Ireland's data privacy regulator fined Meta 390 million euros ($414 million) on Wednesday for breaches at its Facebook and Instagram services and said both must reassess the legal basis on how they run advertising based on personal data in the European Union.
The order on how both social media companies run advertising was made in December by the EU's privacy watchdog, according to a confidential decision seen by Reuters last month, in which it overruled the Irish regulator's draft decision on that issue.
It related to a 2018 change in the terms of service at Facebook and Instagram following the introduction of new EU privacy laws where Meta sought to rely on the so-called "contract" legal basis for most of its processing operations.
Having previously relied on the consent of users to the processing of their personal data for targeted advertising, Meta instead considered that a contract was entered into upon acceptance of the updated 2018 terms and that this made such advertising lawful.
Ireland's Data Privacy Commissioner (DPC), which is the lead privacy regulator for many of the world's largest technology companies within the EU, directed Meta to bring its data processing operations into compliance within three months.
The penalties brought the total fines levied against Meta to date by the DPC to 1.3 billion euros. It currently has 11 other inquiries open into Meta services.
The DPC said that as part of its decision, the EU's privacy watchdog had purported to direct the Irish regulator to conduct a fresh investigation that would span all of Facebook and Instagram's data processing operations.
The DPC said it was not open to the European Data Protection Board (EDPB) to direct an authority to engage in such investigations and that it intended to ask the EU Court of Justice to set aside the EDPB's direction as it may involve an "overreach."