META (formerly Facebook, for those of us who are a little older) is facing a downpour of sanctions.
The American company has been fined 1.2 billion euros by the Data Commission Protection (the Irish equivalent of our French national CNIL).
On May 22, to celebrate the fifth anniversary of the implementation of the General Data Protection Regulation, our Irish neighbors fined META IRELAND a record amount for continuing to transfer personal data to the United States after the European Court of Justice invalidated the Privacy Shield.
META, which has 6 months to cease all data transfers to the United States, has already indicated that it intends to appeal the decision.
This sanction follows a long legal saga between the Data Protection Commission and META.
Indeed, throughout January 2023, the Data Commission Protection came to condemn META IRELAND for various practices contrary to the General Data Protection Regulation (yes, there it is again!).
META began the New Year with two rulings handed down on the same day (a dream come true for those of us accustomed to Commercial Courts) concerning Facebook and Instagram, whose targeted advertising practices are (!) incompatible with European data protection rules.
Specifically, Facebook and Instagram were accused of failing to obtain their users’ consent, and of lacking transparency in their data processing.
A reminder in passing of a rule we keep reminding the Firm of: “NO, consent cannot be included in general terms and conditions of use (or even of sale), as the simple act of clicking on the “I accept the general terms and conditions” button does not constitute consent.”
More concretely, Facebook has been fined 210 million euros and Instagram 180 million euros.
A total of 390 million euros, a “straw” for META, which, according to rumors, had set aside the modest sum of 2 billion euros for this dispute.
Facebook and Instagram have 3 months to comply.
A few days later, it was Whatsapp IRELAND’s turn to take on the Irish supervisory authority.
The messaging application is accused of forcing its users’ consent, in that they would no longer be able to access the service without accepting the privacy policy.
Our Irish neighbors also pointed out that the said privacy policy could not be analyzed as a contract, and therefore could not serve as a legal basis for processing.
For this lack of transparency, incompatible with the RGPD, Whatsapp has been fined 5.5 million euros and given 6 months to comply.