Huge win for privacy: Record fine against Facebook thanks to Max Schrems.

Meta must pay 1.2 billion euros for violating the EU regulation GDPR.

2023-05-24 / First published: 2022-12-09
Facebook's business model of forcing users to agree to tracking and then showing them personalized ads is illegal in Europe.
The EU has imposed a record fine of 1.2 billion euros on Facebook's parent company Meta for forwarding user data to the US. Meta has also been ordered to stop the data transfer. While this is a huge win for privacy, Meta wants to take legal action against the fine.

Facebook's new record fine of 1.2 billion euros has been issued thanks to two very prominent figures: Max Schrems, who sued Facebook years ago for transferring personal data of EU citizens to the US, and Edward Snowden, who made public that US secret services can get data from US services like Meta rather easily - which is in violation of the European General Data Protection Regulation (GDPR).

Ten years after the revelations by NSA whistleblower Snowden, Facebook has finally been fined 1.2 billion euros for potentially disclosing data of EU citizens to US secret services: After pressure from the EU, the Irish data protection authority (DPC) has imposed a record fine of 1.2 billion euros on the social media platform.

The fine imposed by the DPC dwarfs the previous record fine of 746 million euros for Amazon issued by Luxembourg in 2022.

The reason for the fine was a complaint by Austrian data protection activist Max Schrems, who had repeatedly demanded consequences from the Snowden revelations, taking the matter all the way to the European Court of Justice. As a result, the Court declared the Privacy Shield agreement between the U.S. and the EU illegal.

The reasons for nullifying Privacy Shield are still valid. The problem is that US laws do not adequately protect the data of European citizens as the surveillance programs in the US are not limited to what is strictly necessary.

Thus, Meta must stop any further transfer of European personal data to the United States, as the company remains subject to U.S. surveillance laws. The Silicon Valley tech giant has six months to comply with this ruling.

Ruling only applies to Facebook

Meta feels it has been unfairly fined and announced it will appeal. "This is not about a company's data protection practices - there is a fundamental legal conflict between U.S. government rules on access to data and European data protection rights, which policymakers are expected to resolve in the summer," Facebook says in a statement sent to the SPIEGEL.

Max Schrems, who has founded the non-profit org NOYB to continue his fight for privacy, agrees with that point: "Any other major U.S. cloud provider like Amazon, Google or Microsoft could be affected by a similar penalty under EU law."

"The Irish DPC did everything it could to prevent this decision, but was repeatedly rebuked by the European courts and institutions. It's kind of absurd that the record fine goes to Ireland - the EU member state that did everything it could to ensure that this penalty would not be imposed," Schrems explains.

Since the introduction of the GDPR in 2018, Meta has seen four billion euros in fines imposed by EU regulators.

Among the ten companies with the highest fines based on the GDPR, Meta is now represented six times - a negative record.

10 biggest GDPR fines so far

  1. Meta GDPR fine – €1.2 billion imposed by Ireland in May 2023
  2. Amazon GDPR fine – €746 million imposed by Luxembourg in July 2021
  3. Meta GDPR fine – €405 million imposed by Ireland in September 2022
  4. Meta GDPR fine – €390 million imposed by Ireland in January 2023
  5. Meta GDPR fine – €265 million imposed by Ireland in November 2022
  6. WhatsApp GDPR fine – €225 million imposed by Ireland in September 2021
  7. Google LLC GDPR fine – €90 million imposed by France in December 2021
  8. Google Ireland GDPR fine – €60 million imposed by France in December 2021
  9. Facebook Ireland GDPR fine – €60 million imposed by France in December 2021
  10. Google France GDPR fine – €50 million imposed by France in January 2019

Facebook business model illegal in EU

The record fine of 1.2 billion euros against Meta is only the final act in a long ongoing legal battle - which shows that the Facebook business model is illegal in Europe due to its data privacy violations and the risk that data of European citizens could fall into the hands of US secret services.

Earlier this year, in January 2023, Meta was already fined 390 million euros. EU privacy regulators say Facebook and Instagram must not force users to agree to tracking by putting this requirement into their terms. This business model of Meta is illegal according to the GDPR.

Since Facebook - like other tech giants - does not focus on protecting our privacy or encrypting our data, all data that it gathers can be easily passed on.

We have to remember: If it's free, you are the product.

TL;DR: Meta's practice of requiring users to consent to tracking via their terms is not legal according to the GDPR. Facebook, Instagram and WhatsApp must offer a Yes & No option so that users can actively give consent - or refuse. This is a huge blow to Meta's business model of surveillance-based advertising.

Lesson learnt from this: Stop waiting for Facebook, start using services that respect your right to privacy now.

The Irish Data Protection Commission (DPC) has confirmed in a press release that Meta's practice of enforced cookie agreements in Facebook and Instagram is illegal under the GDPR. The tech giant was fined € 390 million for this privacy violation - already half as much as Meta was fined in 2022 due to violations of the European GDPR, and 2023 has only just started. A final decision regarding WhatsApp is still outstanding.

This is another sign of Europe's stricter approach to handling privacy violations under the GDPR.

Originally, the DPC wanted only € 28 to 36 million, about 10% of the final ruling. However, the European EDPB has overruled the DPC and insisted on massive fines for Meta - saying that Meta had intentionally violated the GDPR and people's privacy for their own profit.

Max Schrems from the NGO NOYB, who sued Meta for their privacy violations, says:

"The penalty will go to Ireland - the State that has taken Meta's side and delayed enforcement for more than four years. This case will likely be appealed by Meta, leading to more costs for noyb."

