Meta is kicking off the New Year with more privacy fines and corrective orders hitting its business in Europe. The latest swathe of enforcement relates to a number of EU General Data Protection Regulation (GDPR) complaints over the legal basis it claims to run behavioral ads.
The Facebook owner's lead data protection watchdog in the region, the Irish Data Protection Commission (DPC), announced today that it's adopted final decisions on two of these long-running enquiries -- against Meta-owned social networking site, Facebook, and social photo-sharing service, Instagram.
The DPC's press release reveals financial penalties of €210 million (~$223 million) for Facebook and €180 million (~$191 milliion) for Instagram -- and confirms the European Data Protection Board (EDPB)'s binding decision last month on these complaints that contractual necessity is not an appropriate basis for processing personal data for behavioral ads.
These new sanctions add to a pile of privacy fines for Meta in Europe last year -- including a €265 million penalty for a Facebook data-scraping breach; €405 million for an Instagram violation of children’s privacy; €17 million for several historical Facebook data breaches; and a €60 million penalty over Facebook cookie consent violations — making for a total of €747 million in (publicly disclosed) EU data protection and privacy fines handed down to the adtech giant in 2022.
But now, in the first few days of 2023, Meta has landed financial penalties worth more than half last year's regional total -- and more sanctions could be coming shortly.
Corrective measures are also being applied, per the DPC's PR -- with Meta being ordered to bring its processing into compliance with the GDPR within three months.
This means it can no longer rely on a claim of contractual necessity to run behavioral ads -- and will instead have to ask users for their consent. (And cannot profile and target users who do refuse its surveillance ads.)
Commenting in a statement, Max Schrems, the founder of the European privacy rights group (noyb) that filed the original GDPR complaints, said: "This is a huge blow to Meta's profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a 'yes or no' option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent."
Given how central Meta's tracking and targeting ad model remains to its business, the tech giant is extremely likely to appeal the decisions -- and if it does that it could open up fresh delays while legal arguments against the now-ordered enforcement play out in the courts. So there could still be years of wrangling ahead before Meta submits to correction via EU privacy law.
The DPC's final decisions on these inquiries also still have not been published, so full details on differences of views between data protection authorities -- and other interesting tidbits, such as on how the size of the fines have been determined -- remain tbc.
But in a press release announcing the two final decisions, the DPC offers its own spin on the regulatory disagreements -- writing:
On the question as to whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs [concerned supervisory authorities] agreed with the DPC’s decisions, albeit that they considered the fines proposed by the DPC should be increased.
Ten of the 47 CSAs raised objections in relation to other elements of the draft decisions (one of which was subsequently withdrawn in the case of the draft decision relating to the Instagram service). In particular, this subset of CSAs took the view that Meta Ireland should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalised advertising (as part of the broader suite of personalised services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.
The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.
The DPC's PR also confirms the EDPB found an additional breach by Meta of the GDPR fairness principle (i.e., in addition to the transparency breach the DPC found which the Board upheld) -- hence it being directed to (further) increase the level of fines imposed.
A third decision against Meta-owned messaging platform WhatsApp (also over this legal basis issue) remains on the DPCs desk -- but is slated to arrive in a week or so. (We're told by the regulator this is owing to a short delay in the DPC receiving the binding decision on that complaint from the EDPB.)
noyb says it's expecting a fine for WhatsApp in that parallel procedure to be announced in mid January.
Update: Meta has published a blog post with a response to the decisions in which it claims its choice of legal basis for processing people's data for ads "respects GDPR." It also says it plans to appeal the decisions -- both on substance and the level of fines imposed.
"Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service," Meta writes, echoing the DPC's view that it's 'all or nothing' when it comes to ad-supported 'personalized' services.
"To date, we have relied on a legal basis called ‘Contractual Necessity’ to show people behavioural advertisements based on their activities on our platforms, subject to their safety and privacy settings. It would be highly unusual for a social media service not to be tailored to the individual user," it also argues -- without mentioning that prior to switching to a claim of contractual necessity in 2018, ahead of the GDPR coming into application, it had relied upon a claim of user consent for ads processing.
Meta's blog post also claims the DPC's decisions do not prevent personalised advertising on its platform; and do not mandate the use of consent for ads-based processing.
"The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect," it argues. "Similar businesses use a selection of legal bases to process data and we are assessing a variety of options that will allow us to continue offering a fully personalised service to our users."
Enforcement on forced consent
This clutch of Meta-focused complaints dates back to May 2018, when the GDPR came into application across the European Union -- after the European privacy rights campaign group, noyb, targeted the tech giant's use of so-called "forced consent" (aka, pushing sign-up terms on users that mean they either 'agree' to their data being processed for behavioral ads or they can't use the service).
