noyb complaints: Meta's business model declared illegal in the EU according to WSJ. Facebook, Instagram and WhatsApp can no longer run personalized ads without user consent
As reported by The Wall Street Journal, the EDPB has decided that Meta cannot force users to agree to personalized ads. In May 2018, when the GDPR came into force in the EU, Meta Ireland Ltd. believed it could "bypass" the requirement to get opt-in consent from users, by simply adding a provision in the terms and conditions. On 25 May 2018, the digital rights organization noyb filed complaints with the relevant Data Protection Authorities (DPAs). Now, 4.5 years later, the European Data Protection Board (EDPB) found Meta's alleged "bypass" of the GDPR illegal. The EDPB also rejected the view of the Irish Data Protection Commission (DPC) who previously sided with Meta, after taking four years to investigate the case.
- Exclusive report by the Wall Street Journal
- Original complaints from 25 May 2018
- Background on the DPC's approval of the "consent bypass"
- Background how the DPC pushed the EDPB in the interest of Meta
- EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR
Key Facts. Here are the key takeaways:
- The current information is based on reporting by the Wall Street Journal, according to which the EDPB was "ruling that EU privacy law doesn’t allow Meta platforms, such as Instagram and Facebook, to use their terms of service as a justification for allowing such advertising."
- This decision is based on complaints filed by noyb on May 25th, 2018, the day the GDPR became applicable.
- The EDPB has issued a decision requiring the Irish DPC (the regulator for Meta in the EU) to issue a final decision within one month.
- The EDPB decision is not directed at the parties before the procedure, but at the Irish DPC.
- The EDPB has thereby overturned a previous draft decision by the Irish DPC that took the view that Meta's bypass of the GDPR was legal.
- The EDPB decision requires that Meta may not use personal data for ads based on an alleged "contract". Users therefore need to have a yes/no consent option.
- The EDPB decision does not prohibit other forms of advertisement (like contextual ads, based on the content of a page).
- The EDPB decision itself was not published, but will be published together with the final decision of the DPC in January 2023.
- The EDPB also requested a substantial fine, the exact amount is not known yet.
Meta wanted to "bypass" consent. The GDPR allows for six legal bases to process data, one of which is consent under Article 6(1)(a). Meta tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the "service" that it contractually owes the users. The alleged switch of legal basis happened exactly on 25 May 2018 at midnight when the GDPR started to apply. So-called "contractual necessity" under Article 6(1)(b) is usually understood narrowly and would e.g. allow an online shop to forward the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, took the view that it could just add random elements to the contract (such as personalized advertisement), to avoid a yes/no consent option for users.
Max Schrems: "Instead of having a yes/no option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way."
Substantial fine expected. In addition to an overall stop of personalized ads, the EDPB has insisted on a massive fine for Meta, according to the WSJ. After all, the company has based most commercial data processing on a legal basis that was clearly ruled out by the EDPB in explicit Guidelines in 2019, leading to clearly intentional violations of the law. Meta has already been hit with more than € 1 billion in GDPR fines so far. Meta has to pay this fine to the Irish state.
Max Schrems: "This procedure draws from a lot of resources of our donation-funded association. The case will probably hit the courts thereafter. However, the penalty will go to Ireland - the state that has taken Meta's side and has been delaying the procedure for over four years."
DPC and Meta cooperated on "bypass". During the course of the procedure, Meta has relied on ten confidential meetings with the Irish DPC in which the DPC has allegedly allowed Meta to use this "bypass". It was later revealed that the DPC has even tried to influence relevant EDPB Guidelines in the interest of Meta. Nonetheless, the other European DPAs rejected the DPC's view back in 2018 and again in the final EDPB decision. The case took more than 4.5 years and lead to hundreds of pages of reports and submissions, despite the case being about a rather simple legal question.
Max Schrems: "This case is about a simple legal question. Despite the slow procedure, we are happy about the EDPB decision after all."
Consequence: no personalized ads. The decision means that Meta must allow users to have a version of all apps that does not use personal data for ads. The decision would still allow Meta to use non-personal data (such as the content of a story) to personalize ads or to ask users for consent to ads via a yes/no option. Users must be able to withdraw consent at any time and Meta may not limit the service. While this will limit Meta's profits dramatically in the EU, it would not fully prohibit ads. Instead the decision will put Meta on the same level as other websites or apps, that need to provide a yes/no option to users.
Max Schrems: "This is a huge blow to Meta's profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a 'yes or no' answer and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent."
Next steps. The EDPB decision is delivered to the Irish DPC. The decision must then be served on Meta in Ireland and noyb in Austria within one month (so in January 2023). Meta can then appeal the decision, but the chances to win such an appeal are minimal after an EDPB decision. There is also two similar cases before the Court of Justice of the EU (CJEU) on Meta's consent bypass, that may settle the issue and all appeals for good. Users may also take action over the illegal use of their data for the past 4.5 years.
