BREAKING: Meta (Facebook and Instagram) prohibited from using personal data for advertisement. Major blow to Meta's business model in Europe, following noyb litigation. Fine for Meta more than tenfold from € 28 million to € 390 million. Third case on WhatsApp pending.
As confirmed by the Irish DPC, the European Data Protection Board (EDPB) has rejected the Irish DPC and Meta's bypass of the GDPR based on noyb complaints against Facebook and Instagram. Meta is now prohibited to bypass the GDPR via a clause in the terms and conditions. Meta has to get "opt-in" consent for personalized advertisement and must provide users with a "yes/no" option. The decision on a third parallel case on WhatsApp is delayed until mid-January.
- Explainer video on Meta's bypass (from December 2022)
- Original complaints by noyb from 2018
- Previous reporting on first information on the EDPB decision (Reuters)
Key Facts:
- Two complaints filed by noyb on behalf of an Austrian and Belgian user on May 25th, 2018 (the day the GDPR became applicable) were decided today.
- A third complaint on WhatsApp on behalf of a German user was delayed to mid-January, according to an email by the DPC.
- Meta tried to "bypass" the consent requirement in the GDPR by adding a clause to the terms and conditions for advertisement.
- In December 2022, the EDPB overturned a previous draft decision by the Irish DPC that took the view that Meta's bypass of the GDPR was legal.
- The final decision requires that Meta may not use personal data for ads based on an alleged "contract". Users therefore need to be provided with a yes/no ("opt-in") consent option, otherwise Meta may not use their data for personalized advertisement.
- The decision does not prohibit other forms of advertisement (like contextual ads, based on the content of a page).
- Meta's use of personal data was illegal since May 2018.
- The fines for Facebook and Instragram total € 390 million. An additional fine for WhatsApp in the parallel procedure is to be expected.
Meta wanted to "bypass" GDPR. The GDPR allows for six legal bases to process data, one of which is consent under Article 6(1)(a). Meta tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the "service" that it contractually owes the users. The alleged switch of legal basis happened exactly on 25 May 2018 at midnight when the GDPR came into force. So-called "contractual necessity" under Article 6(1)(b) is usually understood narrowly and would e.g. allow an online shop to forward the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, took the view that it could just add random elements to the contract (such as personalized advertisement), to avoid a yes/no consent option for users.
Max Schrems: "Instead of having a 'yes/no' option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way."
€ 380 million in fines, DPC wanted € 28 to 36 million. In addition to an overall stop of personalized ads, the EDPB has insisted on a massive fine for Meta. After all, the company has based most commercial data processing on an intentional violation of the law. The EDPB has already issued Guidelines on the matter in 2019. Meta has already been hit with more than € 900 million in GDPR fines in other cases before. The fine goes to the Irish state, not the complainant, noyb or the EDPB. The DPC has previously asked for € 28 to 36 million in a draft decision (see page 87 here), only 10% of the now final EDPB ruling.
Max Schrems: "The penalty will go to Ireland - the State that has taken Meta's side and delayed enforcement for more than four years. This case will likely be appealed by Meta, leading to more costs for noyb."
DPC and Meta cooperated and got overruled by EDPB. During the course of the procedure, Meta has relied on ten confidential meetings with the Irish DPC in which the DPC has allowed Meta to use this "bypass". It was later revealed that the DPC has even tried to influence relevant EDPB Guidelines in the interest of Meta. Nonetheless, the other European DPAs rejected the DPC's view internally in 2018, in Guidelines in 2019 and again in the final EDPB decision in December 2022. The case escalated to 4.5 years with hundreds of pages of reports and submissions, despite the case being about a rather simple legal question.
Max Schrems: "This case is about a simple legal question. Meta claims that the 'bypass' happened with the blessing of the DPC. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled."
DPC sees win on "transparency" issue? In the DPC's media statement the core issue if Meta may process user data for advertisement is buried in a smaller debate about transparency, where it found a violation.
"It is rather pathetic if the DPC now claims that other authorities agreed on a minor transparency issue.This would have just needed to change some text on the Meta website. The core issue was that Meta illegally processed user data for more than four years, the DPC shielded Meta and they got voted down on the EU level."
Consequence: no personalized ads, less profits. The decision means that Meta must allow users to have a version of all apps that does not use personal data for ads within three months. The decision would still allow Meta to use non-personal data (such as the content of a story) to personalize ads or to ask users for consent to ads via a 'yes/no' option. Users must be able to withdraw consent at any time and Meta may not limit the service if users choose to do so. While this will limit Meta's profits dramatically in the EU, it would not fully prohibit ads. Instead the decision will put Meta on the same level as other websites or apps, that need to provide a 'yes/no' option to users.
Max Schrems: "This is a huge blow to Meta's profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a 'yes or no' option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent."
DPC censors decision from plaintiff and public, ensuring that Meta and DPC control media narrative. In an amazing move, the DPC informed noyb today that despite being one of the two parties in the procedure, the DPC will not release the decision to noyb. The DPC suddenly cited alleged "confidentiality" of the decision as a reason. The decision should be released to the plaintiff at a later stage - possibly even after the deadline for an appeal has lapsed. This is contrary to previous information by the DPC that the parties would receive the decision before any publications by the DPC.
Max Schrems: "Getting overturned by the EDPB is a major blow to the DPC, now they seem to try to influence the public perception of this case. In ten years of litigation I have never seen a decision only being served to one party, but not the other. The DPC plays a very diabolic public relations game. By not allowing noyb or the public to read the decision, it tries to shape the narrative of the decision jointly with Meta. It seems the cooperation between Meta and the Irish regulator is well and alive - despite being overruled by the EDPB."
Next steps: DPC sues EDPB, Meta likely to appeal. Meta is expected to appeal the decision in the Irish Courts, but the chances to win such an appeal are minimal after a binding EDPB decision. There are also two similar cases before the Court of Justice of the EU (CJEU) on Meta's consent bypass, that may settle the issue and all appeals for good. In a side-story the DPC also announced that it may sue the EDPB on a related issue, as the EDPB required the DPC to take further investigative steps on Meta, beyond the decided complaints by noyb. The DPC takes the view that the EDPB does not have these powers and will try to get this decision annulled. Users may also take action over the illegal use of their data for the past 4.5 years.