An unprecedented shakeup in the advertising technology space has arrived in Europe. Changes are coming to adtech's approach to privacy and consent around personalized advertising after the European Data Protection Board issued an urgent binding decision to ban Meta's data processing for behavioral advertising.
The EDPB decision applies to Meta's Facebook and Instagram users across EU member states and European Economic Area countries. It stems from a request from Norway's data protection authority, Datatilsynet, to make a previously-issued interim ban in Norway permanent and extend its reach and impact to all of Europe. Norway's interim ban was applied in July and set to expire 3 Nov.
"Already in December 2022, the EDPB binding decisions clarified that contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioural advertising," EDPB Chair Anu Talus said in a statement. "In addition, Meta has been found by the (DPC) to not have demonstrated compliance with the orders imposed at the end of last year. It is high time for Meta to bring its processing into compliance and to stop unlawful processing."
Ireland's Data Protection Commission, Meta's lead supervisory authority in the EU, notified Meta of the EDPB binding decision 31 Oct., according to the EDPB. Datatilsynet Head of International Tobias Judin told the IAPP the two-week period for the DPC to serve the ban began 27 Oct. and Meta will be required to comply within a week of receipt.
Ahead of the EDPB decision being published, Meta announced 30 Oct. it is rolling out a subscription model for ad-free Facebook and Instagram services in the EU to comply with the EU General Data Protection Regulation and commit "to keeping people's information private and secure." The platform also sued Datatilsynet in the Oslo District Court 25 Oct. to remove the targeted advertising ban.
"The option for people to purchase a subscription for no ads balances the requirements of European regulators while giving users choice and allowing Meta to continue serving all people in the EU, EEA and Switzerland," Meta said in its subscription announcement. "In its ruling, the (Court of Justice of the European Union) expressly recognised that a subscription model, like the one we are announcing, is a valid form of consent for an ads funded service."
Judin indicated Norway does not recognize Meta's subscription initiative as GDPR compliant or sufficient to lift the ban.
"We have strong concerns regarding Meta's proposed 'consent' mechanism," Judin said. "Meta has been informed about these concerns, but for some reason they still chose to make their public announcement, disregarding critical comments already put forth by regulators."
EDPB Head of Information and Communications Greet Gysen told the IAPP Ireland's DPC "is currently evaluating" Meta's new consent approach and "it is too soon" for the EDPB to judge its compliance. The evaluation will occur "in narrow cooperation with concerned (supervisory authorities)," she said.
The changing advertising landscape
The fate of Meta's business model was sealed when Ireland's DPC issued its 390 million euro fine in January that included binding orders from the EDPB that mirror the complaint by Norway's DPA. The DPC said at the time that the decision focused on how "Meta Ireland is not entitled to rely on the 'contract' legal basis in connection with the delivery of behavioural advertising."
According to privacy technologist Gilbert Hill, CIPM, all adtech companies in the EU have been on unofficial notice since that January decision considering Meta's place and connections in the space.
"Any player in the 'lumascape' of 5,000 European adtech businesses plugs into Meta and/or another of their digital properties," Hill said. "And under GDPR, responsibility is shared among processors so yes, this does concern the entire ecosystem. It should provide an opportunity for all the stakeholders to look at some of the tools and business models suggested by privacy sandboxes in particular."
Meta's reliance on service agreements for user consent to process data is not a practice exclusive to its services. Luxembourg's National Commission for Data Protection fined Amazon 746 million euros for similar consent-related GDPR violations in July 2021. However, the fine was suspended in a ruling by the Administrative Court of Luxembourg later that year.
The European Commission also cited Google's targeted advertising practices as problematic and reportedly had plans in July to file an antitrust complaint to address the issues and break up the company's adtech business.
"I hope that the Norwegian DPA's decision will be the start of a meaningful, industry-driven change in the digital advertising market," AWO EU Policy Consultant Nick Botton said. "Our study argues that the decentralised nature and complexity of digital advertising means that the GDPR's enforcement structure is inadequate to deal with compliance problems in the market. I would love to be wrong on this though."
European Publishers Council Executive Director Angela Mills Wade said the latest binding decision "provides for consistency across the EU" while noting the January fine and binding order asked Meta to make necessary changes that it did not respond to. Despite discussions to act and reform practices since January, Meta "must now do so if they want to continue to operate within the law," Wade added.
New practice, same problem?
Meta spent the months following the DPC's decision pondering its next move to maintain a compliant ad-based business model, with its efforts being ramped up by Datatilsynet's interim ban. The company reportedly began circulating a plan to offer opt-outs to EU users in March before landing on its ad-free subscription model, which it formally proposed to EU regulators at the start of October.
The compliance of the new subscription model is based on a 4 July decision for the Court of Justice of the European Union in a case raised by the German Federal Cartel Office on the validity of Meta's reliance on user contracts for processing.
"Whether 'pay or okay' is acceptable needs to be assessed on a case-by-case basis, and in this case we think that it is not," Datatilsynet's Judin said. "Considering the power imbalance between Meta and its users, which is the primary concern of the CJEU in the Bundeskartellamt judgment, we doubt that the purported consents will be 'freely given' as required by the GDPR."
Subscription as means for consent and maintaining a business model raises questions regarding a perceived shift to "paying for privacy." Wade said DPAs are devising guidance on the matter and ongoing court cases, adding both are "likely to bring further clarity" to whether subscription-based consent is valid.
Botton opined Meta has other avenues it can explore before another "go around the block" with this matter potentially being raised back to the CJEU.
"Meta is one of the richest companies on earth, and could realistically start relying on contextual advertising more," Botton said. "It's unclear what the revenue impact of this would be, but I doubt that they would go bankrupt, given the competitive advantage they get from their large quantities of users."
Editor's note: A prior version of this story indicated social news aggregator Reddit removed EU user opt-out capabilities from its website. The platform did so for select jurisdictions, but opt-outs remain available to EU users.
