GDPR ruling puts at risk Meta’s personalised ads business

Personalized ads on Facebook, Instagram and WhatsApp are considered illegal if they have not been clearly and incontrovertibly authorized by the user. Meta cannot force users to accept processing aimed at personalized advertising, under penalty of excluding them from the service. Instead, users must be granted the so-called opt-in, i.e. the default option not to be tracked for the purposes of personalized advertising, unless they expressly consent to the processing. Meta must now adjust its contractual conditions and has 3 months to do so.

On 4 January 2023, the Irish privacy authority (DPC) announced that it had confirmed the decision of the European Data Protection Board (EDPB) of last December 5 which, at the end of a long and bumpy journey, upheld Mark Schrems’ lawsuit against Meta/Facebook for violation of the GDPR in the matter of personalized advertising.

The Irish authority therefore complied, albeit obtorto collo, with the decision of the EDPB according to which Meta cannot force users to undergo personalized ads without their prior consent. Meta had always believed that, to bypass the GDPR obligation of consent, it was sufficient to insert an ad hoc clause in the conditions of the service, thus appealing to art. 6.1b of the GDPR, according to which the processing of data is lawful if necessary for the execution of the contract. As if to say that targeted advertising and social networks live in symbiosis, thus somewhat obscuring the storytelling of the free service.

On May 25, 2018, just as the GDPR came into effect, Schrems’ organisation, Noyb, filed complaints against Meta in various European countries, including Austria, Belgium and Germany. However, the cases were managed by the Irish DPC authority, since Meta, like other large OTTs, has placed its European headquarters right on the island. Since this was a matter of great importance that had an impact on numerous European markets, the decision had to be discussed with the other regulatory authorities; in the event of dissent, the matter had to be resolved by the European agency EDPB, pursuant to Article 65 of the GDPR. This is indeed what happened.

The Irish authority tended to agree with Meta, considering that it was a question of transparency rather than correct collection of consent. If this position had been confirmed, the case could have been closed simply by forcing Meta to modify some parts of its Privacy Policy, possibly with a fine. For Meta it would have been a victory, because the foundations of its business model would have remained intact. But this approach was not shared by the other data protection authorities and was ultimately rejected by the EDPB, which in its own decision defined the legal rules that the DPC was to follow to close the case.

According to the EDPB, consent for personalized advertising cannot be included in the generalized acceptance of the clauses of the social network service, but must be expressed in a distinct and effective way. Meta now has 3 months to review its contractual conditions and, more generally, to rethink its targeted advertising model. It should be noted, however, that the EDPB’s decision has not made “contextual” advertising illegal, i.e. the advertising we receive consistent with the pages we are visiting: when, for example, I browse a group of motorbike lovers and ads appear on the same theme. But if I leave the motorcycle page and continue to receive the same ads, then it’s no longer contextual advertising, but targeted.

With the decision of 5 December, EDPB had also defined the criteria for the imposition of sanctions on Meta and in fact DPC imposed two (relating to the cases of Belgium and Austria) for the total sum of 390 million Euros. This is known from the DPC’s press release, while the Irish decision is not yet public. A third case relating to Germany is still pending.

DPC has often been accused of being too light on Big Tech, because it is assumed that Ireland would like to maintain good relations with the corporations that have chosen it for tax reasons and which, moreover, would appreciate benevolent treatment also in terms of privacy. In fact, Meta’s personalized advertising issue had been going on for 4 years with the Irish regulator, who, as already noted, seemed willing to support Meta’s position, but without success given the EDPB’s final decision. Activist Schrems accused DPC of siding with Meta: “During the course of the procedure, Meta has relied on ten confidential meetings with the Irish DPC in which the DPC has allowed Meta to use this “bypass”. It was later revealed that the DPC has even tried to influence relevant EDPB Guidelines in the interest of Meta”.

Certainly Meta will challenge the decision of the Irish regulator before the Irish courts, contesting the interpretation of art. 6.1b of the GDPR: whether it is legitimate, or not, to assume that joining a social network includes acceptance of personalized advertising. The chances of success are slim, given the unequivocal decision of the EDPB; however, it cannot be excluded that, in the course of the various levels of judgement, the question will be submitted to the European Court of Justice for an interpretative judgment.

On the other hand, Meta cannot appeal the EDPB’s decision, because a month ago the European Court of Justice ruled that companies cannot challenge this type of decision, which is directed not at them but at national regulators (DPC in this case).

Note: Meta announced that they continue to believe in the correctness of their legal position:
