On January 4, the Irish Data Protection Commission (DPC) fined Meta €390 million ($414 million) for violating Europe’s privacy law, the General Data Protection Regulation (GDPR), and gave the company three months to bring its data processing operations into compliance. The Irish DPC’s ruling was based on a binding decision issued by the European Data Protection Board (EDPB), an organisation composed of all European data protection authorities. The most important conclusion is that Meta cannot use its user contracts as a basis for using user data to target advertisements. If this ruling stands after an appeal, it could force social media and other online businesses to radically alter their data-driven advertising model.
This is a two-part explanation of the EDPB’s ruling. First, I’ll discuss its legal foundation and then evaluate its potential economic effects. Next, I’ll evaluate whether this ruling can inform efforts to strengthen privacy protections in the United States through legislative action.
PRIVACY IN THE EUROPEAN WAY OF THINKING
GDPR, the EU’s new data privacy law, went into effect this year. Businesses in the region are required to have a legal basis for data processing, the European jargon term for collecting and using personal information. Article 6 of the General Data Protection Regulation states, “Processing shall be lawful only if and to the extent that at least one of the following applies.”
Contractual necessity, consent, and legitimate interest are the primary justifications. Processing is lawful under contractual necessity to the extent that it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject’s request prior to entering into a contract.” To qualify as lawful processing under consent, “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Processing falls into the legitimate interest category only if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party…”
Key legal concepts such as contractual necessity, consent, and legitimate interest are difficult to define and often the subject of legal disputes. However, for the sake of comprehending the EDPB’s decision in its broad strokes, the following simplification of the various legal bases’ applications is offered.
The Law of Necessity in Contracts
If the company needs your personal data to provide a service that you have ordered from them, then they have a “contractual necessity” to collect such data. Internet shops can’t fulfil orders without customers’ addresses, so they must collect that information. In this case, the store may collect and use this information on the basis of contractual necessity.
The processing of personal data that is not necessary for the provision of a service to a customer requires a lawful basis, and that is consent. At the point of sale, a business needs customers’ consent to collect their zip codes and must disclose the intended use of the data (such as market research or targeted advertising). Even if customers say no, businesses still have to provide those products. Customers’ consent to the store’s collection of their zip codes under these circumstances can be inferred from their disclosure of that information.
Whenever neither of the preceding two options is applicable, legitimate interest comes into play. Even if a company hasn’t asked for or received explicit consent to collect and use a user’s personal information for direct marketing purposes, it may do so if it can demonstrate an “urgent business need” for the data that is greater than the consumers’ desire for privacy. Recital 47 of the General Data Protection Regulation notes that legitimate interests can be a justification for processing personal data for the purposes of fraud prevention and direct marketing. For data use justified under legitimate interest, neither consent nor contractual necessity is required.
Moreover, direct marketing based on legitimate interest is constrained by Article 21 of the General Data Protection Regulation. Under this article, users have the right to opt out completely of receiving any kind of direct marketing communications. While a company’s legitimate interest may provide the basis for direct marketing, the company must cease such communications once a user has asked it to. A business cannot invoke business necessity to override this right to object.
THE META DECISION OF THE EUROPEAN DATA PROTECTION BOARD
The January 4, 2023 announcement by the Irish Data Protection Commission (DPC) was the result of extensive deliberation. Meta argued before the Irish DPC that it had a “contractual necessity” to process user data for individualised social media services and advertising. Despite the fact that the Irish DPC essentially agreed, its decision was challenged by other European data protection authorities, prompting a round of negotiations to find a way to settle the disagreement. The dispute resolution procedure was unsuccessful, so the matter was escalated to the European Data Protection Board (EDPB), an organisation made up of data protection authorities from each member state of the European Union. The European Data Protection Board (EDPB) has the authority to issue legally binding decisions to ensure that the national data protection authorities apply the provisions of the General Data Protection Regulation (GDPR) correctly and consistently.
The European Data Protection Board (“EDPB”) “settled” the question of whether or not processing personal data for the performance of a contract provides an adequate legal basis for social media behavioural advertising on December 9, 2022. In January, the Irish DPC announced that it was reversing course and no longer accepting contractual necessity as a legal basis for Meta to process personal data for advertising purposes, making the earlier decision null and void. Although officially made by the Irish DPC, this decision reflects the collective will of the European Union’s DPCs. On January 11, the Irish DPC published the text of its decision, and on January 12, the EDPB published the text of its binding decision that had dictated the Irish DPC’s ruling.
The EDPB decision is central to comprehending the rationale behind this choice. The record it reviewed in coming to its decision contains information revealing “the complexity, massive scale, and intrusiveness of the behavioural advertising practice that Meta IE conducts…” (Par. 96). This immediately reveals its suspicion of Meta’s data practices and suggests it will require substantial evidence to show that this “massive” collection of data for personalised ads is necessary to provide social media service.