In the latest instance of US Big Tech companies being hit with privacy fines in Europe, Facebook-parent Meta  has been slapped with hefty fines that amount to nearly €400 million ($414 million).

A fine of €210 million has been imposed on Meta’s Ireland business (in the case of Facebook), while it has been hit with another fine of €180 million (in the case of Instagram). In an official release, the Data Protection Commission (DPC) informed that the increased amount of the fines also reflected the views of the European Data Protection Board (EDPB) “in relation to Meta Ireland’s breaches of its obligations in relation to the fair and transparent processing of users’ personal data.”

To add to the fines, Meta’s Ireland business has been directed to bring its data processing operations into compliance with the GDPR and has been provided with a window of 3 months to do so, piling up the pressure on the company’s sources of revenue. The imposition of the financial penalties heralds the conclusion of two four-year-old probes that the DPC had been conducting over Meta’s violations of online privacy, infringing the General Data Protection Regulation (GDPR) in the EU, and illegally forcing users to accept personalized ads. The inquiries, for their part, stemmed from complaints filed in May 2018 – when the GDPR came into effect.

Meta Ireland had earlier relied on getting informed consent from users to process their personal data to serve them personalized advertisements. In advance of the GDPR coming into force, the company changed the Terms of Service for Facebook and Instagram, as well as the legal basis for processing the personal data of its users. Under the new rules – where Meta placed the legal consent within the terms of service – users were effectively forced to consent to the usage of their data or stop using Meta’s services. Meta considered that a contract was entered into upon acceptance of the updated 2018 terms that made such advertising lawful and that the processing of user data was essential to provide personalized ads.

If slamming Meta with hefty financial penalties was not enough, the results of the inquiries also leave the social media company scrambling for a new legal basis for its targeted advertising business. Not only does this defeat (on Meta’s part) shake up its business model of advertising, but it also serves as a warning for other firms who are trying to maintain their revenue from targeted advertising and continue to adhere to the law.

The latest development adds to Meta’s ever-increasing headaches (aka fines) in Europe when it comes to user privacy. Not only does it get slammed with fines– a total of $747 million was imposed in fines upon Meta last year, but it is now groping its way to revamp its business model to adhere to privacy and data protection laws. This comes even as the company had a poor outing in 2022, where its fortunes continued to fall amidst mass layoffs and a steep drop in its revenue and stock price.

For its part, Meta said that it was “disappointed” with the decisions. “We strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioral ads given the nature of our services,” said a spokesperson for Meta. “As a result, we will appeal the substance of the decision.”

“Since GDPR came into force, Meta has relied on Contractual Necessity to process the data needed to provide behavioural advertisements in the EU. We have always been open with regulators and courts about this, and in previous assessments of our services they did not object to the use of Contractual Necessity for this type of activity,” the company said in a blog post.