Privacy advocates have the opportunity to analyze the regulatory reasoning behind two recent decisions against Meta that rejected Facebook and Instagram’s legal argument for behavioral advertising. noyb, a privacy rights group, has published corresponding documents online.
The Facebook and Instagram decisions are available here – 188 pages for the former and 196 for the latter. Meta was permitted to redact certain commercially sensitive information, so some key details may be absent.
We can only speculate what’s been redacted from the Facebook document—whether words or just a line of emojis.
After more than a year of dispute between Meta and EU Data Protection Authorities (DPAs) over the use of microtargeted ads, the Irish Data Protection Commission (DPC), Meta’s lead regulator, issued its final decision. This followed a binding decision by the European Data Protection Board that forced DPC to reject Meta’s claim of contractual necessity.
The EDPB ordered Meta to drastically raise the fine for violating GDPR.
The Irish Data Protection Commission (DPC) is involved in a co-regulatory process dictated by the GDPR, which uses a cooperation system to handle cross-border cases.
The DPC has been heavily criticized for its approach to GDPR enforcement, and noyb is questioning why the Irish regulator amended a binding EDPB decision that requested a three month period for compliance with the order from December (when it was served) to January (when the DPC’s decision was made). noyb believes this departure from what was decided by EDPB is unlawful.
The DPC is criticized for allegedly constricting the EDPB’s decision to just data processing for advertising.
The DPC’s failure to address other aspects of the complaint may be illegal, according to the report.
noyb questions the financial penalty set by the Irish regulator, which – according to a binding decision from EDPB – must be reassessed and significantly increased due to a breach of legal basis (and GDPR’s fairness principle) beyond transparency as previously determined by DPC.
The privacy group critiques the Irish regulator for only levying a minimal fine–€60M for Facebook and €50M for Instagram–for unlawfully processing data from millions of EU users, considering how much revenue Meta has made during this time.
noyb cautions that resolution of the long-running case stemming from initial complaints lodged in May 2018 regarding “forced consent” may not be reached even after the DPC’s ruling, as their focus on targeted ads doesn’t tackle other issues such as using private data to improve Facebook or for personalized content (which necessitates lawful authorization under EU law).
The DPC has denied the EDPB’s request to carry out more investigations, arguing it is a jurisdictional overreach. This was reported in earlier this month.
noyb could appeal the decision on the grounds that under Austrian or German law, the complaint defines procedure scope; however, Irish law may limit it.
The DPC was asked for comment.