Mark your calendars, European friends: July 4th could soon be bellowed as independence-from-Meta's-surveillance-capitalism-day… A long-awaited judgement issued today by the Court of Justice of the European Union (CJEU) appears to have comprehensively crushed the social media giant's ability to keep flouting EU privacy law by denying users a free choice over its tracking and profiling.
The order, as one would expect, tracks back to an order pioneered by Germany's antitrust watchdog, the Federal Cartel Office (FCO), which spent years investigating Facebook's business-companies making the case that privacy harm should be treated as an exploitative competition abuse too.
In its February 2019 order, the FCO told Facebook (as Meta still was back then) to cease and desist from combining data on users across its social media platforms without their consent. Meta sought to prevent such an order in German courts — which eventually resulted in a referral of the dispute over Meta's so-called "superprofiling" to the CJEU in March 2021.
Now we have the take of the top court, and well, it's not going to start any celebrations at Meta HQ, that's for sure.
In short, the CJEU has merely said that competition authorities can take data protection into account in their antitrust assessments- a phrase that sounds wonky, but is genuinely important because only joint working rather than regulatory silos is going to work for effective oversight of platform power- and also said that consent alone is an appropriate legal basis for the tracking-and-profiling-driven 'personalized' content and behavioral advertising that Meta monetizes.
Here is the relevant chunk from the press release:
As regards more generally the processing operation carried out by Meta Platforms Ireland, including the processing of 'non-sensitive' data, the Court examines next whether this is covered by the justifications, set out in the GDPR, allowing the processing of data carried out in the absence of the data subject's consent to be made lawful. Under that rationale, it finds the practice at issue can be justified only where the need for performance of the contract to which the data subject is party justifies such requirement only insofar as the data processing was objectively indispensable in that the main subject matter of the contract can not be achieved if the processing in question does not occur. This is scrutinized by the Court of Justice and, should the national court accept this, whether it is possible to accept either personalised content or the consistent and seamless use of own services from the Meta group as falling within these standards.
By EU data protection law, consent will be necessary that alternative options are offered to the users so that they can reject this kind of tracking without losing access to the core service. And this is precisely the decision Meta has traditionally refused its users. (After all — shock, horror! — just a few short weeks in advance of the judgement by the CJEU, no doubt anticipating what was about to hit it, it produced new controls enabling users to limit its cross-site tracking, although with some reduction in functionality if they actually do deny the tracking so it remains to be seen whether Meta's attempt at pre-emption has gone far enough.)
Last year, an advocate general to the CJEU expressed a similar opinion on the merits of the Meta superprofiling referral. While his opinion to the Court wasn't technically binding, today's ruling is bona fide hard law. And that means neither Meta nor EU data protection authorities can ignore it.
The latter is all the more important because reluctance on the part of some DPAs to robustly enforce the bloc's General Data Protection Regulation (GDPR) on rule-flouting tech giants that are supposed to be overseen has led to cries that the regulation has failed — or at least has been hopelessly stymied by forum shopping.
It has indeed been very painfully slow in enforcement against Big Tech under GDPR. A big decision finally comes out of Ireland's DPA in January that found against Meta's claim to rely on contractual necessity to run its behavioural advertising. But took over four years since the original complaint was filed to get to this order (Meta is also appealing it, so process not even concluded yet).
Then, in March, after a deadline for compliance in an order issued by Ireland's data protection commission, Meta said it would alter the legal basis on which the company claims to process data for ads to a different, consent-less basis for doing so: legitimate interest.
So here we are - some nearly two decades after complaints about violating people's privacy, after regulatory inquiry and enforcement, Meta still chose not to give users clear yes/no control over its tracking - maybe hoping the oversight process on its LI claim (and avoiding changing its business model to something less hostile to privacy) will last another four years or so.
But the CJEU may have thrown a spanner in that latest GDPR evasion tactic, because EU DPAs cannot just look the other way in light of the Court's direction. So Ireland should not just sit on its hands and let Meta do so with such spurious claim of a legitimate interest legal basis the CJEU has given significant clues is inappropriate under these circumstances. And, well, when users are empowered to deny surveillance capitalism they do so in droves. The following particularly depends on the scenario. A clarity from the CJEU regarding how to apply the GDPR on ad-funded business models like Meta's may finally close this chapter on surveillance capitalism.
