Meta Advertising Ban - Decision Published

Forced Consent & Consent Bypass
 /  Wed, 01/11/2023 - 12:24
decision published

The Irish DPC issued its final decision on Meta's illegal processing of user data for personal advertising. Here is a download link and a first quick summary by noyb.

The DPC decision clearly shows massive disagreement between the Irish DPC and the EDPB.

Major fight between DPC and EU counterparts. The DPC decision makes it apparent that the Austrian, German, French, Italian, Dutch, Norwegian, Polish, Portuguese and Swedish authorities all raised formal objections against the DPC decision. Traditionally, however, authorities do not formally raise objections, if it is clear that the matter was already raised by a number of authorities. The DPC did not even care to amend the decision and adapt its positions, but simply just copied the EDPB position into the previous decision.

Max Schrems: "The decision reads like homework where the pupil did not even care to change mistakes, but merely copied the corrections of the teacher into a text."

DPC decision may not end case. The decision also doesn't seem to fully deal with the complaints by noyb, as the decision does not cover matters such as the use of personal data for improving the Facebook platform or for personalized content. The EDPB also demanded further investigations. Additionally, the underlying conflict is that under Austrian or German law, the complaint defines the scope of the procedure, the DPC however believes that under Irish law it may limit the scope of a complaint. noyb may have to appeal the decision on these grounds.

Minimal fine for actual violation of user rights? A rather shocking element concerns the extent of the fines. While the EDPB demanded a "significantly higher" fine, the DPC decided on the final numbers. While the DPC issued a fine of overall € 150 million on Facebook over transparency issues, the DPC only fined Meta € 60 million for their lack of any legal basis for the processing of millions of European user's data for about five years.

Max Schrems: "Apparently, the DPC is more concerned with screwing users in a transparent manner, than not screwing them at all."

More details in bullet points. The decision is divided into different sections dealing with different issues and a schedule that deals with procedural matters. A short summary of the main takeaways can be read below, with the paragraphs where you can find the point in the final Facebook decision. There may be slight differences for the Instagram decision, but we expect them to be largely similar.

If Meta may use consent (Issue 1 of the Decision)

  • The DPC tries to ignore the question if Meta intentionally mislead users by simply saying that this a transparency issue (§ 2.19), the DPC therefore rejects that is has not fully investigated the original complaint (§ 2.20).
  • The EDPB found that the DPC "ought to have included an examination of “[Facebook’s] processing operations, the categories of data processed (including to identify special categories of personal data that may be processed), and the purposes they serve", to fully determine the complaint.
  • The DPC continues to ignore the core issue of the complaints, namely if the clauses in the terms de facto amount to a hidden consent clause (falsa demonstratio). Instead, the DPC joined Meta's view that if the controller has never sought consent. If this is the case, there cannot be any consent (§ 3.10) and the matter is therefore not to be investigated, even if the allegation is that Meta has simply moved a consent clause into the terms and conditions.
  • The fact that a study among 1.000 users shows that more than 60% found this to be consent and less than 2% thought it is a contract, is continuously ignored by the DPC. The EDPB has highlighted the study to be important information that was not considered by the DPC and not included in the draft decision.
  • The EDPB overturned the DPC assessment on whether clicking "accept" on the Meta website was indeed to be assessed as "consent" under Article 6(1)(a) or a "contract" under 6(1)(b) GDPR.
  • The EDPB has demanded that the DPC removes all conclusions on "Issues 1" in the decision (see § 3.26). While the DPC continues to keep all its findings on pages 15 to 21 in the draft decision (against the EDPB position) the DPC added a single paragraph at the end of the section, saying that (despite keeping all the arguments against the EDPB view) she "makes no finding with regards to issue 1".

If Meta may use Article 6(1)(b) "contract" (Issue 2 of the Decision)

