In 2025, we have compiled some of the fines, ongoing legal proceedings, and other updates to explain in a simple way what is happening with this company that we all use.
Remember that Meta Platforms Inc. is the parent company that controls Facebook, Instagram, WhatsApp, and Messenger, so yes… this definitely affects you!
Update! Meta must minimize its use of personal data
On Friday, October 4th, 2024, the Court of Justice of the European Union (CJEU) fully upheld an individual's lawsuit against Meta regarding its Facebook service. The plaintiff claimed that the platform was showing him ads related to his sexual orientation, even though he had never shared that information with the platform.
The case revolved around whether making personal information public through another channel gives the platform permission to process that data for personalized advertising purposes. The court ruled that the use of personal data for online advertising must be "minimized" and that public data can only be processed for its originally intended purposes.
This ruling means that Meta can no longer use data collected since 2004 indefinitely for advertising, regardless of user consent. Additionally, the court rejected the idea that public criticism of data management allows the processing of personal information. This decision protects the right to privacy and prevents people from losing data protection simply for speaking publicly about illegal data processing.
In 2008, tax reasons led Meta to establish its European operations center in Ireland, but it now faces an active Data Protection Authority (DPA) there: the Irish Data Protection Authority. This organization, which is the only one with the territorial authority to impose privacy-related fines on the company, has sanctioned Meta with multimillion-euro fines on multiple occasions. These penalties have resulted from self-initiated investigations, support for other European DPAs, or complaints from NGOs and similar organizations.
Here is a summary of the fines Meta has faced:
Meta was fined €91 million by the Irish Data Protection Commission (DPC) in October 2024 for storing certain Facebook user passwords in plain text within its internal systems. (Proper security measures require at least basic cryptographic protection, obviously.)
This incident, which occurred in 2019, represented another violation of General Data Protection Regulation (GDPR) rules, specifically Article 5(1)(f), which states that personal data must be processed in a manner that ensures appropriate security. This includes protection against unauthorized or unlawful processing and accidental loss, destruction, or damage.
Graham Doyle, Deputy Commissioner of the DPC, highlighted the seriousness of Meta’s mistake in storing passwords in plain text, emphasizing the risks of potential misuse. A Meta spokesperson stated that the company took "immediate action" after discovering the error in its password management processes and worked constructively with the DPC throughout the investigation.
Meta has not only received the largest fine for GDPR violations since the regulation began to be enforced but also holds the record for the highest number of major fines.
Meta’s controversy regarding Artificial Intelligence (AI) focused on its intention to process EU/EEA user data to train AI models using public content from Facebook and Instagram. This raised concerns about privacy and GDPR compliance, leading an NGO to file 11 complaints with data protection authorities (one of them in Spain!).
In response, the European Data Protection Board (EDPB) issued several resolutions:
Due to all these regulatory changes, Meta has had to adjust its products to comply with European regulations.
In the past six months, Meta has modified Facebook metrics, removing demographic data such as age and gender for privacy reasons. It has also focused on individual post metrics, limiting historical data to 90 days and excluding certain ads. This impacts total reported clicks and engagement.
To separate organic and paid engagement, users must now connect specific advertising accounts. These changes affect analytics platforms like Sprout Social and Hootsuite, which can no longer access certain page-level engagement metrics.