BREAKING: Meta (Facebook and Instagram) prohibited from using personal data for advertisement. Major blow to Meta’s business model in Europe, following noyb litigation. Fine for Meta more than tenfold from € 28 million to € 390 million. Third case on WhatsApp pending.
As confirmed by the Irish DPC, the European Data Protection Board (EDPB) has rejected the Irish DPC and Meta’s bypass of the GDPR based on noyb complaints against Facebook and Instagram. Meta is now prohibited to bypass the GDPR via a clause in the terms and conditions. Meta has to get “opt-in” consent for personalized advertisement and must provide users with a “yes/no” option. The decision on a third parallel case on WhatsApp is delayed until mid-January.
Key Facts:
- Two complaints filed by noyb on behalf of an Austrian and Belgian user on May 25th, 2018 (the day the GDPR became applicable) were decided today.
- A third complaint on WhatsApp on behalf of a German user was delayed to mid-January, according to an email by the DPC.
- Meta tried to “bypass” the consent requirement in the GDPR by adding a clause to the terms and conditions for advertisement.
- In December 2022, the EDPB overturned a previous draft decision by the Irish DPC that took the view that Meta’s bypass of the GDPR was legal.
- The final decision requires that Meta may not use personal data for ads based on an alleged “contract”. Users therefore need to be provided with a yes/no (“opt-in”) consent option, otherwise Meta may not use their data for personalized advertisement.
- The decision does not prohibit other forms of advertisement (like contextual ads, based on the content of a page).
- Meta’s use of personal data was illegal since May 2018.
- The fines for Facebook and Instragram total € 390 million. An additional fine for WhatsApp in the parallel procedure is to be expected.
Meta wanted to “bypass” GDPR. The GDPR allows for six legal bases to process data, one of which is consent under Article 6(1)(a). Meta tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the “service” that it contractually owes the users. The alleged switch of legal basis happened exactly on 25 May 2018 at midnight when the GDPR came into force. So-called “contractual necessity” under Article 6(1)(b) is usually understood narrowly and would e.g. allow an online shop to forward the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, took the view that it could just add random elements to the contract (such as personalized advertisement), to avoid a yes/no consent option for users.
Max Schrems: “Instead of having a ‘yes/no’ option for personalized ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”
€ 380 million in fines, DPC wanted € 28 to 36 million. In addition to an overall stop of personalized ads, the EDPB has insisted on a massive fine for Meta. After all, the company has based most commercial data processing on an intentional violation of the law. The EDPB has already issued Guidelines on the matter in 2019. Meta has already …….