
Meta will no longer be allowed to run ads based on personal data without users’ consent, according to a confidential EU privacy watchdog decision.
The Irish data protection agency, which oversees Meta because its European headquarters is located in Dublin, has been given a month to issue a ruling based on the European Data Protection Board’s (EDPB) binding decision. The EDPB will also likely require the Irish body to hand out fines.
Facebook, among other players, has benefited hugely from its data collection practices for years, drawing regulatory scrutiny around the world. Once collected, that data was used to serve related ads, to the benefit of advertisers.
The case against Meta was triggered by a complaint by Austrian privacy activist Max Schrems in 2018.
“Instead of having a yes/no option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way,” Schrems said in a statement.
He added that the EDPB’s ruling means Meta must allow users to have a version of all apps that does not use personal data for ads, while it would still be allowed to use non-personal data to personalize ads or simply ask users for consent.
Meta is in the middle of engaging with the Irish body, a Meta spokesperson said.
“GDPR allows for a range of legal bases under which data can be processed, beyond consent or performance of a contract. Under the GDPR, there is no hierarchy between these legal bases, and none should be considered better than any other,” the spokesperson said.
An EDPB spokeswoman declined to comment on the issue, but did say that the EDPB’s reaction was needed after other national watchdogs disagreed with the Irish agency’s draft decision.
Its draft decision is focused on the lawfulness and transparency of processing for behavioral advertising, while its decision on WhatsApp concerns the lawfulness of processing for the purpose of the improvement of services.
“The DPC cannot comment on the contents of the decisions at this point. We have one month to adopt the EDPB’s binding decisions and will publish details then,” the Irish Data Protection Commission said.
Meta may have to change its business model, said Helena Brown, head of data & privacy at London-based law firm Addleshaw Goddard.
“The direction of travel seems to be that the European regulators will not allow Meta to hide behind ‘provision of services’ as its basis for using personal data for behavioral advertising,” she said.
“Meta may need to change its approach to seeking clear, explicit consent instead. It will be a challenge for Meta to be able to explain its practices in a way that such consent can be lawful and well-informed,” Brown said.
As if that were not enough, Facebook also faced a challenge from Apple earlier this year. The Cupertino-based giant introduced new features that allowed iPhone users to block various trackers, Facebook’s Pixel tracker included.
Personally, we find these sorts of decisions to be too little too late, but we’ll take whatever they give us. We do advise everyone to “mind the gap” and go easy with sharing stuff on social networks. And, of course, use a VPN. 😉