The Irish Data Protection Commission (DPC) has announced fines totalling €390 million against Facebook and Instagram following the conclusion of two inquiries into the platforms' parent company Meta.
The breaches relate to the processing of personal data for the purposes of behavioural advertising.
A €210m fine has been imposed on Facebook, while Instagram has been hit with a €180m penalty.
The platforms have also been ordered to bring their processing systems into compliance.
A ruling in a related case concerning WhatsApp is expected to be issued next week.
Meta has now been fined more than €1.3 billion by the DPC in the last 18 months.
Responding to the latest rulings, Meta said it will appeal the decisions.
"We strongly believe our approach respects GDPR, and we're therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines," a Meta spokesperson said.
"These decisions do not prevent targeted or personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising," the spokesperson added.
The investigations began following complaints that Facebook and Instagram users were unable to continue using the services without agreeing to the relevant 'Terms of Service'.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
The complainants argued that this constituted "forced consent" and that the associated data processing, from which users could not opt-out, in particular data processing to facilitate behavioural advertising, was in breach of the General Data Protection Regulation (GDPR).
The complainants further argued that the nature and extent of the data processing carried out on foot of the Terms of Service was unclear and not transparent and therefore also in breach of the GDPR.
When the DPC submitted its draft decisions to its fellow European data watchdogs, ten of the authorities raised objections and the matter was referred to the European Data Protection Board (EDPB).
The EDPB ordered the DPC to amend its draft decisions to include additional findings of infringement and to increase its proposed fines.
The DPC had originally proposed a fine of €36m for Facebook and a fine of €23m for Instagram.
The DPC has said it will take an action for annulment of elements of the EDPB decisions before the Court of Justice of the European Union.
The Irish data authority is taking issue with a direction from the EDPB to conduct a fresh investigation into Facebook and Instagram's data processing operations.
"The direction is then problematic in jurisdictional terms and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR," the DPC said in a statement.
"To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB's directions," the DPC said.
The Data Protection Commissioner Helen Dixon said the EDPB was seeking to rewrite the legislative framework.
"For that reason, it is necessary for us now to lodge an annulment action in our view on this," Ms Dixon said.
"Otherwise, our role as a lead supervisory authority becomes impossible and unworkable," she added.
In November 2022, Meta was fined €265m by the DPC following a data breach which saw the personal details of hundreds of millions of Facebook users published online.
In September 2022, Meta lodged an appeal in the High Court against a record fine of €405m imposed on Instagram by the DPC.
It was the largest fine ever handed down by the Irish data watchdog and was issued for breaches relating to the processing of children's data.
In September 2021, the DPC fined Meta-owned WhatsApp €225m for infringements of data protection rules.