Meta’s ad tracking business could face new legal challenges in the European Union: an influential adviser to the bloc’s highest court said Thursday that the region’s privacy laws limit the duration during which people’s data can be used for targeted advertising purposes.
In his legally non-binding opinion, Advocate General Athanasios Rantos said the use of personal data for advertising purposes should be limited.
This is important because Meta’s ad tracking business relies on ingesting large amounts of personal data to create profiles of individuals in order to target them with advertising messages. Any limits on how it can use personal data could limit its ability to profit from people’s attention.
A final decision on this point remains pending – it usually arrives three to six months after the AG’s opinion – but the Court of Justice of the EU (CJEU) often takes a view similar to that of its advisers .
The role of the CJEU, meanwhile, is to clarify the application of EU law so that its rulings are closely watched as they determine how lower courts and regulators enforce the law.
Proportionality in the framework
According to AG Rantos, data retention for advertisements must take into account the principle of proportionality, a general principle of EU law that also applies to the bloc’s privacy framework, the General Data Protection Regulation (GDPR ), for example when determining a legal basis for processing. . A key requirement of the regulation is to have a legal basis for processing people’s information.
In a press release, the CJEU emphatically writes: “Rantos proposes that the Court declare that the GDPR objects to the processing of personal data for targeted advertising purposes without restriction of duration. The national court must assess, on the basis in particular of the principle of proportionality, to what extent the duration of data retention and the quantity of data processed are justified with regard to the legitimate purpose of processing these data for the purposes of personalized advertising.”
The CJEU is examining two legal questions referred to it by an Austrian court. These relate to a privacy challenge, dating back to 2020, brought against Meta’s adtech business by Max Schrems, a lawyer and privacy activist. Schrems is well known in Europe as he has already racked up several privacy victories against Meta, which led to sanctions that have cost the tech giant well over $1 billion in fines since taking effect. of the GDPR.
An internal memo from Meta engineers, obtained by Motherboard/Vice in 2022, painted a picture of a company unable to enforce policies aimed at limiting its use of people’s data after it was ingested by its advertising systems, because it had ” builds a system with open borders.” , as the document says. Although Meta disputed that characterization, saying at the time that the document “does not describe our extensive processes and controls for complying with privacy regulations.”
But it’s clear that Meta’s core business model relies on its ability to track and profile web users to exploit its micro-targeted advertising business. Therefore, any strict legal limits imposed on its ability to process and store people’s data could have serious consequences on its profitability. To wit: Last year, Meta suggested that around 10% of its global ad revenue was generated in the EU.
In recent months, European Union lawmakers and regulators have also increased pressure on the ad tech giant to abandon its reliance on surveillance advertising – with the Commission explicitly checking for the existence of alternative advertising models , such as contextual advertising, when opened. an investigation into Meta’s binary “consent or pay” user offer last month, as part of the market power-focused Digital Markets Act.
Meanwhile, a key GDPR governing body also published guidance on “consent or payment” earlier this month, emphasizing that big ad platforms like Meta must give users a “real choice” over decisions affecting their privacy.
No sensitive data, free for ads
In today’s opinion, AG Rantos also addressed a second issue that was before the court: whether making certain personal information “obviously” public – in this case, personal information linked to Schrems’ sexual orientation – gives Meta carte blanche to retrospectively claim it can use the sensitive data for ad targeting.
Schrems had complained about receiving Facebook ads targeting his sexuality. He subsequently publicly discussed his sexuality, but argued that the purpose limitation principle of the GDPR should be applied in parallel, referring to a key element of the regulation which limits the further processing of personal data (i.e. (ie without a new valid legal basis such as obtaining user consent). .
AG Rantos’s opinion seems to align with that of Schrems. Addressing this point, the press release notes (always with emphasis): “if data concerning sexual orientation falls into the category of data which benefits from particular protection and whose processing is prohibited, this prohibition does not apply when the data is clearly made public. by the person concerned. However, this position does not in itself allow the processing of these data for personalized advertising purposes.»
In an initial reaction to the AG’s opinions on the two legal issues, Schrems, founder and president of the European privacy non-profit organization noyb, welcomed the opinion, via his lawyer for the case against Meta, Katharina Raabe-Stuppnig.
“Right now, the online advertising industry simply stores everything forever. The law is clear: treatment must stop after a few days or weeks. For Meta, this would mean that much of the information collected over the past decade would become taboo for advertising,” she wrote in a statement emphasizing the importance of data retention limits for ads.
“For 20 years now, Meta has been building a huge pool of user data, and it’s growing every day. However, European legislation requires “data minimization”. If the Court follows the opinion, only a small portion of this pool may be used for advertising purposes, even if you have consented to the advertising,” she added.
Regarding the question of the further use of sensitive data made public, she said: “This question is extremely relevant for anyone making a public statement. Are you retroactively waiving your right to privacy, even for completely unrelated information, or can only the statement itself be used for the speaker’s intended purposes? If the Court interprets this as a blanket “waiver” of your rights, it will cripple all online speech on Instagram, Facebook or Twitter.”
Asked for his own reaction to the AG’s opinion, Meta spokesperson Matthew Pollard told TechCrunch he would wait for the court’s decision.
The company also claims to have “revamped privacy” since 2019, suggesting it has spent more than €5 billion on EU-related privacy compliance issues and expanding user controls. “Since 2019, we have reimagined privacy at Meta and invested more than five billion euros to build privacy into the heart of our products,” Meta wrote in an emailed statement. “Everyone who uses Facebook has access to a wide range of settings and tools that allow users to manage how we use their information.”
Regarding sensitive data, Pollard highlighted another claim by Meta that it “does not use sensitive data that users provide to us to personalize ads,” as the release puts it.
“We also prohibit advertisers from sharing sensitive information under our terms and we filter any potentially sensitive information that we are able to detect,” Meta also wrote, adding: “In addition, we have taken steps to remove all Advertiser targeting options based on topics perceived by users as sensitive.
In April 2021, Meta announced a policy change in this area, saying it would no longer allow advertisers to target users with ads based on sensitive categories such as their sexual orientation, race, political beliefs or religion. However, in May 2022, an investigation by The Markup, a data journalism nonprofit, found that it was easy for advertisers to circumvent the Meta ban by using “obvious proxies.”
A CJEU judgment handed down in August 2022 also seems very relevant here, as the court then affirmed that sensitive inferences should be treated as sensitive personal data within the meaning of the GDPR. Or, in other words, using a sexual orientation proxy to target ads requires obtaining the same strict level of “explicit consent” that direct targeting of ads on orientation would require. of a person for the processing to be lawful in the EU.
techcrunch
