The European Data Protection Board’s (EDPB) decision — according to sources in the Wall Street Journal — settles an important legal question regarding personalized ads under the GDPR. In fact, the dispute regarding Meta’s data collection practices first started in 2018 when the GDPR came into force. Meta’s social platforms, such as Facebook and Instagram, track their users’ on-app activity — like the content they’ve engaged with — to send them targeted and personalized ads. However, these platforms did not take their users’ consent before doing so. Instead, the platforms relied on a different GDPR provision to justify their actions, claiming that personalized ads are a service they are contractually bound to deliver. The EDPB clarified that Meta cannot collect its users’ personal data without their express consent, a decision that could have a significant impact on its European revenue as Meta’s business model revolves primarily around targeted advertising. Meta will have the opportunity to appeal the regulator’s decision.
Background of the EDPB’s Decision
The Irish Data Protection Commission (DPC) is the lead authority that checks Meta’s privacy obligations in Europe, as the company has its EU headquarters in Ireland. In 2018, when the GDPR began being enforced, Meta (then Facebook) sought to bypass the requirement of consent to process users’ personal data. Max Schrems, digital rights activist and founder of noyb, lodged a complaint against Facebook with the Irish DPC. Last year, the Irish watchdog released a draft decision regarding Meta’s personalized ads policy. However, several other European privacy regulators issued objections to the DPC’s draft decisions. This situation required the EDPB to step in and issue a decision to settle the matter. However, the EDPB’s decision does not directly order Meta to change its practices. Instead, it means that the DPC must now issue public orders based on this decision, along with significant fines. The DPC has previously issued large fines against Meta and its platforms for a number of violations. This includes recent decisions connected to data scraping, a lack of transparency regarding WhatsApp data policies, and mishandling teens’ data on Instagram.
Schrems Says Decision a ‘Huge Blow’ to Meta’s EU Profits
Following the WSJ news report, noyb posted on its website celebrating the EDPB’s decision along with an analysis of what it means for Meta. “This is a huge blow to Meta’s profits in the EU,” said Max Schrems. “People now need to be asked if they want their data to be used for ads or not. They must have a ‘yes or no’ answer and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.” “This case is about a simple legal question. Despite the slow procedure, we are happy about the EDPB decision after all,” Schrems added. Meta, for its part, will have the chance to appeal the forthcoming decision from the Irish DPC. A company spokesperson said that EU law could allow alternative legal justifications for its personalized ads. “This is not the final decision and it is too early to speculate,” a Meta spokesperson told the WSJ. “We’ve engaged fully with the DPC on their inquiries and will continue to engage with them as they finalize their decision.” For readers concerned about privacy protection when using social media, especially Meta’s platforms, VPNOverview has compiled plenty of resources. The average user might be surprised at the tweaks they can make on WhatApp, Instagram and Facebook to optimize privacy settings.