Nº172
FEBRUARY 3
2024
LIUBOMIR NIKIFOROV
LEGAL GROUNDS FOR ONLINE BEHAVIOURAL ADVERTISING A CASE STUDY
www.eulawlive.com EU LAW LIVE 2024 © ALL RIGHTS RESERVED · ISSN: 2695-9593
Nº172 · FEBRUARY 3, 2024
Weekend
Edition keep smart
Legal Grounds for Online Behavioural Advertising: A Case Study
Liubomir Nikiforov[1]
1. Introduction
As leaked[2] earlier this year, following the case C-252/21, Meta Platforms Inc v Bundeskartellamt,[3] Meta started charging its European users if they do not consent to the use of their personal data for online behavioural targeting for advertising purposes. This constitutes a new strategy for Meta in response to EU data protection regulation. It follows the judgment of the Court of Justice of the European Union (CJEU) that the company has been illegally processing personal data, the Norwegian DPA’s decision to temporarily ban Meta’s online behavioural targeting,[4] and the EDPB ban on non-consent-based targeting.[5] The ‘Pay for your rights’ solution, however, seems to be unsuitable under current data protection law. Thus, the present Long-Read will look at the conundrum Meta is facing, related to the appropriate lawful grounds for online behavioural-targeted advertising under Article 6 of the General Data Protection Regulation (the ‘GDPR’).[6] After the CJEU ruling, Meta can no longer avoid users’ consent by relying on ‘performance of a contract’ under Article 6(1)(b) or on ‘legitimate interests’, following Article 6(1)(f). In addition, I explain the reasons why the consent mechanism is burdensome for companies such as Meta. I provide three reasons why Meta’s new approach, where users have the choice to pay in order not to be targeted with behavioural ads, is not a real alternative to consent, which ultimately makes it invalid.
1. PhD researcher at Vrije Universiteit Brussel, lyubomir.nikiforov@vub.be.
2. Sam Schechner, ‘Meta Plans to Charge $14 a Month for Ad-Free Instagram or Facebook’, The Wall Street Journal (2023).
3. Judgement of the Court of Justice of 04 July 2023, Meta Platforms Inc. v Bundeskartellamt, (C-252/21, EU:C:2023:537).
4. Datatilsynet (Norwegian Data Protection Authority), Temporary Ban on Behavioural Advertising on Facebook and Instagram, Datatilsynet (2023).
5. EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta, EDPB (2023).
6. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119, p 1.
2. Legal grounds for online behavioural targeting
The million-euro question of the last couple of years: what legal grounds could a social media giant use in order to track its users’ online behaviour? Recently Meta has received another judicial blow[7] concerning its search for an appropriate legal basis for its advertising business. In order to provide an initial overview of the complexity of the issue at stake, we first need to consider the conundrum Meta is facing.
Online behavioural advertising is based on the observation of individuals’ actions and characteristics while browsing in order to develop a specific profile of an individual. The main idea is to provide tailored advertisements matching data subjects’ particular lifestyle, opinions, and tastes.[8] The technology works by placing tracking text files, commonly known as ‘cookies’, in the user’s device or browser. Depending on the service provider’s objective, there are different types of cookies.[9] Of particular interest for online targeting are persistent third-party cookies, whose objective is to collect data over a long period for subsequent advertising purposes. They are particularly problematic due to the challenge they pose to the available lawful grounds for their deployment.
As required by Directive 2002/58/EC (the ePrivacy Directive),[10] and outlined in the GDPR, notice and consent is the only mechanism to be used for a lawful third-party cookie deployment. Article 6(1)(a) of the GDPR establishes consent as a lawful ground for data processing, while the specific requirements and conditions to be met for its validity can be found in Article 4, and Articles 7 to 9. Furthermore, the GDPR contains a definition of consent in its Article 4(11), where it is described as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
7. Judgement of the Court of Justice, Meta Platforms Inc. v Bundeskartellamt, supra note 3.
8. Article 29 Data Protection Working Party, Opinion 2/2010 on Online Behavioural Advertising, (2010).
9. Id.
10. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ 2002, L 201, p 37.
The GDPR requires that controllers ensure that users’ conscious actions lead to consent and should design their notice mechanisms so that they comply with the consent validity requirements. In this sense, it is important to clarify two points.
First, whenever data controllers rely on consent for the processing of personal data they should make sure that it is obtained through clear manifestation of the data subject’s will. As put by the European Data Protection Board (EDPB), ‘merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation.’[11] In other words, the data controller should have undeniable proof that the data subject has taken deliberate action to consent to the collection of his/her data.
Second, drawing on the Guidelines of the EDPB on consent, consent cannot be considered ‘freely given’ if no other alternatives were available to the users within the services of the same provider, nor if an individual was forced to consent.[12] This implies that when data subjects consent to third-party cookies without any alternatives to access the first-party digital service, the user’s consent is invalid.
Furthermore, from a formal point of view, a consent notice should include controllers’ identity and a detailed list of all the purposes of the processing as well as information about any further data management.[13] This requirement is challenging when it comes to online targeted advertisement because it is technically difficult to provide a thorough description of the purposes for which the collected data would be used due to the enhanced inference capacities of big data analysis.
