Calendarize it. European pals: July 4th could become independence-from-Meta-surveillance-capitalism day. Today’s long-awaited Court of Justice of the European Union (CJEU) ruling appears to have destroyed the social media giant’s ability to violate EU privacy law by denying users a choice over its tracking and profiling.
The ruling stems from a pioneering order by Germany’s antitrust watchdog, the Federal Cartel Office (FCO), which spent years investigating Facebook’s business and argued that privacy harm should be considered an exploitative competition abuse.
The FCO ordered Facebook (then Meta) to stop combining user data across its social platforms without consent in February 2019. Meta challenged the order in German courts, prompting the CJEU’s referral on Meta’s “superprofiling” in March 2021.
The top court’s ruling won’t make Meta HQ happy.
The CJEU has agreed that competition authorities can factor data protection into their antitrust assessments (which sounds wonky but is vital because joint-working rather than regulatory silos is the path to effective oversight of platform power) and that consent is the only legal basis for Meta’s tracking-and-profiling-driven “personalized” content and behavioral advertising.
Press release excerpt:
As regards more generally the processing operation carried out by Meta Platforms Ireland, including the processing of ‘non-sensitive’ data, the Court examines next whether this is covered by the justifications, set out in the GDPR, allowing the processing of data carried out in the absence of the data subject’s consent to be made lawful. In that context, it finds that the need for the performance of the contract to which the data subject is party may justify the practice at issue only on condition that the data processing is objectively indispensable such that the main subject matter of the contract cannot be achieved if the processing in question does not occur. Subject to verification by the national court, the Court of Justice expresses doubts as to whether personalised content or the consistent and seamless use of the Meta group’s own services are capable of fulfilling those criteria.
EU data protection law requires users to be able to opt out of this tracking without losing access to the core service. Meta has denied users this choice. (Surprise, surprise!—just a few weeks before the CJEU judgement, Meta announced new controls to let users limit its cross-site tracking, albeit with some reduction in functionality if they deny the tracking.)
A CJEU advisor agreed with the Meta superprofiling referral last year. Today’s ruling is binding, unlike the advocate general’s opinion to the Court. Meta and EU data protection authorities cannot ignore it.
The latter is crucial because some DPAs’ reluctance to vigorously enforce the bloc’s General Data Protection Regulation (GDPR) on rule-breaking tech giants has led to claims that the regulation has failed or been hopelessly stymied by forum shopping.
GDPR enforcement on Big Tech has been arduous. Ireland’s DPA ruled against Meta’s contractual necessity claim in January. That order, which Meta is appealing, took over four years to reach.
Meta changed its legal basis for data-for-ads processing from consent to legitimate interest in March to meet the Irish Data Protection Commission’s (DPC) compliance deadline.
After years of privacy abuse complaints, regulatory inquiry, and (eventual) enforcement, Meta still did not offer users a clear yes/no choice over its tracking, likely hoping to delay the oversight process of its LI claim for another four years and avoid having to reform its privacy-hostile business model.
Since EU DPAs must follow the CJEU, that latest GDPR evasion tactic appears to have failed. Ireland shouldn’t let Meta do so by claiming a legitimate interest legal basis the CJEU has indicated is inappropriate. Users deny surveillance capitalism in droves when empowered. Apple’s App Tracking Transparency affected Meta’s ads business.
The CJEU’s guidance on how the GDPR applies to ad-funded business models like Meta’s may end surveillance capitalism.
In its press release on the judgement, the Court writes (with emphasis): “[T]he personalised advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue, in the absence of the data subject’s consent.”
We will update this report if the Irish DPC responds to the CJEU ruling.
Given the market power of a dominant social network and its users, the CJEU noted in its press release that “this is for the operator to prove” that consent is valid, i.e., that the choice offered is truly free (not manipulated, such as by dark patterns or by otherwise penalizing the user, such as with a sub-par service for denying access to their data).
The Court also ruled that Meta cannot avoid the legal requirement to obtain explicit consent from users to process sensitive categories of personal data (such as political beliefs, sexual orientation, racial or ethnic origin, etc.) by visiting or interacting with web services.
Since Facebook clearly processes oodles of sensitive data without explicit consent, this aspect of the judgement could spark a new wave of litigation against Meta for processing such data without consent.
CJEU press release:
Furthermore, the Court observes that the data processing operation carried out by Meta Platforms Ireland appears also to concern special categories of data that may reveal, inter alia, racial or ethnic origin, political opinions, religious beliefs or sexual orientation, and the processing of which is in principle prohibited by the GDPR. It will be for the national court to determine whether some of the data collected may actually allow such information to be revealed, irrespective of whether that information concerns a user of that social network or any other natural person.
Max Schrems, the lawyer and privacy rights campaigner who filed the original complaint against Meta’s “forced consent,” called today “GDPR meltdown day for Meta” because the court closed all the “loopholes” the company’s lawyers had been pressing for five years.
This is "#GDPR meltdown day" for @Meta – CJEU basically closes all "loopholes" their lawyers have argued for the last five years.
We have put together a (very) first statement here: https://t.co/3Kk53rogEQ https://t.co/oqodQ2f34g
— Max Schrems 🇪🇺 (@maxschrems) July 4, 2023
Schrem’s privacy rights nonprofit, noyb, said the CJEU ruled Meta’s GDPR approach “illegal.”
Noyb must study this massive judgment. According to Schrems, Meta will now have to “seek proper consent and cannot use its dominant position to force people to agree to things they don’t want.”
“This will also have a positive impact on pending litigation between noyb and Meta in Ireland,” he added, referring to the Irish decision on Meta’s legal basis for ads.
BEUC, the European consumer organization, said the CJEU ruling “paves the way for more effective enforcement against dominant digital platforms”.
Meta didn’t respond yet. “We are evaluating the Court’s decision and will have more to say in due course,” a company spokesperson said.
Meta also referenced its January blog post, published after the GDPR breach finding and updated in March when it switched to LI: “To comply, from Wednesday 5 April we are changing the legal basis that we use to process certain first party data in Europe from ‘Contractual Necessity’ to ‘Legitimate Interests’. GDPR states that legal bases are equal and should not be ranked.