The Court of Justice of the European Union ruled on Tuesday, July 4 that the data processing of Meta, the parent company of Facebook, Instagram, and What’s App, is illegal under GDPR.
The ruling cited Meta’s practice of combining the data collected from individual users on various platforms to more precisely target advertisements as an abuse of its market dominance. In other words, Meta can’t process the data from Facebook, Instagram, and What’s App together to create user profiles employed in delivering advertisements.
The suit had been brought against Meta by Germany’s monopoly watchdog, the Bundeskartellamt, arguing that the GDPR empowered it to monitor unfair data collection and processing, and the court agreed.
“The judgment will have far-reaching effects on the business models used in the data economy,” tweeted Andreas Mundt, head of the Bundeskartellamt.
Meta said it was still considering how it would proceed following the ruling.
The consumer privacy watchdog group NOYB welcomed the ruling.
“We welcome the CJEU decision,” NOYB’s Max Schremes said in a statement. “It further clarifies that Meta cannot simply bypass the GDPR with some paragraphs in its legal documents.”
Meta has so far avoided a direct yes or no consent button to tracking and data collection on its platforms by including data collection in its terms of service on the legal basis that targeted advertising is part of its core services. The CJEU has undermined this legal standing, according to NOYB.
“This will mean that Meta has to seek proper consent and cannot use its dominant position to force people to agree to things they don’t want,” Schremes added.
Schremes also said that the ruling will support NOYB in an ongoing suit against Meta in Ireland.
The ruling landed on the same day the EU Commission presented a proposal for detailed regulations to facilitate enforcement of its flagship General Data Protection Regulation (GDPR) in cases that stretch across member states’ borders, a proposal that NOYB met with sharp criticism.
According to the EU Commission, the proposal is designed “to streamline cooperation between data protection authorities (DPAs) when enforcing the General Data Protection Regulation in cross-border cases.”
Under the proposed procedural regulations, the lead Data Protection Authority would be required to send a “summary of key issues” to the DPA in other countries involved in the case. It also clarifies what complainants need to submit and their rights to be heard both in instances where their case is rejected and during the procedure if the DPA finds they have a case. It also details the involvement with the DPA’s proceedings for businesses accused of GDPR violations, their rights to access the case file, and the content of the case file.
The Commission hopes the new rules “will smoothen cooperation and enhance the efficiency of enforcement.”
According to the Commission, the proposal stems from the 2020 annual report on the GDPR, which cited the different procedural rules in member states as problematic.
The consumer watchdog group NOYB called the proposal “flawed.”
“Currently the GDPR only tells DPAs to cooperate but lacks the details about how this cooperation should work. Unfortunately, the Commission proposal seems to be technically and materially flawed and rather strips citizens of existing rights than ensuring their enforcement,” it said in a statement on its website. “The proposal seems to be based mainly on (some) DPA’s demands to remove citizens from procedures to ‘simplify’ them.”
It criticised the proposal for merely trying “to plug individual holes in the system,” inadequacies that became evident during previous disputes over GDPR:
The Commission proposal does not take a systematic approach, delegating jurisdiction to Member States for certain parts of the procedure and ensuring that there are European minimum standards. Instead, the Commission proposal seems to implant certain European elements into existing laws—leading to a hybrid between EU and national laws and procedures.
In addition to being too narrow, according to NOYB, it also tips the balance in favour of businesses by allowing companies to be “heard throughout” the investigation while individuals are only heard “in a minimal manner.” It also criticises the proposal for allowing businesses access to the case file but not complainants.
“This could lead to cementing existing problems [set] before opaque regulators such as the DPC rather than solving them,” the group warned.
The Austria-based watchdog has filed cases throughout the EU, many leading to actions against data gatherers.
On Monday, July 3rd, three companies in Sweden were ordered to stop using Google Analytics, and one company was fined the equivalent of more than $1.1 million in a case brought by the NOYB.
Since the Court of Justice of the European Union struck down the data-sharing agreement between the EU and the U.S. under the GDPR, a new arrangement has yet to be reached, forcing companies using the American company’s data analysis program to find their own workaround for GDPR compliance.
But in what NOYB calls another blow to free speech in favour of corporations, the Irish parliament passed a law on June 29th that prohibits sharing information about possible GDPR violations under investigation by the Irish Data Protection Authority.
NOYB doubts the constitutionality of the controversial law that barely passed.
Now, it will likely become an EU-wide issue, and watchdogs like NOYB will be keeping an eye on it, too.
