Meta continues to resist giving EU users a free choice over tracking, but changes are on the way.

After significant privacy enforcement finally hit Meta's tracking ads business in Europe earlier this year, the tech giant has confirmed that it will be changing the legal basis it claims for microtargeting users in the region.

It's not going to ask people for their up-front consent to its data-fuelled behavioral advertising. But it will have to offer users in the European Union an opt-out if they choose to exercise their right to object -- which is a first.

Back in January, Meta was fined about $410M after it was determined to have violated the EU's General Data Protection Regulation (GDPR) for lacking a valid lawful basis for behavioral advertising and violating the transparency and fairness principles of the regulation—and had three months to get its house in order.

In an update to its earlier blog post about the enforcement, Meta writes that — from April 5 — it will claim a "legitimate interests" (LI) basis for processing EU people's information to target them with advertising.

One of the six permissible legal grounds for processing personal data under the GDPR is legitimate interests. And at least half of those options are not relevant given the nature of Meta's commercial enterprise, which is not in the life-saving, public interest-based or legally required service businesses.

The tech giant had been insisting on another of the six, contractual necessity, to run tracking and profiling-based behavioural advertising, but the EU regulators found that to be unlawful.

Meta denies the finding -- and is appealing the enforcement -- but a regulator-imposed three-month deadline to fix its GDPR compliance is looming early next month so it needs to do something to reset its claim of compliance in the meanwhile, i.e. while its army of lawyers try to figure out how to push water uphill.

In a blog update about the switch, Meta wrote:

In December, the Irish Data Protection Commission ruled that Facebook and Instagram must change their legal basis under GDPR to serve behavioral advertising in Europe. To be compliant, starting Wednesday 5 April we are changing the legal basis used to process certain first party data in Europe from 'Contractual Necessity' to 'Legitimate Interests'. GDPR explicitly states that there is no precedence in the order of legal bases, and no one should be more or less valid than any other.

It is important to note that this legal change will not prevent personalized advertising on our platform, nor will it change how advertisers, businesses or users experience our products. Advertisers can continue using our platforms to reach potential customers and expand their business. We will also inform relevant users that, with regard to certain information, we have other options in terms of how we treat that information to display behavioral advertisements. This is the legal basis that similar platforms use, and our EU Privacy Policy and Terms of Service will be updated accordingly.

We believe the previous approach was GDPR compliant, and our appeal on both matters -- the substance of the rulings and the fines -- continues. However, this change ensures that we comply with the DPC's decision.

Asked about the pending change to LI, Meta spokesperson Al Tolan was quoted by TechCrunch as saying: "The new EU Privacy Policy goes live next week and will reflect a change in Legal Basis. I can also confirm that we have conducted a Legitimate Interests Assessment."

Tolan refused to provide us with a copy of the amended privacy policy or LI assessment report when we asked to review those -- but insisted "we've complied with all regulatory guidance needed to rely on LI."

But many EU data protection experts believe that Meta can't rely on LI for the tracking and profiling that underpins its behavioral ads business -- and will, ultimately, have to ask users for consent in order to be compliant with EU privacy laws, which include both the older ePrivacy Directive and the GDPR.

Part of the problem with Meta relying on LI for a mass surveillance behavioral ads business is that this legal ground is intended to be reserved for processing that's strictly necessary -- that is, processing that can't be done in a less intrusive way, such as contextual ad-targeting rather than personal data-derived micro-targeting.

Data processors must also weigh individuals' rights and interests in a balancing test (in this case, the rights to privacy and to not being tracked). And any LI balancing test for Meta's surveillance ads business would have to do some serious gymnastics to try to claim the mass scale privacy intrusion of its commercial microtargeting outweighs EU citizens' fundamental right to privacy.

Meanwhile, the ePrivacy Directive prohibits the use of LI for ad-tracking purposes: unless cookies are "strictly necessary", the consent standard applies here.

So what Meta is being coerced to do here does not appear likely to solve the fundamental legal problem that it's finally facing in the EU now that privacy enforcement is starting to bite.

One day after the WSJ was the first to report on Meta's intention to move to LI, noyb -- the organization which led the original "forced consent" GDPR complaints against Facebook, Instagram and WhatsApp back in May 2018 -- announced that it will "imminently" take action in response to what it characterized as the tech giant's new "illegal practice".

noyb is not stating what concrete action it will undertake. However, in a press release, its founder and chair Max Schrems said: "Meta is replacing one illegal practice by another illegal practice. noyb will take immediate legal action to end this farce since, as usual, the Irish Meta regulator will do nothing. This is a ridiculous game and we will stop it as soon as possible. Like any other corporation, Meta must have an obvious yes/no switch for users, where they need to affirmatively say 'yes' if they want to give up their basic rights.

"While some still argue that advertisement would override the fundamental rights of users, this is a minority view. We are not aware of anyone arguing that profiling and tracking at the scale of Meta just to get some ad clicks would fulfill that test. This system of using legitimate interest at least allows for opt-out, which makes it a slight improvement for users," said Schrems.

