Meta—and many other Big Tech firms—just got an unwelcome Independence Day surprise, after the European Union’s top court blew up the legal basis for the Facebook owner's core business model of targeted advertising.
The direct result of the ruling will likely be a German ban on Meta’s customary combination of user data from its WhatsApp and Instagram platform—and data derived from tracking people as they visit third-party websites—with users’ Facebook data, to provide personalized advertising on the company’s longest-running social network.
But the ruling from the Court of Justice of the EU (CJEU) could fatally undermine Meta’s last remaining legal justification for providing targeted advertising anywhere in the EU. With Meta also facing a ban on exporting Europeans’ personal data to the U.S., its future in the region is seriously in doubt. And as much of Big Tech was relying on the same justification, there could be massive repercussions across the sector.
Antitrust + privacy
The case the CJEU just ruled on dates back several years. In early 2019, the German antitrust authority—the Bundeskartellamt or Federal Cartel Office—decided that Facebook was abusing its dominant position in the social-networking market, by combining data from different platforms to provide more targeted advertising.
The regulator said Facebook wasn’t really getting users’ voluntary consent for this extensive profiling, even though it was in the terms of use that they agreed to, because they had no choice but to agree, if they wanted to use the leading social network. Therefore, it argued, Facebook was both breaking the terms of the EU’s General Data Protection Regulation (GDPR) and illegally using its power as market leader to do so.
This was an unprecedented decision because it partially involved a competition authority wielding the power of the EU’s tough privacy law, which is usually enforced by data protection authorities. Facebook naturally appealed, which ultimately led to the CJEU ruling handed down Tuesday morning.
In its ruling, the CJEU confirmed that competition authorities such as the Bundeskartellamt can indeed look at a company’s compliance with other laws, such as the GDPR, when deciding if the company is breaking antitrust laws—although the competition regulator has to defer to whichever privacy regulator has jurisdiction over the company, if that watchdog has already ruled on the same issue.
That in itself has major implications for the future of antitrust and privacy enforcement in the EU—it bolsters a growing trend of regulators, including those in the U.S., seeing Big Tech’s data troves as a potential competition issue. "The judgment will have far-reaching effects on the business models used in the data economy," said Andreas Mundt, president of the Bundeskartellamt, in a statement welcoming the ruling.
"In a complex digitalized economy, more than ever we need authorities to think outside the box and to consider data protection when dominant companies break antitrust rules. This is a good step forward," said Ursula Pachl, deputy director general of the European Consumer Organisation (BEUC).
But the ruling’s real bombshell is its assertion that, without real consent from the user, Meta can’t claim it has a “legitimate interest” in processing people’s data for personalized advertising.
No ‘legitimate interest’
This is huge because, under the GDPR, companies have to claim some kind of legal basis—there's a list—if they want to process Europeans’ personal data. Over the years, Facebook/Meta’s viable options have been whittled away by regulatory decisions and court rulings, and a few months ago the company retreated to what it saw as its last option: having a “legitimate interest” in processing people’s personal data for ad targeting. The court just rejected that claim, saying Facebook needs real user consent for this mix-and-match profiling.
“We are evaluating the Court’s decision and will have more to say in due course,” said a spokesperson for Meta. (Tuesday is a federal holiday in the company’s native U.S.)
Privacy campaigners are ecstatic. Max Schrems, the activist lawyer whose long-running case against Facebook/Meta led the CJEU to invalidate multiple EU-U.S. data-sharing agreements—and triggered the looming ban on Meta sending Europeans’ data to the U.S.—said the latest ruling shows “Meta cannot simply bypass the GDPR with some paragraphs in its legal documents.”
“This will mean that Meta has to seek proper consent and cannot use its dominant position to force people to agree to things they don't want,” Schrems said in a statement. “This is a huge blow for Meta, but also for other online advertisement companies. It clarifies that various legal theories by the industry to bypass the GDPR are null and void."
This week also brought some fresh news regarding the prospects of a new EU-U.S. data-sharing agreement, which would at least allow Meta to keep exporting personal data to the U.S.—even if it finds itself unable to use it for personalized ads in Europe.
The CJEU sunk the previous agreements because U.S. companies cannot protect Europeans’ data from the prying eyes of U.S. spies, and because Europeans couldn’t meaningfully complain about this happening. The European Commission and the White House have come up with a replacement that they hope will get approval from EU countries, and U.S. Commerce Secretary Gina Raimondo said Monday that her side had now done what it had promised under that new agreement—the U.S. has added new safeguards to its intelligence activities, and Attorney General Merrick Garland has now authorized giving Europeans redress in the U.S., if the deal comes into effect.
It remains to be seen whether that will be enough to push EU countries to approve the deal. The EU’s data protection authorities have raised concerns about whether the new agreement really does give adequate protection to Europeans’ data when it goes to the U.S., and activists such as Schrems predict it would ultimately be scuppered by the CJEU, just like its predecessors.