BREAKING: Meta (Facebook and Instagram) prohibits the use of personal data for advertising purposes. A severe blow to Meta’s business model in Europe, following nob dispute. Fine for Meta more than tenfold from 28 to 390 million euros. Third case on WhatsApp in progress.
As confirmed by the Irish DPC, the European Data Protection Board (EDPB) rejected the Irish DPC and Meta’s GDPR circumvention based on nob complaints against Facebook and Instagram. Meta is now prohibited from circumventing the GDPR via a clause in the terms and conditions. Meta must get “opt-inconsent for personalized advertising and must provide users with a “yes/no” option. The decision on a third parallel case on WhatsApp is postponed until mid-January.
Highlights:
- Two complaints filed by nob on behalf of an Austrian and Belgian user on May 25, 2018 (the day the GDPR became applicable) have been decided today.
- A third complaint on WhatsApp on behalf of a German user was postponed to mid-January, according to an email from the DPC.
- Meta attempts to “work around” the consent requirement in the GDPR by adding a clause to the advertising terms and conditions.
- In December 2022, the EDPB reversed a previous draft decision by the Irish DPC which considered Meta’s circumvention of the GDPR to be legal.
- The final decision demands that Meta cannot use personal data for advertisements based on a so-called “contract”. Users must therefore have a yes/no consent option (“opt-in”), otherwise Meta cannot use their data for personalized advertising.
- The ruling does not prohibit other forms of advertising (such as contextual ads, based on page content).
- The use of personal data by Meta has been illegal since May 2018.
- The fines for Facebook and Instagram amount to 390 million euros. An additional fine for WhatsApp in the parallel procedure is to be expected.
Meta wanted to “bypass” GDPR. The GDPR provides six legal bases for processing data, one of which is consent under Article 6(1)(a). Meta tried to circumvent the consent requirement for online tracking and advertising by arguing that the ads are part of the “service” it contractually owes users. The alleged legal basis change happened exactly on May 25, 2018 at midnight, when the GDPR entered into force. The so-called “contractual necessity” within the meaning of Article 6 (1) (b) is generally understood in the narrow sense and would allow, for example, an online shop to pass on the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, felt that it could just add random things to the contract (like personalized advertising), to avoid a yes/no consent option for users.
Max Schrems:Instead of having a “yes/no” option for personalized ads, they just moved the consent clause to the terms and conditions. This is not only unfair but clearly illegal. We don’t know of any other company that has tried to ignore GDPR so arrogantly..”
380 million euros in fines, DPC wanted € 28 to 36 million. In addition to a general ban on personalized ads, the EDPB insisted on a massive fine for Meta. After all, the company has based most commercial data processing on an intentional violation of the law. The EDPS already issued guidelines on this in 2019. Meta has already been hit with over €900 million in GDPR fines in other cases before. The fine goes to the Irish State, not to the plaintiff, nob or the EDPS. The DPC had previously requested 28 to 36 million euros in a draft decision (see page 87 here), only 10% of the now final decision of the European Data Protection Board.
Max Schrems: “The penalty will go to Ireland – the state that sided with Meta and delayed enforcement for over four years. This case will likely be appealed by Meta, which will incur costs extras for noyb.”
DPC and Meta collaborated and were rejected by the EDPB. During the proceedings, Meta relied on ten confidential meetings with the Irish DPC during which the DPC authorized Meta to use this “bypass”. It was later revealed that the DPC even tried to influence the relevant EDPB guidelines in the interest of Meta. Nevertheless, the other European data protection authorities rejected the DPC’s view internally in 2018, in guidelines in 2019 and again in the final decision of the European Data Protection Board in December 2022. legal question simple enough.
Max Schrems:This case is about a simple legal issue. Meta claims the “bypass” happened with the blessing of the DPC. For years, the DPC dragged out the process and insisted that Meta could circumvent the GDPR, but it has now been overruled by other EU authorities. It is overall the fourth consecutive time that the Irish DPC has been cancelled.“
DPC sees winning on the issue of “transparency”? In the DPC’s media statement, the central question of whether Meta can process user data for advertising purposes is buried in a narrower debate about transparency, where it found a breach.
“It’s rather pathetic if the DPC is now claiming that other authorities agreed on a minor transparency issue. It would have just required changing some text on Meta’s website. The main issue was that Meta unlawfully processed user data for more than four years, DPC protected Meta and they were rejected at EU level.“
Consequence: no personalized ads, less profit. The ruling means Meta must allow users to have a version of all apps that don’t use personal data for ads within three months. The decision would still allow Meta to use non-personal data (such as story content) to personalize ads or ask users to consent to ads via a “yes/no” option. Users should be able to withdraw their consent at any time and Meta cannot limit the service if users choose to do so. While this will severely limit Meta’s earnings in the EU, it will not ban ads altogether. Instead, the ruling will put Meta on par with other websites or apps, which must provide a “yes/no” option to users.
Max Schrems:This is a blow to Meta’s earnings in the EU. Now you have to ask people if they want their data used for ads or not. They must have a “yes or no” option and can change their mind at any time. The decision also ensures a level playing field with other advertisers who must also obtain opt-in consent.”
DPC censors the complainant’s and the public’s decision, ensuring that Meta and DPC control the media narrative. In a surprising move, the DPC is informed nob Today, although being one of the two parties to the procedure, the DPC will not make public the decision of nob. The DPC suddenly cited the so-called “confidentiality” of the decision as the reason. The decision should be communicated to the applicant at a later stage – perhaps even after the appeal period has expired. This is contrary to previous information from the DPC that the parties would receive the decision prior to any publication by the DPC.
Max Schrems:Being overthrown by the EDPB is a blow to the DPC, now they seem to be trying to influence the public perception of this case. In ten years of litigation, I have never seen a decision served only on one party, but not on the other. The DPC is playing a very diabolical public relations game. By not allowing the noyb or the public to read the decision, he tries to shape the narrative of the decision in conjunction with Meta. It seems that the cooperation between Meta and the Irish regulator is alive and well – although it has been canceled by the EDPB.”
Next steps: DPC is suing the EDPB, Meta is likely to appeal. Meta is expected to appeal the decision in the Irish courts, but the chances of winning such an appeal are slim after a binding ruling from the EDPB. There are also two similar cases before the Court of Justice of the EU (CJEU) on Meta consent circumvention, which could settle the matter and all appeals definitively. In a side story, the DPC also announced that it may sue the EDPB over a related matter, as the EDPB has asked the DPC to take further investigative steps into Meta, beyond the complaints decided by nob. The DPC considers that the EDPS does not have these powers and will seek to have this decision overturned. Users can also take action regarding illegal use of their data over the past 4.5 years.
0 Comments