There ain’t such thing as a free Facebook

Much has been said lately about the recent regulatory decision concerning GDPR fines for Facebook and Instagram by the Irish data protection authority (DPC), partially overruled and redirected by the European Data Protection Board (EDPB).

I was expecting the privacy activists at NOYB to salute this decision to the extent it was in line with their argumentation, and to criticise it to the extent it wasn’t. And so they did.

I was expecting Meta to question the decision and activist allegations, and to announce that the appeal is coming. And so it did.

I was also expecting a lot of excited cheers for those decisions on social networks. And so they came, in large numbers.

What I didn’t expect is that there would be little, if any, reflection, on what is exactly going on here and what would be the endgame.

Below, I will try to quickly reflect on the current focus of public discussion, what is at stake with the Meta ruling, and who decides on the legitimacy of social media monetisation models.

Is processing data to serve ads “necessary”?

The popular concern is whether Meta ran afoul of the EU’s General Data Protection Regulation (GDPR) by relying on a “wrong” basis for processing personal data to serve personalised ads.

Meta’s position, challenged by the EDPB and several national data protection authorities, was to rely on contractual necessity. Under the article 6(1)(b) of the GDPR, one may process personal data if that data is necessary to enter into or perform a certain contract.

Two interpretations of the law have been advanced in that regard.

The one supported by the Irish data protection authority and Meta is a broader one, relying on the CJEU Huber case. It suggests that data collection and processing may qualify as necessary under a specific contract even if it is not limited to a theoretical bare minimum. In the context of Meta’s specific contract with users, Meta relied on them agreeing to view personalised ads in exchange for enjoying social media functionality. Under that interpretation, necessity is viewed as taking into account the interests of both contracting parties: the users and the service provider.

The other, narrower, interpretation, is based on the opinion of the EDPB. This interpretation disregards the specific contract. It assumes that if, under some abstract (or, I would rather say, fantastic) conditions, one could imagine a contemporary social media service running without personalised ads, then processing the data to deliver the ads cannot be considered “necessary”.

It might be that Meta will still succeed in its appeals and in upholding its reliance on the broader interpretation of contractual necessity. There are good arguments in favour of that, reflected also in the DPC’s initial argumentation currently overruled by the EDPB.

The arguments advanced by the privacy activists, suggest, however, that it would be fairer to rely on an explicit, separate, and retractable consent to serve personalised ads. And where this consent is denied, they argue that the social media service provider would be still able to serve non-personalised, contextual ads (ads which are based on and appear with the content you are viewing). This poses a difficulty, however, as this might undermine the attractiveness of social media to both businesses and users.

Do we want to disempower the businesses and people alike?

We know that social media, including Facebook, exist because they rely on personalised advertising to keep their users engaged and core services running and profitable. This is the industry’s preferred business model, and it is likely to be the only viable one on a truly global scale.

Some industries have other preferred business models. Newspapers traditionally relied on selling hard copies and subscriptions and now try to mimic that online. But even there, the newer model of “pay or consent” is spreading, where you either consent to personalised advertising or pay for the subscription or a one-off content access fee.

People need to know what is happening around them, and they want to communicate with each other. But not everyone is able to afford paying for the services which enable that knowledge and communication.

Yet, without revenues to cover the infrastructure, staff salaries and various other costs, and to pay up dividends to the shareholders, any commercial service will fail. We’re not, and are not likely to be any time soon, living in some version of a fully automated luxury communism, where these trivial monetisation concerns cease to be relevant.

So it is only fair that people all over the world, and not only the privileged elites, are able to afford these services by granting access to their personal data to let the advertisers better know what products or services their customers might be interested in.

Who decides what business models are legitimate?

Privacy activists at NOYB say that the same goal could be accomplished by contextual advertising, where relevant ads are served on the basis of the content being displayed, thus obviating the need for personal data collection for that purpose.

But activists are not entrepreneurs. They don’t necessarily know what works, and what doesn’t work, in a real business. It is an open question whether contextual advertising would be something that Facebook users will enjoy or hate more, and whether it will be more or less appealing to businesses, especially small and family ones, which earn a living thanks to effective ad campaigns on Facebook among other things.

