In this new decision, the Irish Commission for Data Protection, which acts on behalf of the European Union, believes that the digital giant has not respected its “obligations in terms of transparency”.
Meta, Facebook parent company, received, Thursday, January 19, a fine of 5.5 million euros from the Irish regulator for having violated the European data regulations (RGPD) with its WhatsApp messaging, a sanction however limited compared to that of 390 million euros received in early January.
In this new decision, the Irish data protection commission ( DPC ), which acts on behalf of the European Union (EU), believes that the digital giant has not respected its “transparency obligations”.
In addition, Meta was based on an erroneous legal basis “for its processing of personal data for improving service and security,” continues the regulator in a press release, which gives the Californian group six months for ” Put your data processing operations in compliance “.
similar patterns
This sanction is based on reasons similar to that announced in early January which aimed at Facebook and Instagram social networks. But the previous decision also criticized these META subsidiaries with shortcomings related to the processing of personal data for targeted advertising purposes, a decision likely to inflict on the group’s advertising revenue. Meta had immediately announced her intention to appeal and hastened to add that the sanction did not prevent targeted or personalized advertising.
The fine is this time much less, in particular because it does not relate to targeted advertising, but also because “the DPC had already inflicted a very substantial fine of 225 million euros on WhatsApp” for Facts that carried “over the same period”, she asserts.
The regulator had indeed imposed a heavy sanction in WhatsApp in September 2021 to have failed in its transparency obligations, in particular on data transfers to other companies in the group.
The Irish gendarme also sentenced Meta in September to a fine of 405 million euros for shortcomings in the processing of minors data, and in November up to 265 million euros for not having protected the data from its users.
The new fines imposed in January follow the adoption in early December of three binding decisions of the European Data Protection Committee (CEPD), the European regulator of the sector.
sanction far too low
The association for the defense of private life Noyb, which is the source of three complaints against the group, filed on May 25, 2018, date of entry into force of the GDPR, had accused Meta of reinterpreting consent “as a Simple civil law contract “, which does not allow, in particular, to refuse targeted advertising.
The Irish data protection authority is competent to act on behalf of the EU because the European seat of Meta is in Ireland, like many giants of Silicon Valley, whose presence is crucial for the economy Irish.
The DPC shows more kindness than its peers: in October 2021, it had proposed a decision -making project which validated the legal basis used by the group and suggested a fine of 36 million euros maximum for Facebook and at least 23 million for Instagram for lack of transparency.
The French CNIL and other regulators had expressed their disagreement, deeming this sanction far too weak. They had asked the CEPD to judge the dispute, and the latter agreed with the question of the legal basis.
At the same time, the CEPD also asked the DPC to conduct a new survey to deepen the use of personal data by META. But the Irish authority considers that the European regulator does not have the power to order it “to engage in an open and speculative investigation”, according to its press release, and is about to introduce an appeal to the annulment of this request before European justice.