E.U. regulators have decided that social media giant Meta may not rely on “contract necessity” as a GDPR legal basis to collect Facebook, Instagram and WhatsApp users’ activity data without seeking consent. As a condition of the social platforms’ user agreements, Meta required accountholders to allow personalized ads and platform improvements based on their posting and commenting. The Irish Data Protection Commission’s (DPC) order, published as three decisions on January 11 and 19, 2023, fined Meta $428 million, but its core impact is a harsh one in the current privacy atmosphere: it limits the company’s ability to use data it collects from its own apps.
The E.U. decisions may be the most forceful undermining of the two-decade-old proposition that providers of free internet services, like social media networks or search engines, can require users to pay for access with their personal data. “These decisions go to the very heart of the grand bargain between internet service providers and consumers to fund the free internet as we know it,” DLA Piper partner Ross McKean told the Cybersecurity Law Report. “The innovative digital services that have so successfully drawn us into the online world have been funded, pretty much exclusively, by the providers’ harvesting of consumers’ personal data to then serve ads back to them for lucrative revenue,” he observed.
Meta currently does not give Instagram or Facebook users a way to opt out of ads based on what they post, watch or comment on. The decisions against the social media giant address transparency and fairness violations and lack of a valid basis for processing. The company must update its apps’ user materials within three months to comply with GDPR. Meta has said it will appeal both the fines and the legal conclusions, citing “a lack of regulatory clarity” on use of contractual necessity as a lawful basis.
The DPC’s decisions, each running over 180 pages, show an intensifying power struggle among E.U. privacy regulators. The decisions each incorporate a binding order from the European Data Protection Board (EDPB), which overruled the DPC’s initial legal conclusions and fine. The DPC announced it will seek to annul one portion of the EDPB orders as an illegitimate “overreach,” the first such challenge to the EDPB’s authority.
This article examines the decisions and the key compliance implications for other companies, and includes insights from GDPR specialists at DLA Piper, Ropes & Gray and Wallace.
See “Two European Regulators Warn Behavioral Advertising Skates on Thin Ice” (Jan. 19, 2022).
The Arguments Over Contract Necessity as a Legal Basis for Behavioral Ads
The key legal question in the case was whether Instagram’s and Facebook’s collection of individuals’ behavioral data for personalized advertising was a necessary part of the platforms’ user agreements.
Max Schrems’ privacy rights group None of Your Business (NOYB) filed a complaint on May 25, 2018, the day after GDPR took effect. The complaint alleged that Meta’s contract necessity justification was an invalid way to force users’ consent. McKean noted that “contract necessity comes with fewer privacy rights for consumers” than two other common choices that each provide a right of refusal: an individual can withdraw consent or object to processing under “legitimate interest.”
See “Compliance Takeaways From the Latest GDPR Enforcement Statistics” (Feb. 2, 2022).
The Context for Facebook’s Choice of Legal Basis
Facebook’s choice of contract necessity was an unusual approach. “In the early days of GDPR, everybody was feeling their way on finding a lawful basis for processing,” said McKean. The extent to which contract necessity would serve as a valid basis for collecting user data was unclear. “Regulatory guidance took a narrow interpretation but that wasn’t legally binding and there was scant authority on point until the recent EDPB and Irish DPC decisions,” he noted.
“The conversations in digital marketing were all around consent or legitimate interests, both among companies and the regulators,” McKean recalled. In 2018, “people already were aware that GDPR standard consent was highly problematic with very low opt-in,” while legitimate interest required a complicated balancing test untested in the courts, he said.
Social media platforms at the time were drawing criticism for their cookie notices, McKean pointed out.
The DPC’s Analysis of Meta’s Contracts
In the draft decisions the DPC circulated to other regulators, it concluded that processing users’ data for behavioral ads was necessary for Meta to satisfy its particular contract with users. This legal basis for processing meant the company could condition a person’s platform use on accepting personalized ads, the DPC said. Ireland leads the enforcement of GDPR for Meta and several other large technology companies whose European headquarters are in the country.
The DPC highlighted that Meta had made personalized advertising a central element of its bargain with users. The platforms’ user agreements clearly stated that Facebook was providing a holistic personalized experience of relevant content recommendations (like groups to join) and advertisements as a “core data use” of delivering these services. “Advertising … appears to be part of the substance and fundamental object of the contract. It is, in fact, the core element of the commercial transaction as between Facebook and Facebook users,” the DPC concluded.
The regulator made “no determination whether Meta’s contract would be impossible to perform in the absence of personalised advertising.” The DPC asserted it was not appropriate to judge “necessity” using the strict yardstick of impossibility. It added that it was making no determination about whether Meta was entitled to contractual freedom under national laws.
On January 19, 2023, the DPC announced it had decided to fine a third Meta-owned platform, WhatsApp, €5.5 million, rejecting its reliance on a contractual basis to process personal data – in its case, only for service and security improvements, not targeted ads.
