PL
All cases A Meta

€390M DPC fine

The end of "performance of contract" for Meta's behavioral advertising

Explainer · 60s

Meta €390M — the end of "performance of contract" for ads

Static animation (SVG + CSS). No audio. No trackers. Open in a new window ↗

A09 — €390M DPC fine: The end of “performance of contract” for Meta’s behavioral advertising

Category: Legal basis for processing / behavioral advertising / GDPR art. 6 Company/companies: Meta Platforms Ireland (Facebook, Instagram); related €5.5M WhatsApp fine Years: May 25, 2018 (NOYB complaint), 2018–2022 (proceedings), January 4, 2023 (fine announcement) Status: Concluded; Meta switched to “legitimate interest,” then to “consent or pay” (→ see A10) Card ID: A09

Metadata

FieldValue
Country/regionEU (DPC Ireland decision, binding across the EU)
Year revealedJanuary 4, 2023 (publication of decision)
Years of practiceMay 25, 2018 – April 4, 2023 (date of final cessation of “performance of contract” use)
Total fine€390,000,000 (€210M Facebook + €180M Instagram); including WhatsApp €5.5M = €395.5M
CurrencyEUR
Legal basisGDPR art. 6(1)(b) (performance of contract) — found inapplicable; art. 5(1)(a) (transparency); art. 12, 13
Whistleblower/discovererNOYB / Max Schrems (complaints filed on the day GDPR took effect, May 25, 2018)
Number affectedAll Facebook and Instagram users in the EEA — ~260M active users
Status (today)Meta has complied; dispute shifted to A10 (€200M DMA fine for “consent or pay”)

TL;DR

On January 4, 2023, Ireland’s Data Protection Commission (DPC) announced the conclusion of two inquiries into Meta Platforms Ireland regarding the processing of personal data on Facebook and Instagram for behavioral advertising purposes. The fine: €390M (€210M for Facebook + €180M for Instagram), plus €5.5M for WhatsApp announced the same week — totaling €395.5M. The basis: complaints filed with the DPC by NOYB / Max Schrems on May 25, 2018exactly the day GDPR took effect.

The heart of the case: from the day GDPR took effect, Meta stopped asking for consent from users for targeted advertising (the earlier model being voluntary opt-in) and instead adopted a covert legal maneuver — it claimed that behavioral advertising was part of the contract between Meta and the user. Meta updated its Terms of Service on May 25, 2018: users accepting the new TOS were “entering a contract” whose “performance” required data processing for advertising (GDPR art. 6(1)(b) — “processing is necessary for the performance of a contract”). No consent, no opt-out — behavioral advertising as the product itself.

The DPC originally sided with Meta (its 2021 draft decision proposed only €28–36M in fines solely for lack of transparency). Ten other European supervisory authorities (including the Dutch AP) disagreed. The case went to the EDPB (European Data Protection Board), which in a binding decision on December 5, 2022 overturned the DPC’s position and ruled that:

  1. Behavioral ads are not necessary for performing the FB/IG contract (the service is “connecting with friends,” not “viewing targeted ads”).
  2. Meta cannot rely on art. 6(1)(b).
  3. The DPC must reissue its decision with higher fines.

For Meta, this was a blow to the foundation of its EU business model. NOYB estimates: between 2018–2023, Meta earned ~$15–30 billion in the EU from unlawful behavioral advertising. The €390M fine represents a fraction of those profits — NOYB openly criticized the DPC for not calculating the gains from the infringement, as required by GDPR art. 83.

Meta first tried to pivot to a “legitimate interest” basis (April 2023). The EDPB rejected that too. In October 2023, Meta announced its “consent or pay” model: pay €9.99 per month or accept targeting. That brought Meta a €200M DMA fine (A10) and a “Schrems IV” NOYB complaint.

For EU citizens, this is a landmark case: Meta has no right to show you targeted ads without your informed consent. It is one of the most important GDPR decisions in history — bigger in its systemic consequences than the fine amount itself.

Timeline

  • May 25, 2018 — GDPR takes effect. Meta updates Facebook and Instagram TOS, asking all EU/EEA users to accept. The new TOS embed a clause stating the user is “entering a contract” with Meta whose performance requires data processing for personalized advertising.
  • May 25, 2018NOYB / Max Schrems files complaints about the same mechanism against Facebook, Instagram, WhatsApp (and Google; the last is not part of this case). Complaint title: “forced consent.” Complaints filed in Austria, Belgium, Germany, France.
  • Late 2018 — the case lands at DPC Ireland as lead authority.
  • 2019–2021 — prolonged DPC proceedings. In 2021 the DPC issues an internal draft decision: a fine of €28–36M solely for lack of transparency; acceptance of Meta’s position on the legal basis.
  • October 6, 2021 — the DPC publishes the draft decision. Ten European DPAs (including the Dutch AP, German, French) raise objections.
  • November 2021 – 2022 — consultation procedure under GDPR art. 60. No consensus.
  • December 5, 2022EDPB issues binding decisions 3/2022 and 4/2022 (under GDPR art. 65): the DPC must change its position, find that Meta had no right to rely on “performance of contract,” and increase the fine.
  • December 31, 2022 — the DPC issues a final decision aligned with the EDPB.
  • January 4, 2023 — public announcement of the €390M fine (€210M Facebook + €180M Instagram) + order to comply within 3 months.
  • January 19, 2023 — announcement of the €5.5M fine against WhatsApp (for an analogous infringement).
  • April 2023 — Meta announces a change in legal basis: no longer “performance of contract,” but “legitimate interest” (GDPR art. 6(1)(f)).
  • June–September 2023 — the Norwegian DPA Datatilsynet issues a temporary ban on Meta’s behavioral advertising in Norway; Meta files a lawsuit in Oslo District Court.
  • October 27, 2023EDPB issues an urgent binding decision prohibiting Meta from processing data for behavioral advertising across the EEA on the basis of “legitimate interest” or “contract.”
  • October 30, 2023 — Meta announces its “consent or pay” model: €9.99/month on the web, €12.99/month on iOS/Android for an ad-free and tracking-free version; alternatively, consent to targeting.
  • October 31, 2023 — the DPC formally delivers the EDPB’s prohibition to Meta.
  • 2024 — NOYB, BEUC (European Consumer Organisation), and other groups file complaints against “consent or pay” as invalid “consent.”
  • April 17, 2024 — EDPB publishes Opinion 08/2024 on “consent or pay”: in most cases, this is not valid consent under GDPR.
  • April 22, 2025European Commission imposes a €200M DMA fine on Meta for the “consent or pay” model (→ see card A10).
  • 2025–2026 — Meta appeals all decisions; litigation continues.

Mechanism

How it worked — Meta’s legal construct

GDPR art. 6(1) lists six possible legal bases for processing personal data:

  • (a) consent
  • (b) performance of contract
  • (c) legal obligation
  • (d) protection of vital interests
  • (e) task in the public interest
  • (f) legitimate interest

Before GDPR (until May 25, 2018), Meta relied on basis (a) consent for advertising. An opt-in system: users consented to personalized ads at signup.

For a decade before GDPR, consent was “buried in the TOS” — but formally, it was consent.

On May 25, 2018, the day GDPR took effect, Meta executed a legal maneuver: instead of asking all users for renewed consent (as required by GDPR art. 7 — “freely given” consent), it switched the legal basis to (b) — “performance of contract.” The argument:

  • The TOS is a contract between Meta and the user.
  • Facebook/Instagram’s service includes personalization, including personalized advertising.
  • Personalized advertising is necessary for performing that contract.
  • Therefore, no consent is needed.

This was a rhetorical revolution: behavioral advertising stopped being an “add-on feature” requiring consent — it became the essence of the product. Just as you don’t ask a customer for consent to deliver their parcel, because it is part of the delivery contract.

