- Compliance may require more user controls
- Issue gets at heart of ad-driven business model
Meta has said it plans to appeal a decision that resulted in €390 million ($414 million) in fines from the Irish Data Protection Commission, levied Jan. 4 for violating European Union privacy rules by relying on terms of service to require users of its Facebook and Instagram platforms to accept personalized ads.
The Irish authority ordered Meta to bring its processing of personal data for advertising into compliance with the European Union’s General Data Protection Regulation, known as GDPR.
Meta may have to give consumers a choice to opt out from being shown advertisements that are based on information collected about how they use its platforms, privacy advocates have suggested. An opt-out mechanism could deal a blow to Meta’s business model of selling ads to cover costs of free-to-use services, though the company has underscored that the Irish regulator’s decision doesn’t prevent personalized advertising on its platforms.
The issue gets “right at the heart of their business model,” said Andrew Serwin, a partner at law firm DLA Piper who previously served as an expert witness for Ireland’s Data Protection Commissioner in a case concerning information flows between Europe and the US.
“If you’re getting to use the platform for free, can you fundamentally opt out of how they make it free?” Serwin asked.
Meta’s Alternatives
Meta is considering alternative arguments for the legal basis underpinning its use of data for personalized ads, potentially pivoting to an option that doesn’t rely on its terms of service.
“The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect,” the company said in a blog post after the Irish authority announced the fines.
Another option under the GDPR is for Meta to assert that it’s in the company’s “legitimate interests” to use personal data for advertising, though this claim would require balancing its business interests with the interests of individual users of its platforms, privacy professionals say.
“Legitimate interest is a gray area of GDPR,” said Daniel Barber, chief executive officer and co-founder of DataGrail, a privacy management platform that helps companies comply with regulatory requirements.
“Businesses have largely struggled with the analysis for that,” Barber said.
Meta might have a hard time meeting the criteria of the balancing test between business interests and individual interests, according to John Davisson, senior counsel and litigation director at the nonprofit Electronic Privacy Information Center.
Asking consumers to agree to targeted advertising as part of the terms of using a service “relies on coercive consent,” which could be considered a violation of the European data protection framework’s fairness principle, Davisson said.
It’s unlikely that Meta would encounter similar legal issues in the US, as state privacy laws don’t follow all of the GDPR’s provisions. If Meta rolls out new privacy controls in response to EU regulatory pressure, those user settings could be offered globally.
Clarification Needed
Meta’s appeal will have to work its way through court, which could take some time. There are two similar cases pending before the Court of Justice of the European Union that also deal with legal questions related to how Meta obtains users’ permission to use their data, according to a nonprofit led by Austrian privacy activist Max Schrems.
The nonprofit, NOYB, filed the complaints that led to the Irish authority’s latest fines against Meta. The tech giant has previously faced fines in Europe over issues including a data leak and improper handling of children’s personal data.
The nonprofit’s complaints against Meta were submitted in 2018, on the day that GDPR went into effect.
Businesses are still learning how to navigate the privacy regulation, according to Lartease Tiffith, executive vice president for public policy at the Interactive Advertising Bureau, a trade association.
“This is one of those areas that needs further clarification,” Tiffith said of the legal questions surrounding personalized advertising.
Even if consumers decline ads based on tracking their behavior online, advertisements that are served based on context, like showing ads for running shoes on a page about running, would still be permitted. Targeted ads also would be allowed with adequate consumer consent.
“This is not a death sentence for all ads,” said Odia Kagan, a partner at Fox Rothschild LLP who focuses on GDPR compliance. “This changes the concept of clicking ‘I accept’” as the right legal basis for personalized advertising, Kagan said.