After the record fine by the Irish data protection supervisory authority DPC last May (we reported), we can now report on another significant setback for Meta: It lost an important case before the European Court of Justice (ECJ) for the non- compliance in processing Facebook user data (judgment of 4 July 2023, case no. C-252/21).
Hidden “user consent” to the use of “off-Facebook data” found invalid
The proceedings dealt with the processing of so-called “off-Facebook data”: This is data that Meta collects outside its Facebook social network through its other services (e.g., Instagram) or through third-party websites and apps via integrations of its “business tools” (e.g., the Facebook plugin for corporate websites) and which is then associated with the respective Facebook accounts. Users “accepted” this processing of their personal data via mandatory consent to the Facebook terms and conditions and thus also to Meta’s privacy policy when they signed up for Facebook. Meta used this data in particular for advertising purposes.
Meta cannot invoke performance of contract or legitimate interests
The European Court of Justice has now put an end to this practice.
- According to the ECJ, Meta cannot rely on the fulfilment of the Facebook user agreement (art. 6 (1) (b) GDPR) as the legal basis for processing user data for advertising purposes. In this respect, the ECJ emphasised that data processing can only be considered “necessary for the performance of the contract” if it is objectively indispensable, i.e. the contract cannot be performed otherwise. The ECJ was doubtful of this in the present case: For example, personalisation of (advertising) content is useful for Facebook users, but not necessary to be able to offer the services to them, since there is the equivalent alternative of providing the services without personalisation. The seamless use of other Meta services, another argument put forward by Meta, also did not appear to the ECJ to be necessary for the contract, as their use was not mandatory to set up a Facebook account.
- The ECJ also doubted Meta’s legitimate interest in processing user data for personalised advertising (art. 6 (1) (f) GDPR). The ECJ stated that according to recital 47 of the GDPR, the purpose of direct marketing can be considered a legitimate interest. However, even if a social network such as Facebook is free of charge, a user cannot reasonably expect that its operator will process their personal data for personalised advertising without their consent. It must therefore be assumed that the interests of the user outweigh the interest of operators in personalising ads to finance their operations.
In the ruling, the ECJ also commented on the possible sensitivity of the Facebook user data concerned under art. 9 (1) GDPR and the right of action of the Bundeskartellamt (German Federal Cartel Office), which had initiated the proceedings against Meta.
What does the ruling mean for businesses?
In our view, the ruling is not much of a surprise, as it confirms the view that has prevailed for some time and which was recently consolidated with the decision of the Belgian supervisory authority APD regarding the TCF 2.0 advertising standard, meaning that data can generally only be processed for advertising purposes with the consent of the user – with the narrow exception of direct marketing.
Meta has now taken countermeasures and announced that it will obtain consent for behavioural advertising in the future. However, it is questionable whether it will be able to do soin compliance with the GDPR.
For businesses, the ruling reaffirms that they must provide interfaces in their web applications (websites and apps) to obtain and store user consent in a legally secure manner, most prominently as via so-called consent management platforms (“CMPs”).
If required, we can support you in setting up a legally compliant consent management system.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)