For online services, a general maxim to keep in mind is that if you don’t have to pay a fee for the service, then you are the product. Facebook certainly follows this rule, as the site makes most of its money by selling user information to companies that will then use it for targeted consumer advertising.
These ads are the basis of a fine given to Meta, the parent company of Facebook and Instagram, by the Irish Data Protection Commission (DPC). This fine was doled out because of the company’s violation of EU privacy rules, and consists of €210 million ($223 million) for Facebook and €180 million ($191 million) for Instagram.
The specific privacy rule that was violated was the EU’s General Data Protection Regulation (GDPR), which is supposed to increase people’s control and rights over their personal data. The law was enacted on 2 May, 2018, and the DPC immediately started investigating Facebook and Instagram’s ad practices after the passage. The Commission has been criticized over the long delay in declaring that these social media sites were violating privacy regulations, but at least the Commission came to the right conclusion in the end.
After the DPC ruled that Meta’s ad practices violate the GDPR, the Commission said that the company must bring itself into compliance with the regulation in three months. The penalty for continuing to violate the regulations could be 4% of the company’s annual global revenues. Spokespeople from Meta have said that they disagree with the DPC’s conclusion and plan to appeal the decision.
Right now, sites like Instagram and Facebook operate under “contractual necessity,” where the user must agree to share their personal data in order to use the site. Yet the DPC said that this practice in particular was a violation of the GDPR. When users are given the chance not to share their personal data as part of using these sites, it’s likely that many people would choose not to do so.
Such refusal of people to have their personal data sold off would have a significant impact on Meta’s profits in the EU region. So much of the company’s social media site revenue depends on targeted ads and harvesting user data.
Because it is so likely that Meta will appeal the DPC’s decision, the process of actually implementing the fines will possibly last months. In addition, given the power of a company like Meta, it is sadly within the realm of possibility that they could escape the fines altogether. But if the DPC manages to successfully fine Meta for its violation of EU privacy laws, then this case could be a major step forward for privacy rights online.
It is not inevitable that we live in a world where our personal data is sold off without our true consent. There are paths to stopping this practice in the relatively early stages, and reclaiming a bit of privacy for ourselves.