Earlier this year, Meta, Facebook’s parent company, was slapped with several fines totaling more than 390 million euros ($400 million USD) as the Irish Data Protection Commission (DPC) said that its advertising and data handling practices are in violation of the European Union’s (EU) privacy laws. Meta’s European operations are based in Dublin, which is why the Ireland board is its EU regulator.
The DPC ordered the tech conglomerate to pay two fines. The first is a 210 million euro ($222.5 million USD) fine for the violation of the EU’s General Data Protection Regulation, also known as GDPR, and the second is a 180 million euro ($191.5 million USD) for breaches of the same law by Instagram.
It was determined that Meta’s offense was as follows: “incorporating user content to use data for targeted advertising purposes within its term of service, thus forcing anyone using Facebook or Instagram to give up their data as a condition of using the platform.” To Meta, this process is known as “contractual necessity.” The DPC found this to be in violation of the EU GDPR.
As of January 2023, the DPC has given Meta three months to bring its data processing operations into compliance. Meta announced its plans to appeal the ruling shortly after.
What is GDPR (General Data Protection Regulation)?
So, why are news outlets keeping tabs on this story and why should we even care about it? Simply put, it impacts individuals and organizations, and more specifically, how organizations collect data on individuals.
To understand its impact, it’s important to understand what GDPR actually is.
Implemented by the EU in May 2018, the GDPR is a regulation designed to strengthen and unify data protection for all individuals within the EU. The goal is to give EU citizens more control over their personal data and how it’s collected, used, and shared by businesses. It applies to any business operating with the EU as well as any business outside of it that processes the personal data of EU citizens. If businesses don’t comply with GDPR, they may be fined up to 20 million euros or 4% of their annual turnover, whichever amount is greater.
Who Does GDPR Apply to?
Under the regulation, businesses are required to obtain explicit consent from individuals before collecting, using, or sharing their personal data for personalized advertising. This means that businesses must provide clear and detailed information about how the personal data collected will be used and individuals must take affirmative action to opt in to the collection and use of their data.
GDPR places specific obligations on businesses, such as the need to appoint a data protection officer, incorporate organizational and technical measures to protect personal data, and notify individuals and certain supervisory authorities of breaches.
The regulation also impacts the ability to gather relevant data on clients and prospects for marketing purposes. If consent to use their personal data is not provided, they won’t be able to use it as part of their digital marketing strategy. As a result, marketers have been, and will continue to have to, come up with creative ways to collect, use, and share data in an effort to personalize advertising experiences.
While compliance with GDPR may be challenging, it does bring a slew of benefits to businesses. Compliance helps build trust with customers, improves processes for data management, and reduces the risk of data breaches. It’s also more cost-efficient. GDPR compliance saves businesses from shelling out massive amounts of money for violations (i.e. Meta).
How Does GDPR Impact Individuals?
GDPR significantly impacts individuals in the EU by providing them with greater control over their personal data. They have the right to access, rectify, and delete data, the right to object to certain types of data processing, and the right to be informed of certain types of breaches. Individuals also have the right to both consent to and withdraw from businesses collecting and processing their data.
Additional benefits of GDPR on individuals include increased transparency as businesses are required to disclose their data collection and usage practices, the right to request their personal data be erased under certain circumstances, and the right to lodge a formal complaint with a supervisory authority.
Future Outlook for GDPR
Like most things, the future of GDPR in the EU is uncertain, but it’s likely that it will continue to play a key role in protecting personal data. Whether that’s increased enforcement efforts, changes to the regulation as technology continues to advance, or an extension of the regulation to countries operating outside of the EU to ensure consistency in data protection, it will be interesting to how all of this plays out in 2023 and beyond.
Interested in learning about consumers’ privacy in the US, and more specifically California? Check out our blog post titled, “CCPA & CPRA: What You Need to Know About Consumers’ Privacy.”
*The content herein is for informational purposes only and is not intended to be taken as legal advice. If you have any legal concerns, we encourage you to seek competent legal counsel for advice.