By Mark MacCarthy
On January 4, the Irish Data Protection Commission (DPC) fined Meta €390 million ($414 million) for violating Europe’s privacy law, the General Data Protection Regulation (GDPR), and directed the company to bring its data processing operations into compliance within 3 months. Shortly thereafter, the European Data Protection Board (EDPB), which consists of all the European data protection authorities, released the text of its binding decision that dictated the Irish DPC’s ruling. The key finding is that Meta cannot rely upon its contract with users as providing a sufficient legal basis for processing user data for personalized ads. If upheld on appeal, this decision might require social media companies and other online businesses to significantly revise their data-focused advertising business model in the name of protecting privacy.
I want to discuss the EDPB’s decision in two parts. In this post, I will first analyze its legal basis and assess its likely business implications. In the next part, I will consider whether this decision holds some lessons for policymakers as they seek to revise U.S. laws to protect privacy more adequately.
The European Privacy Approach
The European Union’s GDPR became effective in 2018. It requires companies to have a legal basis for data processing, the European term of art for collecting and using personal information. “Processing shall be lawful,” says Article 6 of GDPR, “only if and to the extent that at least one of the following applies,” and includes a list of legal bases for data processing.
The key bases are fulfillment of a contract, consent, and legitimate interest. Under fulfillment of a contract, processing is lawful only if it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” Under consent, processing is lawful only if “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Under legitimate interest, processing is lawful only if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party…”
The interpretation of these key legal terms of contractual necessity, consent, and legitimate interest is complex and contested. But for the purpose of understanding the broad outlines of the EDPB’s decision, the uses of the different legal bases can be simplified as follows.
Contractual necessity applies when the company needs personal information to fulfill a contract that they have made with you to provide service. An online retail stores clearly needs users’ contact details in order to send the items they have purchased. The store can rely on contractual necessity in this case as the basis for collecting and using this information.
Consent is the legal basis to use if a company wants to process personal information that is not needed to provide service to the customer. If a company wants to collect users’ zip codes at the point of sale, it must ask the customers’ permission and tell them why it wants the information (understanding the company’s customer base for instance, or direct marketing). If the customers refuse, the company must still sell them what they want to buy. If the customers provide the store with their zip codes in these circumstances, they have consented, and the company can claim that as its legal basis for collecting the information.
Legitimate interest applies when neither of the other two apply. If a company wants to collect and use user information for direct marketing but has not obtained consent and does not need the information to provide a service, it can nevertheless obtain it and use it if it can show that it has a real business need for the information, an urgent need that overrides any interest the consumers have in protecting their privacy. The comment on legitimate interest in GDPR Recital 47 says that fraud prevention and direct marketing could be justified under legitimate interest. Neither consent nor contractual necessity would be required for data use justified under legitimate interest.
Further, Article 21 of GDPR limits the use of legitimate interest as a basis for direct marketing. This article provides users with an absolute right to object to direct marketing. A company can assert its legitimate interest as a basis for direct marketing, but as soon as a user objects it must honor this request to stop direct marketing. This right to object overrides any claim of business interest.
The European Data Protection Board’s Meta Decision
The Irish Data Protection Commission’s (DPC) January 4, 2023 announcement was the product of a complex process. Meta claimed to the Irish DPC that its legal basis for processing user data for personalized social media services and for advertising purposes was contractual necessity. The Irish DPC essentially agreed, but its decision was challenged by other European data protection authorities, which triggered a process of negotiation to seek a resolution of that dispute. The dispute resolution procedure failed and, pursuant to procedures set out in the GDPR, the issue was referred to the European Data Protection Board (EDPB), a body that consists of all the European Union’s data protection authorities. The EDPB is authorized to issue binding decisions to ensure that the national data protection authorities apply the provisions of the GDPR in a correct and consistent manner.
On December 9, 2022, the EDPB announced that it had “settled” the question of whether or not the processing of personal data for the performance of a contract is a suitable legal basis for social media behavioral advertising. In conformity with that binding decision, the Irish DPC announced in January, that it was reversing itself and rejecting contractual necessity as the basis for Meta’s processing of personal data for advertising purposes. While this decision is formally one made by the Irish DPC, it effectively was determined by the collective body of European data protection commissioners. A few days later on January 11, the Irish DPC released the text of its decision, and the following day the EDPB released the text of its binding decision that had dictated the Irish DPC’s ruling.
