Meta dodged a €4BN privacy fine over unlawful ads, argues GDPR complainant

A €390 million privacy fine for Meta announced earlier this month in the European Union -- for running behavioral ads on Facebook and Instagram in the region without a valid legal basis -- was several billion euros smaller than it should have been, and orders of magnitude too small to deter others from going big on breaking the bloc's privacy laws, according to the not-for-profit which filed the original complaint over Facebook's 'forced consent' back in May 2018.

This week the privacy rights group, noyb, has written to the European Data Protection Board (EDPB) to raise fresh hell -- arguing that the Irish regulator which issued the final decision on its complaint against Meta's ads failed to follow the Board's instructions to investigate the financial benefits it accrued off of the unlawful data processing.

It argues the Irish Data Protection Commission (DPC) has failed to implement the EDPB's binding decision from December -- which instructed the regulator to both find the legal basis Meta had claimed for running behavioral ads unlawful and significantly increase the size of the fine the DPC had proposed in its earlier draft decision.

In the final decision which the DPC issued earlier this month, the DPC declined to act on the Board's direction to ascertain an estimate of the financial benefit Meta gained from targeting EU users with behavioral ads in breach of EU data protection law.

And while the Irish regulator did top up the fine on Meta to €390 million -- versus the €28 million to €36 million it had originally proposed, and that only for transparency failures -- the revised penalty, per noyb, neither reflects the seriousness of the systematic breach of European users' fundamental rights nor implements the Board's requirement that the DPC determine the unlawful financial benefit Meta accrued from running ads that break EU privacy law.

noyb notes that, per EDPB guidelines on calculation of fines (and the text of the final decision put out by the DPC incorporating the Board's binding decisions), the Irish regulator needed to ensure any fines “counterbalanc[e] the gains from the infringement” and also “impose a fine that exceeds that [unlawfully obtained] amount”.

"In the absence of directions, the [DPC] is unable to ascertain an estimation of the matters identified above. Accordingly, I am unable to take these matters into account for the purpose of this assessment," is how DPC commissioner Helen Dixon dryly dismissed the EDPB's instruction -- a few lines of text that essentially let Meta off the hook on what noyb calculates should have been a penalty set at the maximum possible under the EU's General Data Protection Regulation (GDPR): 4% of global annual turnover. (Or over €4 billion in Meta's case.)

noyb's letter lays out how it has estimated the total revenue Meta generated, over the 4.5+ year infringement period, on users in the European Economic Area (EEA) -- a figure it puts at circa €72.5 billion. It says it's arrived at this estimate by looking at the publicly listed company's financial reports (and adjusting revenue figures to only reflect users in the EEA, not the European continent as a whole) -- querying why the DPC's far more numerous staff couldn't have done the same.

"While 'behavioural advertisement' does not make up all the revenue of Meta's overall advertising, it is clear that in any realistic scenario, the revenue from 'behavioural advertisement' in the EU overshot the maximum [possible, under GDPR] fine of €4.36BN," noyb also argues.

In a statement, its honorary chairman, Max Schrems, adds: "By not even checking publicly available information, the DPC gifted €3.97BN to Meta."

"It took us an hour and a spreadsheet to make the calculation," he went on. "I am sure the Irish taxpayers would not mind having that extra cash, if a DPC employee would have just opened a search engine and done some research."

noyb's letter also questions why the DPC apparently failed to use its statutory powers under the regulation to ask the data controller for any information required for the performance of its tasks -- which could have provided it with a precise route to estimate how wealthy Meta got by unlawfully processing Europeans' data.

"Given that SAs [supervisory authorities] can only fine based on the revenue of the last year, and the Irish DPC has taken more than 4.5 years to issue a final decision, Meta has made substantial revenue from violating the law, even if the maximum fine of 4% of the annual turnover is applied," noyb goes on. "The estimated revenue from advertisements in the EEA of €72,53BN, would only be reduced to €68,17BN if the full 4% would be applied. This clearly makes even a maximum fine of 4% not even remotely 'effective, proportionate and dissuasive' in comparison to the unlawful revenue made by Meta IE [Ireland].

