Meta fined €390 million by the Irish Data Protection Authority.

The Irish Data Protection Commission has fined Meta Platforms Ireland Limited ("Meta") €390 million for processing personal data on Facebook and Instagram in breach of the GDPR.

The decision, announced on 4 January 2023, is the result of investigations into two complaints lodged in Austria and Belgium respectively.

If they wish to continue to have access to Facebook and Instagram, users of these platforms are invited to click on "I accept" to indicate that they accept the terms of service and any updates.

Meta has taken the position that the processing of user data is necessary for the performance of the contract, which includes the provision of personalised services including personalised or behavioural advertising.

The complainants argued that by making access to Facebook and Instagram conditional on users accepting the updated terms of service, Meta was "forcing" them to consent to the processing of their personal data for the purposes of behavioural advertising and other personalised services.

The draft decisions prepared by the Irish Commission were submitted to the other national data protection authorities in the EU. In the absence of a consensus, the contentious points were decided by the European Data Protection Committee (EDPS).

The EDPS considered that Meta was not entitled to invoke "performance of contract" as the legal basis for processing carried out for behavioural advertising purposes.

The EDPS also confirmed the position of the Irish Commission regarding Meta's breach of its transparency obligation. Information on the purposes and legal bases of the processing operations carried out on Facebook and Instagram were not clearly disclosed to users.

Meta, which has 3 months to comply, has announced its intention to appeal.

A similar decision concerning WhatsApp is expected shortly.