Last week, Ireland's Data Protection Commission fined Meta 390 million euros — 210 million euros against Facebook and 180 million euros against Instagram. In its decision, the DPC announced the platforms’ basis for seeking user permission to collect data for personalized advertising is invalid and gave the company three months to bring data processing operations into compliance with the EU General Data Protection Regulation.

Notably, the decision that Meta’s contract-based request for personalized advertising is unlawful highlights a divide between European regulators, reflects the ongoing transformation of the advertising technology space, and raises uncertainty around compliance of the GDPR.

“The decision reflects a deep and widening chasm between privacy regulators in the EU,” said Goodwin Procter Partner and IAPP Westin Emeritus Fellow Omer Tene, noting a fundamental disagreement between the DPC, supervisory authorities and the European Data Protection Board over contract as a legal basis for personalized advertising.

Regulatory uncertainty

The Irish DPC initially determined Meta — which required users to sign terms of service that included language enabling data processing for “personalised services and behavioural advertising” to access its platforms — did not rely on user consent as a lawful basis for personal data processing and complaints of “forced consent” could not “be sustained.” Ten of the "47 Concerned Supervisory Authorities" disagreed, and the EDPB ultimately determined Meta’s practice was unlawful.

In its announcement last week, the DPC reversed course and said its decisions “reflect the EDPB’s binding determinations.”

The authority also indicated it will pursue legal action against the EDPB before the Court of Justice of the European Union for what it called a regulatory “overreach.” The DPC said the EDPB directed it to conduct an investigation “that would span all of Facebook and Instagram’s data processing operations,” including an examination of “special categories of personal data that may or may not be processed,” calling the directive “problematic in jurisdictional terms” and inconsistent “with the structure of the cooperation and consistency arrangements laid down by the GDPR.”  

Meta said it is “disappointed” by the decisions and intends to appeal “both the substance of the rulings and the fines.”

In a blog post, the company said the debate around legal bases has “been ongoing for some time and businesses have faced a lack of regulatory certainty.” It said the decision “does not prevent personalised advertising” on its platforms, does not mandate the use of consent for such data processing, and advertisers can continue to use its platforms “to reach potential customers, grow their business and create new markets.”

“Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December (2022), it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed,” the company said.

The EDPB’s decision reflects “the majority view of European DPAs on the essential question of what processing of personal data can be considered as ‘necessary for the performance of a contract’” and will need careful reading when it is made public, Future of Privacy Forum Vice President of Global Privacy Gabriela Zanfir-Fortuna said.

“Privacy compliance teams across industries will likely want to have another look at all their operations based on contract, once the EDPB decisions are published," FPF's Gabriela Zanfir-Fortuna said. 

“The community spent a lot of time analyzing and understanding requirements for consent and legitimate interests in the past years, and not so much the ‘contract’ lawful ground, which raises very interesting questions of law," she said. “Privacy compliance teams across industries will likely want to have another look at all their operations based on contract, once the EDPB decisions are published.”

If upheld, Tene said the decisions signal a “readiness” by DPAs “to rewrite consumer contracts, including terms of use, to counter power imbalances and impose privacy protective measures.”

“Companies should devote strategic thinking to the selection of a legal basis for processing under GDPR. Each option has its costs and benefits. If the decision signals that DPAs expect websites to obtain opt-in consent for using first-party data, then it’s an escalation in how many interpreted GDPR so far,” he said.

“Companies should devote strategic thinking to the selection of a legal basis for processing under GDPR. Each option has its costs and benefits," Goodwin's Omer Tene said. 

IAPP Principal Researcher, Privacy Law and Policy Müge Fazlioglu, CIPP/E, CIPP/US, devised a chart outlining the scope of lawful bases for processing personal data under the GDPR, further considerations for determining when each applies and relevant recitals.

‘Another complication’ for adtech

Zanfir-Fortuna said the EDPB and DPC’s decisions, with the appeals process to come, will shape new targeted advertising models, adding the space is undergoing a “transformational phase,” while Tene said they create “another complication” for the adtech space, though it is not “insurmountable.”

Global Data Protection Lead at digital rights organization Access Now Estelle Massé, CIPP/E, said the decisions are “hugely significant” for online companies whose business model relies on targeted ads. She said companies should assess whether the way they deliver ads online is “legal and sustainable.”

“It confirms that the privacy invasive targeted-ads business model is slowly but surely ending and that privacy-friendly solutions will need to be found quickly,” she said of the decisions. “This means that companies should carefully look into ways to operationalize freely given, explicit and specific consent if they want to continue to use targeted ads. This is also an opportunity for the ad industry as a whole to rethink their reliance on targeted ads.”

The Interactive Advertising Bureau’s Executive Vice President for Public Policy Lartease Tiffith disagreed, saying he thinks “people are making a bigger deal about it than they should in terms of the impact today.”  

