europe between the third quarter of 2018 and the third quarter of 2022. Even if the DPC had imposed a 4 per cent fine on Meta, the company would still have made $68 billion by violating the GDPR. “The bottom line is that it paid off for Meta to breach the GDPR, and the Irish DPC made it even more profitable for Meta to breach European law,” said Schrems.
To draw attention to this, Noyb has sent an open letter (pdf) to the European Data Protection Board (EDPB). This is the umbrella organization in which all national supervisors of the EU member states are represented. The letter sets out all calculations in detail. The privacy foundation asks the EDPB to ensure that the DPC fully enforces its decision.