In this post-judgment declaration, the Court writes (with emphasis): "The personalized advertising through which Facebook finances its activity, cannot be the justification of the processing of the data in question, as a legitimate interest pursued by Meta Platforms Ireland, in the absence of the data subject's consent.".
We have emailed the Irish DPC for their comment on the CJEU ruling and will update this report should we hear back.
The CJEU has also made the decision to again focus its judgment on the quality of consent being valid, that is: there was, in fact, an effective and not manipulated choice — for example, not by dark patterns or otherwise penalizing the user for denying access to their data — given the imbalance between the market power of a social network and its users, noting in its press release that "this is for the operator to prove".
The Court also confirmed that Meta can't simply escape a legal duty to obtain explicit consent regarding so-called sensitive categories of personal data (such as political beliefs, sexual orientation, racial or ethnic origin etc.) — the Court finding that the fact that users visited or interacted with web services does not mean that they had manifestly made public their sensitive data (which would have lifted the need for explicit consent).
That aspect of the decision might fuel an entirely new onslaught of lawsuits against Meta for processing users' sensitive data without their express consent, as Facebook obviously process oodles of such stuff — always without explicitly asking permission.
Again, from the CJEU press release:
The Court mentions in this respect that the data processing operation conducted by Meta Platforms Ireland also further appears to concern special categories of data which reveal, inter alia, racial or ethnic origin, political opinions, religious beliefs or sexual orientation and the processing of which is in principle prohibited by the GDPR. It will be up to the national court itself to determine whether some of these data collected may indeed allow information to be released regardless of whether that information pertains to a user of that social network or any other natural person.
This lawyer and privacy rights campaigner, who launched the complaints against Meta on the "forced consent," describes today as "GDPR meltdown day for Meta." According to him, the court has shut its doors to all the loopholes that Meta's lawyers have tried to use over the last five years.
This is the "#GDPR meltdown day" for @Meta-CJEU basically closes all "loopholes" their lawyers have argued for the last five years.
The (very) first statement we've prepared can be accessed here: https://t.co/3Kk53rogEQ https://t.co/oqodQ2f34g
In its full statement, the noyb, a not-for-profit organization of Schrem's regarding his rights to privacy, declared that the CJEU has declared Meta's approach to GDPR "illegal".
"noyb still has to study the details of this massive judgment. From the live reading of the holding, it seems that Meta/Facebook was barred from using anything but consent for crucial operations that it relies on to make profits in Europe," it also wrote, with Schrems arguing Meta will now have to "seek proper consent and cannot use its dominant position to force people to agree to things they don't want".
"This will also positively impact pending litigation between noyb and Meta in Ireland," he added — referring to the aforementioned decision out of Ireland on Meta's legal basis for ads.
The European consumer organization, BEUC, also praised the CJEU ruling — suggesting it "paves the way for more effective enforcement against dominant digital platforms".
According to a statement, FCO president Andreas Mundt explained the judgment "sends a strong signal for competition law enforcement in the digital economy, an area in which data decide market power.".
"When large internet companies use the very personal data of consumers, this usage can also be deemed abusive under competition law. In their application of competition law, competition authorities must also take data protection rules into consideration. The judgment will have far-reaching effects on the business models used in the data economy. When enforcing competition law, it is important that we continue to cooperate closely with the data protection authorities," he added.
For its part, Meta didn't have much to say to offer as yet. "We are evaluating the Court's decision and will have more to say in due course," a company spokesperson said.
Meta also cited an earlier blog post dated January -and updated in March-after the finding of the GDPR breach-when the company wrote then: "To comply, from Wednesday 5 April we are changing the legal basis that we use to process certain first party data in Europe from 'Contractual Necessity' to 'Legitimate Interests'.". GDPR clearly states that there is no hierarchy between legal bases, and none should be considered more valid than any other.”
The litigation in Germany, which challenges the FCO's order to limit its profiling of users — which was paused on the CJEU referral — will now be able to resume. How long it will take for that case to work through the German courts remains to be seen. But the CJEU ruling can be read as the writing on the wall for consent-less tracking in the EU.