The GDPR allows for six legal bases to process personal data. In the case Meta v Bundeskartellamt, the CJEU has today ruled on all of them - further clarifying the interpretation of the GDPR. The CJEU has largely closed the doors for Meta to use personal data beyond what is strictly necessary to provide the core products (such as messaging or sharing content) - all other processing (like advertisement and sharing personal data) requires freely given and fair consent by users.
- Judgment in German and French
- CJEU Press Release
- Previous decision by the EDPB leading to a € 320 million fine
- Background on the "forced consent" approach by Meta
- Background on Meta's move to "legitimate interest"
First Statement. noyb still has to study the details of this massive judgment. From the live reading of the holding, it seems that Meta/Facebook was barred from using anything but consent for crucial operations that it relies on to make profits in Europe.
Max Schrems: "We welcome the CJEU decision. It further clarifies that Meta cannot simply bypass the GDPR with some paragraphs in its legal documents. This will mean that Meta has to seek proper consent and cannot use its dominant position to force people to agree to things they don't want. This will also have a positive impact on pending litigation between noyb and Meta in Ireland."
Meta wanted to "bypass" GDPR. Article 6(1) GDPR allows for six legal bases to process data, one of which is consent under Article 6(1)(a), but Meta wanted to bypass the consent requirement via the other five legal bases. The CJEU has dealt with basically all of them, citing Article 6(1)(a) all the way to (f) in the judgment. Meta mainly tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the "service" that it contractually owes the users. The alleged switch of legal basis happened exactly on 25 May 2018 at midnight when the GDPR came into force. So-called "contractual necessity" under Article 6(1)(b) is usually understood narrowly and would e.g. allow an online shop to forward the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, took the view that it could just add random elements to the contract (such as personalized advertisement) to avoid a yes/no consent option for users.
Max Schrems: "Instead of having a 'yes/no' option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way."
Meta's move to "legitimate interest" also failed. After the ruling by the EDPB prohibiting the "bypass" under Article 6(1)(b), Meta moved on to Article 6(1)(f) GDPR this spring. The CJEU seems to also trash Meta's hopes to just move to a so-called "legitimate interest" for advertisement under Article 6(1)(f) GDPR. While the CJEU has not ruled out that a legitimate interest can exist (e.g. for network security), the judgment clarifies that there is no "legitimate interest" that would override the users' rights when controllers try to provide advertisement. This basically limits any EU controller from running personalised advertisement other than on a freely given (yes/no) consent.
Max Schrems: "This is a huge blow for Meta, but also for other online advertisement companies. It clarifies that various legal theories by the industry to bypass the GDPR are null and void."