This Christmas is bound to be an expensive one for U.S. tech giant Meta.
The Big Tech firm looks set to soon face a huge regulatory bill for all three of its social networks, Facebook, WhatsApp and Instagram. Europe’s privacy regulator body, the European Data Protection Board, is expected to issue decisions on Monday that target the three platforms, after which Meta’s lead regulator in Ireland will issue a final decision within a month.
The detail and possible value of the monetary penalty will remain under wraps until then, but the triplet of fines could add up to over €2 billion, financial statements by Meta indicate — setting a new record for the highest fines under the European Union’s feared General Data Protection Regulation (GDPR) received by a single company in one go.
According to filings in Ireland, Meta has set aside €3 billion for EU privacy fines in 2022 and 2023. Its platform Instagram already got slapped with a €405 million fine in September for violating kids’ privacy, and Facebook so far has accumulated €282 million in penalties for data breaches as well as a €60 million hit from the French. That leaves well over €2 billion earmarked by the firm for regulatory action.
That’s a substantial hit for Meta, which announced last month it was laying off 11,000 employees globally amid lower sales and major costs linked to the firm’s pivot to the metaverse.
Beyond hitting Meta’s pocket, the three fines expected within weeks could also put a bomb under its broader business model. The decisions stem from complaints filed by Austrian activist Max Schrems accusing the company of failing to have proper legal grounds to process millions of Europeans’ data. If the final decisions invalidate Meta’s argument that it’s processing data as part of a contract with users, the company would have to seek another legal basis for its data-fuelled ad targeting model.
The cases have also revealed deep fissures between Europe’s data watchdogs.
Ireland’s data protection commission largely backed Meta’s argument that it could claim it needs data to fulfill a “contract” with its users to provide personalized ads, in its draft decision issued a year ago. But that reasoning has long put Ireland in the minority amongst its colleagues. The Norwegian data protection authority said the Irish interpretation would render European data protection law “pointless,” according to a document obtained by POLITICO last year. The Irish regulator was also alone in voting against EU guidelines that banned companies from using the contract legal basis to use data to target ads.
The three decisions are likely to lay into the Irish regulator’s initial position and, more worryingly for Meta, amp up the pressure for the company to go scrambling for new legal ways to gather and process data on Europeans.
Meta also still faces an ongoing, high-profile probe into the company’s transfers of Europeans’ data to the U.S.
Meta declined to comment. It can still appeal the fines coming out of the coming decisions.