Meta has been fined more than $400 million for ad targeting practices

Irish regulators on Wednesday fined Facebook parent Meta millions of dollars for online privacy breaches and banned the company from forcing European users to consent to personalized ads based on their online activities.

The Irish Data Protection Commission issued two fines totaling €390 million ($414 million) in two cases that could shatter Meta’s business model, which targets users with ads based on their online activities.

The supervisor fined Meta €210 million for violating the European Union’s strict data protection rules on Facebook and another €180 million for violations on Instagram.

It is the Commission’s latest fine for Meta for data protection breaches, after four more fines totaling more than €900 million have been imposed on the company since 2021.

The decision follows complaints filed in May 2018 when the EU’s 27-nation data protection rules, known as the General Data Protection Regulation, or GDPR, came into effect.

Previously, Meta relied on obtaining informed consent from users to process their personal information to serve them personalized or behavioral ads. When the GDPR came into force, the company changed the legal basis on which it processes user data by adding a clause to the advertising terms of service, effectively forcing users to consent to the use of their data. This violates EU data protection regulations.

The Irish regulator initially sided with Meta, but changed its position after the draft decision was sent to a panel of EU data protection authorities, many of whom objected.

In its final decision, the Irish regulator said that Meta “is not entitled to rely on the legal basis of ‘contract’ to deliver behavioral advertising on Facebook and Instagram.”

Meta said in a statement that “we firmly believe that our approach respects the GDPR and as such we are disappointed with these decisions and intend to appeal both the content of the judgments and the fines.”

The Irish supervisory authority is Meta’s leading European data protection authority as its regional headquarters are in Dublin.