Major EU privacy decisions over Meta’s legal base for advertising raise new complaints • TechCrunch
Privacy watchers want to understand the legal rationale underlying two important decisions against Meta in the first day of this month – dismissed Facebook and Instagram’s claims of the need for a contract as a valid legal basis for running behavioral ads against users in the European Union – detailed refinement is now possible after the complainant, privacy group noybpublished the decision documents online.
You can find page 188 Facebook’s decision here and 196 pages Instagram’s decision here — both feature editing done by Meta because it is allowed to remove commercially sensitive information, so some interesting details are missing.
(For example, a paragraph in the Facebook document where the company provided an estimate of the time it would take to apply the compliance orders was blacked out, along with another sentence in this section detailing the work involved. So we can only speculate whether words are really covered here – or just a line of screaming emojis.)
Meta’s main data protection regulator, the Irish Data Protection Commission (DPC), made the final decision but after just over a year of dispute with EU DPAs disagreeing with the decision of the surname. draft decision (no objection to Meta’s claim of contractual necessity for micro-targeted advertising); and finally, after making a binding decision by the European Data Protection Board (EDPB) — resolved the dispute by forcing the DPC to refuse Meta’s request for the necessity of a contract.
The EDPB also asked Meta to significantly increase the size of its financial penalty for violating the EU’s General Data Protection Regulation (GDPR).
So, while the Irish DPC’s name and trademarks appear on these documents, they are the product of a co-management process incorporated into the GDPR, through a collaborative mechanism to handle cross-border cases.
The details in the document prompted fresh attacks on the DPC over the agency’s much-criticed approach to GDPR enforcement – there’s no question as to why the Irish regulator modified the (binding) decision EDPB – which it said requested ata period of three months to comply with the order from when the order is served (aka sometime in December) — until the district’s decision is served (around January). Noyb argued: “It seems illegal for the DPC to walk away from the EDPB decision.
It also has the problem that the DPC is clearly narrowing the scope of the EDPB decision – to limit it to Only handle for ads.
“It appears that other aspects of the complaint have not been addressed by the DPC, which in itself may be illegal,” it suggested.
noyb also raised concerns about the extent of financial sanctions imposed by the Irish regulator — which the DPC was ordered by the EDPB to re-evaluate and significantly increased by its binding decision that violated the legal basis. (and GDPR’s fairness principle), not just as transparent as the original decision of the District People’s Committee.
The privacy group points out that the Irish regulator has chosen to impose the smallest penalty in relation to the “truly illegal processing of personal data of millions of EU users” – just €60 million in the case of In the case of Facebook and 50 million euros in the case of Instagram , represent a very small fraction of the revenue that Meta was able to generate during this time period while illegally processing people’s data.
noyb went on to warn that DPC decisions may not end a case that has dragged on more than 4.5 years since the original “required consent” complaints were filed back in May 2018. – as it considers that the regulator’s findings do not appear to adequately address its complaints because decisions focus on personalized advertising and do not address issues such as data use personal data to improve the Facebook platform or for personalized content (also requires a valid legal basis under European Union law).
Another issue worth noting is the DPC’s refusal to carry out the additional investigations requested by the EDPB — something the DPC is challenging by violating jurisdiction and seeking to cancel, as we reported. in the first day of this month.
It also flagged another conflict it said could lead to an appeal of the decision – pointing out that under Austrian or German law (aka noyb law), the complaint defines the scope of the procedure — while it says the DPC believes that under Irish law it may limit the scope of complaint, adding:noyb may have to appeal the decision on this basis.”
DPC has been contacted for comment.