Meta’s surveillance biz model targeted in UK ‘right to object’ GDPR lawsuit

Meta’s surveillance-based business model is facing an interesting legal challenge in the U.K. from an individual who’s suing over its continued processing of her data for ad targeting — despite her objection.

The legal challenge — which is being brought by human rights campaigner Tanya O’Carroll — is seeking a declaration that Meta is in breach of the regional General Data Protection Regulation (GDPR) by continuing to process her data and use it to profile her for ad targeting purposes.

She says the goal for the litigation is to use a claim over her individual rights to set a precedent to enforce the right of millions of Meta users by denying the adtech giant’s ability to track and profile people who object to its surveillance.

O’Carroll was the chief coordinator of the People vs. Big Tech campaign and a former director and co-founder of Amnesty Tech. She’s now a senior fellow at the law firm Foxglove.

Her lawsuit is not about seeking damages for privacy abuse — as is the case with another major U.K. legal challenge. It’s purely seeking to uphold (and thereby defend) individual rights. 

On paper, the European Union’s GDPR (which the U.K. transposed into national law in 2018, when local lawmakers also updated the national Data Protection Act) provides a suite of rights for individuals attached to their information — including a right to object to processing for direct marketing purposes and an unqualified right that personal data shall no longer be processed for such a purpose if the user objects.

Thing is, Meta does not offer users of its various social networking services an option to use its services without what it likes to refer to as “personalized advertising.”

Hence this legal challenge argues that it’s breaking the law by not doing so.

“We shouldn’t have to give up every detail of our personal lives just to connect with friends and family online. The law gives us the right to take back control over our personal data and stop Facebook surveilling and tracking us,” said O’Carroll in a statement.

The AWO data rights agency is representing O’Carroll. Its legal director, Ravi Naik, told TechCrunch: “Our client is objecting to any processing of her data for direct marketing purposes. That is an absolute right.”

Naik also confirmed the claimant is not seeking damages or money. “This is purely about the right to object, so non-monetary relief,” he said.

In a supporting statement, he added: “Meta is straining to concoct legal arguments to deny our client even has this right. But Tanya’s claim is straight-forward; it will hopefully breathe life back into the rights we are all guaranteed under the GDPR.”

As well as a declaration that Meta breaches the U.K. GDPR’s right to object, the claimant is seeking to force it to stop processing her data for the purpose of direct marketing — and stop related profiling of her, such as Meta drawing inferences about her to micro target ads or assigning ‘ad interests,’ ‘ad topics’ or ‘your topics’ for marketing purposes.

The claim document includes (long) lists of “ad interests” Meta assigned to O’Carroll between 16 June 2021 and 14 October 2022 — including a number of topics containing sensitive interests, despite changes it announced a year ago, when Meta said it would be removing as targeting options “topics that people may perceive as sensitive.”

Per the claimant, Meta said these changes were finalized by March 2022 — yet she found that a range of “sensitive Ad Interests” remained assigned to her as of October 14, 2022 — including topics related to politics and philosophical viewpoints; relationships and family matters; ancestry and identity; and psychological matters.

The claim document can be found here.

The case is being funded by Luminate, the Pierre and Pam Omidyar backed foundation — which is focused on supporting the rights of underrepresented people.

In a blog post about its involvement, Luminate wrote:

The case we are funding challenges Facebook’s demand that users accept personalised advertising as a condition for using the service. At its heart lies the fact that people have the right to choose to use social media to connect with family and friends, access information, or use services without being profiled. While the case is being brought by an individual in the UK, a win could set a precedent for millions of users of search engines and social media in the UK, EU, and beyond who have been forced to accept invasive surveillance and profiling as part of the online experience.

Meta was contacted for comment on the lawsuit.

A spokesman for the tech company told us:

We know that privacy is important to our users and we take this seriously. That’s why we build tools like Privacy Check-up and Ads Preferences, where we explain what data people have shared and show how they can exercise control over the type of ads they see.

‘Forced consent’ to ‘contract for ads’

This is not the first time a legality of processing type complaint has been leveled at Meta’s tracking and targeting business model.

Indeed, one of the first GDPR complaints filed after the pan-EU framework began to apply, back in May 2018, targeted what the complainant dubbed Facebook’s “forced consent” — arguing that since users were not offered a free choice to deny its tracking then consent was not being legally obtained under the GDPR.

Thing is, Meta has sought to bypass GDPR complaints targeting its surveillance-based business model by switching from an earlier claim to be obtaining user consent to process data to claiming users are actually in a contract with it to receive personalized ads.

Per the claim document, its argument for denying O’Carroll’s objection and demand to stop its processing of its data has also relied up on claiming that no one can object to its processing of their data for marketing since the core service is processing of their data for marketing.

Yet if you browse to, the marketing text that appears on the website does not tout a service that ‘helps you receive personalized ads.’ Instead it claims: “Facebook helps you connect and share with the people in your life” — with zero mention of ads (‘relevant’ or otherwise).

A draft GDPR decision by the Irish Data Protection Commission (DPC), Meta’s lead data protection supervisor in the EU, on the aforementioned ‘forced consent’ complaint — which was published just over a year ago — found Meta had infringed transparency requirements in the GDPR by not clearly communicating to users they were agreeing to its claimed ad contract when they signed up.