The Irish regulator's draft decision on the complaints leaked back in October 2021 -- and, in contrast to the EDPB's binding decision, the DPC did not object to Meta's reliance on contractual necessity for running behavioral ads. Although it did find violations of the GDPR's transparency requirements, saying users were unlikely to have understood they were signing up to a Facebook ad contract when they clicked agree on its terms of service.
Hence the DPC originally proposed a smaller penalty (of just $36 million) vs. the more than 10x larger financial sting in final decisions emerging now (still with the WhatsApp final decision pending).
This far tougher enforcement has been arrived at (albeit, slowly) through the GDPR's cooperation mechanism -- which loops in other EU data protection authorities (who can, and in this case several did, object to a lead supervisor's draft decision); and casts the EDPB as final arbiter when regulators can't agree among themselves. So, in this case (and not for the first time), the DPC has been instructed to reach a different outcome than if it had been left to decide alone.
And -- as has happened several times before -- the standard of enforcement flowing from a collective regulatory process baked into GDPR is higher (and tougher) than it would have been with Ireland acting on its own.
The DPC's press release frames the outcome rather differently -- as a difference of legal interpretations -- with the regulator writing that the EDPB "took a different view on the 'legal basis' question"; and adding: "The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the 'contract' legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the 'contract' legal basis, amounts to a contravention of Article 6 of the GDPR."
It will be interesting to see whether Meta's lawyers seek to make hay with the DPC's (now publicly) stated view that Facebook and Instagram are "premised on, the provision of a personalised service that includes personalised or behavioural advertising" -- and its (convenient-for-Meta) conflation of personalised services and personalised advertising via an expressed stance that such a conjoined pairing is "central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service", as it puts it -- as the tech giant seeks to overturn this GDPR decision against the legal basis it's relied upon to run behavioral ads in the EU since 2018.
Curiously, the DPC's view on this (and Meta's!) ignores the existence of other forms of (non-privacy) violating ads which Meta could use to monetize its service -- such as contextual ads.
Its PR is also silent on the question of whether Meta will be ordered to delete all the data it's been illegally processing since 2018. But litigation funders are unlikely to ignore the opportunity to scale privacy class actions.
There's further drama unfolding around the DPC's announcement today, too: Schrems has tweeted to complain that the DPC told noyb it will not be sent the final decision until after Meta has had a chance to redact the document … "Never seen something like that in 10 years of litigation," he added. "F*cking crazy."
(Reminder: noyb filed a complaint of criminal corruption against the DPC back in 2021 -- accusing the regulator of corruption and “procedural blackmail” in relation to attempts to shut down the public release of documents related to GDPR complaints so this issue was already more than fraught.)
In a press release of its own, noyb's Schrems further hits out at what he described as the DPC's "very diabolic public relations game" -- writing: "Getting overturned by the EDPB is a major blow for the DPC, no[w] they seem to at least try to gain the public perception of this case. In 10 years of litigation I have never seen a decision only being served to one party but not the other. The DPC plays a very diabolic public relations game. By not allowing noyb or the public to read the decision, it tries to shape the narrative of the decision jointly with Meta. It seems the cooperation between Meta and the Irish regulator is well and alive -- despite being overruled by the EDPB."
In a further unusual move by the Irish regulator -- which only looks set to crank up criticism of its friction-generating approach to GDPR enforcement -- the DPC has announced it's launching an annulment action against certain "jurisdictional" elements of the EDPB decision.
It told TechCrunch it's not seeking to annul the Board's decision on the consent vs. contractual necessity issue. Rather it claims it's unhappy about other elements of the direction the Board issued, via the GDPR Article 65 dispute resolution process, and is accusing the steering body of overreaching its jurisdiction.
This action appears to have been instigated because the Board's binding decision also directs the DPC to conduct what the Irish regulator couches as "a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations."
Such an investigation -- were it to actually take place -- could really drive a stake through the heart of Meta's privacy-sucking business model in the EU, where legal experts have been warning for years the tech giant's consent-less tracking and profiling of citizens is in breach of the bloc's legal framework on data protection.
So it's certainly interesting that the DPC is keen to avoid having to open a wide-ranging investigation of Meta's data handling on the EDPB's instruction.
Its PR states that the decisions it's announced today "naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions" -- with the regulator explaining its objection thusly:
The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.
It remains to be seen what the EU's General Court will make of the DPC's complaint.
However a legal challenge by WhatsApp to an earlier EDPB binding decision on a separate GDPR inquiry -- which also substantially dialled up the level of enforcement it would have faced from an earlier DPC draft decision -- was ruled inadmissible by the court last month.