Why the EDPB rejected this argument

The EDPB, in decisions 3/2022 and 4/2022 (December 5, 2022), argued:

Argument 1: The contract isn’t about that. On Facebook’s home page, Meta markets itself with the tagline “connect with friends and the world around you.” Instagram: “to bring you closer to the people and things you love.” Not a word about ads. So the contractual service is “connecting with friends,” not “viewing ads.” Advertising is a financing model, not the content of the contract.

Argument 2: “Necessity” is a high standard. Art. 6(1)(b) requires processing to be “necessary” for performing the contract. Not “useful,” not “convenient,” but necessary. You can run Facebook without ads (a subscription!). You can show contextual ads instead of behavioral ones. Behavioral advertising is not necessary to provide the Facebook/Instagram service.

Argument 3: The contract is with advertisers, not users. EDPB: “Meta has a contract with advertisers to show them users grouped demographically. That is a contract. But the user is not a party to that contract — they are its product, not its counterparty.”

Argument 4: The right to object under GDPR art. 21(2). If “performance of contract” were the basis, users couldn’t object. But GDPR art. 21(2) expressly grants an absolute right to object to direct marketing. So behavioral advertising must be based on consent, not contract.

Why this is a turning point for all of adtech

The decision isn’t only about Meta. Every company in the EU that used “performance of contract” for behavioral advertising — at risk. This includes:

  • Google (a separate process, separate case, but similar logic)
  • Twitter/X
  • TikTok
  • LinkedIn
  • Amazon
  • hundreds of smaller adtech firms

After the decision, many companies switched to consent as a legal basis — with the consequence of a drastic drop in acceptance (from forced “consent” rates of 95–99% to real consent rates of 3–15%).

Discovery

Who Max Schrems is (extended)

Max Schrems (described in detail in A07) has, since 2011, systematically used GDPR as a tool for strategic litigation. In 2017 he founded NOYB (None Of Your Business) — a Vienna-based nonprofit funded by member dues (roughly 3,000 members paying annual fees), Austrian and Dutch government grants, and private donations.

NOYB has a strategic portfolio of complaints against Big Tech — dozens against Meta, Google, Apple, Microsoft, TikTok, Instagram (before the rebranding to Meta Ireland). The complaints from May 25, 2018 were the cornerstone of that portfolio.

How the complaints of May 25, 2018 were born

Schrems describes the story: “When GDPR took effect, I opened Facebook and saw the ‘accept new TOS’ screen. I clicked and saw there was NO option ‘I do not agree.’ Only ‘continue’ — accepting. That meant only one thing: Meta assumes consent isn’t needed because advertising is part of the contract. That was the moment I understood I had to file a complaint on the first day GDPR applied.”

NOYB filed 4 complaints that same day:

  • Facebook (complaint to DPC Ireland)
  • Instagram (DPC Ireland)
  • WhatsApp (DPC Ireland)
  • Android/Google (CNIL France — separate proceedings)

First reports on the decision

  • January 4, 2023 — official DPC Ireland communiqué
  • January 4, 2023 — in parallel: Politico EU, Reuters, Financial Times, NYT, Bloomberg, Wired
  • January 4, 2023 — NOYB publishes the release “DPC fines Meta only EUR 390 million — EDPB is forcing revision”
  • January 19, 2023 — Natasha Lomas in TechCrunch: “Meta dodged a €4BN privacy fine over unlawful ads, argues GDPR complainant” — a widely cited, highly consequential article.

Key people

On the NOYB / complainants’ side

  • Max Schrems — founder of NOYB, the central figure (described in A07).
  • Monika Niedermaier, Katharina Raabe-Stuppnig — NOYB lawyers.
  • Romain Robert — senior lawyer at NOYB, specialist in adtech.

