The Data Protection Commission has recommended a fine of €36 million for Facebook Ireland over its General Data Protection Regulation (GDPR) transparency breaches.
The DPC will now share its draft decision with other EU regulators to come to a final decision. Other regulators have a month to lodge any objections.
Data Protection Commissioner Helen Dixon said "the infringements are serious in nature."
"The lack of transparency goes to the heart of data subject rights and risks undermining their effectiveness by not providing transparent information," she said.
Dixon highlighted how Facebook's GDPR breaches impacted over 50% of the population of the European Economic Area.
A 2018 complaint by Max Schrems alleges that Facebook "forced consent" from users to allow the social network to process their personal data. Users who refused to consent had no other choice but to delete their accounts.
The DPC found that Facebook were under no obligation to ask its users for their consent in order to process personal data but Facebook failed to inform its users of this legal basis.
Under GDPR, EU websites must communicate such information to its users in an easily accessible and concise manner.