Meta’s Search for a (highly profitable) Legal Basis
Privacy Plus+
Privacy, Technology and Perspective
Meta’s Search for a (highly profitable) Legal Basis — “What is ‘Necessary’ to Performance of a Contract” Under the GDPR? This week, let’s consider the implications of the European Data Protection Board’s (EDPB) new decision in the long-running dispute among Meta, the Irish Data Protection Commission (DPC), other EU/EEA regulators, activist Max Schrems’ organization “noyb” (“none of your business”), and the EDPB itself.
Background and Summary. Article 6 of the GDPR requires at least one “legal basis” as a precondition for Europeans’ personal data to be processed. Under Article 6(1)(a), “consent … for one or more specific purposes” is one possible basis, while under 6(1)(b), that the processing is “necessary for the performance of a contract” with the user is another.
(No matter what “legal basis” is claimed, however, there remain overriding duties of “transparency” and “fairness.”)
Briefly, Meta – the owner of Facebook, Instagram, and WhatsApp – relies on “contract necessity” as its GDPR-legal basis for sending personalized ads to users based on their behavior. Meta believes individualized service is the whole point of social media, so users’ contracts to engage on social media, perforce, must include their agreement to be tracked and served individualized ads. Unsurprisingly, on the very day the GDPR took effect, Max Schrems and noyb filed a complaint taking the opposite view, asserting that personalized, behavior-based advertisements aren’t “necessary” to the performance of Meta’s core services at all and that Meta is “forcing consent” from users.
Years of argument ensued. Meta’s chief regulator, the DPC, concluded that since Meta was not relying on 6(1)(a) “consent,” the “forced consent” argument did not apply and that Meta could rely instead on a 6(1)(b) “contract” legal basis. Per GDPR procedures, however, the DPC’s draft decision was circulated among its 47 (!) peer regulators – 10 of whom disagreed, believing that personalized ads aren’t “necessary” to perform the core elements of Meta’s service. When the peer regulators could not agree, the dispute was elevated to the EDPB, whose final decision as to Facebook and Instagram was announced recently. (The WhatsApp decision is expected soon.)
The EDPB has concluded that Meta cannot rely on 6(1)(b) “contract necessity” as a legal basis for behavioral advertising. Meta has ninety (90) days to get into compliance.
You can read the EDPB’s decision here:
You can read the DPC’s press release here:
“Transparency” seems to be the key. Everyone (except Meta) agrees that regardless of its “legal basis,” Meta has failed in its duty of transparency. So found, the DPC and the EDPB have strongly agreed, even directing an increase in the fines Meta must pay. In our view, contracts are a creature of consent, and it is abundantly clear under the GDPR (and many other emerging privacy laws) that consent must be clearly informed and given for “specific purposes” (Article 6(1)(a)). Was reluctance to be too specific about its behavioral tracking partly behind Meta’s decision, right before the GDPR took effect, to switch from a “consent” basis to a “contract” acceptance? Regardless, can a user effectively “contract” for services that involve personal data processing which is opaque? On the latter, at least, we read the EDPB – in fact, the whole GDPR regulatory community – as saying “no.”
For Meta, fines may not be the worst of it. Just in 2022, Meta was fined nearly 750 million Euros: €265 for a data scraping breach (Facebook), €405 over children’s privacy (Instagram), €17 for historical breaches (Facebook), and €60 over cookie consents (Facebook). This dispute adds another €390 to that melancholy subtotal -- pushing the total to over €1 billion, presumably with more to come over WhatsApp. This is still nowhere close to the GDPR’s ceiling, and Meta can afford it. But can Meta afford to change its European business model as dramatically as the EDPB insists? Will enough of its customers “consent” to continued behavioral tracking?
Undercurrents are moving powerfully. This isn’t a 2-sided argument. There are at least five (5) “sides” -- Meta, the DPC, 47 other regulators, the EDPB, and Max Schrems -- each with its turf, objectives, priorities, and perhaps hyperbole. The EDPB has ordered Ireland to launch a fresh investigation of Meta, spanning all of Meta’s processing and special categories of personal data that may or may not be processed in the context of these operations. The DPC objects strongly, denying that the EDPB has a general supervision role and asserting that it has no jurisdiction to order the DPC to start an open-ended and speculative investigation. Meanwhile, Max Schrems and noyb have practically accused the DPC of corruption, by allowing Meta to see its proposed decisions ahead of time so it can object to anything “sensitive” that would be disclosed in them.
What’s next? Meta will certainly appeal the substance of the fines, their amount, and the interpretation of “necessity.” The DPC says it will approach the European Court of Justice about the EDPB’s “overreach.” The other regulators will watch closely. Max Schrems will press on. No resolution timetable is in sight. But, in our view, the EDPB’s 90-day deadline will raise the stakes.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.