Before moving ahead with any plans to impose behavioral ads on Twitter users in the European Union, Elon Musk should take heed of a recent significant privacy fine for Meta.
To wit: The European Data Protection Board (EDPB) has issued a strong warning to other companies after the publication of two final decisions against Meta by EU privacy regulators applying the EU’s General Data Protection Regulation (GDPR) to Facebook and Instagram. These decisions include a total of about $410M in fines (still with a third decision against WhatsApp due shortly) and orders to correct its unlawful data processing within three months.
“The EDPB binding decisions make it clear that Meta used personal data for behavioral advertising in violation of the law. The fulfilment of a claimed contract with Facebook and Instagram users does not need this advertising.” The EDPB chair, Andrea Jelinek, said in a statement that these judgments “may also have a significant influence on other platforms that have behavioural advertisements at the core of their business model.”
The Board also described the relationship between Meta and its users as “imbalanced,” citing “grave breaches” of transparency obligations that it claimed had “impacted the reasonable expectations of the users” and criticizing the tech giant for portraying its services to users “in a misleading manner.” The EDPB also found that these actions violated the GDPR’s fairness principle.
In order to ensure consistency in how the law is administered by regulators in Member States, the supervisory body monitors how the GDPR is being implemented in the EU. In this case, its binding decision effectively overturned Meta’s fictitious claim of contractual necessity for behavioral ads: the Irish Data Protection Commission (DPC), the company’s lead data protection regulator for the GDPR, was forced to reverse a conclusion it had reached in its 2021 draft decision and find that Meta’s practice of requiring consent to tracking ads through a claim of contractual necessity is unlawful.
The term “behavioral advertising” refers to a type of targeted advertising where the choice of ad is based on tracking and profiling of specific users according to their online activity (and occasionally on combining offline data sets to further enrich these per-user profiles). In terms of EU data protection law, that means processing personal data, an activity requiring a valid legal basis. There are other forms of tailored advertising that don’t involve handling personal data (such as contextually targeted advertising). As a result, the Board rejected Meta’s argument that intrusive surveillance and profiling of individuals is a crucial part of its services.
The EDPB’s comments today regarding the “important impact” the Meta ads decision may have on other platforms appear to be relevant for TikTok as well. TikTok attempted to remove users’ ability to reject its tracking-ads last year, claiming it planned to change the legal basis for “personalized” advertising from consent to legitimate interest, but it quickly shelved the move in the face of privacy regulators’ concerns.
With these two significant GDPR decisions working against Meta’s “forced consent” standing, any attempt by TikTok to revive such a switch would only invite swift regulatory scrutiny; as a result, such a change in its purported legal basis is undoubtedly highly unlikely. This is especially true given that the video sharing platform is currently working to improve its reputation with EU legislators as the Commission begins using new oversight powers on digital platforms under the Digital Services Act (DSA) and Digital Marke
Therefore, just because Facebook has processed and made money off of the data of Europeans by running illegal ads for years doesn’t guarantee other ad-funded platforms will receive the same free pass from the bloc’s regulators. At last, there is enforcement.
(For the record, Meta has stated that it will challenge both of the GDPR rulings. It also disputes the claim that it has no choice but to request the consent of European users for its behavioral advertisements, pointing out that the regulation permits “a range” of legal bases without indicating which of these constrained alternatives to consent might be acceptable. Therefore, um, public interest Facebook advertisements anyone?!)
Twitter, on the other hand, recently revealed that the iOS version of its app will by default display an algorithmic “For you” content feed, requiring users to actively swipe to view their usual chronological feed. This announcement raises concerns about the legal justification Twitter is using to force content personalization on users who might not want it. There are plenty of thought-provoking implications that can be drawn from Meta’s GDPR spanking.
This new GDPR enforcement dynamic, if we dare call it that, opens up regional prospects for alternative strategies (and innovation) in the field of lawful targeted advertising. These include tracking-based ads with valid user consent, or ad-targeting techniques that don’t process any personal information. (Or, actually, which attempt to deny that they do.)
And we’re already seeing high-level initiatives to take advantage of the slow demise of lawless behavioral ads, such as Google’s proposal to switch from individual-level ad targeting to alternative “privacy-sandboxing” interest-targeting ads, or a recent proposal by European telcos to form a joint venture to provide mobile users with opt-in ad targeting (which the carriers claim would limit targeting to first party data and gather explicit user consent to the ads).
The legality of Meta’s ad-targeting operation is still an open question. However, it appears that maintaining infrastructure that has never cared to comply could be exceedingly costly.
The EDPB’s press release today also addresses the reason why it instructed the DPC to investigate Meta’s processing of sensitive data. The Irish regulator has accused the EDPB of jurisdictional overreach and announced that it is pursuing legal action to try to have that portion of the Board’s instruction revoked.
The Board stated that it looked into whether the DPC had given the concerns regarding the legitimacy of Meta’s advertisements the proper attention.
“The complainant brought up the fact that Meta IE [Ireland] processes sensitive data. The IE DPA [also known as the DPC] did not evaluate the processing of sensitive data, and as a result, the EDPB lacked the factual evidence necessary to reach a conclusion regarding any potential breaches of the controller’s obligations under Art. 9 GDPR [which addresses the processing of special category data],” the report states. “As a result, the EDPB disagreed with the IE DPA’s proposed finding that Meta IE is not required by law to depend on consent to carry out the processing activities related in the distribution of its Facebook and Instagram services, as this could not be conclusively determined without additional research. As a result, the EDPB concluded that the IE DPA needed to conduct a fresh inquiry.”
The DPC has repeatedly been accused of “fiddling about the edges” of GDPR complaints, such as by initiating more limited inquiries than those requested by the complainants (or not opening a probe at all). In a few instances, it is also being sued for inaction and has even been accused of criminal corruption. Therefore, it is noteworthy (and inconvenient for Ireland) that the EDPB’s binding ruling finds that the Irish regulator did not look into specific aspects of Meta’s data processing that were allegedly necessary for it to draw the inference that Meta was not required by law to rely on consent.
This instruction from the Board is a significant addition to Dublin’s list of red flags regarding the DPC’s strategy for GDPR enforcement.
However, considering that EU legislation guarantees the independence of data protection authorities, the EDPB’s directive that the DPC launch a brand-new inquiry into Meta’s data processing has drawn some skepticism.
Max Schrems, honorary chairman of noyb and a longtime critic of (especially) the DPC’s GDPR enforcement strategy but also, more generally, of how under-resourced EU DPAs are and how challenging it is for Europeans to exercise their rights, believes that this still demonstrates the system’s inefficiency.
Few would claim that GDPR enforcement is hassle-free, but as the regulation approaches its fifth anniversary (this May), there is now a regular flow of judgements, some of which are significant and have ramifications for business models that are antagonistic to human rights. Although stories rarely come to a conclusion (since years of legal appeals can follow), it appears that the needle is moving.
The European Commission will be the focus of much attention this year as it implements two newer regulations on larger digital platforms (the aforementioned DSA and DMA). This new centralized enforcement structure was undoubtedly influenced by years of criticism of the GDPR’s slow and ineffective implementation.
Therefore, the legacy of Meta’s illegal advertisements and Ireland’s hesitation to enact legislation to stop its unconsented tracking and profiling already has a long shelf life.