On 4 February 2023, the Irish Data Protection Commissioner announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited regarding the delivery of its Instagram and Facebook services and issued fines of €390m. The decisions focused on whether or not Meta had a valid legal (lawful) basis for processing the personal data of users of the platforms for the purposes of behavioural advertising.
What does this mean in terms of the legal implications and consequences for the digital advertising market? Is digital advertising – a business model that has grown rapidly in recent years – still possible under the European Union’s privacy legislation and how does this affect the German and Dutch markets?
The fine
Parties using digital advertising, and particularly targeted advertising, often tread a fine line on data privacy compliance. With the enactment of the GDPR and the increasingly intensive processing of personal data by the industry, the conduct of the parties using digital advertising has come under a magnifying glass. High fines for breaches are now the norm rather than the exception, with consent, transparency and lawful basis the main issues for regulators.
Meta, the parent company of Instagram and Facebook, has been an obvious focus for data protection regulators (and particularly of the Irish DPC as its lead EU regulator). Following the final decisions issued by the DPC, Meta has been fined €180m for breaches in relation to its Instagram service and €210m for breaches of the GDPR relating to its Facebook service. Final decisions were reached following binding decisions issued by the European Data Protection Board under the Article 65 procedure, which differed in several respects from the Irish DPC's initial decisions.
Legal Perspective
Under the EU GDPR, personal data may only be processed if a legal basis as set out in Article 6(1) applies. In the context of behavioural digital advertising, the most likely candidates are that the processing is done with the individual's consent, that the processing is carried out in the legitimate interests of the data controller (subject to conducting the appropriate balancing test), or that the processing is necessary for the performance of a contract. There are potential issues with all three of these bases in relation to behavioural advertising.
In Meta's case, it had relied on the lawful basis that the processing of personal data was necessary to perform a contract. Meta argued that when users agree to its terms of use, they enter into a contract with Meta. In order to offer the services free of charge, Meta must be able to show personalised ads. So, without processing user data to show those personalised ads, Meta cannot fulfil the contract and, therefore, the company is allowed to collect that data on the grounds of contractual necessity. While the Irish DPC initially agreed with this assessment, the EDPB, and eventually the DPC as well, ruled that Meta could not rely on contractual necessity as the legal basis for processing personal data for behavioural advertising purposes.
Necessary for the performance of a contract
The contractual necessity lawful basis (Article 6(1)(b)) applies where the processing in question is objectively necessary for the performance of a contract with a data subject. Both Meta and the Irish DPC argued that "necessity does not mean that the processing must be 'strictly necessary' for the performance of the contract, but rather that the processing is necessary to fulfil the entire agreement concluded between the parties, including optional or conditional elements of the contract".
The EDPB, however, says in its guidelines and in its Article 65 Meta decisions that the concept of what is necessary for the performance of a contract is not at the company's discretion. In other words, it is not an assessment of what is permitted by or written into the terms of the contract. Assessing what is 'necessary' involves a combined, fact-based assessment of the processing against the objective pursued, and of whether it is less intrusive than other options for achieving the same goal. If there are realistic, less intrusive alternatives, the processing is not necessary. Therefore, processing which is useful but not objectively necessary for performing the contractual service at the request of the data subject does not fall within the scope of this legal basis. The fact that it is necessary for the controller's other business purposes is irrelevant.
The EDPB has specifically said that online behavioural advertising and the associated tracking and profiling of data subjects is not generally necessary to perform a contract for online services. The mere fact that advertising indirectly funds free online services is not enough to establish contractual necessity. As a result, the EDPB, and subsequently the Irish DPC, concluded that the contractual necessity lawful basis cannot be used by Meta to process personal data for behavioural digital advertising purposes. This kind of processing should instead be based on consent.
The Meta decisions reflect the views of a number of Member State regulators (for the obvious reason that they are represented in the EDPB), many of whom have produced country-level guidance on the issue. From a German law perspective, the approach taken by Meta also raises questions under national consumer laws. Under German consumer law, contractual terms that are particularly unusual or surprising under the relevant circumstances are invalid if the average consumer would not expect them in general terms and conditions.
Arguably, the majority of social media users are aware that the services they use are dependent on behavioural advertising and, therefore, that they are being tracked. Whether or not they are provided with sufficient levels of information to meet transparency requirements, particularly given the complexity of the digital advertising ecosystem, is another potential issue under German consumer protection law.
From a Dutch law perspective, there is also an argument that Facebook's terms relating to behavioural advertising are unlawful by virtue of being unreasonable. Chapter 5.3 of Book 6 of the Dutch Civil Code provides certain protections against unreasonably onerous clauses in terms and conditions. The specific circumstances of the case must be considered at all times, taking into account the position if the relevant term did not exist and the parties had to fall back on existing statutory law, whether there is a significant imbalance between the parties, and whether the term could reasonably have been expected.
In the case of Meta's terms of use, in particular, there is a case to be made that there is a significant imbalance between Facebook or Instagram and its users and an argument that it is unreasonably onerous to expect the user to consent to behavioural advertising in order to use the platforms.
While arguments can and have been made on both sides, the clear signal from the EDPB (even without taking into account local applicable law) is that, for now, the processing of personal data for behavioural digital advertising purposes cannot be based on the contractual necessity lawful basis.