  • The DPC denied to investigate all processing operations where Meta relies on Article 6(1)(b) as it would "not be open to a complainant ... to demand such an assessment". Facebook has consequently never delivered a list of all processing operations and the relevant legal basis. This may violate Austrian law, where the scope of a complaint is clearly a matter for the complainant. The DPC therefore only investigated the matter on the level of principle (§ 4.7), with a focus on "behavioral advertisement". This may make the decision challengeable, as other forms of personalization (like content personalization, improvement of the product and alike) or the processing of sensitive personal data under Article 9 GDPR were also raised, but not dealt with by the DPC investigation and decision.
  • The DPC sees no jurisdiction in interpreting what a "contract" is and feels that the DPC's jurisdiction is limited to the GDPR (§ 4.13). This is quite astonishing as determining what the contract contains is a logical precondition to determine if the processing is "necessary" to fulfil a contract. noyb has previously said that not assessing the contract amounts to a trick to not deal with the matter. The DPC "rejects, in the strongest terms, these serious allegations of mala fides, dishonesty and otherwise illegal conduct" by noyb when the contractual necessity was simply not investigated by the DPC. The DPC does not accept that not investigating what the contract contains would be a "denial of justice" (§ 4.16).
  • In § 4.26 to 4.55 the DPC repeats the disagreement between the DPC and the EDPB, where the DPC says that it may not assess the content of contracts and it would favour a wide interpretation, where anything put into a contract or terms and conditions is "necessary" under Article 6(1)(b) GDPR.
  • The EDPB seems to have relied on the CJEU references in C-252/21 and C-446/21 on factual findings on Meta's use of personal data for advertisement and alike, as the DPC refused to investigate the matter fully (page 37 and 38). There seems to be a major procedural problem, as the EDPB may simply lack the factual evidence to make a decision on the entire complaint, if the DPC continuously refuses to even just investigate the matter fully.
  • The DPC then just copies the EDPB decision into the DPC Draft Decision. The EDPB highlights:
    • The EDPB largely refuses the views of the DPC and highlights that the study by noyb shows that users do not see this as contract, but consent.
    • The EDPB also says that just because Meta choose to make profits via personalized ads, this does not make them "necessary" as Meta could also run ads based on context or other data.
    • The EDPB holds that the main purpose for which user use Meta services is communication, not for personalized ads.
    • In the view of the EDPB the position of the DPC and Meta could also encourage other operators to use Article 6(1)(b) as a bypass of the consent requirement.
    • The EDPB joins the view of the Austrian, German, French, Italian, Dutch, Norwegian, Polish, Portuguese and Swedish authorities, that behavioral advertisement is "objectively not necessary for the performance of Meta's alleged contract".
  • Without any further comment the DPC then finds (against everything she argued before) in § 4.56 that "as directed by the EDPB" she finds "that Facebook was not entitled to rely on Article 6(1)(b) GDPR" for the purpose of behavioral targeting.

Transparency of the "bypass"

  • The DPC has so far mainly taken the view that Meta should just have made the (in the view of the DPC otherwise legal) bypass of the GDPR more transparent. This would have meant that users would merely see an additional pop-up or alike, but would not have stopped Meta to abuse user data further. The lack of transparency is kept in the decision and explained in § 5.1 to § 5.77.
  • The EDPB however insisted that this also lead to a violation of Article 5(1)(a) GDPR, which in turn would also mean that the personal data of users should not have been processed.
  • The DPC again just copy/pasted the EDPB decision into her own decision and added one line, saying that according to the EDPB decision she had to make this additional finding.

The final orders:

  • The EDPB requested a three month period for complying with the order from the time the EDPB order is served. It prohibits Meta from using Article 6(1)(b) as described in the EDPB order.
  • The DPC specified that the EDPB decision must mean that "the processing" is limited to processing for advertisement only. It seems that other aspects of the complaint were not dealt with by the DPC, which in itself may be illegal.
  • The DPC amended the EDPB decision so that the three months deadline is not from the moment the EDPB decision was served on Meta (some time in December) but from the serving of the DPC decision (some time in January) (see § 8.11). This departure of the DPC from the EDPB decision seems to be unlawful.
  • The EDPB has fundamentally disagreed with the DPC's views on the fine. The German authority even called it "counterfactual" (page 91). At the same time the EDPB also did not have the evidence to find that Meta has "intentionally" violated the GDPR, as argued by the Swedish DPA.
  • The EDPB did not set a specific fine, but only required the DPC to have a "significantly higher" fine.
  • Pages 100 to 153 are dedicated to a reassessment of the increased fine by the DPC. The fine is divided into €80 million and €70 million for a lack of transparency and merely € 60 million in relation to the actual unlawful processing of personal data of millions of EU users under Article 6(1)(b) (§ 10.45).

 

Correction: The first version of this article mentioned that the DPC has departed from the EDPB decision in parts. Given that the full EDPB decision is now released, the relevant element seems to be in line with the EDPB decision and the comment was removed from the noyb.eu website.

Share