EU judgment sinks Meta’s argument for targeted ads

Targeted ads not justifiable

Regarding the processing of non-sensitive data used by Meta for targeted advertising, the CJEU considered whether or not this is covered by justifications in the GDPR that allow the processing of data in the absence of consent.

Article 6(1)(b) of the GDPR establishes that practice could only be justified on condition that if the data is not processed, the contract between the user and the service operator can’t be fulfilled.

This contractual necessity for data processing is usually understood rather more narrowly. For example, it enables an online retailer to provide a customer’s address to a courier, which is clearly necessary data processing under the terms of the contract between the store and the customer.

Meta had relied on Article 6(1)(b) as its main justification for data processing for targeted advertising by claiming that targeted advertising was part of the service it contractually owes its users – a clause it introduced as part of a change to its terms of service (ToS) made at the stroke of midnight on 25 May 2018, which is the precise second the GDPR first came into force.

Max Schrems, founder of Austria-based data protection campaign group NOYB, argued that Meta seemed to have taken the view that it could just “add random elements” to the contract, i.e. its ToS, covering personalised advertising, to avoid offering users a yes or no consent option.

“Instead of having a ‘yes/no’ option for personalised ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way,” said Schrems.

In practice, said the CJEU, there are serious doubts as to whether or not offering personalised content, or the consistent and seamless use of Meta’s services are capable of compliance with Article6(1)(b)

Meta’s reliance on Article 6(1)(b) had previously been ruled against by the European Data Protection Board (EDPB) in January 2023. Following this, it changed its argument to centre Article 6(1)(f), which concerns legitimate interests for data processing.

But the CJEU has also shut this down, additionally stating that personalised, targeted advertising cannot justify the processing of user data without the user’s consent as a legitimate interest either.

Schrems explained that while the CJEU has not ruled that legitimate interests can exist in certain circumstances, the judgment has clarified that no such interest can override a user’s rights when controllers are providing advertisements. This, he said, appears to mean that no data controller operating in the EU can now run targeted advertising based on anything other than freely given consent.

Schrems explained that ultimately, Meta had essentially tried to bypass GDPR using five of the six legal bases for data processing covered under Article 6(1) of the GDPR, all of which have been covered in the CJEU’s judgment.

“This is a huge blow for Meta, but also for other online advertisement companies. It clarifies that various legal theories by the industry to bypass the GDPR are null and void,” he said.

He welcomed the CJEU’s overall decision, which he said clarified that Meta cannot bypass the GDPR by changing paragraphs in its legal documents as it wishes.

“This will mean that Meta has to seek proper consent and cannot use its dominant position to force people to agree to things they don’t want. This will also have a positive impact on pending litigation between NOYB and Meta in Ireland,” said Schrems.

Computer Weekly understands Meta is evaluating the ruling and will have more to say in due course. It had not responded to a request for comment at the time of writing.

EC to adopt new rules to strengthen cross-border GDPR cases

At the same time, the European Commission (EC) has today proposed a new law that it said will streamline cooperation between member state data protection authorities (DPAs) when dealing with cross-border GDPR cases.

Among the proposals are an obligation for the lead DPA on an investigation to summarise key issues for its counterparts across the EU to reduce the scope for disagreements and enable consensus-building.

For individual EU citizens, the proposals will clarify what they need to do when complaining to their national DPA under the GDPR, and their process rights during an investigation, hopefully bringing swifter resolution to cases and more legal certainty for all.

“Five years ago, the world’s most ambitious and innovative data protection law entered into force. Five years on, GDPR has become a landmark legislation in the EU, inspiring global standards. It is clear that enforcement of GDPR works, but the procedures in cross-border cases can be still improved,” said EC commissioner for justice, Didier Reynders.

“Today, we have come forward with this proposal to show that we can do better to have quicker and more efficient handling of cases. We have listened to the voices of the European Data Protection Board, data protection authorities, civil society, and the industry. Our proposal addresses their calls and builds on our own findings to better protect Europeans’ right to privacy, provide legal certainty to businesses, and streamline cooperation between data protection authorities on the ground.”