Judicial decisions follow and look alike for Meta.
Facebook's parent company was fined 5.5 million euros by the Irish regulator on Thursday for violating European data regulation (GDPR) with its WhatsApp messaging.
This is the second financial sanction for the group this month after that of 390 million euros received at the beginning of January.
In this new decision, the Irish Data Protection Commission (DPC) found that the digital giant failed to meet its "transparency obligations" and relied on an incorrect legal basis "for its processing of personal data for service improvement and security purposes.
Concretely, this sanction is based on reasons similar to that announced at the beginning of January, which targeted the social networks Facebook and Instagram.
But the previous decision also accused these Meta subsidiaries of failures related to the processing of personal data for targeted advertising purposes, thus threatening to weigh on the group's advertising revenues.
Meta immediately announced its intention to appeal and was quick to add that the penalty did not prevent personalized advertising.
The privacy association Noyb, at the origin of these procedures launched in 2018, had accused the group of reinterpreting consent "as a simple civil law contract", which does not allow, in particular, to refuse this type of individualized advertisements.
The fine is much lower this time, because it does not relate to targeted advertising but also because "the DPC had already imposed a very substantial fine of 225 million euros on WhatsApp" for facts which related "to the same period,” she said.
The regulator had indeed criticized WhatsApp, in September 2021, for having failed in its transparency obligations, in particular on data transfers to other companies in the group.
This Thursday, the regulator, which acts on behalf of the EU, gave the Californian group six months to comply.
Meta announced that he would also appeal Thursday's decision, saying in a statement sent to AFP that "the operation (of WhatsApp) is both technically and legally compliant" with European regulations.
Personal information revealed?
But the Noyb association judges on the contrary that the new sanction does not go far enough, explaining in a press release that "if WhatsApp does not provide personalized advertisements, it provides
metadata
to Facebook and Instagram".
The latter, if they do not betray the content of the messages, "reveal a lot of information" about the user's interlocutors and their habits, "which can then be used to personalize advertising" on the group's other platforms, affirms the 'association.
Read alsoWhat do hackers do with our personal data?
The Irish Data Protection Authority has jurisdiction to act on behalf of the EU because Meta's European headquarters are in Ireland, like many Silicon Valley giants, whose presence is crucial to the country's economic activity. .
But the DPC is too benevolent, according to many of its peers: in October 2021, it had proposed a draft decision which validated the legal basis used by Meta and suggested a fine of up to 36 million euros for Facebook and at most 23 million for Instagram for lack of transparency.
The French Cnil and other regulators had expressed their disagreement, judging this sanction much too weak.
They had asked the European Data Protection Board (EDPB), the European regulator for the sector, to judge the dispute, and the latter ruled in their favor on the question of the legal basis in three binding decisions, calling on the DPC to to be more severe.
The Irish police had also sentenced Meta in September to a fine of 405 million euros for failures in the processing of minors' data, and in November to the tune of 265 million euros for not having sufficiently protected the data of minors. its users.
At the same time, the EDPS also asked the DPC to carry out a new investigation to find out more about the use of personal data by Meta.
But the Irish authority considers that the European regulator does not have the power to order it "to engage in an open and speculative investigation", according to its press release, and is preparing to bring an action for annulment of this request before European justice.