Well, before proceeding with any plan to force behavioural ads on Twitter users in the European Union, Elon Musk should take note of a recent major privacy fine for Meta.
To wit: In comments this morning, the European Data Protection Board (EDPB) issued a stern warning to all businesses looking to ignore EU data protection laws by depriving users of a choice over being surveilled to assist with behavioural advertising. The warning follows two final verdicts against Meta by EU privacy regulators that applied the EU's General Data Protection Regulation (GDPR) to Facebook and Instagram: decisions which involve a combined total of about $410 million in penalties (with a third decision against WhatsApp just around the corner), as well as orders to rectify the unlawful treatment of their data within three months.
"The EDPB binding decisions clarify that Meta unlawfully processed personal data for behavioural advertising. Such advertising is not necessary for the performance of an alleged contract with Facebook and Instagram users. These decisions may also have an important impact on other platforms that have behavioural ads at the centre of their business model," said EDPB chair, Andrea Jelinek, in a statement.
The Board also found the relation between Meta and the users "unbalanced", noting "grave breaches" of its transparency obligations which it said had "impacted the reasonable expectations of the users," and faulted the tech giant for presenting its services to users "in a misleading manner". This led the EDPB to also find a breach of the GDPR's principle of fairness, as well as transparency failings.
The supervisory authority oversees the implementation of the EU's GDPR in a manner that ensures the law is applied consistently by regulators in all member states.
It was ultimately responsible for overturning Meta's bogus claim of contractual necessity for behavioral ads, a ruling with the force of res judicata, compelling the lead data protection regulator for the GDPR, the Irish Data Protection Commission (DPC), to flip a conclusion it had reached in its 2021 draft decision and conclude that Meta's practice of forcing consent to tracking ads through a claim of contractual necessity is unlawful.
What has come to be known as 'behavioural' advertising is a form of targeted advertising whereby the selection of which ad to serve is made based on tracking and profiling individual users through their online activity (and, in some cases, combining offline data-sets to enhance these per-user profiles). In terms of EU data protection law, it is therefore based on processing personal data, an activity which requires a valid legal basis.
Alternative forms of targeted advertising that do not involve processing personal data, such as contextually targeted advertising, are available. This meant that the argument by Meta that intrusive tracking and profiling of persons was a necessary core feature of its services also fell foul of the Board.
Comments from the EDPB today, that the Meta ads decision has an "important influence" on other platforms, also seem pertinent to TikTok, which last year attempted to strip users of their ability to opt out of its tracking ads, asserting it would switch the legal underpinning for "personalized" advertising from consent to legitimate interest, before rapidly dialling back the move in the face of scolding from privacy regulators.
Were TikTok to try to revive such a shift today, with those two key GDPR judgments against Meta's 'forced consent' standing, it would only invite swift regulatory scrutiny, so a switch to its claimed new legal basis is surely pretty unlikely (not least as the video-sharing platform is kept busy trying to buff up its profile in the eyes of European lawmakers, as the Commission starts applying new oversight powers on digital platforms under the Digital Services Act (DSA) and Digital Markets Act (DMA)).
Just because Facebook has, for years, processed and profited from Europeans' data by running unlawful ads does not mean other ad-funded platforms will get the same free ride from regulators across the bloc. Enforcement is finally here.
(For the record, Meta has said it will appeal the two GDPR decisions. It also denies they mean it has no option but to ask European users for their consent to its behavioral ads — pointing out that the regulation allows for "a range" of legal bases but without specifying which of these limited (and bounded) alternatives to consent might fly… So, er, public interest behavioral Facebook ads anyone?!)
Twitter, meanwhile, has also now announced that its iOS application will operate a 'For you' algorithmic content feed as its default mode, meaning users have to actively swipe in order to access their usual chronological feed. That may raise questions over the legal basis the company is relying on for pushing content personalization in front of users who may not want it. So there's no shortage of interesting considerations flowing from Meta's GDPR spanking.
This new GDPR enforcement dynamic, if we dare call it that, presents regional opportunities for other approaches — and innovation — in the area of lawful targeted advertising whether that's tracking-based ads with valid user consent. Or forms of ad targeting that do not involve any processing of personal data. Or, well, which seek to claim they don't.
And we're already beginning to see some high-level moves to capitalize on the slow decline/demise of lawless behavioral ads, such as Google's plan to switch away from individual-level ad targeting to alternative 'privacy-sandboxing' interest-targeting ads, or a new proposal by European telcos to band together on a joint venture to offer opt-in ad targeting of mobile users (which the carriers say would limit targeting to first party data and gather explicit user consent to the ads per advertiser/brand).
How Meta gets its ad-targeting operation in legal order, meanwhile, remains to be seen. But, well, fixing infrastructure that's never cared to comply seems like it could be very expensive…
The EDPB's statement today also addresses why it tasked the DPC with investigating Meta's processing of sensitive data, something that's led the Irish regulator to claim the Board is making a jurisdictional overreach and to say it's lodging legal action to try to annul that part of its instruction.
In this connection, the Board argued that it had assessed whether the complaints against the legitimacy of Meta's advertisements had been treated with due diligence by the DPC.
"Sensitive data is processed by Meta IE, the complainant had pointed out. However, the DPA of the IE did not audit processing of sensitive data and accordingly, the EDPB could not rely on sufficient factual evidence to enable it to make findings on any possible infringement of the controller's obligations under Art. 9 of the GDPR [which deals with the processing of special category data]," it writes.
This resulted in the EDPB turning down the IE DPA's proposed conclusion that Meta IE was not legally bound to rely on consent for the carrying out of the processing activities consisting of the delivery of its services of Facebook and Instagram, because such a conclusion could not be arrived at categorically in the absence of more investigations. Consequently, the EDPB concluded that the IE DPA needed to carry out a new investigation.
The DPC has also been accused of 'fiddling round the edges' of GDPR complaints, by opening narrower enquiries than complainants had called for (or not opening a probe at all).
It's also being sued for inaction (and even criminal corruption) in a couple of cases. So it's certainly significant (and embarrassing for Ireland) that the EDPB's binding decision concludes that the Irish regulator failed to inquire into elements of Meta's data processing it says were needed for it to reach its proposed conclusion that Meta was not legally obliged to rely on consent. As black marks against the DPC's approach to GDPR enforcement go, this schooling from the Board is a major addition to Dublin's tally.
However, the EDPB's instruction for the DPC to open a completely new investigation of Meta's data processing has attracted notable attention in light of EU law, which already secures the independence of data protection authorities.
On this, noyb's honorary chairman, Max Schrems, a long-time critic of the DPC's approach to enforcing the GDPR in particular, but also more generally of how poorly resourced EU DPAs are and how hard it is for Europeans to exercise their rights, suggests that this still shows the system doesn't work.
Few would say enforcement of the GDPR has been smooth sailing, but by the fifth anniversary of the regulation coming into application, this May, a steady stream of decisions (including, of course, some major ones with implications for rights-hostile business models) has finally arrived. So the needle is apparently moving, even if the story rarely ends with a final decision, since years of legal appeals may follow.
Much of the attention paid this year to EU regulatory workings will also swivel onto the European Commission, to see how it enforces two newer regulations on larger digital platforms, the aforementioned DSA and DMA: a new centralized enforcement structure devised by the bloc's lawmakers that was undoubtedly informed by years of criticism over slow and weak enforcement of the GDPR.
So the legacy of Meta's lawless ads, and Ireland's dilly-dallying to enforce against its consentless tracking-and-profiling, is already a lasting one.