It’s going from bad to worse for Meta.
Still smarting from a drop-off in revenue, mass layoffs and a costly pivot to the metaverse, the tech giant now faces another existential threat — this time to its data-fueled advertising model.
In decisions on Wednesday targeting its Facebook and Instagram platforms, Meta is not only on the hook for fines totaling nearly €400 million, but it must also — quickly — find a new legal basis for its sprawling targeted advertising empire.
According to Meta’s lead regulatory authority in Ireland, Meta has three months to legalize its data-targeting model after European Union regulators found that the current legal basis for advertising that Facebook and Meta use is invalid. The orders heap yet more pressure on Meta’s revenue streams — just as the EU is finalizing a new rulebook that tightens the screws even further on internet advertising.
The decisions stem from complaints filed by Austrian privacy campaigner Max Schrems on the eve of the EU’s strict privacy code, the General Data Protection Regulation, in 2018. These accused the company of lacking proper legal grounds to process millions of Europeans’ data.
The decisions rebuke Meta’s claim that it could hoover up users’ data as part of a contract to provide them with personalized ads, and leave the tech giant scratching around for another legal route to target people with advertising.
Watch out, internet
The €210 million and €180 million fines for Facebook and Instagram, respectively, could also have ramifications far beyond Meta.
Many internet giants are grappling with how to maintain vital sources of targeted advertising revenue without falling afoul of the law. Video-sharing platform TikTok got into hot water last year when it tried to switch from relying on users’ consent to the “legitimate interests” legal basis for its ad targeting.
The question for many will be whether Meta and others must give users a clear option to reject personalized advertising without cutting off their access to their services. Campaigners like Schrems have argued that the current setup on many platforms forces users to accept ads to get access to the services.
A Meta spokesperson said the company was “disappointed” with the decisions but stressed that other legal options are available for it to process data, and that it did not anticipate having to rely on user consent.
“We strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services,” the Meta spokesperson said. “As a result, we will appeal the substance of the decision.”
Schrems welcomed the decision and disputed Meta’s claim that it is not inevitable that the company needs consent to use data for ads. “This is a huge blow to Meta’s profits in the EU. People now need to be asked if they want their data to be used for ads or not,” he said. “They must have a ‘yes or no’ option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent.”
As well as potentially putting a bomb under internet giants’ business models, the cases revealed deep fissures between Europe’s data protection authorities.
While the Irish Data Protection Commission initially endorsed Meta’s switch from relying on user consent to the contract legal basis in a draft decision in 2021, its view was overturned by Europe’s data regulator grouping, the European Data Protection Board (EDPB).
Sting in the tail
This standoff shows no signs of being resolved.
In its press release announcing the decisions Wednesday, the Irish Data Protection Commission said that it would be filing a legal action with the Court of Justice of the European Union to annul aspects of the EDPB’s directions that it said went beyond the scope of the initial case.
“The EDPB … has directed the DPC essentially to engage in a very open-ended and speculative investigation that involves all the Facebook and Instagram data processing operations. And we say that this is overreaching on the part of the EDPB,” said Irish Data Protection Commissioner Helen Dixon in an interview with POLITICO on Wednesday.
“We cannot create a scenario where we simply have no agency in our own role as a lead supervisory authority, where you have an entity assign itself a role in telling us what to do and indeed how to do it,” said Dixon, whose office is the lead authority for the vast majority of tech giants that have their EU headquarters in Dublin.
The EDPB did not immediately respond to requests for comment.
CORRECTION: A previous version of this article misstated Max Schrems’ disagreement with Meta over advertising.