EU's Recent Penalty Against Meta Demonstrates the Basic Flaws in GDPR
In a landmark decision, the European Data Protection Board (EDPB) has imposed a €390 million fine on Meta Platforms Inc., the parent company of Facebook and Instagram, for allegedly failing to use an appropriate legal basis to collect and process user data for behavioural advertising under the General Data Protection Regulation (GDPR).
The fine, which stems from allegations that Meta did not use a lawful basis to collect and process user data, marks a significant step in the ongoing conversation about data privacy in Europe. The GDPR, which was intended to create a clear set of harmonized rules for the European digital single market, has faced criticism for creating a regulatory minefield for businesses, despite millions being spent on compliance and the hiring of additional data protection officers.
The EDPB's decision sends a clear message to the private sector that EU regulators may be making up the rules as they go along, a concern that has been voiced by many businesses. However, the decision also reinforces the EU's commitment to protecting consumer privacy, even though Facebook and Instagram do not sell user data but use it to show targeted ads.
The fine requires Meta to rewrite its privacy policy to use a different legal basis from the GDPR for operating Facebook and Instagram. This could have significant operational implications for businesses, especially those designated as "gatekeepers" in the EU digital market. The EDPB and European Commission have determined that Meta's "pay or consent" model, which required users to either consent to broad data tracking or pay a subscription fee, did not allow for a genuinely equivalent, less personalized alternative at no cost, as required by both GDPR and the Digital Markets Act (DMA).
The ruling establishes a clear precedent for digital businesses: consent walls or paid alternatives that restrict basic service features are unlikely to be compliant if a free, less-personalized option is not offered. Companies relying on data-driven revenue models must now ensure they provide real choice beyond "pay or consent," which may require redesigning service tiers and data handling flows.
The decision also highlights the increasingly prescriptive and binary regulatory framework for large platforms in the EU. The DMA, which applies directly to designated gatekeepers, does not allow interpretive disputes or delays once a company is designated; non-compliance is not an option. This means that regulatory requirements are non-negotiable and compliance must be swift, reducing companies’ ability to influence or delay enforcement through legal disputes.
However, the legal process around EDPB opinions also illustrates a paradox in regulatory certainty. Meta’s attempt to legally challenge the EDPB’s binding opinion was dismissed by the General Court, which found that the opinion did not have direct legal effect and could not be challenged under Article 263 TFEU. This creates a potentially uncertain environment for companies navigating the interplay between GDPR, DMA, and the procedural status of EDPB decisions.
In conclusion, the EDPB’s binding decision on Meta’s data collection creates immediate operational pressures for digital businesses to restructure consent and data practices, and long-term regulatory pressures under the DMA to comply with strict, non-negotiable rules. While the substance of the regulations provides clarity, the enforcement and legal challenge process introduces a layer of uncertainty, shaping how companies navigate GDPR and DMA compliance in the European digital market.
- The GDPR, a regulation aimed at harmonizing data privacy rules in Europe, has faced criticism for being too complex and onerous for businesses, despite extensive efforts towards compliance and the hiring of data protection staff.
- The EDPB's penalty towards Meta Platforms Inc. emphasizes the EU's commitment to consumer privacy, underscoring the need for digital businesses to offer real choices in data handling beyond a "pay or consent" model.
- The fine on Meta should serve as a clear signal to businesses operating in the EU digital economy that they must restructure their data collection and consent practices in accordance with stringent GDPR rules.
- In the wake of the EDPB's decision, education and self-development in the area of technology, particularly regarding GDPR and the Digital Markets Act (DMA), will be crucial for companies aiming to stay compliant and avoid hefty fines.
- The dispute resolution process surrounding EDPB opinions raises questions about regulatory certainty, as companies may find it challenging to navigate the interplay between GDPR, DMA, and the procedural status of EDPB decisions.