Consent
It's worth noting that Facebook was unusual in its choice of contractual necessity to justify behavioural advertising. In the wake of the Meta decisions, however, businesses processing personal data for digital advertising purposes will almost always need to steer clear of it and select an alternative legal basis. The most obvious is consent, as set out in Article 6(1)(a) GDPR, partly because of the ePrivacy Directive, which requires consent for the non-essential storage of cookies and similar tracking technologies. Since behavioural tracking of users regularly takes place via cookies stored on the user's terminal device, consent is, in any event, required.
Valid consent (whether under the GDPR or the ePrivacy Directive) is a high bar to achieve. Consent must be freely given, specific, informed and unambiguous. It must also be capable of being withdrawn as easily as it was given. If digital advertising providers want to rely on consent as a legal basis, users must be given a great deal of information in order for the consent to be specific and informed. This will include information about which data will be processed by whom, for how long, how and for what purpose. In the highly complex world of digital advertising, the risk is that providing this information leads to overlong declarations of consent that are even less likely to be read by web users suffering from 'consent fatigue'.
This becomes particularly challenging in the context of real time bidding (RTB) which can involve hundreds, even thousands of actors (as we explain here). Added to that is the issue around the requirement that consent must be capable of being withdrawn without detriment as easily as it was given which, again, is particularly difficult in the context of RTB. And yet digital advertising providers who try to stick to brief or general information can fall foul of regulators. Striking the right balance between too little and too much information is extremely difficult and further guidance from the EDPB or Member State DPAs would be welcome.
Consent is only considered to be freely given if the user has a genuine choice – another problem. For some Member State DPAs, this means a publisher must provide an online service that is also available without needing to consent to cookies. However, such a broad interpretation of voluntary consent is increasingly criticised, especially since it is not explicitly set out in the wording of the GDPR. Arguably, this approach is only appropriate if a service can be considered a monopoly or at least monopoly-like, eg because of its social relevance. If, on the other hand, a certain service is widely available through various service providers, the user can still freely choose between services, and consent is more likely to be freely given.
Interestingly, there was an argument that the EU's Digital Content Directive had thrown new light on the issue of freely given consent. The Digital Content Directive actually stipulates that payment with data is a permissible contract model. In cases where the contract requires a user to 'pay' in personal data, does the fact that the consumer is necessarily consenting by entering into the contract have an impact on whether or not consent is freely given? In the context of digital advertising there is also a debate as to whether this law intends to say that, for these contracts, the processing of data is (always) necessary for the fulfilment of the contract, since it constitutes the user's performance obligation under the contract.
The debate did not last long. In accordance with EU jurisprudence, the basic idea of the EU Directive (ie consumer protection) cannot be abused to circumvent the GDPR by making data processing a contractual obligation of the consumer and thus making it part of the exchange relationship. This would completely undermine the prohibition on coupling consent to the provision of a service under data protection law. It was never the intention of the consumer Directive to affect or modify provisions of the GDPR. Therefore, the GDPR needs to be given precedence and despite being able to 'pay with data', a consumer must still be able to give consent voluntarily.
For service providers who depend solely on digital advertising revenues, this is disappointing. The more consumer-friendly a consent screen is, the more likely it is that a user will not opt in and that the service provider (or publisher) will lose important advertising revenue. This is a vicious circle, which neither the EU nor the DPAs have satisfactorily resolved from a business point of view.
This is probably why newspaper publishers came up with the idea of a new business model, the 'pay or okay' principle, which is potentially less questionable from a privacy perspective. With this model, the user gets the choice of consenting to targeted advertising and getting a service or article for free, or paying for the full text/service either as a one off or with a subscription. Clearly the fee must be proportionate if the user is to be given real choice. From the user's point of view, this can be a fair compromise, and while this model is not uncontroversial in terms of privacy, it has already been approved by some DPAs and may gain further traction.
Legitimate interests
Meta announced at the end of March 2023 that it was moving to the lawful basis of legitimate interests for the purposes of behavioural advertising. This is a common choice given the difficulties with getting freely given, specific and informed consent in the context of digital advertising, although it cannot be used for the purpose of dropping cookies. However, again, there are potential difficulties. The EDPB/Irish DPC Meta behavioural advertising decisions did not discuss the use of legitimate interests in any detail, but in order to rely on it, a three-stage Legitimate Interest Assessment (LIA) must be carried out to confirm that:
- the processing is in the legitimate interests of the controller, of third parties, or of both
- the processing is necessary and proportionate for the purposes of the legitimate interest
- the legitimate interests of the controller or third parties are not overridden by the rights and freedoms of the data subject.
Whether or when the results of the LIA will confirm that legitimate interests is available for behavioural advertising is the subject of some debate among regulators. As we discuss here, a likely outcome of the changes IAB Europe will be required to make to its Transparency and Consent Framework is the removal of the option to use legitimate interests as a lawful basis for delivering personalised ads. In the UK, the ICO's 2019 report on adtech (published when the UK was still in the EU) suggested that consent is the only appropriate lawful basis in practice for RTB relating to targeted ads – a not uncommon approach. Meta will be well aware of this and is reportedly taking the additional step of allowing its EU Facebook and Instagram users to complete an online form requesting that advertising be targeted at them on the basis of general categories of data only.
What happens now?
The Meta decisions have not resolved the privacy issues around digital advertising, and legally compliant implementation remains a challenge. This is another reason why calls are growing louder for the European legislator to provide clarity through revised regulations. Until that happens, or pending technical or industry-led solutions, we are likely to see continuing scrutiny of the digital advertising industry's data privacy compliance. Businesses involved in digital advertising have to carefully consider their data processing practices and should take legal advice.