The EDPB ruling is the key one for understanding the basis of this decision. It finds in the record it reviewed in coming to its decision information that reveals “the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts…” (Par 96). This indicates immediately its suspicion of Meta’s data practices, revealing that it will need substantial evidence to indicate that this “massive” collection of data for personalized ads is needed to provide social media service.
“This reassertion of the fundamental premise of European privacy law that privacy is prior to business interests is a guiding principle of the decision.”
On the basis of the “objectives” and “normative context” of GDPR and of earlier European court decisions the EDPB concludes that GDPR “treats personal data as a fundamental right inherent to a data subject and his/her dignity, and not as a commodity data subjects can trade away through a contract.” (Par. 100, 101). This reassertion of the fundamental premise of European privacy law that privacy is prior to business interests is a guiding principle of the decision.
The EDPB recognizes that while data subjects cannot arbitrarily trade away their privacy, they are permitted under GDPR Article 6 to provide personal information needed to obtain a service. So, the EDPB turns to the question of “whether behavioural advertising is objectively necessary for Meta” to provide its service. (Par. 111). If it is, then Meta may claim contractual necessity; if it is not, then Meta may not.
EDPB then argues that personalized advertising is not needed to provide social media services. It asserts that if “there are realistic, less intrusive alternatives, the processing is not “necessary”. (par. 120). It considers that there are such alternatives including “contextual advertising based on geography, language and content, which do not involve intrusive measures such as profiling and tracking of users.” (Par. 121). Meta has found it useful for it business purposes to generate revenue through personalized ads. But that is not contractual necessity, since there are realistic alternative funding mechanisms. EDPB concludes that personalized advertising “is useful but not objectively necessary for performing the contractual service, even if it is necessary for the controller’s other business purposes.” (Par. 121).
EDPB also argues that processing for the purposes of personalized adverting cannot be necessary to provide social media services in light of the data subject’s “absolute right” to object to data processing for purposes of direct marketing under Article 21 of GDPR. Data processing for the purposes of personalized ads “cannot be necessary to perform a contract if a subject has the possibility to opt out from it at any time, and without providing any reason.” (Par 122).
EDPB notes that an important consideration in its rejection of Meta’s contractual necessity justification is that “the main purpose for which users use Facebook and accept the Facebook Terms of Service is to communicate with others, not to receive personalised advertisements.” (Par 124)
The consensus among analysts is that for the immediate future Meta will be able to continue to fund its operations through personalized ads. Matt Perault at New Street Research, for instances, considers that the EDPB judgment “won’t affect its ads business in the short run.” Meta’s reaction to the decision bears out this analysis. In a company-issued blog post, Meta says it thinks its legal justification of contractual necessity “respects” GDPR and complains about the lack of “regulatory clarity” on the issue. The company said it would appeal both the ruling and the size of the fines, noting that the European courts may yet reach “a different conclusion altogether.” Presumably, it would also ask a court to stay the implementation of the ruling during the pendency of the appeal, which would allow its personalized ad business to continue uninterrupted, potentially for years.
Even if Meta fails to obtain a stay, it is open to the company to revise its legal basis and to present an alternative justification for its data processing. This could be consent, but Meta seems uninterested in pursuing this option. In the same blog post, it says that the EDPB decision does not “mandate the use of Consent” as a legal basis for its data processing. It rejects the idea that it can no longer offer personalized ads unless each user’s agreement has been obtained. And it holds out the prospect of “another available legal basis under GDPR” for personalized advertising.
But the only plausible alternative legal basis other than consent or contractual necessity would be legitimate interest. Legitimate interest is a complex legal basis that would require Meta to show its legitimate interest in personalized advertising overrides “the interests or fundamental rights and freedoms of the data subject which require protection of personal data.” If Meta pursues that route, it could submit a justification to the Irish DPC based on legitimate interest and try to satisfy the heavy burden involved in defending that legal basis.
