• The Irish Data Protection Commission fined Meta over $400 million Wednesday after finding its Facebook and Instagram services breached EU privacy rules.
• The fines mark the conclusion of two lengthy investigations into Meta by the Irish regulator, which had been criticized over delays in the process.
• The DPC said that Meta must bring its data processing operations into compliance within three months.

Facebook parent company Meta on Wednesday was slapped with a pair of fines totaling more than $400 million as the Irish privacy regulator concluded the company's advertising and data handling practices were in breach of EU privacy laws.

The Irish Data Protection Commission said that Meta should be ordered to pay two fines — one, a 210 million euro ($222.5 million) fine over violations of the European Union's General Data Protection Regulation, or GDPR, and the second, a 180 million euro fine related to breaches of the same law by Instagram.

Combined, the penalties amount to 390 million euros ($414 million).

The fines mark the conclusion of two lengthy investigations into Meta by the Irish regulator, which had been criticized over delays in the process. The DPC began investigating the company on May 25, 2018, the day the EU's GDPR came into effect.

GDPR places strict requirements on firms with regard to the processing of people's information. Firms that run afoul of the rules risk facing penalties as high as 4% of global annual revenues.

In the ruling Wednesday, the DPC said that Meta must bring its data processing operations into compliance within three months. The watchdog is the lead regulatory authority for Meta and several other U.S. tech giants, which hold their headquarters in Ireland.

Meta, which changed its name from Facebook in 2021, said in a statement Wednesday that it planned to appeal the ruling. The decision does not amount to a ban on personalized advertising and businesses can continue using Meta's platforms to target users with ads, it added.

"The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user's agreement has first been sought is incorrect," a Meta spokesperson told CNBC via email.

"There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal basis is most appropriate in a given situation has been ongoing for some time," the spokesperson added.

"That's why we strongly disagree with the DPC's final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision."

A 'huge blow' to Meta's EU profits

Previously, Meta relied on a user's consent to process their information for the purposes of behavioral ads. However, after the entry into force of the GDPR, the company changed the terms of service for Facebook and Instagram, and switched the legal basis upon which it processes that information to something called "contractual necessity."

That same year, Max Schrems, an Austrian privacy activist, submitted a complaint alleging this change forced users to accept the processing of their information for ad targeting in exchange for use of the platforms.

Schrems, in a statement Wednesday, said the DPC's decision Wednesday meant that Meta would have to develop a version of its apps that doesn't use personal data for advertising within three months.

He added Meta would still be allowed to ask users for consent to ads with a "yes/no" option, however.

"This is a huge blow to Meta's profits in the EU," Schrems said. "People now need to be asked if they want their data to be used for ads or not. They must have a 'yes or no' option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent."

In December, the European Data Protection Board, which coordinates regulatory action on data privacy across the bloc, said that Meta wasn't entitled to rely on contracts as a legal basis for processing user data for targeted ads, effectively deeming the company's advertising practices illegal.

Subsequent to that move, the DPC said it found Meta was "not entitled to rely on the 'contract' legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users' data to date, in purported reliance on the 'contract' legal basis, amounts to a contravention of Article 6 of the GDPR."

The fines imposed by the DPC were raised substantially from those proposed in a draft decision in October, in which the regulator suggested a levy of between 28 million and 36 million euros.