Meta's tracking ads business could suffer further legal blows across the European Union: A powerful adviser to the European Union's highest court decided Thursday that the continent's rules on privacy do prohibit how long people's data can be used for targeted advertising.
In the non-legally binding opinion, Advocate General Athanasios Rantos said use of personal data for advertising has to be limited.
This matters because Meta's business selling tracking ads is built off ingesting humongous amounts of personal data to build profiles of people to target them with advertising messages. Any constraints on how it can use personal data could limit its ability to profit off of people's attention.
A final judgment on the issue is still pending — such judgments typically arrive three to six months after an AG opinion — but the CJEU tends to follow the same line of thinking as its advisers.
Meanwhile, the CJEU should decide how EU law is applied, and so every ruling that it hands down is keenly watched since that is how courts further down the judicial ladder and regulatory authorities apply the law.
Into the proportionality framework
According to AG Rantos, data retention for advertising purposes must pay heed to the principle of proportionality since it is a general principle of EU law applied to the relevant privacy law framework by the General Data Protection Regulation, such as in their consideration for a valid basis to process. Among the primary requirements of this regulation is the establishment of a legal ground for the processing of information regarding persons.
In a press release, CJEU puts the words with emphasis: "Rantos proposes that the Court should rule that the GDPR precludes the processing of personal data for the purposes of targeted advertising without restriction as to time.". The extent to which the data retention period and the amount of data processed are justified having regard to the legitimate aim of processing those data for the purposes of personalised advertising, the national court must assess, inter alia in the light of the principle of proportionality. The Court of Justice of the European Union is asked to rule on two questions referred to it by a court in Austria. These refer to a lawsuit filed against Meta's adtech business in 2020 by lawyer and privacy campaigner Max Schrems. Schrems is a familiar figure in Europe, where he has won multiple rounds of battles against Meta-that have resulted in penalties worth more than a billion dollars for the tech giant since the GDPR took effect.
An internal memo by Meta engineers, obtained by Motherboard/Vice way back in 2022, painted a picture of a company that seemed unable to apply policies to limit its use of people's data after ingestion by its ads systems. "Built a system with open borders," the document said. Meta disputed the characterization, saying at the time the document "does not describe our extensive processes and controls to comply with privacy regulations."
But it is clear that Meta's core business model depends on its capacity to track and profile users of the web to operate its microtargeted advertising business. So any hard legal limits on its capacity to process and retain people's data could have huge implications for its profitability. To wit: Last year, Meta suggested around 10% of its worldwide ad revenue is generated in the EU.
In recent months, EU lawmakers and regulators also noticeably turned the screw on the adtech giant to abandon its addiction to surveillance advertising-with the Commission explicitly name-checking the existence of alternative ad models, such as contextual advertising, when it opened an investigation into Meta's binary "consent or pay" user offer last month, under the market power-focused Digital Markets Act.
An important GDPR steering committee issued its own guidance earlier this month on the issue, insisting that biggest ad platforms like Meta would need to actually provide end-users with a "meaningful choice" over choices they make affecting their privacy.
No gate-openers for sensitive data in ads
In today's opinion, AG Rantos has also opined on a second point that has been referred to the court: Whether making "manifestly" public certain personal information — in this case, info related to Schrems' sexual orientation — gives Meta carte blanche to retrospectively claim it can use the sensitive data for ad targeting.
Schrems had complained he received ads on Facebook targeting his sexuality. He subsequently discussed his sexuality publicly but had argued the GDPR principle of purpose limitation must be applied in parallel, referencing a core plank of the regulation that limits further processing of personal data (i.e., without a new valid legal basis such as obtaining the user's consent).
AG Rantos contraposes. In relation to that, this is how the press release comments on the point again with emphasis: "while data concerning sexual orientation fall into the category of data that enjoy particular protection and the processing of which is prohibited, that prohibition does not apply when the data are manifestly made public by the data subject. Nevertheless, this position does not in itself permit the processing of those data for the purposes of personalised advertising".
Well, today marks an initial reaction by the lead litigator, founder, and chairman of the European privacy rights nonprofit noyb, Schrems, who welcomed the opinion through his lawyer in the case against Meta, Katharina Raabe-Stuppnig.
As it is now, the entire online advertising industry stores everything forever. The law is quite clear that after a few days or weeks, processing must stop. For Meta, this would mean that a huge chunk of information they have collected over the last decade would become taboo for advertising, "she wrote in a statement highlighting the importance of limits on data retention for ads.
"Meta has essentially been collecting this humongous data pool on users for 20 years, and it is increasing day by day. EU law, however, requires 'data minimisation.' If the Court follows the opinion, only a small part of this pool will be allowed to be used for advertising — even if have consented to ads," she added.
On the question of further use of sensitive data made public she said, "This issue is highly relevant for anyone who makes a public statement. Do you retroactively waive your right to privacy for even totally unrelated information, or can only the statement itself be used for the purpose intended by the speaker? If the Court deems it to be a blanket 'waiver' of your rights, it would chill any online speech on Instagram, Facebook or Twitter."
Meta spokesman Matthew Pollard was contacted for its own reaction to the AG opinion. "We're looking forward to the ruling of the court," said the Meta official.
Company claims to have "overhauled privacy" since 2019, meaning that reportedly, it's spent €5 billion+ on EU-related privacy compliance issues and expanding user controls. "Since 2019, we have transformed privacy at Meta and invested over five billion Euros to make privacy a core part of our products," Meta stated through an emailed response. "All people who use Facebook have access to a wide array of controls and features that give people the ability to understand how we use their information in our services."
Also, regarding the sensitive data, Pollard brought forward another Meta's claim that "we do not use sensitive data that users provide us to personalize ads," as the statement puts it.
We also prohibit advertisers from disclosing sensitive information in our policies, and filter out all potentially sensitive information that we're able to identify, Meta further noted, adding: "Moreover, we've made moves aimed at removing any advertiser targeting options based on topics perceived by users to be sensitive.
In April 2021, Meta announced a policy change in this area — saying it would no longer allow advertisers to target users with ads based on sensitive categories such as their sexual orientation, race, political beliefs or religion. But an investigation by the data journalism nonprofit The Markup found in May 2022 that it was easy for advertisers to circumvent Meta's ban through "obvious proxies.".
A CJEU ruling last August 2022 comes to mind in which the court ruled then that sensitive inferences should be treated as sensitive personal data under the GDPR. Or, rather, a proxy for sexual orientation for the purposes of advertising should, in principle require the same stringent "explicit consent" for that form of targeting as would be required for the direct targeting of ads based on sexual orientation were those ads to be targeted at a person's sexual orientation in order to be lawful processing in the EU.