Meta Argues, Saying That Facebook And Instagram Use 'Legal Bases' For Advertisement Targeting

2022 is gone, and 2023 has only ran for a few days, before tech titan Meta is told to pay a huge fine.

The company founded by Mark Zuckerberg has been hit with a €390m fine for breaking EU data rules. According to the Irish Data Protection Commission (DPC), the way Meta asked permission to use peoples' data for ads on Facebook and Instagram was unlawful.

Meta, which owns both platforms, has three months to change how it obtains and uses data to target ads.

If it cannot, or is unable to appeal the decision, the company has to pay that amount, and could be forced to ask users to "opt in" to having their data used for targeted ads.

In a response to this, the company said that it is "disappointed," stressing that the decision does not prevent personalized advertising on its platforms.

Meta

In an announcement, the company said that:

"The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area. We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines. "

"There has also been inaccurate speculation and misreporting on what these decisions mean. We want to reassure users and businesses that they can continue to benefit from personalised advertising across the EU through Meta’s platforms."

The argument here is that, in the European Union, commercial entities have to have a legal basis to process user data.

Data processing here, occurs in a variety of situations, such as when data is stored, transferred or aggregated.

According to General Data Protection Regulation (GDPR), which regulates data protection and privacy in the EU and the European Economic Area, allows for a range of legal bases under which data can be processed.

The rules of GDPR are clear: there is no hierarchy between these legal bases – none should be considered better or more legitimate than any other. Which basis is most appropriate to use depends on the specific situation.

And here, Meta argues that it's just like any other company out there, which uses a combination of legal bases to provide various services.

"Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service. To date, we have relied on a legal basis called ‘Contractual Necessity’ to show people behavioural advertisements based on their activities on our platforms, subject to their safety and privacy settings. It would be highly unusual for a social media service not to be tailored to the individual user."

[block:block=87]

But the regulator doesn't think the same way.

They said that both Facebook and Instagram can not "force consent" by saying consumers have to accept how their data is used, or leave the platform.

And because Facebook and Instagram have European headquarters in Ireland, the the Irish Data Protection Commission (DPC) takes the lead in ensuring the two Meta companies comply with EU data law.

The DPC investigation was sparked by complaints made in 2018 by privacy campaigner Max Schrems, on behalf of two users in Austria and Belgium. The complaint was brought when GDPR came into operation.

In order to comply with GDPR, both Facebook and Instagram started asking users to click "I accept" as a consent to prove that they agreed to updated terms of service setting out how their data would be used in ads.

If users did not accept, they cannot use Facebook or Instagram.

The complainants here, said that Meta is giving people no choice but to consent to their data being used in targeted ads.

This in turn, breached the GDPR.

The DPC’s press release to detail the financial penalties of €210 million for Facebook and €180 million for Instagram. These sanctions add to previous fines Meta had to pay in Europe in 2022, including a €265 million penalty for a Facebook data-scraping breach; €405 million for an Instagram violation of children’s privacy; €17 million for several historical Facebook data breaches; and a €60 million penalty over Facebook cookie consent violations.

In total, Meta has to pay €747 million in (publicly disclosed) EU data protection and privacy fines.

This time, only in the first few days of 2023, Meta landed to yet another financial penalty, with more sanctions possibly around the corner.

Meta said that the lack of regulatory clarity on this issue, is the reason why regulators and policymakers debate around which legal bases are most appropriate in a given situation. And this in turn is affecting how companies operate in EU.

Mark Zuckerberg
"This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether. That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services."

"As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed."

Privacy advocates and campaigners said that DPC's decision is a major victory.

And if Meta fails, it should finally give users the real choice over how their data is used for ads.

What this means, Meta may have to change the way its core business work.

Just like many times before, when Meta doesn't want to pay or change anything, it's willing to defend its purpose whatever the cost.