Major privacy complaints targeting the legality of Meta’s core advertising business model in Europe have finally been settled via a dispute resolution mechanism baked into the EU’s General Data Protection Regulation (GDPR).
The complaints, which date back to May 2018, take aim at the tech giant’s so-called forced consent to continue tracking and targeting users by processing their personal data to build profiles for behavioral advertising, so the outcome could have major ramifications for how Meta operates if regulators order the company to amend its practices.
The GDPR also allows for large fines for major violations — up to 4% of global annual turnover.
The European Data Protection Board (EDPB), a steering body for the GDPR, confirmed today it has stepped in to three binding decisions in the three complaints against Meta platforms Facebook, Instagram and WhatsApp.
The trio of complaints were filed by European privacy campaign group noyb as soon as the GDPR entered into application across the EU. So it’s taken some 4.5 years just to get to this point.
The EU’s flagship data protection regulation has been much criticized for the slow pace of enforcement on major cross-border complaints against tech giants, and this clutch of strategic complaints is one of a handful of poster children for those gripes. But while decisions are now finally in sight, the wrangling could still continue — since Meta may appeal against any enforcement, both in Irish courts and in front of EU judiciary (in the case of the EDPB’s binding decisions), potentially putting any corrective orders on hold pending the outcome of its appeals.
What exactly has been decided? The EDPB is not disclosing that yet. The protocol it’s following means it passes its binding decisions back to the Irish Data Protection Commission (DPC), Meta’s lead privacy regulator in the EU, which must then apply them in the final decisions it will issue.
The DPC now has one month to issue final decisions and confirm any financial penalties. So we should get the full gory details by early next year.
The Wall Street Journal may offer a glimpse of what’s to come: It’s reporting that Meta’s ad model will face restrictions in the EU — citing “people familiar with the situation.”
It also reports the company will face “significant” fines for breaching the GDPR.
“The board’s rulings Monday, which haven’t yet been disclosed publicly, don’t directly order Meta to change practices but rather call for Ireland’s Data Protection Commission to issue public orders that reflect its decisions, along with significant fines,” the WSJ wrote, citing unnamed sources.
Covering the WSJ’s report, Reuters noted that shares in Meta fell 5.3% in morning trading following the development.
A spokesperson for the EDPB confirmed it cannot comment on the substance of the binding decisions it’s taken.
“In line with Art. 65 (5) GDPR, we cannot comment on the content of the decisions until after the Irish DPC has notified the controller of its final decisions,” she told TechCrunch. “As indicated in our press release, the EDPB looked into whether or not the processing of personal data for the performance of a contract is a suitable legal basis for behavioural advertising, but at this point in time we cannot confirm what the EDPB’s decision in this matter was.”
The DPC also declined to comment on the newspaper’s report — but deputy commissioner Graham Doyle confirmed to us that it will announce binding decisions on these complaints in early January.
We’ve also reached out to Meta for a response to the development.
Update: A Meta spokesperson sent this statement:
“This is not the final decision and it is too early to speculate. GDPR allows for a range of legal bases under which data can be processed, beyond consent or performance of a contract. Under the GDPR there is no hierarchy between these legal bases, and none should be considered better than any other. We’ve engaged fully with the DPC on their inquiries and will continue to engage with them as they finalise their decision.”
The company was recently spotted in a filing setting aside €3 billion for data protection fines in 2022 and 2023 — a large chunk of which has yet to land.
GDPR fines for Meta so far this year include a €265 million penalty for a Facebook data-scraping breach last month; €405 million for an Instagram violation of children’s privacy back in September; and €17 million for several 2018 Facebook data breaches issued in March — plus France’s data protection watchdog hit Meta with a €60 million penalty in January over Facebook cookie consent violations of the EU’s ePrivacy Directive — for a total of €747 million in publicly disclosed EU data protection and privacy fines…so, per its filing, the tech giant appears to be expecting 2023 to be considerably more expensive for its European business.
