Meta's Privacy Fine (in Plain English)
I've read a lot of posts and articles about the €390m fine that was announced yesterday against Meta in Ireland, including headlines such as "Meta's Ad Practices Ruled Illegal Under E.U. Law", "Meta Prohibited from use of Personal Data for Advertisement" and many other "doomsday clickbait". Since there are some technicalities and privacy nuances here, including potential broader implications, let me take a stab at explaining the issue in "human speak".
What happened?
The first thing you need to know is that Meta uses people's personal data to personalize ads. We all know this. You browse the web for dishwashers, suddenly your entire Facebook & IG feeds are bombarded with ads for dishwashers. Based on the profile they've built on you (according to some accounts Meta may collect tens of thousands of data points on each user!), they can show you ads for things they know you'll be interested in.
The second thing you need to know is that under Europe's GDPR, companies who process personal data have to rely on what's called a "lawful basis" for every processing activity. Think of it as a hat-rack - each time you process someone's personal data, you need to be able to "hang your hat" on one of the lawful bases (of which there are 6 in total). There are two relevant lawful bases in this case - contractual necessity and consent.
Contractual necessity is simple - it's when a company needs to process your personal data in order to fulfil the contract it has with you. If you ordered dog food online, the pet store needs your address in order to deliver the food. Without it, they won't be able to fulfil the contract.
Consent, on the other hand, seems simple, but it's actually pretty complicated. According to the GDPR, consent must be: 1) freely given, 2) specific, 3) informed and 4) unambiguous. And (as if that wasn't tough enough) the company must allow the individual giving the consent to revoke it at any time.
Given that Meta's entire business model relies on using personal data for targeted ads, they couldn't "hang their hat" on consent - it's too high of a bar to clear (how would you get meaningful consent for something so complex?) and it gives too much power to the user to opt-out (by revoking their consent). This would seriously harm their revenue.
So, they came up with a bit of "legal acrobatics". In their terms of service, Meta added a clause that said that by using its services, the user agrees that their data will be used for targeted ads. But wait, you may say, that seems a lot like consent. Ahh, but that isn't consent, you see. Since it's in the contract, Meta claims that it is a necessary part of the conditions of their contract with the user to serve the user personalized ads. Et voilà, contractual necessity.
As you can imagine, these "legal gymnastics" did not amuse EU regulators, who were divided on the issue. Some said "hold on, Facebook targeting users with ads based on their personal data isn't necessary for the performance of the contract. The contract is simply to let users use the Facebook and IG platforms". Others, such as the Irish regulator, said "yeah, that's fine, you can rely on contractual necessity for this activity".
In the end other EU regulators intervened, as did the European Data Protection Board, and forced the Irish regulator's hand to hand down the fine and, more importantly, rule that Meta could not rely on contractual necessity to serve users personalized ads.
What's going to happen next?
Appeals, appeals, appeals. This will likely be stuck in the courts for years. The Irish regulator is annoyed over what it considers an overreach by the other authorities. Meta will most definitely be appealing this decision, as this decision has major implications for its ability to target users with personalized ads.
Why is this Case Sooo important?
As with any privacy case, the more interesting discussion is about the broader implications. Meta's entire business model relies on the ability to target users with ads. Its revenue is largely reliant on being able to serve personalized ads (Facebook's ad revenues in 2021 hit $115 billion). If Meta needs to start collecting GDPR-level consent from each user to serve them with targeted ads (and allowing users to opt-out), this will surely be a very large blow for their business.
This issue has broader implications as well. How far can we "stretch" the legal basis of contractual necessity? If my entire business is reliant on processing personal data in exchange for providing a service, and if I am required to obtain GDPR-level consent from each user I'll go out of business - would that be enough to allow me to rely on contractual necessity? (I have my answer to this question, which I think you can guess).
There has also been talk for a long time about the disagreement between the various EU regulators, each of which takes a different approach to enforcing the GDPR - how can these differences be reconciled? Will this case be the straw that breaks the camel's back? Some in the field even see this as a warning sign for privacy developments in the US - which is currently grappling with a state-by-state vs. federal approach to privacy regulations.
Long story short, this case is far from over. But it wouldn't be an exaggeration to say that Meta's very business model is currently under attack in the EU. Who will ultimately win? Only time will tell. In the meantime, maybe they should pivot to VR or something... Oh, wait...
SME owners: accelerate business growth.
(6 months ago) Avishai, thanks for sharing!
Venture Capital + Strategy for Fintechs, former General Counsel and Chief Strategy Officer, NED, PayPal (2x), #venturecapital #cards, #payments, #embeddedfinance, #startups, #growthhacking
(1 year ago) I know a lot of EU privacy advisors are licking their lips right now thinking of all the fees they can generate from American companies but this decision is an appalling affront to freedom of contract.
CIPP/US, CIPP/E, CIPP/C, CIPM, CIPT, FIP, ISO27701 LA, Microsoft SC-400, Microsoft SC-900
(1 year ago) Avishai Ostrin "There are two relevant lawful bases in this case - contractual necessity and consent." I do not advocate for Meta, but why exclude legitimate interest as relevant?
PhD Student and Researcher @ TUM Professorship for Law, Science and Technology
(1 year ago) If this ruling sticks it is especially relevant for new social media products. Considering the requirements of consent and privacy by default combined with the fact that most users do not change standard settings - we will probably see some new monetisation models.