On December 6, the EU's European Data Protection Board (EDPB) ruled that Meta Platforms Inc - namely Instagram, Facebook, and WhatsApp - shouldn’t ask permission to share personalized ads based on their online activity.
When the EU's General Data Protection Regulation (GDPR) took effect in May 2018, Meta Ireland Ltd. thought it could "bypass" the need for users to give their opt-in consent by only including a clause in the terms and conditions.
The appropriate Data Protection Authorities received complaints from the digital rights organization Noyb on May 25, 2018. (DPAs). After 4.5 years, the European Data Protection Board (EDPB) determined Meta's presumed "bypass" of the GDPR to be unlawful.
After spending four years examining the matter, efforts by the Irish Data Protection Commission (DPC) to try to approach Facebook in a way that could be GDPR compliant were also rejected by the EDPB.
Read more about this topic on the Noyb website.
In accordance with Article 6(1) of the GDPR, permission is one of the six legal bases for data processing. By claiming that advertisements constitute a component of the "service" that it contractually owes the users, Meta attempted to get around the permission needed for tracking and online advertising.
Max Schrems, Honorary Chairman of Noyb, stated that, "Instead of having a yes/no option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way."
The judgment does not directly require Meta to modify its procedures but rather requests that Ireland's Data Protection Commission (DPC) issue instructions to the public that reflect the judgment and impose hefty fines.
The ruling requires Meta to give users access to a version of every tool that doesn't collect their personal information for ads.
The ruling would still permit Meta to customize advertisements or to request users' agreement to ads via a yes/no choice while using non-personal data. Users must always have the option to revoke their consent, and Meta cannot restrict the service.
While drastically reducing Meta's revenues in the EU, this decision does not completely forbid ads. Instead, the choice will bring Meta on par with other websites or apps that must provide consumers with a yes/no option.
Although Meta didn’t provide an immediate response to the ruling, a spokesperson for the social media giant said, “This is not the final decision and it is too early to speculate. GDPR allows for a range of legal bases under which data can be processed, beyond consent or performance of a contract. Under the GDPR there is no hierarchy between these legal bases, and none should be considered better than any other. We’ve engaged fully with the DPC on their inquiries and will continue to engage with them as they finalize their decision."
Looking forward, the decision must be delivered to Meta in Ireland and Noyb in Austria within a month, that being January 2023. Meta can then challenge the ruling, although there is little possibility of success once an EDPB judgment has been made.
Numerous class action privacy lawsuits have already been filed against Meta in Europe. Meta had set aside $3 billion for fines related to data protection in 2022 and 2023, the majority of which had not yet been paid. The moment for damages claims will only increase as the GDPR is further enforced.
Meta was hit with nearly $400 million in fines after decisions against its Facebook and Instagram platforms on January 4.
The company also needs to find a new legal foundation for its sprawling targeted advertising model as soon as possible.
After European Union regulators determined that the present legal basis for advertising that Facebook and Instagram utilize is invalid, Meta has three months to legitimize its data-targeting strategy, according to the principal regulatory body for Meta in Ireland.
The orders put additional strain on Meta's sources of income just as the EU is completing a new set of regulations that will tighten restrictions around online advertising.
A representative for Meta said the tech giant was disappointed with the rulings but emphasized that it has other legal options for processing data and had not intended to rely on user consent.
“We strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioral ads given the nature of our services. As a result, we will appeal the substance of the decision.” Meta spokesperson said.
Max Schrems responded to Meta that, “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”
Gain World-Class Insights & Offer Innovative Privacy & Security
Receive a monthly summary of website intelligence news, advice, and also product updates. And don't worry, we won't tell sales!