Lengthy privacy notices included in a social media platform’s terms of service can do little to help it comply with transparency requirements under European law, according to recently revealed documents from a case in which Meta was fined €390 million ($414 million).
The documents have been released by noyb, the privacy law campaign group founded by Max Schrems, the lawyer who has twice successfully challenged US-EU data sharing, including the cases (Schrems I and II) that defeated the US Safe Harbor and Privacy Shield agreements.
Despite nominally winning the case, noyb said it might further pursue its claim because, in its view, Ireland’s Data Protection Commission (DPC) gave Meta too long to comply with the ruling and imposed fines that were too low.
A legal saga between Meta, Ireland and the European Union reached a landmark earlier this month when the DPC meted out a combined €390 million ($414 million) fine for violations of the EU’s General Data Protection Regulation, and directed the social media group to “bring its data processing operations into compliance within a period of 3 months.”
The DPC’s verdict followed the European Data Protection Board’s (EDPB) ruling in December to overturn a previous decision from the DPC that allowed Meta to add data use consent into its terms of service, seemingly in an attempt to bypass the EU’s GDPR’s requirement for explicit consent.
The ruling assessed the question of whether, for the purposes of personalized ads, Meta provided sufficient notice to users about how