Among the important factors here is the period between the first GDPR complaints filed over Facebook's creepy ads and the final rulings from its lead EU data protection authority, the Irish Data Protection Commission, which came in over four years later -- during which time Facebook/Meta got to keep on with the lucrative-yet-unevenly-lazy practice of tracking, profiling, and monetizing Europeans' eyeballs, raking in far, far more in profits than it's being asked to hand over in fines.

This means - if you throw out your morals and ethics - basic arithmetic works in favor of lawbreaking. And, if we may use that mercantile logic, it would mean that Meta's 'compliance strategy,' if we may call it that, seems to rely on jumping from one dubious claim of compliance to the next to get itself another rack of years so it can continue monetizing people's privacy while the EU's regulatory bodies try to keep up and/or fight with each other.

This has essentially been the regulatory game of 'whack-a-mole' to date. However, there is reason to believe this strategy is running out of road.

For one thing, Meta has far more GDPR complaints and enforcement actions pending -- not least a landmark ruling on suspension of its EU-US data flows. And the more of these rulings come down and set precedent, arguably the less room Meta has to wiggle into loopholes to avoid privacy requirements. The regulations are just getting more baked in.

Second, TikTok only just attempted a switch from consent to LI — and was promptly pounced on by a range of EU regulators, warning that the step would not be compliant, forcing it to back away from the plan.

So while Meta is looking to leap from a spurious claim of contractual necessity to a dubious at best claim of LI — before which it apparently also relied on a faux claim of consent, since it was not actually giving users a free choice over its tracking, which the GDPR requires for consent to be a valid basis — it's hard to see how it can do something EU regulators literally just blasted TikTok, another ad-driven social network, for trying.

On the GDPR front, if the Irish DPC decides to turn a blind eye to that compliance switcheroo despite having earlier engaged with TikTok over a similar move, it risks looking like it is unfairly favoring Meta over competitors it supervises -- which could invite a whole new host of legal problems for a regulator already saddled with plenty of those.

We asked the DPC questions about Meta's plan to switch to LI, and deputy commissioner Graham Doyle told us it's not saying anything publicly for now — reasoning Meta has till next week to send its compliance report in line with the decision it issued in January.

Third, the ePrivacy Directive differs from the GDPR in another way: it has no centralized enforcement mechanism — that is to say, EU regulators are all provided with the power to intervene in their own markets if they believe infringements may be taking place. (For example, last summer the Italian DPA issued a warning to TikTok in relation to its use of LI — its case was based on the ePrivacy Directive; an intervention that apparently proved effective at nipping TikTok's plan in the bud.)

So if Meta does this, there is no need to wait around to see if the Irish DPC is going to do anything about it: DPAs in EU Member States, like Italy and France, can act as quickly as they like under ePrivacy, which gives them powers to issue dissuasive fines for any breaches they identify. (And France has been busy on that front where cookie breaches are concerned — including with recent fines for Facebook dark patterns.)

While it remains to be seen whether Meta will buy itself more years, plural, to avoid giving EU users an up-front say over whether it can violate their privacy rights or not, switching to LI does come with one hard immediate requirement: It will have to offer EU users a way to object to the processing. So that means there will finally be a route for EU users to opt out of its tracking and profiling -- which is, in and of itself, a big win, if still not the full package privacy advocates have been fighting for.

In its blog post, Meta refers to the opt-out only vaguely, writing: "Relevant users will also be informed about this modification, which will provide them with other options regarding how we process particular information in order to serve behavioural ads."

The WSJ, citing people familiar with Meta's planning, reports that the tech giant will offer users in the bloc an opt-out of "certain highly personalised ads" — letting them choose a version of its services that targets them with ads based on what its reporting calls "broad categories, such as their age range and general location" — so, presumably, some form of contextual targeting — without using tracking data such as what videos they watch or content they click on inside its apps.

According to the newspaper, Meta will offer the opt-out from behavioral ads only to users in the EU, so users in the US will continue not to be offered any choice.

Users who want to opt out of Meta's tracking and profiling-based behavioral advertising will need to submit a form objecting to its use of in-app activity for ads -- which it says it will review before implementing, the WSJ reports.

If true, that detail is also interesting, since, under the GDPR, the right to object to direct marketing is absolute and, as the ICO guidance notes, "you must stop processing when someone objects", so it's not clear what exactly there would be to assess. (NB: Meta is also being sued in a class-action style suit in the U.K. over this very point.)

This would mean the tech giant has had to be dragged, kicking and screaming, to give European Union users a bare-bones opt-out from its tracking. It will be intriguing to see how many users go on to claim their privacy.

When users are given the option of privacy, they tend to seize it; an example is iOS users who refused tracking by third-party apps after Apple demanded that applications on its platform request permission from people to track them. Of course, much depends on how Meta frames the opt-out, given its taste for dark pattern design.

Still, a choice to deny privacy abuse is coming. And for a surveillance giant like Meta there doesn't seem to be a way back from this kind of tipping point -- short of a total business model reform.

Blog
|
2024-11-11 22:15:56