Regulators

  • Helen Dixon — Data Protection Commissioner Ireland (2014–2024). Criticized for overly lenient treatment of Meta in 2021 (draft decision of €28–36M). She later defended: “The DPC proposed a fine larger than any DPA had imposed to that date. The EDPB just required more.”
  • Andrea Jelinek — EDPB chair until 2023. Under her leadership the EDPB issued binding decisions 3/2022 and 4/2022.
  • Anu Talus — EDPB chair from 2023.
  • Aleid Wolfsen — chair of the Dutch Autoriteit Persoonsgegevens (AP); one of the key figures who raised objections to the DPC’s draft and referred the matter to the EDPB.
  • Germany’s BfDI, France’s CNIL, Italy’s Garante — also raised objections.

On Meta’s side

  • Nick Clegg — then VP Global Affairs.
  • Jennifer Newstead — Chief Legal Officer.
  • Rob Sherman — Chief Privacy Counsel at Meta.

Experts

  • Gabriela Zanfir-Fortuna (Future of Privacy Forum) — post-decision commentary: “This is probably the most important enforcement decision since GDPR took effect — not because the fine is big, but because the changes Meta will have to make to its services are fundamental.”
  • Ulrich Kelber — the then-BfDI (Germany’s federal data protection commissioner), a consistent Meta critic.

Company response

Meta

Statement (January 4, 2023): “We strongly disagree with the DPC’s final decision and believe we fully comply with GDPR by relying on ‘Contractual Necessity’ for behavioral ads given the nature of our services. We will appeal.”

Practical actions (April 2023):

  • Change of legal basis from “performance of contract” to “legitimate interest” (GDPR art. 6(1)(f)). Users received a notice that the basis had changed — but still no opt-out option.
  • The EDPB banned this in October 2023.

Practical actions (October/November 2023):

  • Rollout of the “consent or pay” model — EU users are given a choice:
    • Accept targeted ads (consent)
    • Pay €9.99/month (web) or €12.99/month (iOS/Android) for an ad-free version
  • Meta argued: “This gives users a real choice, and it is compliant with GDPR.”

DPC appeal to the CJEU

Remarkably: the DPC was not satisfied with the EDPB decision that forced it to change its position. The DPC announced an “action for annulment” before the CJEU, challenging “jurisdictional” elements of the EDPB’s decision. The DPC: “The EDPB directed us to conduct an investigation covering all processing operations of Facebook and Instagram — this exceeds our competence.”

This is a rare instance where a national DPA challenges an EU body’s decision in court. The case has been referred to the CJEU; rulings are expected in 2026–2027.

Markets

Meta’s shares dropped about 2% after the announcement. Analysts: the fine is symbolic financially, but uncertainty over the foundations of the EU advertising model is significant. Meta disclosed that ~10% of global ad revenue comes from the EU/EEA.

Jurisdictions

  1. Ireland (DPC) — original proceedings
  2. EU (EDPB) — binding decisions 3/2022 and 4/2022
  3. Norway (Datatilsynet) — temporary national ban in 2023
  4. CJEU — DPC’s action for annulment of the EDPB decision (pending)
  5. Oslo District Court — Meta v. Datatilsynet (lawsuit, 2023)
  • GDPR art. 6(1)(b) — found inapplicable to Meta’s behavioral advertising
  • GDPR art. 5(1)(a) — transparency principle (breached)
  • GDPR art. 12, 13 — information obligations (breached)
  • GDPR art. 83(5) — fines (up to 4% of global turnover)
  • GDPR art. 65 — binding EDPB decision

Key stages

DateStage
May 25, 2018NOYB complaints
October 6, 2021DPC draft
December 5, 2022Binding EDPB decision
January 4, 2023Final DPC decision — €390M
April 2023Meta → “legitimate interest”
October 27, 2023EDPB prohibition
October 2023Meta → “consent or pay”
  • CJEU C-252/21 Meta v. Bundeskartellamt (July 4, 2023) — ruling in the German competition regulator’s case; confirms that combining data across Meta services without consent breaches GDPR. Strengthens NOYB’s position.
  • CJEU C-252/21 — the key ruling: “when a person clicks ‘I accept’ in order to use a service, one cannot automatically infer that they have consented to the processing of their data for advertising purposes.”

