Update: Meta’s behavioural advertising vs GDPR

This is blog post #20 in our series on the GDPR and continues blog post #19, which ended with this:

  • After the Norwegian (NO) DPA (Data Protection Authority) imposed a ban on Meta’s behavioral advertising and put a fine on Meta, the company brought the case to Oslo District Court asking for a provisional injunction – and lost.
  • Starting on August 14, the fine of NOK 1 million per day could last until November 3, unless the European Data Protection Board (EDPB) decided otherwise, as requested by the NO DPA.

And the story continues, currently in (at least) three different processes:

Scroll down to find that noyb filed a GDPR complaint against Meta’s “Pay or Okay” on 28 November.

1. Enforcement notice against Meta from Ireland’s High Court

EDPB

Following the request by the NO DPA, the EDPB published its conclusion on 27 October and adopted an urgent binding decision. It instructed the Irish (IE) DPA to take, within two weeks, final measures to stop Meta’s processing of personal data for behavioral advertising across the entire European Economic Area (EEA), arguing that reference to the user contract and legitimate interest is not a valid legal basis for using personal data for behavioral advertising.

The GDPR states that consent for processing of personal data is not freely given when it is bundled to accessing a service, and when the processing of personal data is not necessary to that service.

IDPC

The Irish (IE) DPA notified Meta of the EDPB binding decision on 31 October, giving Meta two weeks to comply.

Ahead of this, Meta announced on 30 October a new subscription model where users can pay monthly for ad-free Facebook and Instagram services in the EEA and Switzerland, but the NO DPA has informed Meta that it has strong concerns regarding Meta’s “consent” mechanism. The EDPB is evaluating the model and (to our knowledge) has not concluded yet. The NO DPA is of course active in this process. [source]

The Irish (IE) DPA took action on 10 November and served Meta with an enforcement notice saying that the company has seven days to cease processing data for behavioral advertising. If not, the company will be fined.

However, Meta has brought a High Court challenge. The court gave Meta permission to bring its judicial review action, and later also granted Meta a temporary stay preventing the enforcement notice from coming into effect. When the matter will return to court is unclear.

2. Meta is taking a new case against the Norwegian Data Protection Authority

Datatilsynet

Following up on the decision from 14 July this year, where Meta was notified that the NO DPA might impose a fine of up to NOK 1 million (approximately USD 100 000) if Meta did not comply with the GDPR regarding consent from users of Facebook and Instagram when the company uses personal data for behavioral advertising, the fine started rolling from 14 August.

The NO DPA confirms that it has sent a claim of NOK 82 million against Meta to the State Collection Agency, a unit within The Norwegian Tax Administration.

Meta claims that the ban is invalid, and for the second time, Meta is taking the case to Oslo District Court. The company also claims that the compulsory fine has to be abolished.

However, Meta has later requested that the case be dismissed, and the NO DPA has agreed to this. But the case is not dead, because Meta kept open the possibility of raising the matter again, awaiting the outcome of the proceedings in the EDPB [source].

The NO DPA (Datatilsynet) wrote in an email to a Norwegian newspaper (6 December 2023) that Meta has now reluctantly paid the fine. But it is not hard to guess that the last word has not been said.

3. noyb files GDPR complaint against Meta over “Pay or Okay”

noyb

Recently (28 November), noyb – European Center for Digital Rights, a non-profit organization based in Vienna, Austria, filed a complaint against Meta with the Austrian data protection authority on behalf of an anonymous complainant who is unemployed, receives benefits, and lacks the financial means to pay Meta’s subscription fee of €20.99 a month to access Facebook and Instagram. [source; source]

noyb claims that having users pay up to €251.88 a year to retain their fundamental rights to data protection on Facebook and Instagram is unacceptable, and that if such an arrangement is not stopped, other tech companies will soon follow. [source]

With this, noyb opened up a wider concern and perspective on the matter, which may deserve another blog post. So, stay tuned.

BEUC

The European Consumer Organization (BEUC, Bureau Européen des Unions de Consommateurs), organizing Forbrukerrådet (The Norwegian Consumer Council) and similar organizations in Europe, has filed a complaint against Meta’s changes to its service in the EU, saying that the “pay-or-consent” model is “… an unfair choice for users, which runs afoul of EU consumer law on several counts and must be stopped.”

Forbrukerrådet

The complaint is filed with the network of Consumer Protection Authorities (Consumer Protection Commission, CPC) “on the grounds of Meta engaging in unfair commercial practices in multiple ways.”

Further, the BEUC press release contains a very to-the-point list of issues that are identified under consumer protection law and put Meta in trouble: aggressive practice; a sense of urgency; misleading consumers to believe in less tracking and profiling, and to believe that if they do not pay, the service is “free”, while they are paying through the provision of their data; and that consumers do not have a real choice, because quitting the service means losing their contacts and interaction history.

Forbrukertilsynet

In Norway, it is Forbrukertilsynet (The Norwegian Consumer Authority) that is entitled to impose a compulsory fine if the consumer legislation has been breached.

In addition, BEUC is also assessing whether Meta is infringing the GDPR.

Wrapping up the whole thing

There is an intense battle going on: The power of the big technology companies over people and society, versus democratic principles and how they are embodied in European legislation.

Because we at Runbox have the privacy flag hoisted, we will continue to follow what is happening in the field, and continue to keep our customers updated.

The content of this article is intended to provide a general guide to the subject matter, and Runbox takes no responsibility for its accuracy. When using the information for any purpose other than personal, it is advised that the sources provided are verified. Expert advice should be sought about your specific circumstances.