Read more on the legal struggle to achieve privacy in Europe on the NOYB homepage.

Meta's business model - to force users to agree to tracking via their terms - has been declared illegal in the EU. Facebook, Instagram and WhatsApp can no longer run personalized ads without active user consent.

Original post

Decision of EU privacy regulators

In a far-reaching decision on Monday, EU privacy regulators said that Meta Platforms Inc. must not force users to agree to personalized ads based on their online activity. The ruling could enormously limit the data that Meta can use to sell targeted ads.

Simply putting a paragraph into the terms of service - to which users have to agree - is not sufficient according to the General Data Protection Regulation (GDPR). Such terms are no justification to collect data and post targeted ads. Instead, Meta platforms Facebook, Instagram and WhatsApp must give users a clear Yes & No choice where they can actively agree to being tracked - or refuse.

The tech giant’s so-called forced consent to continue tracking and targeting users by processing their personal data to build profiles for behavioral advertising has been added to Meta's terms after the publication of the GDPR in 2018. Now it has been declared illegal by EU privacy watchdogs.

EU decision makes requiring tracking via terms illegal.

This decision followed complaints that were filed by European privacy NGO noyb as soon as the GDPR came into force in May 2018. It took the EU about 4.5 years to finally decide on the issue.

The reason for this lengthy process is that the Irish Data Protection Commission (DPC) originally declared that Meta's updated terms meet the requirements of the GDPR. Ireland is Meta's main privacy regulator in the bloc because that is where Meta’s European headquarters is based.

Meta explained that its updated terms rely on the GDPR concept of "contractual necessity". The GDPR mostly prohibits companies from forcing users to turn over personal information to use their services. The only exception is when that information is necessary to execute a contract: For instance, a car sharing app needs to know your location so that it can show cars near you.

Meta relied on that contractual provision of the GDPR, to which the Irish privacy regulator initially agreed.

But now, the EU privacy regulators are passing the decision back to the DPC saying that the "contractual necessity" is not met by apps like Facebook, Instagram and WhatsApp and that it is the DPC's obligation to enforce proper privacy rights for European citizens.

The DPC now has one month to issue a final decision, along with significant fines.


The impact of the EU's decision that Facebook's current tracking practice is illegal is huge: It directly affects Facebook's business model. Right now, Facebook and Instagram profit a lot from the fact that people must give them their private data to use the service. In turn, Meta uses this data to create profiles and to post targeted ads, a gold mine for the Silicon Valley giant.

However, the EU's decision will limit Facebook's access to this gold mine and, thus, directly impact revenue.

A sign of how bad this decision is for Meta's profits is last year's decision by Apple. In 2021, Apple required iPhone app developers to ask users whether they want their usage to be tracked. And - unsurprisingly - lots of iPhone users declined being tracked and profiled.

As a consequence, Meta's revenue in 2021 was reduced by 8% just because iPhone users were not willing to share their private data with Facebook, Instagram and WhatsApp anymore.

Reducing Facebook's tracking online hugely benefits the privacy of users and simultaneously harms Meta's revenue. People's data is worth much more to Big Tech than many think.

EU limits Facebook tracking

The latest EU decision is another sign of a growing interest of EU authorities to limit surveillance-based tracking. Finally, people and politicians are waking up to the dangers of behavioral advertising, and EU officials are starting to regulate it in a way to protect people's privacy.

To companies such as Facebook, Google and Amazon, this business, however, is worth billions of dollars each year.

Learn here how you are being profiled online and how you can stop it.

Regardless, even California - where most Big Tech companies are located - has adopted great privacy laws that allow users to opt out of what it calls cross-contextual behavioral advertising.

Maybe the reason for this legislation is that Californians know best how harmful tracking and behavioral advertising is as this business model originated there.

Consequences for users

The EU decision will not have direct consequences for users, unfortunately, as it can be appealed. Such an appeal would lead to a lengthy judicial process.

If upheld, though, this decision will make it much harder for Facebook and other platforms to show users ads based on what they click, like, share and watch within these platforms' own apps.

While Meta is already allowing users to opt out of personalizing ads based on data from other websites and apps, it has never given any such option for ads based on data about user activity on its own platforms.

For Facebook - and other Big Tech companies - limiting the access to user tracking would be a huge blow, as building audiences for personalized ads makes up the bulk of revenue for such companies.

"This is not the final decision and it is too early to speculate," said a Meta spokesman to the Wall Street Journal, adding that EU law could allow for other legal justifications for targeting its ads. "We’ve engaged fully with the DPC on their inquiries and will continue to engage with them as they finalize their decision."

Nevertheless, the GDPR allows for large fines for major violations — up to 4% of global annual turnover.

Growing privacy enforcements

While the EU's GDPR started being enforceable already in May 2018, political enforcement has only started to ramp up in the last couple of months. By now, many Big Tech companies have been hit with hefty fines.

The Irish DPC has fined Meta more than $900 million in four other cases in the last 15 months, and currently has 10 additional inquiries into the company.

Meta's Irish subsidiary had allotted nearly 3 billion euros for privacy fines in the EU last year - up by €1.97 billion from a year earlier, according to Irish corporate filings.

Regardless, up to now it seems much more profitable for Silicon Valley giants to just pay the fines - instead of changing their business model.

This means we must keep fighting to stop ad-based tracking. Start now by adding an adblocker to your browser!