The Irish DPC order says that Meta must “bring its processing operations into compliance with GDPR” within three months. Meta could argue, however, that it had complied with the ruling by providing this alternative legal basis of legitimate interest and should be allowed to provide personalized ads until the Irish DPC has had a chance to evaluate this new claim, which could take months or years. The Irish DPC may very well accept this argument, which would provide a significant delay in any operational changes. It is worth remembering that the objection to Meta’s contractual necessity justification was filed four years ago and will likely continue several more years with appeals.
In the longer term, however, Meta faces a seemingly insuperable hurdle in maintaining its personalized ad business in its current form, even if it succeeds in its legitimate interest justification. This is because Article 21 of GDPR provides an absolute right for users to object to the processing of their personal information for direct marketing, which would include personalized ads on social media. Even if Meta successfully invokes legitimate interest to justify the use of personal information for personalized ads, it must still honor this absolute right for users to object.
Will Meta change its existing ad model to comply?
Observing this right to object is likely to mean that Meta would have to offer its users the alternative of receiving the personalized social media services without also receiving personalized ads. Providing users with a choice, however, is extraordinarily risky for Meta’s personalized ad business. When Apple gave its app store users a yes or no choice on whether they wanted apps to track them for purposes of serving ads, 96% of U.S. citizens rejected personalized ad tracking. It is for this reason that analysts are concerned that in the long run Meta’s personalized ad model is in trouble. Dan Ives, an analyst at Wedbush Securities, for instance, thinks that the ruling could put “5 to 7 percent of Meta’s overall advertising revenue at risk.”
The alternative to a social media service paid for by personalized ads might well become an increasingly important part of Meta’s business model. The company could seek to fund this alternative through contextual ads alone. But it could also offer users an alternative of paying a fee to receive a personalized social media service free of targeted ads, a model that is widely followed in other services such as streaming music. Whether the fee could be set so high ($100 a month, for instance) that as a practical matter it forced users to accept personalized ads would be a question for the Irish DPC to address when it approves or rejects Meta’s proposal for coming into compliance with GDPR. Assessing the commercial necessity of Meta’s rates would force the agency into the new and uncomfortable position of economic regulator supervising the rates that Meta could charge its users.
“The ruling imposes no limitation on algorithmic amplification based on personal information.”
Despite the potentially far-reaching nature of the ruling for Meta’s personalized ad business, it is also worth remembering that it might not mean that the company will collect any less personal information or no longer construct detailed profiles of its users. The ruling simply says that Meta cannot collect information or construct profiles for the purpose of serving personalized ads under its contractual necessity basis. The ruling seems to allow Meta to continue to collect and use personal information on the basis of its terms of service for the purpose of providing personalized social media services. So, users who accept Meta’s terms of service will still be allowing the company to collect and analyze information derived from their use of the social media platform for the purpose of ranking, prioritizing, and recommending material posted by other users. Nothing in the decision appears to mean that Meta will have to stop offering algorithmically driven social media service. It would not, for example, be required to provide a chronological feed as one or the only alternative for its users. The ruling imposes no limitation on algorithmic amplification based on personal information.
Moreover, the ruling does not say that Facebook or Instagram must be ad-free. The ads that appear on these services that many find to be annoying and intrusive will likely continue and might even increase. But now these ads would not be personalized. They would be static ads that would be shown indifferently to all users or targeted contextually to all users in a certain location or who speak a given language. Even a fee-based service might contain these non-personal ads.
Privacy advocates might then wonder what they have concretely gained from this apparent victory. Social media surveillance likely will not diminish, nor will the bombardment of users by distracting and confusing commercial advertising. Still, an important precedent has been set, one that vindicates the primacy of privacy rights. The decision delivers a message to all social media companies and other digital companies that they must respect the privacy interests of their users first. Their commercial interests are secondary. To paraphrase the great philosopher of human rights, Immanuel Kant, businesses must first be certain that they are respecting people’s fundamental rights, including their privacy rights. Only then are they entitled to look around for ways to satisfy their economic interests.
In a forthcoming blog, I will look at whether U.S. policymakers should reimagine for the U.S. context the European privacy requirement to demonstrate a legal basis for personal data use and if so, what the implications might be for the data practices of social media companies and other digital companies in the U.S.
Meta is a general unrestricted donor to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the author and are not influenced by any donation.