The Data Privacy Commissioner (DPC) said both must reassess
the legal basis on how they run advertising based on personal data.
Its statement said that Meta breached "its obligations
in relation to transparency" and used an incorrect legal basis "for
its processing of personal data for the purpose of behavioural
advertising."
The order on how both social media companies run advertising
was made in December by the EU's privacy watchdog in which it overruled the
Irish regulator's draft decision on that issue.
It related to a 2018 change in the terms of service at
Facebook and Instagram following the introduction of new EU privacy laws where
Meta sought to rely on the so-called "contract" legal basis for most
of its processing operations.
Having previously relied on the consent of users to the
processing of their personal data for targeted advertising, Meta instead
considered that a contract was entered into upon acceptance of the updated 2018
terms and that this made such advertising lawful.
The DPC, which is the lead privacy regulator for many of the
world's largest technology companies within the EU, directed Meta to bring its
data processing operations into compliance within three months.
The penalties brought the total fines levied against Meta to
date by the DPC to 1.3 billion euros ($1.38 billion). It currently has 11 other
inquiries open into Meta services.
The DPC said that as part of its decision, the EU's privacy
watchdog had purported to direct the Irish regulator to conduct a fresh
investigation that would span all of Facebook and Instagram's data processing
operations.