Mark your calendar European friends: July 4th could soon be celebrated as independence-from-Meta’s-surveillance-capitalism-day… A long-anticipated judgement handed down today by the Court of Justice of the European Union (CJEU) looks to have comprehensively crushed the social media giant’s ability to keep flouting EU privacy law by denying users a free choice over its tracking and profiling.
The ruling tracks back to a pioneering order by Germany’s antitrust watchdog, the Federal Cartel Office (FCO), which spent years investigating Facebook’s business — making the case that privacy harm should be treated as an exploitative competition abuse too.
In its February 2019 order, the FCO told Facebook (as Meta still was back then) to stop combining data on users across its own suite of social platforms without their consent. Meta sought to block the order in the German courts — eventually sparking the referral on Meta’s so-called “superprofiling” to the CJEU in March 2021.
Now we have the top court’s take and, well, it’s not going to spark any celebrations at Meta HQ, that’s for sure.
The CJEU has not only agreed competition authorities can factor data protection into their antitrust assessments (which sounds wonky but really is vital because joint-working rather than regulatory silos is the path to effective oversight of platform power) — but has signalled that consent is the only appropriate legal basis for the tracking-and-profiling-driven ‘personalized’ content and behavioral advertising that Meta monetizes.
Here’s the relevant chunk from the press release:
As regards more generally the processing operation carried out by Meta Platforms Ireland, including the processing of ‘non-sensitive’ data, the Court examines next whether this is covered by the justifications, set out in the GDPR, allowing the processing of data carried out in the absence of the data subject’s consent to be made lawful. In that context, it finds that the need for the performance of the contract to which the data subject is party may justify the practice at issue only on condition that the data processing is objectively indispensable such that the main subject matter of the contract cannot be achieved if the processing in question does not occur. Subject to verification by the national court, the Court of Justice expresses doubts as to whether personalised content or the consistent and seamless use of the Meta group’s own services are capable of fulfilling those criteria.
Consent under EU data protection law means users must be offered a choice to deny this kind of tracking without having to forgo access to the core service. And this is exactly the choice Meta has historically denied its users. (Although — surprise, surprise! — just a few short weeks ahead of the CJEU judgement, doubtless anticipating what was coming, it announced new controls to let users limit its cross-site tracking, albeit with some reduction in functionality if they do deny the tracking so it remains to be seen whether Meta’s attempt to pre-empt the decision has gone far enough.)
Last year an advisor to the CJEU took a similar view on the substance of the Meta superprofiling referral. But while the advocate general’s opinion to the Court was non-legally binding, today’s ruling is bona fide hard law. And that means neither Meta nor EU data protection authorities can ignore it.
The latter is important because reluctance by certain DPAs to vigorously enforce the bloc’s General Data Protection Regulation (GDPR) on rule-flouting tech giants they’re supposed to oversee has led to cries that the regulation has failed — or at least been hopelessly stymied by forum shopping.
There’s no doubt GDPR enforcement on Big Tech has been a very painstaking process indeed. A major decision out of Ireland’s DPA in January finally found against Meta’s claim to rely on contractual necessity to run its behavioral advertising. But it took over four years since the original complaint was filed to get to that order (which Meta is also now appealing, so the process is still not concluded yet either).
Then, in March, responding to a compliance deadline in the Irish Data Protection Commission’s (DPC) order, Meta announced it would switch the legal basis it claims for the data-for-ads processing to another, non-consent-based basis — known as legitimate interest.
So, after years of privacy abuse complaints, regulatory inquiry and (eventual) enforcement Meta still opted against offering users a clear yes/no choice over its tracking — presumably anticipating being able to spin out the oversight process of its LI claim (and avoid having to reform its privacy-hostile business model) for another four years or so.
However the CJEU looks to have tossed a spanner in that latest GDPR evasion tactic since EU DPAs can’t ignore the Court’s direction. So Ireland shouldn’t just sit on its hands and let Meta do so by claiming a legitimate interest legal basis the CJEU has signalled is inappropriate in this context. And, well, when users are empowered to deny surveillance capitalism they do so in droves. (See, for e.g. Apple’s App Tracking Transparency impact on Meta’s ads business.)