Those conditions, together with the requirement in Recital 32 of the GDPR that the notice’s text should be ‘understandable’ for the user in order to qualify as ‘informed’, keep compliance with data protection regulation in the online advertising industry a challenge. In order to avoid tackling those issues and to circumvent the consent requirements in the GDPR, Meta has been exploring other legal grounds for obtaining users’ data for advertising purposes, such as performance of a contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)).[14] However, they proved unsuitable following the ruling of the CJEU in Case C-252/21 Meta Platforms Inc v Bundeskartellamt, from July 2023.
Under the EU data protection regulation, and as confirmed by the EDPB and CJEU decisions, Meta has little room for interpretation when it comes to the adequate lawful basis for behavioural targeting. As required by the ePrivacy Directive, and outlined in the GDPR, notice and consent is the mechanism to be used for a lawful third-party cookie deployment and data processing. In this context came Meta’s strategy aimed at avoiding dealing with consent.[15] Some news outlets in Europe already practice forms of paywall barriers.[16] Similarly, different competitors in the social networks market developed with varying success their own policies regarding ad-free versions of their services.[17] Although the strategy is familiar, as Ribera Martínez (2023) shows, Meta’s decision is, at least, innovative because it represents a new approach to collecting personal data by large online platforms.
11. European Data Protection Board, Guidelines 05/2020 on Consent under Regulation 2016/679 Version 1.1, (2020).
12. Id.
13. Article 5(b) and Recital 42, GDPR.
14. CJEU declares Meta/Facebook’s GDPR approach illegal, Noyb (2023).
15. Schechner, supra note 2.
16. News Sites: Readers need to ‘buy back’ their own data at an exorbitant price!?, Noyb (2021); Meta (Facebook / Instagram) to move to a ‘Pay for your Rights’ approach, Noyb (2023).
3. How this point was reached
Some would say it all started with the GDPR entering into force in 2018,[18] others, on 31 December 2022 with the Irish Data Protection Commission’s (Irish DPC) decisions.[19] Those decisions found that Meta (concerning Facebook, back then, and Instagram, both under Meta today) could not rely on Article 6(1)(b) GDPR, performance of a contract, for its processing of personal data for the purposes of behavioural advertising in the context of their services. Meta was ordered to bring those processing activities into compliance with Article 6(1) GDPR within three months. On 5 April 2023, the Irish DPC shared with the other supervisory authorities documents[20] indicating that Meta has shifted its legal basis to Article 6(1)(f), legitimate interests. As the communication from the Norwegian Data Protection Authority (Norwegian DPA) read, on 5 May 2023, the Norwegian DPA formally requested the Irish DPC, as lead supervisory authority, to temporarily impose a ban on Meta’s personal data processing for behavioural advertising purposes. This request was turned down.
Shortly after, on 4 July 2023, the CJEU issued its decision in Case C-252/21, Meta Platforms Inc v Bundeskartellamt.[21] In this judgment, the Court interprets Article 6 GDPR and holds that Meta cannot rely on Article 6(1)(f) for processing of personal data for behavioural advertising. The Court’s decision suggests that Meta has been processing personal data for the purposes of behavioural advertising without lawful grounds since 2018, when the GDPR entered into force. In this context, the Norwegian DPA announced[22] on 17 July 2023 that it had issued a temporary ban on Meta’s processing of personal data for advertising based on behavioural targeting techniques. It is the first European data protection authority to take this step. The ban lasted for three months, from 4 August 2023 until 3 November 2023. The possible options before Meta are either to comply and shift to consent as the only lawful ground for personal data processing for behavioural targeting or to litigate in Oslo, and face fines.[23] However, this decision is not binding for the other data protection authorities.
17. Alba Ribera Martínez, Op-Ed: ‘The Ambivalence of Rejecting and Granting Consent: Ad-F(r)Ee Digital Services’ EU Law Live, 16 October 2023.
18. Meta (Facebook / Instagram) to move to a ‘Pay for your Rights’ approach, supra note 14.
19. Inquiry IN-18-5-5, EDPB (2022); Inquiry IN-18-5-7, EDPB (2022).
20. Urgent and Provisional Measures - Meta (Ref. num. 21/03530-16), Datatilsynet (2023).
21. Judgement of the Court of Justice, Meta Platforms Inc. v Bundeskartellamt, supra note 3.
22. Datatilsynet (Norwegian Data Protection Authority), supra note 4.
23. By the time of the publication of this document, no information on the next steps taken by Meta is known to the author.
Therefore, the Norwegian DPA requested an urgent binding decision.[24] On 27 October, the EDPB adopted a binding decision imposing a ban on the processing of personal data for behavioural advertising on the grounds of Articles 6(1)(b) and (f).[25] Some celebrated the CJEU’s judgement as a turning point and even an ‘independence-from-Meta’s-surveillance-capitalism-day’.[26] However, the saga around Meta’s approach to EU data protection does not seem to end here.