Activists do not care about the users’ and advertisers’ experience on Facebook. But if Meta will be forced to adopt a new advertising approach, how would that affect the users and the businesses depending on Facebook advertisements? Is there a risk that both would flee the platform? Would the affected revenues still cover the costs? The costs of bread needed to keep the social media service running and improving in line with the users’ interests, not to mention the butter of shareholder dividend. Activists themselves note that a shift to contextual advertising “will limit Meta’s profits dramatically in the EU”.

But it is not up to the activists, or the data protection authorities, to decide what is or what is not, a legitimate business model, and what is the acceptable profit margin. The appropriateness of profit margins is exclusively up to the business owners and the market, and the legitimacy of business models is up to the legislators. And the legislators have spoken.

The Digital Content Directive, article 3(1), expressly acknowledges the legitimacy of a business practice where a person provides his or her data in exchange for the supply of digital content and services.

The Digital Services Act, which will largely be in effect from 17 February 2024, does not outlaw neither the news media’s most recent “pay or consent” model, nor the social media’s preferred “pay with your data” model. The Act indeed requires transparency about the factors influencing the selection of personalised advertising and prohibits targeting ads at minors or based on sensitive personal data. But it neither outlaws behavioural or other personalised advertising as such nor the way this is currently implemented in the Facebook’s business model.

OK, but what about fundamental rights?

One might say that my arguments about business model legitimacy above are ill-founded, as the Facebook users' rights to privacy and data protection are fundamental (articles 7 and 8 of the EU Charter of Fundamental Rights, CFREU) and therefore should have priority. But this objection would miss the important point that the right to conduct legitimate business is also fundamental (article 16 of the CFREU). And every lawyer will tell you that no fundamental right is absolute. While all of them exist in abstract, in a particular situation we must weigh them against each other to decide on which one prevails, to what extent, and why. And without analysing the case through the lens of not only data protection, but also contract, consumer and competition law one cannot honestly say a particular fundamental right should prevail.

While Meta has highlighted its reliance on article 16 of the CFREU, this matter was simply not considered by the EDPB, at all.

And what about transparency and fairness?

To be sure, there are legitimate concerns, which both the Irish data protection authority and the EDPB have addressed in this case. Namely, the transparency of communication: the social media provider should be very explicit about what categories of personal data are used for personalised advertising. Notices to that effect must be in plain language, obvious and very clear — both when signing up for the service, and when the users consult their privacy settings later on.

Furthermore, the Meta’s contract with customers may be analysed in terms of its fairness and validity. Courts, competition and market supervisory, as well as consumer protection authorities are empowered to find whether, in a context of a particular market player and particular circumstances, contractual conditions are unfair.

In particular, these authorities may consider whether the amount and categories of personal data provided against the provision of services are excessive and amount to the abuse of dominant market position or result in the unlawful infringement of consumer rights. One such inquiry is already ongoing.

Such considerations by authorities require a thorough analysis of the matter in terms of applicable contract, consumer protection and competition law, besindes data protection law, and weighing on which fundamental rights (the right to conduct legitimate business and the rights to privacy and data protection) should take precedence in this particular case, and to what extent. Such a competence, in my view, was not demonstrated by the EDPB in this case. In particular, no consideration was given to the provisions of the Digital Content Directive which substantiate the legitimacy of Meta’s business model as embedded in the contract with its users.

The absence of such analysis and consideration makes the validity of the respective part of the EDPB’s decision highly questionable.

To sum up

Social media service providers should properly disclose how exactly they use their users’ data for personalised advertising. Transparency might be lacking, and the data protection authorities are right to enforce it.

Still, there is no such thing as a free commercial social media service, at least when it is operating on a global scale. Social media service providers rely on the “pay with your data” business model for monetisation. This business model enables the people’s access to information and communication regardless of their wealth. It also gives businesses the opportunity to advertise to customers, deliver value and enable economic growth.

Furthermore, this business model is legitimate both under the current EU law and under the provisions of the Digital Services Act which come into effect on 17 February 2024.

For sure, a social media service provider’s contract with users may deserve regulatory review. But it principle such contracts may and should be permissible as a legal basis to process personal data for serving personalised ads on social media platforms, including behavioural advertising.