Major privacy complaints against the legitimacy of Meta’s core advertising business model in Europe were finally resolved through a dispute resolution mechanism incorporated into the Data Protection Regulations. GDPR of the EU.
Complaints, originating from May 2018targeted the tech giant’s so-called “forced consent” to further track and target users by processing their personal data to build profiles for behavioral advertising , so the results could have major ramifications for the way Meta works if regulators ask the company to modify its practices.
GDPR also allows for large fines for serious violations — up to 4% of global annual revenue.
The European Data Protection Board (EDPB), the body that directs the GDPR, confirmed today it made three binding decisions in three complaints against the Meta platforms Facebook, Instagram and WhatsApp.
A trio of complaints were filed by the European privacy campaign group, noyb, shortly after GDPR was introduced across the EU. So it took about 4.5 years to get to this point.
The EU’s top data protection regulation has been widely criticized for its slow pace of enforcement on major cross-border claims against tech giants, and this strategic complaint group is one of them. little consequences for those claims. But while final decisions have been made, controversy can continue — as Meta can appeal any enforcement, both in Irish courts and before EU judicial authorities (in the case of binding decisions of the EDPB), has the ability to suspend any remedial orders pending the outcome of its appeal.
What exactly was decided? The EDPB has yet to disclose that. The protocol it follows means it passes its binding decisions back to the Irish Data Protection Commission (DPC), Meta’s top privacy regulator in the EU, which then must apply them in the final decisions it will make.
The District People’s Committee now has one month to make a final decision and confirm any financial penalties. So we’ll get the full gory details early next year.
The The Wall Street Journal could provide a glimpse of what’s to come: It reports that Meta’s advertising model will face restrictions in the EU — citing “people familiar with the situation”.
It also reports that the company will face “significant” fines for GDPR violations.
“Monday’s council rulings, which have not been publicly disclosed, do not directly order Meta to change its practices but instead call on Ireland’s Data Protection Commission to issue public orders. reflect their decisions, along with substantial fines,” the WSJ wrote, citing an (unnamed) source.
Includes WSJ report, Reuters note that shares of Meta fell 5.3% in morning trading following the action.
An EDPB spokesperson confirmed that it could not comment on the content of binding decisions it has made.
“According to Art. 65 (5) GDPR, we cannot comment on the content of the decisions until DPC Ireland has informed the controller of its final decisions,” she told TechCrunch. “As pointed out in Press ReleaseThe EDPB has considered whether the processing of personal data for contract performance is an appropriate legal basis for behavioral advertising, but at this time we are unable to confirm its decision. What is the EDPB in this regard.”
The DPC also declined to comment on the paper’s report — but deputy commissioner Graham Doyle confirmed to us that it will publish binding decisions on these complaints in early January.
We have also reached out to Meta for feedback on the development.
the company has recently discovered in one filing set aside €3BN for data protection fines in 2022 and 2023 – a large portion of which has yet to be imposed.
GDPR fines for Meta so far this year include a €265M fined for a Facebook data breach last month; €405M for a September violation of children’s privacy on Instagram; and €17 million for several 2018 Facebook data breaches issued in March – plus the French data protection watchdog hit Meta with €60 million penalty in January for Facebook’s cookie consent violations of the EU’s Electronic Privacy Directive — for a total of €747 million in EU privacy and data protection fines saved publicly exposed… so, according to its filing, the tech giant seems to be expecting 2023 to be significantly more expensive for its European business.
One thing is clear: A lot is at stake for the company.
As the EDPB press release confirms, its decisions “resolve”[s]Among other things, the question of whether the processing of personal data for the performance of a contract is an appropriate legal basis for behavioral advertising, in the case of Facebook and Instagram, and to improve service, in the case of WhatsApp or not”.
So depending on what has been decided, the Meta may eventually be forced ask users if they want to be tracked — an option the ad tech giant is currently refusing. On Facebook and Instagram, it agrees to be profiled and targeted — or not available to you at all.
If Meta is forced to ask users if they want “personalized” ads (its euphemism for surveillance ads) then that is certainly big news — given the rejection rate. when web users are actually selected compared to targeted advertising is often very high. (See, for example, Apple’s ‘track request’ feature Tracking Transparency for third-party iOS apps — where an ongoing opt-out rate is around 75%, according to the data.” Whether the Adjustment was released earlier this year and mentioned by media.)
The crux of noyb’s initial complaints against Meta services was that users were not given the option to opt-out of its ad processing — although GDPR stipulates that if consent is legally required to process personal data, it must be specific, informed and freely available. (No, er, bundle, manipulate and force!)
However – plot twists! — it later emerged that when GDPR was in place, Meta had quietly moved from asking for consent as the legal basis for this behavioral ad processing to saying it was necessary to do so contract — and claims Facebook and Instagram users are contracting with Meta to receive targeted advertising.
This argument implies that Meta’s core service is not social networking; That’s advertising. Noyb’s emeritus president and longtime privacy law is a thorn in the side of Facebook, Max Schrems, called it a particularly shameless attempt to bypass GDPR.
The draft decision of the Irish District People’s Committee on the complaints has been published by noyb last year (to the great chagrin of the DPC) revealed that the Irish regulator had no intention of objecting to Meta’s bypass of consent. However, other EU DPAs — potentially opposing the main supervisor’s draft decision under the GDPR’s one-stop-shop to deal with cross-border complaints — protested, and it led to months of controversy. on regulation when other EU regulators come up for review if they can agree.
It is clear that in this case the DPAs cannot find a consensus among themselves — so the EDPB will step in with binding decisions now. And the Board’s decision is final.
Responding to this development — and citing the WSJ report — noyb wrote in a Press Release that the EDPB reversed the DPC’s much-derided draft decision (which also proposed a small fine of $36 million), saying the decision “requires Meta not to use personal data for advertising.” based on an alleged ‘contract’.
“Therefore, users will need to have an agree/no option,” it said – naming the result “win” (even without knowing exactly how much of a “significant” penalty the EDPB is asking for. ).
Other forms of Meta advertising — such as contextual advertising in which targeting is based on the content of the page being viewed — are not prohibited by the EDPB’s decision, which, according to noyb, anticipates that nonetheless this decision would “significantly” limit Meta’s profits in the EU.
In a statement, Schrems said: “Instead of having a yes/no option for personalized advertising, [Meta] just transferred the agreed terms in the terms and conditions. This is not only unfair but also clearly illegal. We are not aware of any other company that has attempted to so arrogantly ignore GDPR.”
“This is a blow to Meta’s profits in the EU,” he added. “Now people need to be asked if they want their data used for advertising. They must have a ‘yes’ or ‘no’ answer and can change their mind at any time. This decision ensures a level playing field with other advertisers who also need to receive opt-in consent.”
Noyb’s take on development also poured cold water on the possibility of any Meta appeal against this GDPR regulation to its core business model — calling the company’s chance to win resistance. Such reporting is “minimal” because the final decisions have been made by the EDPB, an expert body responsible for ensuring the harmonized application of GDPR across the bloc (for example, by providing guidance on how to apply the rules in practice).
It also points to two similar cases that have occurred before the Court of Justice of the European Union (CJEU) for the disregard of Meta’s consent — suggesting that those cases “could resolve the matter and all All appeals are beneficial.
noyb further suggested that Meta could face legal action from users — “over the unauthorized use of their data over the past 4.5 years.”
Meta had to face some class action lawsuit citing privacy suitable in Europe. Further GDPR enforcement will only add impetus to damages claims as litigation sponsors sniff out victory.
