Meta fined over $400m for EU data misuse

Meta runs into the wall it's run into... several times before.
10 January 2023

Meta falls foul of the GDPR – again. Which part of European data law is giving it trouble?

New year, new you… same old multi-billion dollar tech giants flouting European data laws. As Meta (owner of Facebook, Instagram, and Messenger) finds itself hit with over $400m in data misuse fines that challenge the very basis of the way that ads on Facebook and Instagram have historically worked, we have to ask – what is it about “our house, our rules” that big Western tech finds too difficult to understand?

In December, 2021, US lawmakers kicked off a bipartisan attempt to either ban TikTok from America, or at least severely restrict its use, on the grounds that the safety and security of the data of American TikTok users could not be guaranteed.

Much of the rest of the world took a moment to pick its jaw off the floor.

The shock of the rest of the world was largely rooted in the entirely egregious history of Western tech giants with regard to safeguarding and appropriately using the data of their own platform users.

As recently as November, 2022 – barely one month earlier – Facebook had been issued with a $275 million fine for its use of data-scraping techniques in Europe, which fell foul of the EU’s General Data Protection Regulation (GDPR), proving that it is not in any sense necessary for a social media platform to have its headquarters in a country where the government can force you to give it your data in order for the platform to behave with little regard to the law.

Repeat offenders.

The list of similar breaches and fines goes back almost to the beginning of the GDPR.

And now, within the first two weeks of 2023, Meta has been hit with a $414 million fine over its data usage policy, which has been judged in breach of the European GDPR rules.

The cost of doing business.

Naturally, Meta is appealing the decision – after all, no company wants to pay out over $400 million if it doesn’t have to. But the continued collision of US-based tech giants with EU law makes it clear that the fines, large as they are, are seen as the cost of doing business, rather than a deterrent to the giant platforms operating in exactly the way they see fit.

In the latest case, the Irish Data Protection Commission (DPC), which was also responsible for bringing the case in September 2022, explained that the way in which Meta “asked permission” to use people’s data to target ads on Facebook and Instagram was against the law.

The way in which the sites “ask permission” to use data for this purpose equates to the declaration “give us permission or you can’t use the platform.”

Easier to ask forgiveness than permission.

The DPC said that Facebook and Instagram do not have the right to “force consent” by using that “Our way or the highway” version of “permission.” There’s an irony there, in that in the four-dimensional world in the US, the owners of businesses have traditionally had the right to dictate terms to people wanting to use their premises (“No shoes, no shirt, no service” being the most obvious example).

But the DPC, which has frequently taken the lead in data breach cases in recent years as many of the big US tech giants have European headquarters based in Ireland, ruled that the cases of two complainants back in 2018 could be upheld – fining Meta the multi-million dollar sum as a result.

The original complainants (one in Austria and the other in Belgium) took issue with the way Meta dealt with the GDPR when it came into force. As a “quick fix” to the potential data privacy minefield the GDPR could involve for social media platforms that make the bulk of their money through targeted advertising, Facebook and Instagram updated their terms of service, setting out the premise that user data from the site would be used for the purposes of targeting advertising at users.

Those terms were fronted by a simple “I accept” button – and without pressing that button, the complainants claimed it was impossible to use either platform. That, the complainants argued, could not amount to true consent, but only to coercion or force, as there was no way to opt out of the personalization of ads. And that breached the terms of the GDPR.

The conflict of privacy and profit.

The DPC substantively agreed with the complainants, and added that Meta was not clear enough with its users about exactly what they were “accepting” when they pressed the button that gave them continued access to the platforms in the wake of the GDPR coming into force.

Meta’s inevitable challenge to the DPC’s decision actually embodies a fundamental difference between the way social media platforms make their money – by accessing and using individual user data to target users with advertisements that stand a better than average chance of being of interest to them – and the right of users to opt out of having their data, including their likes, dislikes, views, etc., monetized for the benefit of the platform.

The battle may eventually come down to Meta either having to change its methods of monetization – which seems massively unlikely – or having to threaten to withdraw its platforms from use in the European Union. Again, that’s extremely unlikely, because it would be a major economic hit to lose European users (and the targeted ad revenue they represent).

The third way seems to be for Meta (and other US tech giants) to keep behaving in a way that lets it monetize its users’ data, and fight the fines down to the barest minimum whenever they arise, essentially ignoring the inconvenient law and paying Europe many millions of dollars to shut up and go away whenever it’s found guilty of breaching data regulations.

Which is something to remember the next time politicians pontificate about the dangers of China getting hold of US user data.