Penalties and settlements

DateAuthorityAmountJurisdictionBasis
January 4, 2023DPC Ireland€210,000,000 (Facebook)EUGDPR art. 6(1)(b), 5(1)(a)
January 4, 2023DPC Ireland€180,000,000 (Instagram)EUGDPR art. 6(1)(b), 5(1)(a)
January 19, 2023DPC Ireland€5,500,000 (WhatsApp)EUGDPR art. 6(1)(b)
Total€395,500,000

In addition: an order to comply within 3 months (not met on time → further fines).

Precedents and implications

For EU law

  • A landmark GDPR enforcement decision — the first that forced Meta into a fundamental change to its EU advertising model.
  • Strengthens the EDPB’s authority over national DPAs (similar to A07).
  • Foundation for further proceedings: A10 (€200M DMA consent or pay), NOYB cases against Instagram, LinkedIn, X.
  • Impulse for the EU AI Act (2024) and AI regulation — similar logic of “not every utility justifies processing.”

For US law

  • No direct impact, but an argument in the debate over the American Privacy Rights Act (APRA).
  • Reinforcement of CCPA / CPRA in California — a similar necessity-vs-convenience distinction.

For Big Tech practice

  • The end of “performance of contract” for adtech in the EU. All major players had to change their legal basis.
  • Growth of the “Pay or Okay” movement — like Meta, The Guardian, Der Spiegel, and Le Monde are rolling out subscriptions as an alternative to ads. The EU media ecosystem is now divided: some outlets see “pay or okay” as legitimate business, others (such as Germany’s Taz) — as coercion.
  • Regulatory fatigue — NOYB files complaints at a pace where most EU DPAs now have two-year backlogs in processing them.

Class actions

The case was resolved at the regulatory level, without classic class actions. However, there are indirect consequences:

CaseCourtStatusValueBasis
NOYB complaints v. Meta (consent or pay)Various DPAsPendingGDPR art. 7
Meta v. DatatilsynetOslo District CourtPending
DPC v. EDPB (action for annulment)CJEUPendingGDPR art. 65

Conclusions for citizens

Portal section — practical.

What does this mean for me?

As a Facebook / Instagram user in the EU, you were subjected, starting May 25, 2018, to unlawful data processing for behavioral advertising purposes — for nearly 5 years. Meta used your data without a valid legal basis. After the DPC’s January 2023 decision, Meta had to change its model: instead of default targeting, it introduced “consent or pay” (pay ~€10/month or agree to behavioral advertising). This too is being challenged (card A10), but right now, for you, there is a choice:

  1. Don’t pay and agree to behavioral ads (the default)
  2. Pay ~€10/month for a version without behavioral ads
  3. Leave the platform

How to protect yourself?

  1. Check your Meta ad preferences right now:
    • Settings → Account Center → About you → Ad interest categories
    • Delete all categories Meta has associated with you
    • You can’t disable profiling itself — you can only narrow the categories
  2. Use GDPR art. 21 — email dpo@meta.com demanding objection to processing for direct marketing. This is an absolute right. Meta must comply within 30 days.
  3. Submit an access request (art. 15) — see the full list of data Meta holds about you, including behavioral inferences (inferred data).
  4. Install tracker blockers — uBlock Origin, Privacy Badger, Brave browser.
  5. Turn on “Limit Ad Tracking” on iOS/Android — restricts the advertising identifier.

What rights do I have?

