Meta is facing new data retention restrictions on its EU advertising operations following a ruling by the top court.

The European Union's top court has vindicated a privacy challenge to Meta's data retention policies. On Friday, the EU's Court of Justice ruled that social networks, including Facebook, cannot keep using people's information to target ads forever.
That ruling has major implications for the way Meta and other ad-funded social networks operate within the region.

The General Data Protection Regulation, in place within the bloc, contains data minimization principles: limits should be put on how long personal data can be kept. Violations of the regime may incur fines of up to 4% of global annual turnover, which, in Meta's case, could put it on the hook for billions more in fines (NB: it is already at the top of the leaderboard of Big Tech GDPR violators).

The decision is based on an earlier opinion on the case, published in April by one of the court's advisers. That earlier advice had already backed limits on retaining personal data for ad targeting.
Meta spokesman Matt Pollard said in response that the company is now waiting to hear the full judgment.

"We are eagerly awaiting judgment from the court, and we will have more to say in due course," he said in an email to TechCrunch. "Meta considers privacy to be its top priority and has invested over five billion Euros embedding privacy at the heart of all our products. Everyone on Facebook can access a wide range of settings and tools that enable people to manage how we use their information."

The adtech giant generates revenue by tracking and profiling users, both on its own social media services and more generally around the web, through a network of tracking technologies such as cookies, pixels and social plug-ins, in order to sell advertising services that target micro-segments. So any curbs on its ability to continuously profile web users in a region that is major for its business could hit its revenues.

Meta estimated last year that about 10% of its worldwide ad revenue comes from the European Union.

Another win for Schrems v. Facebook
A court in Austria had referred the case to the CJEU after European privacy campaigner Max Schrems lodged a complaint challenging Facebook's collection of data and its legal basis for advertising, among other issues.

Commenting on the win in a statement issued by Schrems' privacy rights nonprofit noyb, his lawyer Katharina Raabe-Stuppnig reacted: "We are very pleased by the ruling, although this result was highly expected."

"Meta has basically been building a huge data pool on users for 20 years now, and it is growing every day. However, EU law requires 'data minimisation'. Following this ruling only a small part of Meta's data pool will be allowed to be used for advertising — even when users consent to ads. This ruling also applies to any other online advertisement company that does not have stringent data deletion practices," she added.

The challenge to Meta's ad business itself dates to 2014, but wasn't fully heard in Austria until 2020, noyb said. The Austrian supreme court then referred several legal questions to the CJEU last year. Some were answered via a separate challenge to Meta/Facebook, in a July 2023 CJEU ruling that struck down the company's ability to claim a "legitimate interest" to process people's data for ads. Two more questions were still outstanding, and the CJEU has now answered them. The answer is more bad news for Meta's surveillance-based ad business: limits do apply.

The CJEU itself summarized this aspect of the ruling in a press release: "An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data."

The decision appears significant on its face because of how ad-targeting businesses like Meta's work. Boiled down: the more of your data they can collect, the better, from their perspective.

A memo secretly crafted by Meta engineers and unearthed by Vice's Motherboard in 2022 likens the company's data collection practice to tipping bottles of ink into a vast lake. The company's aggregation of personal data, the memo stated, lacks controls and does not lend itself to siloing different types of data or imposing data retention limits.

Although Meta claimed at the time that the document "does not describe our extensive processes and controls to comply with privacy regulations," it describes an incomplete flowchart of data processing in Europe.

How exactly the adtech giant will be legally compelled to change its data storage practices after the CJEU ruling is not yet clear. But one thing is clear: under the law, it has to put limits in place. "Companies have to develop data management protocols that shall gradually delete unnecessary data or stop using it," noyb suggests.

No more exploitation of sensitive data
The CJEU has also commented on a further question the Austrian court raised in the course of Schrems' litigation. The question concerned data "manifestly made public" by the data subject: how such data is to be treated, and whether sensitive characteristics could be used to target people for advertisements as a result.

It held that they could not, and thus maintained the purpose limitation principle of the GDPR.

"That would have a really chilling effect on free speech if you would lose your right to data protection in the moment that you criticize unlawful processing of personal data in public," Raabe-Stuppnig declared, welcoming that "the CJEU has rejected this notion".

When asked about Meta's use of so-called special category data, the term EU law uses for sensitive personal information such as sexual orientation, health data and religious views, Pollard explained that the company does not actually process this kind of information for the purpose of targeting ads.

"We don't use special categories of data that users share with us to personalize ads," he wrote. "We also prohibit advertisers from sharing sensitive information in our terms and filter out any potentially sensitive information that we can detect. In addition, we've gone a step further to remove any advertiser targeting options based on topics perceived by users as sensitive."

This dimension of the CJEU ruling may have implications beyond the operational management of social media services. Tech behemoths like Meta have recently been scrambling to repurpose personal data as AI training material. Internet scraping is another tactic AI developers have resorted to in order to gather the huge volumes of data needed to train large language models and other generative AI models.

In both cases, collecting people's data for a use that the people concerned were not informed about may violate the purpose limitation principle under the GDPR.

Blog | 2024-10-05 18:06:51