Meta’s tracking ads business could face further legal setbacks in the European Union: An influential aide to the bloc’s top court confirmed on Thursday that the region’s data protection laws limit the amount of time people’s data can be used for targeted advertising may be used.
In the non-legally binding opinion, Advocate General Athanasios Rantos said the use of personal data for advertising purposes must be limited.
This is important because Meta’s tracking ads business relies on collecting large amounts of personal data to profile individuals and target them with advertising messages. Any restrictions on the use of personal data could limit the company’s ability to benefit from people’s attention.
A final decision on this point has yet to be made – it usually comes three to six months after the AG’s opinion – but the Court of Justice of the European Union (ECJ) often takes a similar view to its advisers.
The ECJ’s job, meanwhile, is to clarify the application of EU law, so its rulings are closely watched as they guide how lower courts and regulators uphold the law.
Proportionality within the framework
According to AG Rantos, data retention for ads must take into account the principle of proportionality, a general principle of EU law that also applies to the bloc’s data protection framework, the General Data Protection Regulation (GDPR) – for example, when establishing a legal basis for processing. A key requirement of the regulation is to have a legal basis for handling personal data.
In a press release, the ECJ writes emphatically: “Rantos suggests that the court should decide that the GDPR excludes the processing of personal data for an unlimited period of time for the purpose of targeted advertising. The national dish must, inter alia, assess, on the basis of the principle of proportionality, the extent to which the duration of data storage and the amount of data processed are justified in view of the legitimate objective of processing those data for the purposes of personalized advertising.”
The ECJ is examining two legal questions submitted to it by a court in Austria. This concerns a data protection lawsuit from 2020 that Max Schrems, a lawyer and data protection activist, brought against Meta’s adtech business. Schrems is well known in Europe, having already scored several data protection victories against Meta – resulting in penalties that have cost the tech giant well over a billion dollars in fines since GDPR came into effect.
An internal memo from meta engineers obtained by Motherboard/Vice back in 2022 painted a picture of a company unable to apply policies to limit the use of personal data after it was included in its advertising systems, as it had “built a system with open borders”. , as the document said. Although Meta disputed the characterization, claiming at the time that the document “does not describe our extensive data protection compliance processes and controls.”
But it’s clear that Meta’s core business model relies on its ability to track and profile web users to power its microtargeted advertising business. Therefore, strict legal restrictions on its ability to process and retain personal data could have a significant impact on its profitability. That means: Last year, Meta said that around 10% of its global advertising revenue was generated in the EU.
In recent months, European Union lawmakers and regulators have also significantly increased pressure on the adtech giant to give up its addiction to surveillance advertising – with the Commission specifically name-checking the existence of alternative advertising models, such as contextual advertising, when it opened last month an investigation into Meta’s binary “consent or pay” user offering under the market power-focused Digital Markets Act.
A key GDPR steering committee also issued guidance on consent or pay earlier this month, emphasizing that major advertising platforms like Meta must give users a “real choice” in decisions affecting their privacy.
No sensitive data for everyone, free for advertising
In today’s statement, AG Rantos also commented on a second point that was presented to the court: namely, whether the “obvious” publication of certain personal information – in this case information relating to Schrems’ sexual orientation – gives Meta carte blanche subsequent assertion of claims there can be used the sensitive data for ad targeting.
Schrems had complained that he had received advertising on Facebook that targeted his sexuality. He then publicly discussed his sexuality, but argued that the GDPR principle of purpose limitation must be applied in parallel, pointing to a key point of the regulation that limits further processing of personal data (i.e. without a new valid legal basis such as obtaining consent of the user). .
AG Rantos’s opinion seems to agree with Schrems’s. On this point, the press release states (again emphatically): “While sexual orientation data falls into the category of data that enjoys special protection and the processing of which is prohibited, this prohibition does not apply when the data is obviously made public.” by the person concerned. However, processing this data for the purpose of personalized advertising is not permitted from this position.”
In a first reaction to the AG’s views on both legal issues, Schrems, founder and chairman of the European data protection organization noyb, welcomed the statement via his lawyer in the case against Meta, Katharina Raabe-Stuppnig.
“Right now the online advertising industry is just storing everything forever. The law clearly states that processing must stop after a few days or weeks. For Meta, this would mean that much of the information they have collected over the last decade would be off limits for advertising,” she wrote in a statement, highlighting the importance of data retention limits for ads.
“Meta has basically been building a huge pool of data about users for 20 years, and it’s growing every day. However, EU law requires “data minimization”. If the court follows the opinion, only a small portion of that pool can be used for advertising – even if the advertising was approved,” she added.
Regarding the question of the further use of publicly known sensitive data, she said: “This topic is of great relevance for anyone who speaks publicly.” Do you retroactively waive your right to privacy, even if the information is completely unrelated, or can only the statement itself be used for the purpose intended by the speaker? If the court interprets this as a general “waiver” of your rights, it would deter any online speech on Instagram, Facebook or Twitter.”
To get its own reaction to the AG’s statement, Meta spokesman Matthew Pollard told TechCrunch that they would wait for the court ruling.
The company also claims to have “overhauled” data protection since 2019, suggesting it has spent more than €5 billion on EU-related privacy compliance issues and expanding user controls. “Since 2019, we have overhauled data protection at Meta and invested over five billion euros to anchor data protection at the heart of our products,” Meta wrote in an emailed statement. “Everyone who uses Facebook has access to a variety of settings and tools that allow people to manage how we use their information.”
Regarding sensitive data, Pollard highlighted another claim from Meta that it “does not use sensitive data that users provide to us to personalize ads,” as the statement said.
“We also prohibit advertisers from sharing sensitive information in accordance with our terms and filter out any potentially sensitive information that we can detect,” Meta also wrote, adding: “In addition, we have taken steps to remove all targeting options for advertisers .” on topics that are perceived as sensitive by users.”
In April 2021, Meta announced a policy change in this area, stating that advertisers would no longer be allowed to target users with ads based on sensitive categories such as sexual orientation, race, political opinion or religion. However, in May 2022, an investigation by nonprofit data journalism organization The Markup found that it was easy for advertisers to get around Meta’s ban by using “obvious proxies.”
A ECJ ruling from August 2022 also seems very relevant here, as the court confirmed at the time that sensitive conclusions should be treated as sensitive personal data within the meaning of the GDPR. Or to put it another way, using a sexual orientation proxy to target ads requires obtaining the same strict standard of “explicit consent” that directly targeting ads to a person’s sexual orientation would require in order to constitute lawful processing in the EU to ensure.