Meta’s latest GDPR fine: A victory for consent
Posted: January 6, 2023
Meta received a €490m fine on 4 January 2023 for GDPR violations involving how Facebook and Instagram target ads.
The penalty concluded an investigation that had been going on for over four-and-a-half years, following a complaint from privacy activist Max Schrems in May 2018, and it has highly significant implications for Meta and other online service providers.
But the fine, while large, is not the biggest problem for Meta.
The most consequential aspect of this decision—for Meta and many other companies—is the interpretation of how the GDPR’s “lawfulness of processing rules” apply to digital advertising.
The Meta decision is an endorsement of the EU’s consent and transparency rules, reinforcing the importance of giving users clear choices.
The story behind the fine
Before the GDPR took effect in May 2018, there was the Data Protection Directive (DPD).
The DPD, while still a world-leading data protection law, had a slightly looser definition of “consent” than its successor.
Back in those days, Meta (then called “Facebook”) would request consent for targeted advertising from its users when they signed up for a Facebook or Instagram account.
Although perhaps “consent” is the wrong word, because if the user declined to consent to ad-targeting, they would be prohibited from opening a Facebook account.
Fearing that its consent-request method would no longer be permissible under the newly-passed GDPR, Meta reportedly asked the Irish Data Protection Commission (DPC) for advice.
The DPC apparently suggested that Meta consider changing the legal basis for its ad-targeting purposes from “consent” to “contract”.
So on the day before the GDPR took effect, Meta inserted a clause into its terms of service, stating that accepting targeted ads was now a precondition for using its services. And the next day, Schrems lodged his complaint with the Irish DPC.
‘Necessary’ for a contract?
Schrems characterised Meta’s new approach as a way of “bypassing consent”. He argued that because processing his personal data wasn’t necessary to provide the Facebook service, Meta couldn’t rely on “contract” for this purpose.
After all, the relevant provision—Article 6(1)(b) of the GDPR—states that in order for reliance on “contract” to be valid, the processing must be “necessary for the performance of a contract to which the data subject is party…”
Are targeted ads “necessary” for Meta to provide Facebook and Instagram? Meta argued that they are—both to provide personalised advertising per Meta’s contract with its users, and in support of the company’s business model.
The DPC initially agreed with this approach. However, other EU regulators did not.
DPC vs EDPB
The European Data Protection Board (EDPB) is made up of representatives from each of the EU’s data protection authorities (DPAs).
Under the GDPR’s “cooperation and consistency” mechanism, EDPB members can review and object to any DPA’s draft decision. This has happened in several of Ireland’s decisions against Meta—and it happened in this one, too.
Ten other DPAs disagreed with the DPC’s interpretation of “contract”, pointing to the EDPB’s own guidelines to support their claim.
These 2019 guidelines state that “contract” is not a suitable legal basis if the processing is “necessary for the controller’s wider business model”, rather than “necessary to perform each of the individual services which the data subject has actively requested or signed up for”.
(Incidentally, documents shared by Schrems in 2021 revealed that the DPC strongly resisted this interpretation during the drafting of the guidelines.)
As such, the EDPB intervened, forcing the DPC to rewrite its draft and find that Meta was not allowed to rely on “contract” for targeting ads across Facebook and Instagram.
The implications of the decision
The decision could be one of the most significant GDPR cases yet—not because of the amount of the penalty (which is the third-largest ever), but because of the implications for online advertising.
If Meta is not allowed to rely on “contract” for targeting ads, the company may have to revert to “consent”.
And this time around, “consent” will mean GDPR-standard consent, which must be:
- Freely given
- Specific
- Informed
- Unambiguous
- Given via a clear, affirmative action
- Easy to withdraw
This would mean Meta providing transparent information about its cookie practices up front—and offering its users a genuine choice over how their personal data is used.
Legitimate interests?
It’s worth noting that while the DPC’s full decision hasn’t been released yet, Meta claims that the regulator has not required the company to adopt any specific legal basis.
Meta has a three-month deadline to “bring its processing operations into compliance”, but has apparently not been ordered specifically to ask users for consent.
It’s possible that Meta will attempt to use “legitimate interests” to effectively opt its users into ad-targeting by default.
However, this might not be a good approach in the long term. When another social media company, TikTok, tried to switch to “legitimate interests” for ad-targeting, the Italian DPA quickly intervened to prevent this on the grounds that it would violate the EU’s ePrivacy Directive.
The ePrivacy Directive requires online services to get consent before setting non-essential cookies. And unlike with the GDPR, enforcement of the ePrivacy Directive is not restricted to the DPA in a controller’s “main establishment” (in Meta’s case, Ireland).
Unless Meta hopes to delay compliance with further complaints and appeals (which is possible), adopting “legitimate interests” might not be the best response to the decision.
An endorsement of consent
The Meta fine could further reshape the digital advertising world, reinforcing the EU’s rules around consent and transparency.
Companies that offer a meaningful choice to their users should be in a better position in this consent-focused digital landscape.
Beyond Europe, too, more and more markets require businesses to provide clear notice and obtain active consent regarding personalised ads or analytics. Regulators in Europe and beyond are increasingly active in enforcing these rules.
And these legal obligations aside, being trustworthy and transparent helps companies gain respect and build a stronger relationship with customers.