To wit: In remarks today, following the publication of two final decisions against Meta by EU privacy regulators applying the EU’s General Data Protection Regulation (GDPR) to Facebook and Instagram — decisions which include a total of around $410 million in fines (still with a third decision against WhatsApp due shortly), along with orders to correct its unlawful data processing within three months — the European Data Protection Board (EPBD) has issued a clear warning to other businesses that seek to ignore EU data protection rules by not providing users with a choice over being subject to tracking for behavioural advertising.
“The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model,” said EDPB chair, Andrea Jelinek, in a statement.
The Board also dubbed the relationship between Meta and its users “imbalanced”, citing “grave breaches” of transparency obligations it said had “impacted the reasonable expectations of the users”, as well as criticizing the tech giant for presenting its services to users “in a misleading manner” — which led to the EDPB also finding a breach of the GDPR’s fairness principle as well as transparency failings.
The supervisory body oversees application of the EU’s GDPR with the aim of ensuring consistency in how the law is applied by regulators in Member States. And it was ultimately responsible for striking down Meta’s bogus claim of contractual necessity for behavioral ads — issuing a binding decision that forced the company’s lead data protection regulator for the GDPR, the Irish Data Protection Commission (DPC), to reverse a conclusion it had arrived at in its 2021 draft decision and find that Meta’s practice of forcing consent to tracking ads through a claim of contractual necessity is unlawful.
Behavioral advertising refers to a form of targeted advertising whereby the choice of ad served is determined as a result of tracking and profiling individual users via their online activity (and sometimes also by combining offline data-sets to further enrich these per-user profiles) — so, in EU data protection law terms, by processing personal data — an activity that requires a valid legal basis. Other types of targeted advertising which do not require processing personal data (such as contextually targeted advertising) are available. Hence Meta’s claim that intrusive tracking and profiling of individuals is a necessary core component of its services also failed to pass muster with the Board.
The EDPB’s remarks today — of the “important impact” the Meta ads decision could have on other platforms — also look relevant for TikTok which last year sought to remove users’ ability to refuse its tracking-ads — saying it planned to change the legal base for “personalized” advertising from consent to legitimate interest — before quickly freezing the move in the face of warnings from privacy regulators.
Any move by TikTok now to revive such a switch — with these two major GDPR decisions against Meta’s ‘forced consent’ standing — would only invite swift regulatory scrutiny so such a shift to its claimed legal basis is surely highly unlikely (not least as the video sharing platform is busy trying to burnish its image in front of EU lawmakers — as the Commission starts applying new oversight powers on digital platforms under the Digital Services Act (DSA) and Digital Markets Act (DMA)).
So just because Facebook has — for years — processed and profited off of Europeans’ data by running unlawful ads does not mean other ad-funded platforms are going to get the same free ride from the bloc’s regulators. Enforcement is here at last.
(For the record, Meta has said it will appeal the two GDPR decisions. It also denies they mean it has no option but to ask European users for their consent to its behavioral ads — pointing out that the regulation allows for “a range” of legal bases but without specifying which of these limited (and bounded) alternatives to consent might fly… So, er, public interest behavioral Facebook ads anyone?!)
Twitter, meanwhile, has also just announced its iOS app will default to a ‘For you’ algorithmic content feed — requiring users to actively swipe to view their usual chronological feed — which could raise questions over the legal basis the company is relying upon to push content personalization in front of users who may not want it. So there’s no shortage of interesting considerations flowing from Meta’s GDPR spanking.
This new GDPR enforcement dynamic (if we dare call it that) presents regional opportunities for other approaches (and innovation) in the area of lawful targeted advertising — whether that’s tracking based ads with valid user consent. Or forms of ad targeting that don’t involve any processing of personal data. (Or, well, which seek to claim they don’t.)
And we’re already seeing some high level moves to capitalize on the slow decline/demise of lawless behavioral ads, such as Google’s plan to switch away from individual-level ad targeting to alternative ‘privacy-sandboxing’ interest-targeting ads — or a new proposal by European telcos to band together on a joint venture to offer opt-in ad targeting of mobile users (which the carriers say would limit targeting to first party data and gather explicit user consent to the ads per advertiser/brand).
How Meta gets its ad-targeting operation in legal order, meanwhile, remains to be seen. But, well, fixing infrastructure that’s never cared to comply seems like it could be very expensive…
The EDPB’s press release today also addresses the reason why it instructed the DPC to investigate Meta’s processing of sensitive data — something that has led the Irish regulator to accuse the Board of jurisdictional overreach and announce that it’s taking legal action to try to annul that component of its instruction.
On this, the Board said it examined whether the complaints against the legality of Meta’s ads had been addressed with due diligence by the DPC.
“The complainant had raised the fact that sensitive data is processed by Meta IE [Ireland]. However, the IE DPA [aka the DPC] did not assess processing of sensitive data and therefore, the EDPB did not have sufficient factual evidence to enable it to make findings on any possible infringement of the controller’s obligations under Art. 9 GDPR [which deals with the processing of special category data],” it writes. “As a result, the EDPB disagreed with the IE DPA’s proposed conclusion that Meta IE is not legally obliged to rely on consent to carry out the processing activities involved in the delivery of its Facebook and Instagram services, as this could not be categorically concluded without further investigations. Therefore, the EDPB decided that the IE DPA must carry out a new investigation.”
The DPC has frequently been accused of ‘fiddling round the edges’ of GDPR complaints — such as by opening narrower enquiries than complainants had called for (or not opening a probe at all). It is also being sued for inaction (and has even faced allegations of criminal corruption) in a couple of cases. So it’s certainly notable (and awkward for Ireland) that the EDPB’s binding decision concludes the Irish regulator failed to investigate elements of Meta’s data processing it says were required for it to reach its proposed conclusion that Meta was not legally obliged to rely on consent.
As black marks against the DPC’s approach to GDPR enforcement go, this schooling from the Board is a major addition to Dublin’s tally.
Still, the EDPB’s instruction that the DPC open a whole new investigation of Meta’s data processing has invited some quizzical attention — given EU law provides for the independence of data protection authorities.
On this, noyb’s honorary chairman, Max Schrems — a long time critic of (especially) the DPC’s approach to GDPR enforcement but also, more generally, how poorly resources EU DPAs are and how difficult it is for Europeans to exercise their rights — suggests it still shows the system does not work.
Few would say GDPR enforcement is smooth sailing — but heading towards the fifth birthday of the regulation coming into application (this May) there is now a regular flow of decisions, including some major ones with implications for rights hostile business models. So the needle appears to be moving — even though the story rarely ends at a final decision (since years of legal appeals can follow).
A lot of attention to regulatory-working in the EU this year will also swivel onto the European Commission — to see how it enforces two newer regulations on larger digital platforms (the aforementioned DSA and DMA); a new centralized enforcement structure devised by the bloc’s lawmakers that was undoubtedly informed by years of criticism of slow and weak GDPR enforcement.
So the legacy of Meta’s lawless ads, and Ireland’s dilly-dallying to enforce against its consentless tracking-and-profiling, is already a lasting one.