Fylgia Tech & Data Review #1
Fylgia’s Commercial Tech & Data team is delighted to announce the publication of the very first issue of Fylgia Tech & Data Review – your new favorite in-depth article series for everything tech and data related. Please enjoy our very first issue, which aims to unpack the Irish Data Protection Commission’s recent Meta decisions and discuss if there is still a future for free online services that survive mainly on ad generated income based on behavioral advertising.
The Future of Behavioral Advertising in light of the recent Meta decisions
The Irish Data Protection Commission (“DPC”) adopted final decisions in two inquiries into Meta’s Facebook and Instagram on 31 December 2022, fining the company a total of €390 million. The announcement on 4 January 2023 has created shock waves throughout the data protection community and the AdTech industry. Although the fine in the case is significant, it may be less interesting than the precedent that the DPC has set for data practices in the EU – and beyond.
Meta changed the Terms of Service for its Facebook and Instagram services in advance of the effective date of the GDPR. In contrast to its previous reliance on the consent of users as lawful basis for the processing of users’ personal data for behavioral and personalized advertising, Meta opted for ‘contractual necessity’. Meta considered that upon accepting the Terms of Service, the user entered a contract with the company, and that the processing of the user’s personal data to conduct behavioral advertising was necessary for the performance of the contract.
On the effective date of the GDPR, two complaints were made. The two EU complainants contended that, contrary to Meta’s stated position, that Meta was still relying on consent as the lawful basis for its processing of personal data for behavioral advertising purposes. The complainants argued that by conditioning the Facebook and Instagram services on acceptance of the updated Terms of Service, Meta was ‘forcing’ users to consent to the processing. The complainants argue that this was in breach of the GDPR.
The DPC’s Draft Decision
Following comprehensive investigations, the DPC prepared draft decisions in which it found that:
- Meta was in breach of its obligations in relation to transparency since the information in relation to the lawful basis relied upon was not clearly outlined to the users, with the result that users had insufficient clarity as to what processing operations were being carried out, for what purposes and on what lawful bases. The DPC concluded that a lack of transparency on such fundamental matters was in breach of the right of information in the GDPR, as well as a breach of the principle on ‘lawfulness, fairness, and transparency’; and that
- in the circumstances where it found that Meta did not in fact rely on users’ consent as a lawful basis for its processing, the ‘forced consent’ aspect of the complaints could not be sustained. Thereafter, the DPC went on to consider Meta’s reliance on ‘contractual necessity’ in connection with the delivery of its personalized services, including behavioral advertising. The DPC found that Meta was not required to rely on consent. Hence, the GDPR did not in principle preclude Meta’s reliance on ‘contractual necessity’ as the lawful basis.
As mandated by the GDPR, the draft decisions were submitted to the Concerned Supervisory Authorities (“CSAs”). On the question as to whether Meta had breached the transparency requirement, the CSAs agreed with the DPC’s decision. However, ten of the 47 CSAs raised objections in relation to other elements of the draft decisions. In particular, the subset of CSAs took the position that Meta should not be permitted to rely on ‘contractual necessity’ as the lawful basis for the delivery of behavioral advertising, as the processing could not be said to be necessary for the performance of the core element of the contract. The DPC disagreed, reflecting its view that the Facebook and Instagram services in fact do include and appear to be premised on the provision of a personalized service that includes personalized and behavioral advertising as integral parts of the services.
The consultation process made it clear that consensus could not be reached. The DPC decided, consistent with its obligations under the GDPR, to refer the inquiries to the European Data Protection Board (the “EDPB”).
The EDPB’s Binding Determination and the DPC’s Final Decisions
On 5 December 2022, the EDPB issued binding determinations on the dispute between the DPC and the CSAs. The EDPB did in fact side with the subset of CSAs and found that Meta was not entitled to rely on ‘contractual necessity’ as lawful basis for the processing. In addition, the EDPB ordered the DPC to conduct a new investigation into all of Facebook’s and Instagram’s data processing activities.
|<space>||In the DPC’s final decisions on 31 December 2022, the DPC incorporated the EDPB’s binding determinations that Meta’s reliance on ‘contractual necessity’ as the lawful basis for the processing in question was in breach of the GDPR. However, in announcing the final decisions on 4 January 2023, the DPC characterized the EDPB’s order to initiate a new investigation of Meta as an overreach. The DPC noted that this direction is not included in the final decisions and indicated that the DPC will bring an annulment action before the Court of Justice of the EU to set aside this element of the EDPB’s rulings.|
Takeaways from the Meta Decisions
As stated in the beginning of this article, the Meta decisions have created shock waves throughout the data protection community as well as the AdTech industry. The reason behind this is the precedent that the DPC has set for the future of behavioral advertising, as well as questions regarding the EDPB’s legal authority to order investigations. Below are our takeaways from the decisions.
