Meta’s Tracking Woes Confirmed As It Intensifies Its Battle For Control Of The EU’s GDPR

Posted on Jan 12, 2023 by Glyn Moody

In December 2022, we discussed the leak of an important ruling by EU privacy regulators regarding Meta’s micro-targeted advertising, a system entirely based on constant online surveillance. The two parts of the decision have now been published (Facebook ruling, Instagram ruling), and a more complete analysis of its likely impact has been made by Max Schrems, the privacy expert and activist who brought the original complaint against Meta and Google, just six minutes after the enforcement of the EU’s GDPR began in May 2018.

The subsequent, rather unusual history of the action was detailed in our previous post on the topic. Schrems and his team at the noyb.eu project explain the key issue as follows:

The GDPR allows for six legal bases to process data, one of which is consent under Article 6(1)(a). Meta tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the “service” that it contractually owes the users. The alleged switch of legal basis happened exactly on 25 May 2018 at midnight when the GDPR came into force. So-called “contractual necessity” under Article 6(1)(b) is usually understood narrowly and would e.g. allow an online shop to forward the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, took the view that it could just add random elements to the contract (such as personalized advertisement), to avoid a yes/no consent option for users.

Meta Trying to Be ‘Cute’ with GDPR

Meta’s argument is that when people sign up to Facebook and Instagram they want a personalized service, including personalized ads. In order to provide that service, Meta claims that it must collect personal data to power its micro-targeted advertising – making it a “contractual necessity” that does not require explicit consent.

The draft decision by the data protection authority with responsibility for the case, the Irish Data Protection Commission (DPC), accepted this argument. However, the supervisory European Data Protection Board (EDPB) disagreed, and has now ruled that Meta must instead provide its users with an explicit yes/no option that requires them to opt in if they wish to be tracked for the purpose of advertising.

Otherwise, user data cannot be used for micro-targeted ads. This is a general requirement that will also apply to other digital platforms operating in the EU. EDPB Chair Andrea Jelinek said:

These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model.

The ruling does not mean that targeted advertising will be banned unless there is user opt-in. As we pointed out many times, it is possible to use contextual advertising to provide tailored ads without infringing on the privacy of users, or building huge stores of personal data that risk being leaked. Meta’s argument that it “must” track users in order to provide the personalized advertising they sign up for is incorrect.

Why would a data protection authority take the side of tech companies… and not their users?

Micro-Targeted Advertising Is Incompatible with GDPR

Moreover, a detailed legal analysis carried out last year of “real-time bidding”, the main ad sales technique used by Meta and other companies, concluded that it is “difficult to reconcile with core tenets of the GDPR”. That’s yet another powerful reason for companies to adopt contextual advertising instead.

The EDPB imposed on Meta Ireland a fine of €210 million in the case of Facebook, and €180 million in the case of Instagram (an additional fine in respect of WhatsApp is expected). Significantly, this is around ten times higher than the fine that the DPC had proposed in its draft resolution of the complaint.

The increased sums are a further reflection of the fact that the official ruling by the EDPB represents a massive defeat for the Irish DPC, which has consistently taken Meta’s side in this case. In addition to approving the use of “contractual necessity” as a legal basis for collecting personal data, the DPC even went so far as to lobby other EU data protection authorities to make Meta’s GDPR bypass an officially recognized approach.

The DPC’s strong support for Meta during this complaint may relate to the disproportionate importance of Internet companies to the Irish economy, and a desire by the government there to keep the investments flowing. That support even manifests itself in the context of the latest EDPB decision. Although the DPC has now published its decisions, Schrems wrote that initially:

the DPC informed noyb … that despite being one of the two parties in the procedure, the DPC will not release the decision to noyb. The DPC suddenly cited alleged “confidentiality” of the decision as a reason. The decision should be released to the plaintiff at a later stage – possibly even after the deadline for an appeal has lapsed. This is contrary to previous information by the DPC that the parties would receive the decision before any publications by the DPC.

The Irish DPC Continues to Fight for Meta

As that quote mentions, Meta can appeal, and it has already said that it will do so against what it calls “the substance of the decision”. That presumably means that the requirement to implement the EDPB’s ruling within three months will be put on hold until after the appeal has been decided.

In another sign of the DPC’s determination to push its own interpretation of the GDPR, the Irish authority has announced that it “considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.”

This extraordinary move by the DPC is an indication that what is at stake here is nothing less than who gets to decide how data protection should be policed in the EU: whether it is individual authorities such as the DPC acting autonomously, or the EDPB imposing consistent, top-down rules.

The outcome of this battle for the soul of the GDPR will have important ramifications, as will the final ruling on Meta’s use of personal data, which will determine how the entire adtech world operates in the EU, and likely far beyond.