At the same time, however, the Irish watchdog’s draft decision appeared to be inclined to sidestep the core complaint over Meta bypassing the GDPR — with the DPC apparently opting to avoid weighing in on the tech giant’s tactic of relabeling an agreement on data use with users as a ‘contract,’ rather than consent.

This very long-running GDPR complaint over the legality of Meta’s data processing has still not resulted in a final decision — some 4.5 years after the complaint was made. So it remains to be seen where it will end up.

It won’t only be the DPC that decides the issue since other EU DPAs are able to object to draft decisions they disagree with. Although whether Meta’s surveillance business model will face a meaningful regulatory reckoning under this GDPR complaint route — or simply lead to yet another reboot and ongoing regulatory whack-a-mole — is not yet clear.

AWO’s Naik said the outcome of the legal basis complaints to enforce data protection rights against Meta’s surveillance business model are “irrelevant” to this separate ‘right to object’ complaint. “Any argument from Meta about lawfulness of processing is irrelevant to Tanya’s ‘right to object,’ so we do not need to worry where those cases go,” he told us.

Although he also predicted that if European data protection regulators do finally instruct Meta an ads contract is not viable, the company will likely seek to dodge any related enforcement by “just chang[ing] course.”

Whereas, he argues, by objecting to any processing of data for direct marketing the consequence of O’Carroll’s challenge is “more dramatic than the lawful basis argument, as it is an absolute bar.”

As a refresher, Article 21 (“right to object”) of the GDPR includes these two highly relevant clauses:

2.   Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3.   Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Nonetheless, it remains to be seen what U.K. courts will make of O’Carroll’s challenge and Meta’s claim that the right to object to use of data for marketing does not apply to its services.

Frustration with painstakingly slow enforcement of the GDPR against Big Tech is driving a growing wave of litigation around the region — including a number of legal challenges that seek to leverage rising antitrust concerns against tech giants.

O’Carroll’s GDPR-focused complaint makes passing nod to antitrust issues, with the PR announcement of the lawsuit citing a final report by the U.K.’s competition regulator, the CMA, published in July 2020 — looking at online platforms and digital advertising — which found Facebook “uses default settings to nudge people into using their services and giving up their data,” including having a requirement to “accept personalised advertising as a condition for using the service.”

It also notes the CMA observed: “Only a small minority (13%) say they are happy to share their data in return for relevant ads.”

However this antitrust element is not material to the crux of the lawsuit — which Naik confirmed is fully fixed on the GDPR’s absolute ‘right to object.’ So the suit’s success will not hinge on U.K. courts joining the dots between privacy law and antitrust concerns vis-a-vis Meta’s surveillance modus operandi.

In terms of timeframe, the litigation could take several years — depending on any appeals. Naik told us they aren’t able to put a timeframe on the complete outcome but suggested they could get a high court judgement in six to nine months.

One development that might cause concern for U.K. litigation centered on the GDPR is the government’s ongoing plan to reform (and potentially weaken) the domestic data protection regime.

The current secretary of state in charge of digital issues, Michelle Donelan, told the Conservative Party conference in October that the government would replace GDPR with a “truly” bespoke, British framework she claimed would simplify the rules to boost to business while also protecting people’s privacy and data. (However she did not spell out the exact changes ministers would make nor when they might bring a tweaked reform bill back to parliament — so much remains TBC about this U.K. GDPR ‘reform’ plan.)

Asked about the risk of a weakened framework undermining the litigation, Naik pointed out that the prior draft data reform bill did not touch the right to object — suggesting there’s therefore no danger of it being amended.

But if the U.K. government does seek to meddle with people’s right to deny use of their data for marketing it would be pretty clear which businesses had been front and center lobbying for such a ‘reform.’

Returning to the competition track, despite the CMA’s final report into online adtech raising substantial concerns more than two years ago, it (unfortunately) opted to wait for an expected (but also delayed) reform of U.K. competition rules to empower it to effectively clip the wings of Big Tech.

Delays to that domestic competition law reform may therefore also be driving an uptick in antitrust litigation and class-action-style suits against Big Tech in the U.K.

Since the CMA report was published, the regulator has ordered Meta to undo its acquisition of Giphy over competition concerns. Earlier this year, it also announced it was opening a probe of allegations of collusion between Google and Facebook (aka Meta) related to ad bidding — over an internal agreement dating back to 2018, reportedly called ‘Jedi Blue.’ So interventions are on the uptick.

But given the scale of concerns set out in the CMA’s online ads report it’s fair to expect further attention and action by the competition watchdog to Big Adtech — despite the continued failure of the U.K.’s data protection watchdog to take firm enforcement action over its own long-stated concerns about the lawfulness of behavioral advertising.

This report was updated to clarify remarks made by Naik in response to questions TechCrunch put to him about the legal basis of GDPR complaints against Meta after he made it clear his responses were not dismissive of those complaints but rather intended to emphasize that whatever the outcome is it’s irrelevant to this separate ‘right to object’ complaint.