Irish Data Protection Authority gives € 3.97 billion present to Meta? Authority allegedly unable to take financial benefit from Meta's GDPR violations into account.
On 04.01.2023, the Irish Data Protection Commission (DPC) announced a fine of € 390 million against Meta due to unlawful personalized advertising on Facebook and Instagram. A first analysis of the decisions now reveals that the DPC has turned a blind eye on the revenue generated from violating the GDPR when calculating its fine. This was despite a 2/3 majority vote of all EU authorities (the EDPB) having directed the Irish DPC to factor in Meta's billions of Euro of ill-gotten revenue. The DPC's maneuver saved Meta almost € 4 billion.
- noyb's letter to EDPB outlining the DPC's failure to comply with the EDPB decision (PDF)
- Table with relevant numbers (PDF)
- Facebook's public information on users and revenue (see "Earning Slides")
Background: Meta's violation of the GDPR. In a 4.5 year battle over the lack of a legal basis for providing personalized advertisement in the EU, noyb scored a major victory. The European Data Protection Board (EDPB) overturned the core element of a previous draft decision by the Irish DPC and held that Meta did not have a proper legal basis to process personal data for behavioural advertising. Meta's attempt to squeeze an "agreement" into the terms and conditions of Facebook and Instagram was found to be unlawful. Any processing based on this "bypass" since 25 May 2018 was therefore illegal. The EDPB told the DPC that an additional fine must "counterbalance the gains from the infringement" and ordered the DPC to "impose a fine that exceeds that amount".
New Development: DPC unable to estimate Meta's unlawful revenue? On 5 December 2022, the European Data Protection Board (EDPB) ordered the DPC to quantify how much revenue Meta had generated by infringing the GDPR, and to factor that sum in to its fine. However, the DPC simply ignored the unlawful revenue made by Meta and claimed that "the Commission is unable to ascertain an estimation of the matters" and that it is therefore "unable to take these matters into account". This is despite having the power to demand such information from Meta under Article 58(1) GDPR.
Max Schrems, Chair of noyb: "We all know about Meta's enormous revenue. It's astonishing that this was not taken into account by the DPC. The DPC didn't even use its statutory powers to ask Meta for the information. We therefore researched publicly available information and found that this factor alone should have increased the fine by € 3.97 billion."
Background on GDPR fines. Article 83 of the GDPR sets the rules for fines. Every fine must generally be "effective, proportionate and dissuasive", must take into account the "financial benefits gained ... from the infringement" but are also capped at 4% of the global turnover of the past year. In the case of Meta, this would amount to a maximum fine of € 4.36 billion. The EDPB consequently asked the DPC to investigate the "financial benefits" of Meta from violating Article 6(1) of the GDPR for about 4.5 years, as a fine that would be below these benefits could hardly be "effective, proportionate and dissuasive".
Max Schrems: "The maximum cap of 4% of global turnover was easily overrun by the revenue from unlawful processing in the past 4.5 years. It is easy to show from public information that the revenue factor alone would have required imposing the maximum fine."
Public information and a spreadsheet. Meta, being a publicly listed company, publishes most of the relevant financial data. According to reports by Meta itself, it made € 84,7 billion (US$ 91,59 billion) from advertising on the European continent between Q3 2018 and Q3 2022. Adjusted for user numbers in the EU only, this amounted to roughly € 72,5 billion (US$ 78,4 billion). While "behavioural advertisement" does not make up all the revenue of Meta's overall advertising, it is clear that in any realistic scenario, the revenue from "behavioural advertisement" in the EU overshot the maximum fine of € 4.36 billion.
Max Schrems: "By not even checking publicly available information, the DPC gifted € 3.97 billion to Meta. It took us an hour and a spreadsheet to make the calculation. I am sure the Irish taxpayers would not mind having that extra cash, if a DPC employee would have just opened a search engine and done some research."
Meta still makes up to € 68,17 billion from violating the GDPR. Even if the maximum fine of 4% would have been imposed, Meta would still have made up to € 68 billion from the violation of the GDPR since 2018, if it is assumed that basically every advertisement on Meta is currently "behavioural advertisement". This is mainly because the procedure was massively delayed by the DPC and took 4.5 years, while the maximum fine may only be calculated based on a single year. Meta's violation also likely overshot the 4% in each year, meaning that the revenue far exceeded the maximum fine per year.
Max Schrems: "Bottom line, it absolutely paid off for Meta to violate the GDPR and the Irish DPC made it even more profitable for Meta to violate EU law."
Letter to EDPB. noyb has now sent a letter to the EDPB detailing the problem in the DPC decision and all calculations. noyb is asking the EDPB to ensure that its decision is fully upheld by the DPC.