Jannah Theme License is not validated, Go to the theme options page to validate the license, You need a single license for each domain name.

CJEU ruling on Meta referral could close chapter on surveillance capitalism

Mark your calendar European friends: July 4 may soon be celebrated as Independence Day from Meta surveillance capitalism… A long-awaited judgment delivered today by the Court of Justice of the European Union (CJEU) seems to have Completely crushed the social media giant’s ability to continue flouting EU privacy law by denying users free choice about its tracking and profiling.

The decision dates back to a pioneering order by Germany’s antitrust watchdog, the Federal Cartel Office (FCO), which has spent years investigating Facebook’s activities – arguing that privacy breaches should also be treated as an exploitative abuse of competition.

In its February 2019 order, the FCO told Facebook (as Meta still was at the time) to stop combining user data on its own suite of social platforms without their consent. Meta sought to block the order in German courts, which ultimately triggered Meta’s so-called “superprofiling” referral to the CJEU in March 2021.

Now we have the view from the highest court and, well, that won’t spark any celebrations at Meta HQ, that’s for sure.

The CJEU not only agreed that competition authorities can take data protection into account in their antitrust assessments (which sounds wonky but is really vital because working together rather than regulatory silos is the path to effective oversight power of the platform) – but pointed out that consent is the only proper legal basis for the “personalized” content focused on tracking and profiling and behavioral advertising that Meta monetizes.

Here is the relevant bit from the press release:

With regard more generally to the processing carried out by Meta Platforms Ireland, including the processing of “non-sensitive” data, the Court then examines whether it is covered by the justifications, set out in the GDPR, allowing the processing of data carried out in the absence of the consent of the person concerned to be made lawful. In this context, it finds that the need for the performance of the contract to which the data subject is a party can justify the disputed practice only on condition that the processing of the data is objectively essential so that the main object of the contract does not can be carried out if the processing in question does not take place. Subject to verification by the referring court, the Court of Justice expresses doubts as to the ability of personalized content or consistent and homogeneous use of the Meta group’s own services to meet these criteria.

Consent under European data protection law means that users must have the choice to opt out of this type of tracking without having to give up access to the core service. And that’s exactly the choice that Meta has historically denied its users. (Although – surprise, surprise! – just weeks before the CJEU’s judgment, no doubt anticipating what was to come, it announced new controls to allow users to limit its cross-site tracking, albeit with some reduced features if they opt out of tracking, so it remains to be seen whether Meta’s attempt to preempt the decision went far enough.)

Last year, a CJEU counsel took a similar view on the merits of the Meta superprofiling referral. But while the Advocate General’s opinion to the Court was not legally binding, today’s decision is authentic hard law. And that means neither Meta nor EU data protection authorities can ignore it.

This last point is important because the reluctance of some DPAs to vigorously enforce the bloc’s General Data Protection Regulation (GDPR) on tech giants flouting the rules they are supposed to oversee has led to cries that the regulation failed – or at least was hopelessly blocked by forum purchases.

There is no doubt that enforcing the GDPR on Big Tech was a very painstaking process. A major Irish DPA ruling in January finally ruled against Meta’s claim to rely on contractual necessity to run its behavioral advertising. But it’s taken more than four years since the original complaint was filed to get that order (which Meta is also appealing now, so the process isn’t over yet either).

Then, in March, in response to a compliance deadline in the Irish Data Protection Commission (DPC) order, Meta announced that it would change the legal basis it claims for data processing for ads. on another basis not based on consent – known as a legitimate interest.

So, after years of privacy complaints, regulatory investigation and (eventual) enforcement by Meta, Meta has always opted against offering users a clear yes/no choice over its tracking – presumably anticipating being able to spin the process of monitoring its LI claim (and avoid having to reform its privacy-hostile business model) for some time to come. about four years.

However, the CJEU seems to have thrown a wrench in this latest GDPR evasion tactic since EU DPAs cannot ignore the direction of the Court. Ireland should therefore not simply sit idly by and let Meta do so claiming a legal basis of legitimate interest which the CJEU has flagged as inappropriate in this context. And, well, when users are empowered to deny surveillance capitalism, they do so in droves. (See, for example: the impact of Apple’s application tracking transparency on Meta’s advertising activities.)

Clarity from the CJEU on how the GDPR should be applied to ad-supported business models like Meta’s could finally close this chapter on surveillance capitalism.

In its press release on the judgment, the Court writes (with emphasis): “[T]The personalized advertising by which the online social network Facebook finances its activity cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data in question, in the absence of the consent of the person concerned.

We have contacted the Irish DPC for a response to the CJEU ruling and will update this report if we receive one.

The CJEU also chose to underline the need to ensure that the quality of the consent is valid, i.e. that the choice offered to it is truly free (and not manipulated, as by the use of motives dark or by penalizing the user, such as with a below-average service to deny access to their data) – given the imbalance between the market power of a dominant social network and its users, noting in its statement of insists that “it’s up to the operator to prove”.

Furthermore, the Court confirmed that Meta cannot simply evade the legal obligation to obtain users’ explicit consent to process so-called sensitive categories of personal data (such as political beliefs, sexual orientation, race or ethnicity, etc.) – with the conclusion of the Court the fact that users visit or interact with web services does not mean that they have manifestly made their sensitive data public (which would waive the obligation to obtain a explicit consent).

This element of the ruling could fuel a new wave of litigation against Meta for processing users’ sensitive data without getting their explicit consent since Facebook clearly deals with heaps of these things – again without explicitly asking permission.

Still from the CJEU press release:

In addition, the Court observes that the data processing carried out by Meta Platforms Ireland also appears to concern special categories of data which may reveal, inter alia, racial or ethnic origin, political opinions, religious beliefs or sexual orientation. , and whose processing is in principle prohibited by the GDPR. It will be for the referring court to assess whether some of the data collected is indeed likely to allow the disclosure of such information, whether this information relates to a user of said social network or any other natural person.

Max Schrems, the lawyer and privacy rights activist who spearheaded the original complaint against Meta’s “forced consent”, dubbed today “the day the GDPR collapsed for Meta” – arguing that the court has closed the door to all the “loopholes” that the company’s lawyers have sought to press for over the past five years.

In a fuller statement, noyb – Schrem’s privacy rights nonprofit – said the CJEU had declared Meta’s GDPR approach “unlawful”.

“noyb has yet to study the details of this massive judgment. From the holding’s live reading, it appears that Meta/Facebook was not allowed to use anything other than consent for crucial operations it relies on to make profits in Europe,” a- he also wrote, Schrems asserting that Meta will now have to “seek consent and cannot use its dominant position to force people to agree to things they don’t want”.

“It will also have a positive impact on the ongoing litigation between noyb and Meta in Ireland,” he added – referring to the aforementioned decision in Ireland on Meta’s legal basis for advertisements.

BEUC, the European consumer organisation, also welcomed the CJEU’s ruling, suggesting it “paves the way for more effective enforcement against dominant digital platforms”.

For its part, Meta has yet to offer much of an answer to offer. “We are evaluating the court’s decision and will have more to say in due course,” a company spokesperson said.

Meta also recalled an earlier blog post, published after the GDPR breach was discovered in January and updated in March when it moved to LI, where the company then wrote: “To comply, from Wednesday April 5, we are changing the legal basis we use to process certain first-party data in Europe from ‘contractual necessity’ to ‘legitimate interests.’ GDPR clearly states that there is no hierarchy between the bases legal, and none should be considered more valid than another.


Not all news on the site expresses the point of view of the site, but we transmit this news automatically and translate it through programmatic technology on the site and not from a human editor.

Back to top button