Clarity from the CJEU on how the GDPR must be applied on ad-funded business models like Meta’s may finally close this chapter on surveillance capitalism.
In its press release on the judgement, the Court writes (with emphasis): “[T]he personalised advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue, in the absence of the data subject’s consent.”
We’ve reached out to the Irish DPC for a response to the CJEU ruling and will update this report if we get one.
The CJEU has also opted to highlight the need to ensure that the quality of consent is valid — i.e. that the choice offered it truly free (not manipulated, such as by the use of dark patterns or through otherwise penalizing the user, such as with a sub-par service for denying access to their data) — given the imbalance between the market power of a dominant social network and its users, noting in its press release that “this is for the operator to prove”.
Furthermore, the Court has confirmed that Meta cannot simply dodge the legal requirement to obtain explicit consent from users to process so-called sensitive categories of personal data (such as political beliefs, sexual orientation, racial or ethnic origin etc.) — with the Court finding the fact of users visiting or interacting with web services does not mean they have manifestly made public their sensitive data (which would lift the requirement to obtain explicit consent).
This element of the judgement could fuel a new wave of litigation against Meta for processing users’ sensitive data without obtaining their explicit consent since Facebook clearly process oodles of such stuff — always without explicitly asking permission.
Again from the CJEU press release:
Furthermore, the Court observes that the data processing operation carried out by Meta Platforms Ireland appears also to concern special categories of data that may reveal, inter alia, racial or ethnic origin, political opinions, religious beliefs or sexual orientation, and the processing of which is in principle prohibited by the GDPR. It will be for the national court to determine whether some of the data collected may actually allow such information to be revealed, irrespective of whether that information concerns a user of that social network or any other natural person.
Max Schrems, the lawyer and privacy rights campaigner who was behind the original complaint against Meta’s “forced consent”, has dubbed today “GDPR meltdown day for Meta” — arguing the court has shut the door on all the “loopholes” the company’s lawyers have sought to press over the last five years.
In a fuller statement, noyb — Schrem’s privacy rights not-for-profit — said the CJEU has declared Meta’s GDPR approach “illegal”.
“noyb still has to study the details of this massive judgment. From the live reading of the holding, it seems that Meta/Facebook was barred from using anything but consent for crucial operations that it relies on to make profits in Europe,” it also wrote, with Schrems arguing Meta will now have to “seek proper consent and cannot use its dominant position to force people to agree to things they don’t want”.
“This will also have a positive impact on pending litigation between noyb and Meta in Ireland,” he added — referring to the aforementioned decision out of Ireland on Meta’s legal basis for ads.
BEUC, the European consumer organization, also welcomed the CJEU ruling — suggesting it “paves the way for more effective enforcement against dominant digital platforms”.
While in a statement the FCO’s president, Andreas Mundt, said the judgement “sends a strong signal for competition law enforcement in the digital economy, a field where data are decisive for market power”.
“When large internet companies use the very personal data of consumers, this usage can also be deemed abusive under competition law. In their application of competition law, competition authorities must also take data protection rules into consideration. The judgment will have far-reaching effects on the business models used in the data economy. When enforcing competition law, it is important that we continue to cooperate closely with the data protection authorities,” he added.
For its part, Meta didn’t offer much of a response to offer as yet. “We are evaluating the Court’s decision and will have more to say in due course,” a company spokesperson said.
Meta also pointed back to an earlier blog post, published after the GDPR breach finding in January and updated in March when it switched to LI, where the company wrote then: “To comply, from Wednesday 5 April we are changing the legal basis that we use to process certain first party data in Europe from ‘Contractual Necessity’ to ‘Legitimate Interests’. GDPR clearly states that there is no hierarchy between legal bases, and none should be considered more valid than any other.”
The litigation in Germany, where Meta is challenging the FCO’s order to limit its profiling of users — which was paused on the CJEU referral — will now be able to resume. How long it will take for that case to work through the German courts remains to be seen. But the CJEU ruling can be read as the writing on the wall for consent-less tracking in the EU.
This report was updated to include the FCO’s statement