On 3 October 2023, a media outlet published an article reporting on a meeting in September with regulators in Brussels, during which Meta’s officials presented their plan to tackle EU data protection rules. The idea is to give European users a choice between free access to its social media platforms with personalized ads and a subscription to a paid version without ads. As Ribera Martínez (2023) points out, it is not clear whether this policy has any impact on the processing of personal data for contextual advertising. Meta relies on the CJEU’s recent ruling,[27] in particular, paragraph 150, which states that ‘... users must be free to refuse individually ... to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator ... if necessary for an appropriate fee, (emphasis added) an equivalent alternative not accompanied by such data processing operations.’
24. Urgent and Provisional Measures - Meta (Ref. num. 21/03530-16), supra note 18.
25. EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta, supra note 5.
26. Natasha Lomas, CJEU Ruling on Meta Referral Could Close the Chapter on Surveillance Capitalism, TechCrunch (2023).
27. Judgement of the Court of Justice, Meta Platforms Inc. v Bundeskartellamt, supra note 3.
4. In search of legal grounds
Those plans have been already implemented, which constitutes a new chapter in the intricate relations between Meta and European regulators. However, there are several reasons why this approach is flawed.
First, Meta’s new approach is based on a sentence from the recitals to the GDPR, the interpretative part of the legislation in question, preceding the text of the CJEU’s final ruling, which automatically casts doubt on the lawfulness of the social media giant’s new strategy. In Sections 2 and 3, I explain that the only lawful ground for data processing for behavioural targeting is consent. This is by virtue of the provisions in the GDPR and the ePrivacy Directive. The guiding and interpretative work of the EDPB as well as the judgments of the CJEU confirm this stance in a consistent and coherent manner. Therefore, the only legally binding and lawful actions Meta could rely on before a court are contained in the case C-252/21, Meta Platforms Inc v Bundeskartellamt, ruling and the provisions of the GDPR and the ePrivacy Directive, which mandate that consent is the legal basis for data processing when it comes to online behavioural targeted advertising.
Second, Meta is in a dominant position in the online social networks market. An important element of the validity of consent is the notion of freedom to choose. ‘Free’ consent implies a real choice. Meta exercises a dominant position on the social media platforms market, which means that users cannot easily withdraw from Facebook or move to a competitor. This entails a risk of power imbalance and imposition of unilateral conditions by the platform on its users. As recognised in Case C-252/21, ‘…a dominant position on the market for online social networks does not, as such, preclude the users of such a network from being able validly to consent...’.
This means that although Meta enjoys a dominant position, it has to ensure full compliance with consent requirements as any other market player. Furthermore, the influence Meta has on the market constitutes an ‘important factor in determining whether the consent was in fact validly and, in particular, freely given, which it is for that operator to prove.’ The EDPB Guidelines on consent[28] explicitly state that ‘if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.’ In addition, ‘consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment’.
28. European Data Protection Board, supra note 9.
Third, the option to choose between a paid and a free version of Meta’s platform Facebook does not constitute valid consent. This is so not only in connection with the specific market position of the social media platform but also because consent could not be withdrawn without detriment to the user. The EDPB Guidelines are illuminating in this matter by determining that the ‘controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment (recital 42). For example, the controller needs to prove that withdrawing consent does not lead to any costs for the data subject (emphasis added) and thus no clear disadvantage for those withdrawing consent.’ Therefore, the possible switch from the free to the paid version, on the basis of the consent of the user in order not to be targeted with online behavioural advertising within the same service, whose data processing operations are not necessary for the performance of the service, constitutes an invalid consent. Hence, Meta’s data processing is unlawful.
5. Conclusion
The endeavours to circumvent the exigent requirements of consent for online behavioural-targeted advertising, as mandated by the GDPR and the ePrivacy Directive, have produced a complex legal conundrum. The approach of offering users the choice between accepting personalised ads or paying for an ads-free service underscores the centrality of user consent in EU data protection rules. The unfolding of this case not only highlights the complexities of current data protection regulations when it comes to advertising but also serves as a crucial case study when it comes to privacy and consumer rights. This innovative yet legally challenging strategy fuels the saga around Meta’s data processing in Europe and will keep regulators busy for the coming months for two reasons.
First, the EDPB has decided[29] on the Norwegian DPA’s request to ban Meta’s behavioural targeting practices. The consequences of such a decision are unexpected and need to be evaluated. However, the EDPB’s urgent binding decision and the CJEU’s ruling have made it clear that consent is the only valid mechanism for online behavioural targeting.
Second, the implementation of the plan to charge users who wish not to be subjected to behavioural targeting does not constitute valid consent, as it does not allow users to refuse or withdraw consent without detriment. Moreover, it has already given rise to complaints from civil society[30] and consumer organizations,[31] adding a series of new litigation to this long-lasting saga. Therefore, the consequences of this case have the potential to shape future discussions on data processing and the delicate balance between user choice and service providers’ practices in the digital age.
29. EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta, supra note 5.
30. noyb files GDPR complaint against Meta over ‘Pay or Okay,’ Noyb (2023).
31. Consumer groups file complaint against Meta’s unfair pay-or-consent model, BEUC (2023).