noyb win: Personalized Ads on Facebook, Instagram and WhatsApp declared illegal – NOYB

As reported by The Wall Street Journal, the EDPB has decided that Meta cannot force users to agree to personalized ads. In May 2018, when the GDPR came into force in the EU, Meta Ireland Ltd. believed it could “bypass” the requirement to get opt-in consent from users, by simply adding a provision in the terms and conditions. On 25 May 2018, the digital rights organization noyb filed complaints with the relevant Data Protection Authorities (DPAs). Now, 4.5 years later, the European Data Protection Board (EDPB) found Meta’s alleged “bypass” of the GDPR illegal. The EDPB also rejected the view of the Irish Data Protection Commission (DPC) who previously sided with Meta, after taking four years to investigate the case.
Key Facts. Here are the key takeaways:
Meta wanted to “bypass” consent. The GDPR allows for six legal bases to process data, one of which is consent under Article 6(1)(a). Meta tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the “service” that it contractually owes the users. The alleged switch of legal basis happened exactly on 25 May 2018 at midnight when the GDPR started to apply. So-called “contractual necessity” under Article 6(1)(b) is usually understood narrowly and would e.g. allow an online shop to forward the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, took the view that it could just add random elements to the contract (such as personalized advertisement), to avoid a yes/no consent option for users.
Max Schrems: “Instead of having a yes/no option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”
Substantial fine expected. In addition to an overall stop of personalized ads, the EDPB has insisted on a massive fine for Meta, according to the WSJ. After all, the company has based most commercial data processing on a legal basis that was clearly ruled out by the EDPB in explicit Guidelines in 2019, leading to clearly intentional violations of the law. Meta has already been hit with more than € 1 billion in GDPR fines so far. Meta has to pay this fine to the Irish state.
Max Schrems: “This procedure draws from a lot of resources of our donation-funded association. The case will probably hit the courts thereafter. However, the penalty will go to Ireland – the state that has taken Meta’s side and has been delaying the procedure for over four years.”
DPC and Meta cooperated on “bypass”. During the course of the procedure, Meta has relied on ten confidential meetings with the Irish DPC in which the DPC has allegedly allowed Meta to use this “bypass”. It was later revealed that the DPC has even tried to influence relevant EDPB Guidelines in the interest of Meta. Nonetheless, the other European DPAs rejected the DPC’s view back in 2018 and again in the final EDPB decision. The case took more than 4.5 years and lead to hundreds of pages of reports and submissions, despite the case being about a rather simple legal question.
Max Schrems: “This case is about a simple legal question. Despite the slow procedure, we are happy about the EDPB decision after all.
Consequence: no personalized ads. The decision means that Meta must allow users to have a version of all apps that does not use personal data for ads. The decision would still allow Meta to use non-personal data (such as the content of a story) to personalize ads or to ask users for consent to ads via a yes/no option. Users must be able to withdraw consent at any time and Meta may not limit the service. While this will limit Meta’s profits dramatically in the EU, it would not fully prohibit ads. Instead the decision will put Meta on the same level as other websites or apps, that need to provide a yes/no option to users.
Max Schrems: “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ answer and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”
Next steps. The EDPB decision is delivered to the Irish DPC. The decision must then be served on Meta in Ireland and noyb in Austria within one month (so in January 2023). Meta can then appeal the decision, but the chances to win such an appeal are minimal after an EDPB decision. There is also two similar cases before the Court of Justice of the EU (CJEU) on Meta’s consent bypass, that may settle the issue and all appeals for good. Users may also take action over the illegal use of their data for the past 4.5 years.
noyb funding goal
Apple hits back at European activist complaints against tracking tool
An Austrian privacy advocacy group drew a strongly critical response from Apple on Monday after it said an online tracking tool used in its devices breached European law.
101 Unternehmen leiten noch immer Daten an die USA weiter
Der Datenschutz-Verein noyb brachte 101 Beschwerden gegen den Datentransfer in die USA ein.
 
ZDF Magazin Royale vom 10. Dezember 2021
Expertentalk mit Datenschützer und Facebookbezwinger Max Schrems
Irish regulator proposes 36 mln euro Facebook privacy fine – document
The complaint, lodged by Austrian privacy activist Max Schrems, concerned the lawfulness of Facebook’s processing of personal data, specifically around its terms of service.
 
DPC seeking penalty of up to €36m against Facebook
The Data Protection Commission (DPC) has suggested a penalty of between €28 million and €36 million for Facebook in a draft decision made against the company. Austrian privacy and data rights campaigner Max Schrems’s NOYB organisation, which filed the original complaint against the technology giant, has published the commission’s draft decision online.

source

Leave a Reply

Your email address will not be published. Required fields are marked *