Blow for Meta: must stop serving personalised ads until it's GDPR compliant
Meta fined $400m by European regulators and told to stop serving ads based on personal data until it's properly compliant with GDPR's consent requirements, including opt-in
The European Data Protection Board (EDPB) has said that Meta must obtain opt-in consent from users for advertising purposes, rejecting a claim by Meta that its use of personal data is covered by contractual law requirements.
Meta, which does not currently provide an opt-in option for its users as required by GDPR, was supported in its unsuccessful attempt to bypass Europe's data protection regulation by the Irish Data Protection Commission (DPC). Along with other tech giants, Meta has its headquarters in Ireland because of its low corporate tax rate.
The case dates back to 2018, when noyb, a legal non-profit set up by privacy activist and lawyer Max Schrems, raised complaints against Facebook, Instagram and WhatsApp (all now Meta companies) with other data protection authorities (DPAs) in Europe.
The DPC had argued that Meta's personalised ads constitute a "service" provided to its users and that contract rules therefore apply.
In December 2022, the EDPB, which represents European DPAs, overruled the Irish DPC's finding that Meta was legally covered by contract law.
Today, according to a report in the WSJ, the EDPB ruled that Meta may not use European citizens' personal data for personalised advertising until an opt-in process is provided that accords with the GDPR requirements.
In addition, the EDPB fined Facebook and Instagram a total of $400 million. A ruling on WhatsApp's use of personal data for advertising is expected soon.
The Irish DPC has frequently been accused by other European DPAs of having too cosy a relationship with the tech companies residing within the country's borders, although recently it has seemingly toughened its stance, for example fining Instagram €405 million for failing to protect children's data.
According to noyb, ten confidential meetings took place between Meta and the DPC during the course of the proceedings, over which time the DPC came down on the side of the company and its bypassing of the standard GDPR rules for consent.
Schrems has launched multiple successful legal campaigns against technology companies and their misuse of personal data. He said: "This case is about a simple legal question. Meta claims that the 'bypass' happened with the blessing of the DPC. For years the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC got overruled."
Schrems claimed the DPC had refused to release the details of the decision to noyb and accused the regulator of playing "a very diabolic public relations game".
He added: "By not allowing noyb or the public to read the decision, it tries to shape the narrative of the decision jointly with Meta. It seems the cooperation between Meta and the Irish regulator is well and alive - despite being overruled by the EDPB."
According to the ruling, Meta must provide versions of its apps that do not use personal data for personalised ads within three months, with users able to withdraw consent at any time. Meta will still be able to use other data for advertising purposes, but it will need to ask users to opt in before it can use their personal data.
Meta is likely to contest the ruling, which would have a major impact on its business model in Europe, and with many countries using GDPR as a blueprint for their own data protection legislation, potentially elsewhere too.
We have contacted the Irish DPC for comment.