Whilst we are separate from the EU GDPR now, what happens in Europe still has implications for us, and especially since Meta (Facebook, Instagram, etc) terms don’t yet always have separate sections for the UK.
Since Meta has its European headquarters in Ireland, the Irish Data Protection Commission (“IDPC”) leads on EU GDPR, and the IDPC has fined Meta 390 million euros in relation to how Meta asked for user permission to collect data for personalised advertising.
You can read a fuller explanation at https://iapp.org/news/a/irish-dpc-fines-meta-390m-euros-over-legal-basis-for-personalized-ads/ but the key points that the IDPC make seem to be:
- Meta Ireland was not entitled to rely on the ‘contract’ legal basis in connection with its delivery of personalised advertising as part of Facebook and Instagram
- This approach did not allow users to evidence consent by saying ‘yes’ or ‘no’, and being able to change their mind at any time
Naturally, Meta will appeal but if the decision is upheld, it could dramatically change Meta’s model, at least in the EU.
As with a number of data protection issues at the moment, we await the UK government’s opinion on this.