Facebook Fined for Breaching EU Privacy Law


    In News

    • Recently, two sets of fines totalling €390 million were imposed on Facebook’s parent company Meta.

    Key Points Of Ruling in Ireland

    • The Irish privacy regulator concluded that the company’s advertising and data handling practices were in breach of the EU’s overarching privacy law.
    • The Irish DPC is the lead regulatory authority for Meta and a number of other US tech majors that have their headquarters in Ireland.
    • Concerns:
      • Imposition of Personalised Ads: The legal permission that Meta sought from users to collect their data for personalised advertising as part of its lengthy terms-of-service agreement essentially forced them to accept personalised ads, in violation of the GDPR. 
    • The Irish Data Protection Commission (DPC) said that Meta should be ordered to pay two fines — 
      • a €210 million fine over violations of the EU’s General Data Protection Regulation (GDPR), and 
      • a €180 million fine linked to breaches of the GDPR by Instagram.
    • Meta was not entitled to simply rely on contracts as a legal basis for processing user data for targeted advertisements.
    • It said that Meta has to bring its data processing operations “into compliance within three months”.

    Significance of the Ruling

    • Emphasis on Protection of Individuals’ Data: 
      • This case is particularly significant given that the Irish DPC began investigating Facebook on May 25, 2018 — the day the GDPR came into effect. 
      • It thus supports the overarching theme of the EU’s landmark legislation: the right of individuals over their data and the need for a person to give explicit consent before their data can be processed.
    • Restricting Use of Personal Data for Advertising:
      • The DPC’s decision could imply that Meta would have to tweak its apps over the next three months to ensure that they do not leverage personal data for advertising. 
      • That could be a big blow to the company in terms of how its advertising model works: Meta earlier relied on a user’s consent to process this information for the purposes of behavioural ads, but tweaked the terms of service for both Facebook and Instagram on the processing of the information after the GDPR kicked in.
    • Financial Hardships for Meta:
      • This fine comes at a time when Meta’s forecasts for profits in 2023 have fallen nearly 50 percent. 
      • The company’s much-hyped Metaverse push is struggling, and the performance numbers reflect signs that both users and advertisers are moving away from the platforms.
      • Meta, which changed its name from Facebook in 2021, has seen its share price tumble by nearly 60 percent since the rebranding.

    EU’s General Data Protection Regulation (GDPR)

    • It is a law passed in 2018 by what was then a 28-member bloc (now 27).
    • The GDPR is the toughest privacy and security law in the world. 
    • Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU.
    • As per the GDPR, cross-border cases are to be handled by the data-protection authority in the country where the company is based.
    • European Data Protection Board: The body that oversees regulatory action on data privacy across the 27-nation bloc.

    Data Protection Law in India

    • The data protection Bill has been in the works since 2018 when a panel led by Justice B N Srikrishna had prepared a draft version of the Bill.  
    • The government made revisions to this draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019. 
      • Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (JPC) submitted its report on the Bill after two years in December, 2021. 
    • The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC. 
    • In August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.
    • Now, the government is expected to introduce the Bill in Parliament in the budget session of 2023.

    Way Ahead

    • While protecting the rights of the data principal, data protection laws need to ensure that the compliances for data fiduciaries are not so onerous as to make even legitimate processing impractical. 
    • The challenge lies in finding an adequate balance between the right to privacy of data principals and reasonable exceptions, especially where government processing of personal data is concerned. 

    Source: IE