On December 6, 2022, the European Data Protection Board (“EDPB”) announced that it had adopted a trio of dispute resolution decisions concerning Meta Platforms Ireland Limited (“Meta”). The decisions address certain issues arising from the draft decisions of the Irish Data Protection Commission (“DPC”) regarding Meta's platforms (Facebook, Instagram and WhatsApp) and, mainly, Meta’s lawful basis for processing personal data for behavioral advertising.
In its binding decisions, the EDPB settles, among other issues, the question of whether the processing of personal data for the performance of a contract is a suitable legal basis for behavioral advertising, in the cases of Facebook and Instagram, and for service improvement, in the case of WhatsApp.
As is well known, Meta’s business model and its revenues are based mainly on ads. Meta’s lawful basis for processing personal data for the purpose of behavioral ads, where such ads are based solely on information collected within Meta’s platforms, is the necessity for the performance of a contract (Art. 6(1)(b) of the GDPR). Accordingly, and as opposed to the lawful bases commonly used for such purposes, such as consent and legitimate interests, Meta’s lawful basis allegedly does not require Meta to request its users’ consent, to allow users to object to the processing of their personal data, or to restrict such processing.
Meta relied on its terms of service as an alleged “contract” and as the legal basis for presenting users with personalized ads based on their digital activity. According to Meta, any user who objects to the processing of personal data for behavioral ads as detailed above is provided with the choice to cease use of its platforms. Additionally, according to Meta, users are provided with the ability to opt out of behavioral ads where such ads are based on personal data obtained from third-party sources.
According to some publications made in various media channels, including by NOYB (the non-profit organization co-founded by the privacy activist Max Schrems, which filed the complaints that are the subject of the EDPB decision), the EDPB found Meta liable for an infringement of the GDPR in relying on “performance of a contract” as a lawful basis, as Meta attempted to bypass the consent requirement for tracking and online advertising.
The EDPB’s position in this regard was already indicated in its Guidelines 2/2019, which state that a user accepting terms of service and signing a contract with a customer are entirely different concepts, as they have different requirements and legal consequences. While processing personal data under the legal basis of a contract is lawful when it is objectively necessary for the performance of the contract or in order to take pre-contractual steps at the request of a data subject, processing data for behavioral advertising is not considered strictly necessary for the performance of a contract for online services.
The EDPB’s final decision, expected to be made in January 2023, may include a significant fine on Meta and, moreover, may have a crucial effect on Meta’s main revenue model: if Meta is required to change the lawful basis for behavioral advertising, a significant number of users will opt out or otherwise will not provide their consent.
This decision, if and when it becomes final and binding (as it will be subject to appeal), will further have a material effect on the AdTech ecosystem, and is part of a growing global interest in the AdTech community, together with the amended CCPA.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.