GDPR vs. Meta Platforms: is it time to change the business model?

“You need to set up targeted ads correctly” is a phrase any business that wants to find effective channels to promote its products or services hears today. On average, we spend about 7 hours a day on the Internet, so social media platforms have become a top sales channel. According to the Better Regulation Delivery Office, several years ago, the e-commerce market in Ukraine alone was worth about UAH 50 billion a year.

It’s no secret that the tech giant Meta Platforms (Facebook) collects all the information it can about its users. Everyone with an account has authorized Meta Platforms to record all their activities on the site. But this is just the tip of the iceberg. Meta Platforms collects data outside of its websites as well: information such as IP address, browser type, viewed ads, frequency of visits to certain websites, and much more is also stored by various online resources, including Facebook Pixel, and then transmitted to Meta Platforms. The company processes terabytes of information every second, creating a detailed portrait of each user. By virtue of their control over users’ data, Facebook, Instagram, TikTok, Pinterest, etc., have become, on the one hand, an ideal platform for business interaction with customers and, on the other hand, personal data controllers whose processing scale is quite impressive.

Meta Platforms’ advertising revenue accounts for the largest share of its total revenue. The company’s financials for 2021 showed that more than 90% of the $118 billion the company earned came from the sale of personalized advertising. And it was only in 2022 that Meta Platforms’ earnings report recognized the first year-over-year decline in advertising revenue in the company’s history, a trend that is expected to continue due to global economic issues affecting the digital advertising market as well.

Why is this important, and what does GDPR have to do with it? 

The General Data Protection Regulation, or GDPR, prohibits data controllers from forcing users to consent to personal data collection in exchange for a service.

For many years, Meta Platforms allowed users to opt out of ad personalization based on data from other websites and mobile apps. However, it did not provide this option for data obtained on its own platforms, such as information about what content a user liked on Instagram. The reason is simple: if users could reject such personalization, Meta would have less information to build target audiences and sell personalized advertising.

At the same time, of the six legal bases for processing personal data under the GDPR, Meta Platforms has since 2018 relied on the performance of a contract (Article 6(1)(b) GDPR) to provide users with the services for displaying personalized advertising based on their activity.

During the dispute with the regulatory authority, Meta Platforms argued that Facebook publicly positions itself not only as a social network but also as a provider of personalized advertising services. That is why Meta Platforms enters into an agreement with users in the form of the Terms of Service (Facebook’s Terms of Service and Instagram’s Terms of Use), which covers the provision of such a service. On this argument, the collection of personal data for the display of personalized advertising is a necessary aspect of the platform’s operation, is conditioned by contractual necessity, and therefore falls under the exception that allows the company to collect personal data for the provision of services.

In a draft decision published last year, the Irish supervisory authority (DPC) supported this view, noting that personalized advertising “is, in fact, the core element of the commercial transaction as between Facebook and Facebook users. It follows that this is a commercially essential element of the contract. As this information is both clearly set out and publicly available, it is difficult to argue that this is not part of the mutual expectations of a prospective user and of Facebook. Finally, it is clear that the service is advertised (and widely understood) as one funded by personalized advertising, and so any reasonable user would expect and understand that this was the bargain being struck, even if they might prefer that the market would offer them better alternative choices.”

At the same time, the DPC found that Facebook violated Articles 5(1)(a), 12(1), and 13(1)(c) of the GDPR by failing to properly notify users of the legal basis for processing their personal data and by failing to provide the information required by users in a simple and easy-to-understand manner. Providing a legal assessment of Facebook’s terms of use, the DPC concluded that “there is no single composite text or layered route available to the user such as would allow them to quickly and easily understand the full extent of processing operations that will take place as regards their personal data arising from their acceptance of the Terms of Service. Each additional layer presents the user with similar information to that already provided as well as some new information which is not easy to identify, as the language used is similar to the information that has been provided before. The user should not have to work so hard to access the prescribed information; nor should there be ambiguity as to whether all sources of information have been exhausted.”

In December 2022, the EU data protection regulator, the European Data Protection Board (EDPB), which considered the draft decision of the Irish DPC, partially supported the DPC’s position and issued a decision against Meta Platforms Ireland Limited (Meta IE). Under that decision, Meta Platforms (Facebook, Instagram) is prohibited from using its terms of service, and in effect the performance of a contract (Article 6(1)(b) GDPR) as a legal basis, for the forced collection of personal data and subsequent ad targeting of Facebook and Instagram users.

It is worth noting that the EDPB has previously clarified in its documents that the performance of a contract cannot be considered a proper legal basis for displaying personalized advertising on the Internet, and the applicability of Article 6(1)(b) GDPR should be assessed separately in the context of each service provided, taking into account what personal data is objectively necessary to provide the service requested by the data subject. Such an assessment may reveal that processing specific personal data is not objectively necessary for providing individual services but is essential for the broader concept of the controller’s business model. In such a case, Article 6(1)(b) GDPR cannot be considered a proper legal basis.

Thus, the EDPB’s decision potentially limits the amount of data that Meta can use to sell personalized advertising, as Meta will no longer be able to rely on Article 6(1)(b) of the GDPR and will have to choose another legal basis for processing users’ personal data for personalized advertising. It is worth recalling that the GDPR provides an exhaustive list of six legal bases. Therefore, potentially, Meta Platforms should start using consent to the processing of personal data (Article 6(1)(a) of the GDPR), the legal nature of which allows for its free provision and free withdrawal. This will effectively allow users to refuse to provide their data for the personalization of advertising at any time and, at the same time, will continue to reduce advertising revenues. As a reminder, in 2022, Meta Platforms had already lost about $10 billion in advertising sales when Apple started requiring mobile applications to allow users to opt out of cross-platform data tracking.

What conclusions should be drawn?  

Firstly, neither the GDPR nor the EDPB explicitly prohibits the personalization of advertising; they only create preconditions for businesses to treat their customers’ data fairly, based on respect for fundamental human rights and freedoms in the era of the data-driven economy. This means no company should be able to mislead users when obtaining their consent to the terms of service. Users should be allowed to decide how their information will be used, including for ad targeting.

Secondly, the global trend towards more profound legislative regulation of the digital world is steadily gaining momentum. It will continue to strengthen, and therefore holding tech giants accountable is an entirely natural process that only confirms the fact that it is time to change the business models that have worked before and respect the right of users to share only the data that meets their reasonable expectations from a particular platform. In this regard, the EDPB has a clear position that the processing of personal data should be carried out specifically within each service provided by the company and cannot be justified by the company’s business model. Meanwhile, Meta Platforms has faced some class action lawsuits for privacy violations, particularly in the UK. Further application of the GDPR will only add impetus to the filing of claims for damages.


