Meta faces tough year ahead on data protection

10 January 2023 18:05 by Sam Clark, Mike Swift

Meta Platforms faces another bruising year of global data protection enforcement in 2023, with a series of cases taking aim at its business model and the possibility of more hefty fines on the horizon.

The Big Tech giant is perhaps the most controversial large-scale processor of personal data in the world, with its Facebook, Instagram and WhatsApp services ingesting the data of more than 3.7 billion regular users around the world.

Since the General Data Protection Regulation came into force in May 2018, it has been the target of constant complaints and enforcement action in the EU. In the US, civil class-action lawsuits against it abound.

Now, those attempts to tame its power — predicated almost entirely on the mass-scale collection and use of personal data to target advertising — are starting to hit home. Meta has received hefty fines and paid significant settlements, but more are to come, as are cases that could throw wrenches in its data-processing machine.

Money, money, money

The last two months have been among the costliest periods for data protection in Meta’s history, with the former Facebook on the hook for $1.22 billion: $725 million the company agreed to pay in a record settlement on Dec. 22, $415 million in fines from the Irish Data Protection Commission on Jan. 4, and another $90 million settlement in the US in mid-November for allegedly tracking its users’ activity across the Internet to better target them with ads when it suggested it wouldn’t do so.

Reflecting a continuing trend of ever-growing privacy settlements in the US, the proposed $725 million deal represents “the largest amount recovered by users in any U.S. data-privacy class action, including data-breach class actions,” the parties said in the filing for the December settlement.

But there’s more to come.

Meta Ireland’s directors’ reports and financial statements for 2021, released in November, show that it increased its estimate of expected fines from approximately 1 billion euros ($1.06 billion) at the start of 2021 to approximately 3 billion euros by year-end, with the expectation that those fines would be paid in the following two years.

In 2022, Meta Platforms Ireland and its units received approximately 700 million euros in data protection fines. With Meta setting aside 3 billion euros for 2022 and 2023, the figures suggest more large penalties are imminent — potentially up to 2.25 billion euros next year.

And in the US, it’s possible Meta could be required to pay even more than it already has. There is some precedent for that. Another federal judge in San Francisco, US District Judge James Donato, forced the company then known as Facebook to add an additional $100 million to the $550 million it initially offered to pay for a facial recognition settlement before he would agree to the deal.

That risk is exacerbated by the fact that US District Judge Vince Chhabria, who has presided over the case leading to the $725 million settlement, has repeatedly grown visibly angry with Meta and its lawyers about their conduct over the past year. He said in court last year that the company should be sanctioned for “stonewalling” discovery in the class action and that its conduct was “particularly egregious.”

Meta is likely to be hit with up to several million dollars in litigation sanctions, but a new litigation risk has emerged in recent months: The company’s alleged collection of protected medical information through its “Pixel” tracking software — inadvertently, Meta says — from hundreds of healthcare websites and apps.

Business model

Damaging though fines and settlements are, Meta has deep pockets. Arguably more worrying for the firm are attempts to scupper its business model. In the EU, that's increasingly happening through enforcement targeted at its legal basis to process data.

Under the GDPR, there are six legal bases to process data, each of which is appropriate for different scenarios. The three relevant bases for most commercial organizations are consent, “legitimate interests,” and “performance of a contract.”

In December, the Irish Data Protection Commission reached a conclusion in two long-running probes into the legal basis that Meta units Facebook and Instagram use to process data.

The regulator ruled that Meta incorrectly relied on the “contract” legal basis for Facebook and Instagram. Because it used this legal basis when it shouldn’t have, it was unlawfully processing data for targeted advertising, the watchdog ruled.

Meta’s likely appeal of those findings won’t automatically suspend a three-month deadline to comply with the GDPR’s requirements on lawful data processing, meaning Meta will need to specifically ask for a suspension, MLex understands.

On a similar front, a side-effect of the US Cambridge Analytica case is that it has also revealed data-handling practices that Meta has battled for years to keep secret, including details of “friend-sharing” in which app developers gained access not only to the personal data of Facebook users who installed their app, but also the Facebook friends of those people.

Revelations such as these go to the heart of its data-driven business model and potentially expose it to further litigation and regulatory risk.

What’s more, Meta faces a host of other legal problems in North America, including a bid by the US Federal Trade Commission to block Meta's metaverse ambitions through its purchase of virtual reality fitness app developer Within, and a potential antitrust trial as soon as the end of this year in a suit filed by the FTC and a large group of states in 2020 over Facebook’s acquisitions of Instagram and WhatsApp.

Meta is sure to fight every battle tooth and nail, but regulators and litigators are slowly homing in on its lifeblood: its ability to capture personal data.