The EDPB’s Analysis
Ten of the other E.U. privacy regulators formally disputed the DPC’s interpretation during the GDPR cooperation process. Earlier EDPB guidance recommended a test of whether “the main subject-matter of the specific contract with the data subject cannot, as a matter of fact, be performed if the specific processing of the personal data in question does not occur.”
Ultimately, the EDPB overruled the DPC’s earlier decisions, concluding that the core part of the contracted service was its social network functionality, and that advertising was secondary, not necessary, to the performance of the apps’ contract with users.
See “Three Years In, GDPR Legal Landscape Remains in Flux” (Jun. 23, 2021).
Meta’s Statements and Financial Stakes
“We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines,” Meta said in a blog post. “The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area.” Meta added that it is assessing ways to continue giving users personalized services, but it denied a legal need to obtain users’ direct consent.
Meta uses its in-house user data to create customized audiences for selling personalized ads. The European portion of that business was almost a quarter of all Meta’s ad revenue, which totaled $83 billion through 2022’s third quarter.
Market analysts estimated that loss of the ability to use behavioral data for a large portion of its European users would cut its advertising prices by 10% to 25%. In 2021, when Meta lost behavioral data from iPhone users refusing to be tracked, its ad revenue fell 8%.
See “Ad Industry’s Third-Party Data Use Grew Despite Impending Cookie Shutdown” (Feb. 23, 2022).
A GDPR Appeal in a Common Law Jurisdiction
Meta would file its appeal in the courts of Ireland, one of two countries in the E.U. with common law. “The appeal will solely concern the GDPR and whether the DPC has interpreted it correctly,” explained Wallace partner Alexander Egerton.
How narrow a contract analysis the Irish courts will conduct, and what advisory weight they give the EDPB’s prior guidance and conclusions, will shape the result.
Ireland’s courts might also seek an opinion from the Court of Justice of the European Union (CJEU) on E.U. law. This four-and-a-half-year-old case may run for another couple of years, during which Meta might be able to forestall making changes or even paying the fine.
See “Does the GDPR Disadvantage Non-E.U. Companies? The Benefits of a Lead Supervisory Authority (Part One of Two)” (Oct. 2, 2019); Part Two (Oct. 9, 2019).
The Impact of the EDPB’s Decision
“Any organization that is relying on advertising revenues from profiling consumers to fund its online services now has a fairly large question mark over its grand bargain with consumers, in the same way that we had questions raised over third-party cookies,” McKean said.
The EDPB’s narrow interpretation of contractual necessity “puts at risk consumer interests in free, progressive online services, and also constrains the European Charter freedom for organizations to carry on a business,” McKean opined.
Users exchanging personal data for free service has supported desirable search and social media technologies, which in turn promote use of all internet services. “Search and social media are the diving boards for consumers into the digital world. That’s where most consumers start their online journey,” McKean pointed out.
See “Consciously Coupling: Tackling the Juxtaposition Between Adtech and Privacy” (Feb. 19, 2020).
Three Compliance Themes of the Meta Case
The DPC’s detailed decisions are a broad help for compliance because they add to the slowly accumulating precedents for GDPR complaints, decisions and appeals, Ropes & Gray partner Rohan Massey observed. “Four-and-a-half years into GDPR, it’s still early days. The greater clarity we have, the more efficient this process will be.”
See “H&M’s $41M GDPR Fine Underscores Importance of Employee Data Handling” (Oct. 14, 2020).
User Consent Must Not Be Implied, Even for First-Party Data
The decisions reinforce that data processing cannot be legitimate under GDPR if the data subject’s authorization is implied, Massey noted. To satisfy regulators now, “when a company bundles data processing into terms of service or a contract, users must have the ability to still say ‘I’m happy to use your services, but I’m not happy to have my data used in this way. Yes, I’m opting out of the behavioral advertising,’” he advised.
According to the EDPB, Meta “presented its services to users in a misleading manner, and … the relationship between Meta and its users was imbalanced.” The company, Egerton pointed out, failed to show any indication “that if the people didn’t agree to the advertising data being created, that they could still use Facebook resources.”
Meta was not the only recent Big Tech case on consent. On January 4, 2023, French regulator CNIL fined Apple €8 million because of a prechecked default on a user’s choice regarding advertising data. CNIL said that Apple’s App Store had not sought sufficient consent before it read user information on iPhones and then created targeted ads.
The message in both the Apple and Meta cases is that a platform’s collection of data on its own sites, sometimes called first-party data, requires a full, explicit expression of user consent. “CNIL found with Apple that its consent [collection practice] was too chunky,” making it hard for users to opt out, Egerton noted. “Consent now is difficult under GDPR – it has a certain threshold to meet. It has to be unambiguous. It’s got to be entirely voluntary. You can’t link it to anything else,” nor have prechecks, he said.
