must stop serving personalized ads until they are GDPR compliant

must stop serving personalized ads until they are GDPR compliant

The European Data Protection Board (EDPB) said Meta must obtain consent from users for advertising purposes, rejecting a claim by Meta that its use of personal data is covered by contract law requirements.

Meta, which currently does not offer a registration option to its users as required by the GDPR, has been supported in its unsuccessful attempt to circumvent European data protection regulations by the Irish Data Protection Commission (DPC ). Along with other tech giants, Meta is headquartered in Ireland due to its low corporate tax rate.

The case dates back to 2018, when nyob, a legal nonprofit created by privacy activist and lawyer Max Schrems, filed complaints against Facebook, Instagram and WhatsApp (all now Meta companies) with other DPA data protection authorities in Europe.

The DPC had argued that Meta’s personalized advertisements constituted a “service” provided to its users and therefore contractual rules applied.

In December 2022, the EDPB, which represents European DPAs, reversed the Irish DPC’s finding that Meta was legally covered by contract law.

Today, according to a report by WSJthe EDPS has ruled that Meta cannot use the personal data of EU citizens for personalized advertising purposes until an activation process that complies with GDPR requirements is provided.

Additionally, the EDPB fined Facebook and Instagram a total of $400 million. A decision on WhatsApp’s use of personal data for advertising purposes is expected soon.

The Irish DPC has often been accused by other European DPAs of having too comfortable a relationship with tech companies residing within the country’s borders, although recently it has apparently toughened its stance, for example by imposing a fine 405 million euros to Instagram for failing to protect children’s data.

According to nyob, ten confidential meetings took place between Meta and the DPC during the proceedings, in which the DPC came out on the side of the company and circumvented the standard GDPR rules on consent.

Schrems has launched several successful legal campaigns against tech companies and their misuse of personal data. He said: “This case is about a simple legal matter. Meta claims the ‘bypass’ happened with the DPC’s blessing. For years, the DPC dragged out the case and insisted that Meta could circumvent the GDPR, but it has now been canceled by other EU authorities.This is globally the fourth time in a row that the Irish DPC has been cancelled.

Schrems claimed the DPC refused to release details of nyob’s decision and accused the regulator of playing “a very evil PR game”.

He added: “By not allowing noyb or the public to read the decision, he is trying to shape the narrative of the decision in conjunction with Meta. It appears the co-operation between Meta and the Irish regulator is alive and well – although it has been canceled by the EDPB”

According to the ruling, Meta must deliver versions of its apps that don’t use personal data for personalized ads within three months, with users able to withdraw consent at any time. Meta may still use other data for advertising purposes, but it will need to require users to register before it can use their personal data.

Meta is likely to challenge the decision, which would have a major impact on its business model in Europe, and with many countries using the GDPR as a model for their own data protection legislation, potentially elsewhere too.

We contacted DPC IRIS for comments.

Similar Posts