Meta relied on an incorrect legal basis “for its processing of personal data for the purposes of service improvement and security,”
Social media giant Meta has been fined an additional 5.5 million euros ($5.9 million) for breaches of EU data protection regulations by its instant messaging platform WhatsApp, Ireland’s regulator announced Thursday.
The penalty follows a 390 million euro fine for Meta-owned media platforms Instagram and Facebook two weeks ago after they were found to have scorned the same EU rules.
In its new decision, the Irish Data Protection Commission (DPC) found the group acted “in breach of its obligations in relation to transparency,” the watchdog said in a statement.
In addition, Meta relied on an incorrect legal basis “for its processing of personal data for the purposes of service improvement and security,” the DPC added, giving the group six months to bring its data operations into compliance.
The breaches are similar to those explained in the regulator’s action against Meta earlier in January.
But the earlier decision also accused the Meta platforms of breaking rules over the processing of personal data for the purpose of targeted advertising.
In that instance the company, co-founded by social media magnate Mark Zuckerberg, was given only three months to respond to comply with the Irish regulator.
Meta announced its intention to appeal the 4 January decision, adding the regulatory ruling did not prevent targeted or personalised advertising.
The DPC said its more recent fine was considerably less because of a 225 million euro fine imposed on WhatsApp “for breaches of this and other transparency obligations over the same period of time”.
Thursday’s WhatsApp fine was also far lower because it did not relate to targeted advertising.
The Irish regulator had fined Meta 405 million euros in September for failures in handling the data of minors, and 265 million euros in November for not sufficiently protecting users’ data.
This latest round of fines follows the adoption of three binding decisions by the European Data Protection Board (EDPB), the EU’s data protection regulator, in early December.
The Vienna-based privacy group NOYB, which brought the three complaints against Meta, had accused the social media behemoth of reinterpreting consent as a civil law contract, which stopped users from refusing targeted advertising.
In October 2021, the Irish authority had proposed a draft decision that validated the legal basis used by the group and suggested a fine of up to 36 million euros for Facebook and up to 23 million euros for Instagram, over their lack of transparency.
France’s CNIL regulator and other European bodies disagreed with the draft sanction, which they considered to be far too low.
They asked the EDPB to judge the dispute with the EU data regulator deciding in their favour.
The EDPB has also asked the Irish regulator to investigate Meta’s use of personal data.
However in its statement the DPC pushed back saying that the EU body does not have the power to “direct an authority to engage in open-ended and speculative investigation”.
The regulator said it will seek to annul the EDPB’s request before the European Union’s Court of Justice.
The latest DPC fines are dwarfed by Meta’s multi-billion-dollar earnings, but the company has been ravaged by a global advertising slump and stagnating user numbers.
Meta said in November that it would axe more than 11,000 staff after profits more than halved to $4.4 billion in the third quarter.
The group’s European operations are based in Dublin, along with a number of global tech giants including Apple and Google, so Ireland’s data protection agency is the lead regulator responsible for holding them to account.
(Except for the headline, this story has not been edited by our staff and is published from a syndicated feed.)