The Irish Data Protection Commission (DPC), acting on behalf of the European Union, has accused Meta of failing to comply with the GDPR.
Meta, the parent company of Facebook, Instagram and WhatsApp, was fined €91 million by the Irish regulator on Friday for violating the European General Data Protection Regulation (GDPR) by failing to be transparent after a security breach affecting users' passwords.
In this new decision, the Irish Data Protection Commission (DPC), acting on behalf of the European Union, criticises Meta for not having put in place appropriate security measures upstream, but also for having taken too long to inform it of the problem.
Targeted advertising: European Union says Meta violates personal data rules
Meta could be fined up to 10% of its global turnover, a penalty that could exceed 12 billion euros.
Brussels on Monday paved the way for heavy financial sanctions against Meta, saying the social media giant was failing to comply with EU rules on the use of personal data for targeted advertising.
Meta is required to request users' consent in order to combine personal data from its various services for advertising profiling purposes.
To comply, the American group offered Facebook and Instagram users a paid subscription that allows them to avoid being targeted by advertising. On the other hand, if they wish to keep a free service, they must agree to provide their data.
“Meta has forced millions of users across the EU to make a binary choice: pay or consent. According to our preliminary findings, this is a violation” of the Digital Markets Act (DMA), said Digital Commissioner Thierry Breton on X.
The DMA, which came into full force at the beginning of March, "is there to give European users back the power to decide over their data," he stressed.
The Commission considers that Meta's model does not comply with the EU regulation, in particular because it "does not allow users to exercise their right to freely consent to the combination of their personal data" between its different platforms.
The opinion, issued following the opening of an investigation on March 25, is the second time a digital giant has been accused under the DMA -- after accusations published last Monday against Apple, whose App Store allegedly violates European competition rules.
Meta can now exercise its rights of defense by accessing the file and responding in writing to the preliminary conclusions.
If these were confirmed, the Commission would adopt a final decision of non-compliance by the end of March 2025.
Meta could then be fined up to 10% of its global turnover, which reached around 125 billion euros last year: a penalty that could exceed 12 billion euros... if Mark Zuckerberg's group does not comply with EU rules.
The DMA, which allows for faster and stronger action against abuses of competition by digital giants, was introduced to protect the emergence and growth of start-ups in Europe and offer more choice to consumers.
In addition to Apple, the new regulation applies to four other American giants (Alphabet, Amazon, Meta and Microsoft), as well as to the social network TikTok, owned by the Chinese group ByteDance, and to the Dutch hotel reservation platform Booking.