Date: 2023-01-05
Irish Data Protection Authority, Under Pressure From Other EU Officials, Says Meta’s Clickwrap Agreement Is No Legal Basis For Targeted Ads
from the much-ado-about-something dept
Some big news out of the EU this week as the Irish data protection authority has fined Meta over $400 million, claiming it violated the GDPR. The full details of the ruling are not yet out (apparently, the officials are working with Meta over what needs to be redacted — which is not out of the ordinary in the EU, but still feels sketchy), but the basic idea is that Meta sought to get around some of the GDPR’s consent rules regarding using data for customization / targeting by including “consent” directly in the terms of service. The Irish regulator overseeing the case had initially indicated that this was legitimate, but apparently changed their minds.
Meta is pushing back on the ruling, claiming that the GDPR allows you to collect and process this data for personalization so long as it’s considered a “contractual necessity.”
GDPR allows for a range of legal bases under which data can be processed. The rules of GDPR are clear: there is no hierarchy between these legal bases – none should be considered better or more legitimate than any other. Which basis is most appropriate to use depends on the specific situation. Like many companies, Meta uses a combination of legal bases to provide various services.
Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service. To date, we have relied on a legal basis called ‘Contractual Necessity’ to show people behavioural advertisements based on their activities on our platforms, subject to their safety and privacy settings. It would be highly unusual for a social media service not to be tailored to the individual user.
That said, there’s a bit more background here that is worth understanding. As you may recall, last year, we noted that officials on the EU Commission were getting annoyed that the Irish data protection authority was seen as going easy on US internet companies. There has been a variety of efforts to update the GDPR to effectively give more power to either the Commission itself in Brussels, or possibly other country data protection authorities, to avoid the situation where US companies set up an EU “headquarters” in Ireland in order to be regulated by that DPA.
Given that, the Irish DPA has been somewhat under pressure to come up with a scalp to show the rest of the EU to prove that it’s “serious.” This is why we’ve mentioned that Elon Musk’s Twitter might be an easy target. But, as always, going after the “big guys” is always preferable.
This might also explain why it looked like the Irish regulators were originally okay with Meta’s clickthrough / browserwrap arrangement, and then reversed course.
While it’s fun to see Meta struggle (especially given all the troubles it’s had recently after Apple effectively kneecapped a whole bunch of Meta’s data collection efforts) and face some consequences after playing fast and loose with data for years… it does feel like this kind of decision could have seriously problematic consequences going forward. I’m loath to give Meta any credit for anything that it does, but it’s kinda true that when people are signing in to most social media these days they do expect personalization.
Are there ways that Meta could give users a lot more control? Yes. Could Meta be more transparent about how it’s using data? Also yes. But I fear that the end result of this ruling is that we’re going to just end up with even more useless and annoying “cookie pop up” type warnings in which every company is going to feel the need to make you “opt-in” to personalization over and over again in a manner that is extremely annoying and does nothing to really protect anyone’s privacy.
But, alas, this is the state we live in today with the European approach to privacy laws, where most of the focus is just on getting companies to do something that is annoying for users, but which allows politicians to claim that they’re “protecting your privacy.”
Filed Under: browserwrap, clickwrap, eu, fines, gdpr, ireland, irish dpc, privacy
Companies: facebook, instagram, meta
Comments on “Irish Data Protection Authority, Under Pressure From Other EU Officials, Says Meta’s Clickwrap Agreement Is No Legal Basis For Targeted Ads”
I think the big issue here is that “personalization” and “targeting” are NOT the same thing. One is the user selecting what content they want to see and how they want to see it, and the other is Meta and their affiliates selecting who to share their content with based on those personalization metrics.
The end result might be the same, but the PII is being used and managed very differently for each of those scenarios — they aren’t the same, even though they may sometimes produce the same results from the same inputs.
Unfortunately, the GDPR is written in such a way that everyone can claim that their interpretation is the correct one, and the focus on actual data privacy regulation (as opposed to data holder regulation) can be lost.
shady law
Given that, the Irish DPA has been somewhat under pressure to come up with a scalp to show the rest of the EU to prove that it’s “serious.”
That seems kind of shady. Each case should be decided on its own legal merits, not under pressure to make a statement.
The GDPR is popular legislation that does its job. Corporate mouthpieces proposing initiatives to water it down means that it’s working. The comments to that Ars article highlight how the author is full of it, why the GDPR was needed, and how a lot of the arguments against its current form are really terrible arguments.
TD’s continual treatment of the GDPR as ineffectual, or as if it’s Europe wanting to hunt for scalps of big companies, feels more and more disingenuous as time goes on.
Re:
Except how TD all the time comments on the need for better, stronger privacy protection and stuff.
The GDPR had some good ideas, but actual wording and implementation has been less than stellar.
That it annoys some large companies is ok, but it doesn’t seem to be herding them in the proper direction. More like they are developing antibiotic resistance.
The original American approach
It feels a bit strange (as a European reader) seeing all this concern over the GDPR from Americans. Sure these cookie banners are annoying. But I believe all companies collect waaaaay too much data about me. So what do we do about it?
a) give users the choice if they want to do business under these circumstances
b) force companies not to do any of this
c) ignore the whole situation
Naively I’d have thought that a) would be preferred over b) by Americans as well. Aren’t you guys all about choice and not telling companies how to conduct their business? Personally I’m quite happy with c) (working as intended with the USB-C regulation). So I always feel a) is a compromise that acknowledges that Facebook isn’t going to 100% change everything for the EU. So at least we’re asked and then we click „accept all“.
I am a teacher. The kids are sooo annoyed when I start the „Manage cookies – Reject all – Accept“ hunt on YouTube during class. It’s funny and sad at the same time.
Re:
It’s like you didn’t read the article. Pass on having you as a teacher.
Also why would you need to manage cookies every time you start a video? Seriously what is that even.