One thing is clear: A lot is at stake for the company.
As the EDPB’s press release confirms, its decisions “settle[s], among others, the question of whether or not the processing of personal data for the performance of a contract is a suitable legal basis for behavioural advertising, in the cases of Facebook and Instagram, and for service improvement, in the case of WhatsApp.”
So, depending on what’s been decided, Meta could finally be forced to ask users if they want to be tracked — a choice the adtech giant currently denies. On Facebook and Instagram it’s either agree to be profiled and targeted — or no service for you.
If Meta is forced to ask users if they want “personalized” ads (its favored euphemism for surveillance ads), that is definitely big news — given that rates of denials when web users are actually given a choice over targeted ads are typically very high. (See, e.g., Apple’s App Tracking Transparency “request to track” feature for third-party iOS apps, where denials were running at around 75%, per Adjust data released earlier this year and covered by MediaPost.)
The crux of noyb’s original complaints against Meta services was that users were not offered a choice to deny its processing for advertising — despite the GDPR stipulating that if consent is the legal basis being claimed for processing personal data, it must be specific, informed and freely given. (Not, er, bundled, manipulated and forced!)
However — plot twist! — it later emerged that as the GDPR came into application, Meta had quietly switched from claiming consent as its legal basis for this behavioral advertising processing to saying it is necessary for the performance of a contract — and claiming users of Facebook and Instagram are in a contract with Meta to receive targeting ads.
This argument implies that Meta’s core service is not social networking; it’s behavioral advertising. Max Schrems, noyb’s honorary chairman and long-time privacy law thorn in Facebook’s side, has called this an exceptionally shameless attempt to bypass the GDPR.
A draft decision by Ireland’s DPC on the complaints that was published by noyb last year (much to the DPC’s chagrin) revealed the Irish regulator had not been minded to object to Meta’s consent bypass. However, other EU DPAs — which are able to lodge objections to a lead supervisor’s draft decision under the GDPR’s one-stop-shop mechanism for dealing with cross-border complaints — did object, and months of regulatory wrangling followed as different EU regulators slugged it out to see if they could agree.
Evidently, in this case, the DPAs could not find consensus between themselves — hence the EDPB stepping in with binding decisions now. And the Board’s decision is final.
Responding to this development — and citing the WSJ’s reporting — noyb writes in a press release that the EDPB has overturned the DPC’s much derided draft decision (which had also only proposed a paltry fine of $36 million), saying the decision “requires that Meta may not use personal data for ads based on an alleged ‘contract.'”
“Users will therefore need to have a yes/no consent option,” it said — dubbing the outcome a “win” (even without knowing the exact size of the “substantial” fine it says was requested by the EDPB).
Other forms of advertising by Meta — like contextual ads where targeting is based on the content of the page being viewed — are not prohibited under the EDPB’s decision, per noyb, which predicts the decision will nonetheless “dramatically” limit Meta’s profits in the EU.
In a statement, Schrems said: “Instead of having a yes/no option for personalized ads, [Meta] just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”
“This is a huge blow to Meta’s profits in the EU,” he added. “People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes’ or ‘no’ answer and can change their mind at any time. The decision ensures a level playing field with other advertisers that also need to get opt-in consent.”
noyb’s take on the development also pours cold water on the prospect of any Meta appeal against this GDPR smackdown to its core business model — calling the chances of the company winning such an appeal “minimal” since the final decisions have been handed down by the EDPB, an expert body that’s responsible for ensuring harmonized application of the GDPR across the bloc (by, for example, providing guidance on how the rules should be applied in practice).
It also points to two similar cases already before the Court of Justice of the EU (CJEU) on Meta’s consent bypass — suggesting those “may settle the issue and all appeals for good.”
noyb further suggests Meta could face legal action from users — “over the illegal use of their data for the past 4.5 years.”
Meta is already facing a number of class action privacy-citing suits in Europe. Further GDPR enforcement will only dial up more momentum for damages claims as litigation funders scent victory.