Authors: Ewa Kurowska-Tober, Andrew Serwin, John Magee and Madison Swoy

A trio of forthcoming decisions against tech giant Meta may signal the end for Meta’s targeted ads model, though the issue is likely to rumble on for some time.

For many years, Meta has relied on contractual necessity (Article 6(1)(b) of the GDPR) as a legal basis for the processing of its users’ personal data in order to present personalised ads to them on the company’s platforms, such as Facebook or Instagram. This seemed to be the most suitable legal basis because it is probable that many users would refuse to allow the processing of their data if Meta relied on their consent or they would object to the processing if Meta used its own legitimate interest as the basis for doing so. Meta allows its users to opt out of targeted ads, which are based on personal data obtained from the websites and apps of third parties, but it does not offer a similar option in the case of ads based on data collected through its own platforms. However, European privacy regulators are currently looking closely at Meta’s practices and this approach may soon have to be changed.

On Tuesday, 6 December, it was reported that the European Data Protection Board (EDPB) has approved three decisions in proceedings following three complaints made against Facebook, Instagram, and WhatsApp concerning their use of targeted ads. As with many other American tech giants (e.g. Google and Apple), Meta’s European subsidiary is established in Ireland and its lead supervisory authority is the Irish Data Protection Commission (DPC). However, Meta’s data processing activities affect users in all EU Member States, and therefore other European data protection authorities and the EDPB also have a say on the decisions, under the GDPR’s consistency mechanism.

According to the three decisions, which have not yet been communicated to the public, Meta will have to stop relying on its terms of service as a justification for the use of targeted ads on its platforms. The decisions may be appealed, which means that Meta is likely to have several more years to continue with this approach while at the same time developing alternative ad-displaying models. If the decisions are upheld by the Irish courts, many users are likely to opt out of the targeted ads, which account for a sizeable part of Meta’s revenue. The company argues that its model of personalising ads is necessary for the provision of its services and does not deprive the users of control over how their personal data is used, since they are free to decide whether they want to continue using Meta’s services.

Meta’s troubles were immediately recognised by investors and the value of the company’s shares fell 6.2% in mid-session trading on the day when the EDPB’s position on the upcoming decisions was reported. This adds to Meta’s long list of privacy-related problems – the DPC has already fined it EUR 405 million for a violation of children’s privacy by Instagram, EUR 265 million for a Facebook data-scraping breach, and EUR 17 million for a string of security lapses by Facebook. Facebook has also been hit with a EUR 60 million fine for cookie consent violations by the French data protection authority (CNIL) and faces a potential fine and suspension order for transferring its users’ data to the United States, which may be issued by the DPC following the long-running series of complaints and proceedings initiated by privacy activist Max Schrems.

Meta’s revenues have also been significantly affected by growing competition from the Chinese video-sharing platform TikTok, which is gaining popularity among younger users, and Apple’s decision to give iPhone users a choice of whether they want their activities in third-party apps like Facebook or Instagram to be tracked.

Considering that providing personalised ads has been the core of Meta’s business for many years and that they represent the most significant source of its revenue, the DPC’s decisions may be the most serious blow the company has ever suffered. They will impact not only Meta’s position on the EU market, but also the activities of other digital platforms which rely to a large extent on delivering targeted ads to their users.

Implications Around the World

Ireland. The decisions, once finalised and issued by the DPC, signal an increasing hardening of approach by the DPC against Meta and potentially other social media businesses for which the DPC acts as lead supervisory authority under the GDPR’s one-stop shop enforcement mechanism. While the DPC has been subject to some criticism around Europe for perceived delays in enforcement action against the tech giants, the series of decisions demonstrates the GDPR’s complex consistency mechanism in action, which was designed to take account of the concerns of all supervisory authorities. GDPR remains at an early stage and the decisions, each of which touches on novel issues of law, are likely to be appealed through the Irish courts.

United States. GDPR has served as a model for new data privacy laws across the United States and many U.S. companies are beginning to use the GDPR as a baseline to ensure compliance with the patchwork of state data privacy laws. Nonetheless, the U.S. state data privacy laws have almost completely eschewed the GDPR notion of “legal bases” for processing, so the impact on U.S. users may not be substantial. However, we may see additional privacy controls roll out globally as a result of the EDPB’s decision, particularly around which advertisements users are shown in their feeds, and Meta’s behavioral advertising model seems almost certain to take a massive hit company-wide.

We are watching this case closely and will provide our comments on any significant developments.