Key GDPR rights (tenth anniversary in 2028!):

  • Art. 6 — the right to have your data processed only on a valid legal basis. Behavioral advertising requires consent or a narrowly construed legitimate interest.
  • Art. 7 — consent must be freely given, informed, unambiguous, specific, and revocable. Forced consent (“accept the TOS or you can’t use it”) is unlawful.
  • Art. 21(2) — an absolute right to object to direct marketing.
  • Art. 22 — the right not to be subject to automated decisions, including profiling.
  • Art. 82 — the right to compensation for harm (after the CJEU’s VB v. NAP ruling, 2023, even fear of misuse = non-material damage).

Where to file a complaint?

  • Poland: UODO, uodo.gov.pl — complaints can be filed electronically
  • NOYB: noyb.eu — supports collective complaints from Polish citizens
  • BEUC: European Consumer Organisation — coordinates consumer complaints

Note for mediators, lawyers, marketers, and business owners

This case has direct implications for anyone running online marketing:

  1. If you run Meta Ads / Google Ads / TikTok Ads campaigns — you are a joint controller of data together with the platform. Your GDPR liability is joint and several.
  2. If you embed the Meta Pixel on a company website — your site transfers visitors’ data to Meta, where it is processed without a valid legal basis. In 2024–2025, more than a dozen EU DPAs imposed fines on companies for Meta Pixel without valid cookie consent.
  3. Update your privacy policies — information about the legal basis must be clear and specific (see: the DPC decision required a “clear linkage from: personal data → processing operations → purposes → legal basis”).
  4. For mediators — professional and commercial disputes are increasingly raising the thread of “unlawful behavioral advertising as competitive harm.” This is a new class of disputes.

Context

  • Complaint filed May 25, 2018 — exactly the day GDPR took effect. Max Schrems personally clicked “accept” on Facebook and Instagram to have proof of the “forced consent” manipulation. Then within 24 hours he drafted the complaints.
  • NOYB argued the fine should have been ~€4 billion (4% of Meta’s 2022 global turnover — $116 billion). €390M is 0.3% of turnover, far below the maximum. NOYB: “Once again the DPC protects Meta — this is a structural problem with the Irish DPA.”
  • The DPC did not calculate Meta’s gains from unlawful processing — this was a central NOYB objection. GDPR art. 83 requires a “deterrent effect” — the fine must reflect the gains from the infringement. NOYB estimates: Meta has earned ~$15–30 billion in the EU from unlawful behavioral advertising since 2018.
  • The DPC openly challenged the EDPB decision — an unprecedented move by a national regulator against an EU body. The CJEU case is a deep test of the integrity of GDPR enforcement.
  • The first fine of May 25, 2018 — Facebook received zero complaints in the opening days of GDPR. NOYB was the only organization prepared to act immediately. Without Schrems, the GDPR system would have had a far weaker start.
  • Meta changed its legal basis 3 times in 6 months: contract (until January 2023) → legitimate interest (April 2023) → consent or pay (October 2023). Every change was forced by a regulator.
  • The Dutch AP was key to escalating the case to the EDPB. Aleid Wolfsen (chair) publicly criticized DPC Ireland: “If the DPC cannot enforce GDPR against the largest company in its jurisdiction, then the entire one-stop-shop system is a fiction.”
  • Gabriela Zanfir-Fortuna (Future of Privacy Forum) described the case as “the most important GDPR decision in history,” more important than the €1.2 billion fine itself (A07). Because it changes the business model, not just imposes a financial sanction.
  • WhatsApp also received a fine (€5.5M), but for a different reason: it had adopted “legitimate interest” for security personalization (anti-spam), and the EDPB ruled this should have been consent.
  • The EU Parliament’s LIBE committee called on the European Commission to initiate infringement proceedings against Ireland for systemic neglect of GDPR enforcement (2023–2024). The procedure was not opened, but it became a political issue.
  • Meta’s “consent or pay” subscription — at €9.99–12.99 per month was criticized as grossly high relative to Meta’s actual revenue per average EU user (~€60/year = €5/month). NOYB: “Meta is arbitrarily pricing privacy at twice its value — this is de facto coercion.”
  • Polish context: UODO President Jan Nowak (in office 2019–2023) consistently backed the EDPB’s stricter position on Meta. The Polish UODO was among the DPAs that raised objections to the DPC’s draft.

Sources

  1. Data Protection Commission Ireland, “Irish Data Protection Commission announces conclusion of two inquiries into Meta Ireland,” January 4, 2023. URL: https://www.dataprotection.ie/en/news-media/press-releases/irish-data-protection-commission-announces-conclusion-two-inquiries-meta-ireland (accessed: 2026-04-17)

  2. European Data Protection Board, “Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service,” December 5, 2022. URL: https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-32022-dispute_en (accessed: 2026-04-17)

  3. European Data Protection Board, “Binding Decision 4/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Instagram service,” December 5, 2022. URL: https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-42022-dispute_en (accessed: 2026-04-17)

  4. NOYB, “DPC fines Meta only €390 million — EDPB is forcing revision,” January 4, 2023. URL: https://noyb.eu/en/dpc-fines-meta-only-eu-390-million-edpb-forcing-revision (accessed: 2026-04-17)

  5. Natasha Lomas, “Meta dodged a €4BN privacy fine over unlawful ads, argues GDPR complainant,” TechCrunch, January 19, 2023. URL: https://techcrunch.com/2023/01/19/meta-ads-noyb-epdb-gdpr-complaint/ (accessed: 2026-04-17)

  6. Hunton Andrews Kurth, “Meta Fined €390 Million by Irish DPC for Alleged Breaches of GDPR, Including in Behavioral Advertising Context,” January 20, 2023. URL: https://www.hunton.com/privacy-and-information-security-law/meta-fined-e390-million-by-irish-dpc-for-alleged-breaches-of-gdpr-including-in-behavioral-advertising-context (accessed: 2026-04-17)

  7. Stibbe, “Meta Ireland fined €390 million for unlawful legal basis,” January 26, 2023. URL: https://www.stibbe.com/publications-and-insights/meta-ireland-fined-eu390-million-for-unlawful-legal-basis (accessed: 2026-04-17)

  8. McCann FitzGerald, “Data Protection Commission fines Meta €395.5 million over GDPR infringements in Terms of Use,” January 27, 2023. URL: https://www.mccannfitzgerald.com/knowledge/data-privacy-and-cyber-risk/data-protection-commission-fines-meta-over-gdpr-infringements (accessed: 2026-04-17)

  9. CJEU, judgment in Case C-252/21 Meta Platforms Inc. and others v. Bundeskartellamt, July 4, 2023. URL: https://curia.europa.eu/juris/document/document.jsf?docid=275125&doclang=EN (accessed: 2026-04-17)

  10. European Data Protection Board, “Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models implemented by Large Online Platforms,” April 17, 2024. URL: https://edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-082024-valid-consent-context-consent-or_en (accessed: 2026-04-17)

  11. European Data Protection Board, “Urgent Binding Decision 01/2023 on the request of the Norwegian SA concerning Meta Platforms Ireland Limited,” October 27, 2023. URL: https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-66/urgent-binding-decision-012023-request_en (accessed: 2026-04-17)

  12. Datatilsynet (Norway), “Vedtak om forbud mot adferdsbasert markedsføring” (decision banning behavioral advertising), July 14, 2023.

  13. NOYB, original complaint against Facebook, May 25, 2018 — document available on NOYB’s website.

  14. Wyrick Robbins Privacy Blog, “Less Is More, Too Much Is Not Enough: What the Irish DPC’s €390 Million Fine Against Meta Could Mean for Your Privacy Notice,” January 19, 2023.

  15. Data Privacy Manager, “DPC fines META €390 million for violation of the GDPR,” January 18, 2023.

Last updated: 2026-04-17 Card in database: A09_kara_390mln.md

Related cases

Cases that share a company, mechanism, legal precedent or jurisdiction.