"Nevertheless the EDPB and the DPC are bound by Articles 83(1), (2)(k) and (5) GDPR at the same time, meaning that the maximum fine of 4% may not be overstepped but must also be used fully to comply with the conflicting requirements of the GDPR."

So -- tl;dr -- even the maximum possible financial penalty under GDPR would not have been remotely dissuasive to Meta in financial terms -- given how much more money it was minting by trampling all over European users' privacy. Yet, the kicker is, Meta didn't even get fined that (inadequate) maximum amount! Lol!

noyb's letter presents a neatly calculated and -- frankly -- damning assessment of high profile enforcement flaws in the GDPR. Flaws that enable Big Tech to play the system by forum shopping for 'friendly' regulators who can find endless ways to chew the cud around complaints and spin claims of protocol and procedure into a full blown dance of dalliance and delay, and whose convenient decisions can, at the last, be relied upon to help minimize any damage -- in a cynical mockery of due process that's turned the EU's flagship data protection framework into a paper tiger where Big Tech's users' rights are concerned.

noyb is calling on the EDPB to take "immediate action" against the DPC -- to ensure its binding decision "is fully implemented in [or, well, by] Ireland".

"Given the clear evidence that Meta IE [Ireland] has profited from the violation of Article 6(1) GDPR in vast excess of the maximum fine of 4% under Article 83(5) GDPR and the Irish DPC’s clear breach of the binding decision in this respect, we urge the EDPB and its members to take immediate action against the Irish DPC to ensure that the EDPB decision is fully implemented in Ireland," it urges.

However this (meta - ha!) complaint by noyb -- about the outcome of its 2018 complaint about Meta's ads -- most likely lands at the end of the road as far as regulators are concerned. Next stop: Class-action style litigation?

noyb's call joins a pile of complaints (and legal actions) targeting the Irish regulator's failure to rigorously enforce the GDPR against abusive Big Tech business models -- including litigation over inaction (also vis-à-vis the behavioral ads industry) and an accusation of criminal corruption (also from noyb), to name two of the barrage of slings and arrows fired at the DPC since the GDPR came into application (on paper) and complainants started the clock on their interminable wait for enforcement.

The DPC was contacted for comment on noyb's complaint to the EDPB -- but it declined to offer a response.

We also reached out to the EDPB. A spokeswoman for the Board told us it "takes note" of noyb's letter -- but declined further comment at this time.

It remains to be seen what action -- if any -- the steering body will take. Its powers are limited in this context since its competence to intervene in the GDPR enforcement process relates to any objections raised to a lead supervisor's draft decision (as happened in the Meta ads case).

After a final decision is issued the Board does not carry out a full re-evaluation of a case. So the chance of it being able to do much more here looks slim.

EU law enshrines the independence of Member States' data protection regulators so the Board essentially has to work with whatever it's given in a draft decision (and/or any objections raised by other DPAs). Which is why the DPC also sees mileage in challenging the portion of the Board's binding decision that instructed it to further investigate Meta's data processing -- as it argues that's jurisdictional overreach.

This structure effectively means a lead DPA can do considerable work to shape GDPR outcomes that impact users all over the bloc -- by, for starters, minimizing what they investigate and then, even if they do open a probe, by narrowly scoping these enquiries and limiting what they factor into their preliminary decisions.

In the case of Meta, the DPC did not provide any data on the estimated financial benefit the company amassed from its unlawful behavioral ads. Which -- once again -- looks terribly convenient for the tech giant.

While there's not much Internet users can do about such a gaping enforcement gap -- aside from hoping litigation funders step in and spin up more class-action style lawsuits to sue for damages on these major breaches -- EU lawmakers themselves should be very concerned.

Concerned that a flagship piece of the EU's digital rulebook -- one that's now also a key component at the heart of an expanding tapestry of regulations the bloc has been building up in recent years around data governance, to try to foster trust and get more data flowing in the hopes of fuelling a revolution in homegrown AI innovation -- is proving to be such a jelly in the face of systematic law breaking.

Rules that can't protect or correct aren't going to impress anyone over the long run. And that means the paper tiger may yet have some teeth: If the GDPR enforcement failures keep stacking up, the sour taste that leaves for EU citizens tired of watching their rights trampled might risk toppling people's trust in the whole carefully constructed 'European project'.