CNIL said it limited the fine because Apple began asking for such consent with iOS 15. Apple said it will appeal.
See “Apple Overhauls Privacy for iPhone Apps, but Will It Enforce Its Policies?” (Sep. 23, 2020).
Regulators Emphasize Article 5 Transparency and Fairness Principles
The Meta fines and decisions prioritized transparency. The company’s “grave breaches of transparency obligations impacted the reasonable expectations of the users,” the EDPB said. The decisions fined Facebook €160 million for transparency violations and €60 million for an invalid legal basis, and Instagram €130 million and €50 million, respectively.
“We lawyers tend to just zero in on the lawful basis of processing, and once we have secured that, we’re very happy. What comes out of this judgment is that you have to be completely transparent and [fulfill] the other principles to be fine,” Egerton advised.
When Egerton counsels app companies, he recommends that terms of service include a pop-up with the privacy questions. Choosing contract or consent as the GDPR basis for processing may matter less than ensuring the end user’s choice is truly clear. “The lawful basis will be easy to identify if the transparency requirement is met. Article 5 trumps Article 6,” he noted.
Of the issues in this case, McKean noted, “where the regulators are on less controversial ground is transparency.” Meta had essentially conceded that it needed to improve its transparency, he said. The Meta brands are hardly the only ones that need to take that step. “Platforms haven’t been as transparent as they could and should be about the nature of the grand bargain and basis on which they are relying to process personal data. That is a fair criticism of many platforms,” he added.
Regulators Struggle for Power, Prolonging the Cases
Apple is just the latest example of the French regulator finding a way to act against an Ireland-based Big Tech company, Egerton noted. Other regulators have suspected that Ireland, where several U.S. companies headquarter their E.U. operations, “is giving Big Tech an easy ride to secure their revenue. There’s been a theme that the DPC is on the naughty step and other regulators are concerned,” he observed. In 2021, in the WhatsApp case, the EDPB ruled in favor of other E.U. regulators over the DPC’s choice of fine.
With Meta, the EDPB again overruled the DPC on the size of the fine – the DPC had proposed €36 million for Facebook’s infringements and €23 million for Instagram’s, for a total of €59 million. At least five other regulators urged a higher fine, citing the number of data subjects concerned and the essential status of this behavioral-ad data processing to Meta’s business model. The German regulators noted that in 2020, Meta generated €36 million in revenue in about 4 hours and 30 minutes. The EDPB ordered “a significantly higher fine” for the transparency infringements, and the DPC dedicated 66 pages of each decision to justifying the new amounts as proportionate, dissuasive and appropriate.
The EDPB also overruled the DPC on scope, ordering the regulator to conduct a new investigation of whether Meta processed sensitive data and, thus, was obliged to seek consent from users.
The DPC said it had discretion to select the issues to investigate under Irish law. However, the DPC acknowledged that it opened its investigation in response to the Austrian regulator forwarding the NOYB complaint, which includes the sensitive data allegation and others not addressed by the DPC. In a press release, the DPC argued that the investigation ordered by the EDPB “may involve an overreach” beyond the EDPB’s GDPR authority. As such, the DPC will seek to annul a portion of the EDPB’s binding order.
The DPC’s announced challenge raises a jurisdictional question, Egerton noted. The Irish position effectively is that “the EDPB role is to provide guidance, judgment, best practice,” along with adjudicating disputes between the E.U. member regulators, he said.
The EDPB might respond that its role is to protect GDPR to make sure it functions, including keeping countries from watering down the law, Egerton observed.
See “Disputed Twitter Fine Offers Breach Response Lessons” (Jan. 20, 2021).
Fretting Over Legal Basis Will Continue
It is common for companies to rely on legitimate interest as a legal basis to collect and use user data. Whether that approach is valid depends on a balancing test weighing a person’s fundamental rights and freedoms against the benefits and necessity of the processing. “There is always a challenge with the balancing test, as it hasn’t really been fully set out with jurisprudence yet as to exactly what the balancing test is,” Massey noted. Also, legitimate interest only works if all the data is non-special category data.
Consent is a more clearly understood concept because “it is viewed through three elements: sufficient information provided to the individual; consent given without undue influence or duress; and the ability for the individual to withdraw consent at any time as easily as it was given,” Massey said.
The GDPR standard for valid consent is extremely tough to meet. Opt-in rates remain stubbornly low, so “many organizations practice the ABC approach of ‘anything but consent,’” McKean said. The EDPB and DPC decisions denying contract necessity as a lawful basis to process are damaging because “chipping away at the alternatives to consent in practice means limited options to process personal data lawfully. That may have profound consequences for the many progressive and innovative online services funded by the harvesting of consumer personal data,” he said.