“This wasn’t a slam dunk case, clearly. What we have is a lot of regulatory uncertainty, there is still some ambiguity and there are clarifications that are needed,” he said, adding there is still a lot to be learned from the EDPB’s decision when it’s released in full. “Our position is you can use different bases, whether it’s consent or legitimate interest or others, and there’s no one better, and I think there’s different viewpoints on the applications of these things. We don’t want to continue to have something where it’s subject to ambiguity.”

He called varying interpretations of the law among DPAs a “problem” and said it’s time to start thinking about changes to the GDPR, like establishing clear and concise language around the requirements for consent and clarity around enforcement, for instance.

"This wasn’t a slam dunk case, clearly. What we have is a lot of regulatory uncertainty, there is still some ambiguity and there are clarifications that are needed," IAB's Lartease Tiffith said. 

The legal challenges will unfold and the CJEU will ultimately issue a decision, but that is likely years away, he said, adding, “rather than dealing with that regulatory uncertainty it would be great if we had something that made it clearer.”

Criteo Vice President Government Affairs and Public Policy Nathalie Laneret, CIPP/E, CIPM, said the decisions do not impact how the advertising technology company operates as it has never relied on contractual necessity as a legal basis under the GDPR. However, she said it “may reduce the availability of legal bases companies can rely on for their processing activities.”

“Consent and legitimate interest, for instance, are other possible legal bases that can be relied on by the advertising ecosystem. It is necessary that GDPR legal bases are interpreted in a flexible manner to align with the wide varieties of business activities and relationships of the rich and complex advertising ecosystem,” she said.

It is necessary that GDPR legal bases are interpreted in a flexible manner to align with the wide varieties of business activities and relationships of the rich and complex advertising ecosystem,” Criteo's Nathalie Laneret said. 

Laneret said there is a “wide variety” of business-to-business service providers that do not have a direct relationship with individuals but need to be able to rely on a valid legal basis to process personal data when acting as controllers or joint controllers.

“When the consent legal basis is used, these actors in the value chain must be able to rely on the contractual commitments of their business partners to obtain valid consent,” she said. “Otherwise, the interpretation of the GDPR would also create some competition distortion between the different actors depending on whether or not they have a direct relationship with individuals.”

Moving forward

Awaiting the release of the EDPB’s full decision and the potential legal fallout, Fox Rothschild Partner, Chair of GDPR Compliance and International Privacy Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP, PLS, said companies should focus on providing “appropriate disclosure, in real time, not buried in long terms of use, in language that is clear and easily understood by the consumer” and when discussing sharing information with third parties, provide choice.

With the ambiguity and inconsistency in the interpretation and enforcement of the GDPR, Lanaret said implementing compliance programs is a “big challenge” for companies working to do so in good faith and based on their understanding of the law.

“This calls for enhanced collaboration and open and constructive discussions between DPAs and industries to better align views on how GDPR should be understood taking into account business models specifics,” she said. “Companies generally prefer to have legal certainty and it is better to have these discussions proactively as part of the setting up of a code of conduct or in a regulatory sandbox rather than at the enforcement stage.”

While companies should review their legal bases for data processing in light of the decision, Laneret said, at the same time, DPAs should “capture the dynamics of the different industries they regulate” when applying the GDPR.

“Especially those of data-driven business models,” she said. “In the adtech sector for instance, data processing to enable audience measurement is the backbone of effective advertising and should be possible under the legitimate interest legal basis. Relying on the legitimate interest legal basis does not mean that data is not protected, of course, as all other GDPR provisions continue to apply. It is also important that DPAs properly balance the benefits of the adtech business model — in particular, equal access to free content on the internet, media diversity and free speech — with the protection of personal data. The same applies, in fact, to all industries.”  

“Whichever way we look at it, questions and issues keep popping up about the validity of legal bases used by online companies for targeted ads. The targeted-ad debate is surely not over but it is clearly headed into a direction that would provide more control to people over the way companies use their data, as it should be,” Access Now's Estelle Massé said.

Access Now's Massé said there is also “still a lot to discuss” regarding companies’ ad practices, including how companies like Meta can ensure compliance with not just the GDPR but the ePrivacy Directive. Massé said data collected and used for ad targeting through tracking would likely fall under the scope of the directive, “which mandates the use of consent as a legal basis.”

It is also worth noting that Meta and other large companies identified as “gatekeepers” under the EU’s Digital Markets Act, will soon be subject to other restraints on their advertising practices.

“Whichever way we look at it, questions and issues keep popping up about the validity of legal bases used by online companies for targeted ads. The targeted-ad debate is surely not over but it is clearly headed into a direction that would provide more control to people over the way companies use their data, as it should be,” Massé said.

The IAPP will host a discussion Jan. 12 on LinkedIn Live diving into what privacy professionals need to know about the decisions.