The EDPB’s Legal Authority
The EDPB is a body constructed to resolve disputes between the data protection authorities and to ensure consistent enforcement of the GDPR across the EU. An action by the DPC to annul part of the EDPB’s binding determination before the Court of Justice of the EU would hinge on whether the EDPB has the legal authority to order data protection authorities to bring new investigations. One could argue that the EDPB’s order is problematic in jurisdictional terms, as the EDPB does not have a general supervision role similar to that of national courts in respect of national independent authorities and that it is not EDPB’s rightful place to instruct and direct a national authority as the DPC to engage in open-ended, and somewhat speculative, investigations. Furthermore, the position that the EDPB holds on its legal authority in this instance does not appear consistent with the structure of cooperation and consistency arrangements as laid down by the GDPR.
The Future of Behavioral Advertising and “Free” Online Services
Although the fine imposed on Meta by the DPC is significant, the implications of the decisions for Meta and other social media platforms as well as other businesses relying on digital platforms are much more significant than a mere fine. Following the DPC’s decisions, Meta announced that it intends to appeal the decisions – which, as a result, means that we will not see the end of the discussion on whether ‘contractual necessity’ constitutes an appropriate lawful basis for behavioral advertising or not for many years to come.
|The final decisions included a requirement for Meta to bring Facebook’s and Instagram’s processing into compliance within three months. However, since Meta will likely appeal the decisions, it may continue to rely on ‘contractual necessity’ pending the final determination of an appellate process. All lawful bases are created equal in standing, but as we take away from these recent decisions – they really are not.||<space>||
As the decisions did not in fact prohibit behavioral advertising on the platforms, Meta could potentially opt for another lawful basis under the GDPR, such as legitimate interest. The issue, from a commercial standpoint and from Meta’s point of view, is that where legitimate interest is relied upon, the data subjects have the right to object to such processing. The right to object could potentially undermine Meta’s possibility to apply behavioral advertising on all its users and, as a result, decrease ad revenue. Therefore, the biggest, and potentially most impactful, takeaway from the Meta Decisions is that, generally, the processing of personal data for behavioral advertising is not necessary for the performance of a contract for online services and that ‘contractual necessity’ should be determined on a completely objective basis. It is the business model which must adapt itself to comply with the requirements of the GDPR, and not the other way around.
The business model including personalized and behavioral advertising has been a crucial driver of growth and revenue for not only Meta, but many other digital platforms. The appellate process will likely be closely followed by many in the data protection community, as well as the AdTech industry, and will have an impact on the future of “free” online services. If the DPC’s ruling stands, Meta will likely need to gather explicit consent from its users. It will also likely need to implement processes and the capability to disable behavioral advertising for users who do not consent while simultaneously convincing advertisers that the Facebook and Instagram platforms still are worthy of the advertisers’ budgets. This is a significant set back for services that, in the DPC’s own words, “[…] include, and indeed appear to be premised on, the provision of a personalized service that includes personalized or behavioral advertising”.
So, to conclude this article with a question best answered with a lawyer’s favorite words: is there a future for free online services that survive mainly on ad generated income based on behavioral advertising?
About the Author
Linda Mazaheri is an associate with Fylgia’s Commercial Tech & Data team. Her work consists of leading and implementing complex GDPR compliance projects, day-to-day privacy advice, data law, IT agreements and ventures, and telecoms. She has a proactive approach in her guidance and considers the goals for the clients’ practices, and how GDPR compliance projects and technology can be used to improve workflow and processes, connect different parts of the practice, reduce the probability of mistakes, save time, and increase effectiveness.
Please click here for more information about Linda Mazaheri.
Fylgia’s Commercial Tech & Data team
Fylgia’s Commercial Tech & Data team is specialized in Data Privacy, Data Protection, Data law, IT and Telecoms. The team has extensive experience with matters related to AI, cloud services, NFT, crypto, data analytics/big data, telecoms, and digital services. The team continuously represents tech focused companies and ventures in complex deals related to IT and data.
Please click here for more information about Fylgia’s Commercial Tech & Data team.