January 5, 2023
Breaking news this week, with the announcement that Meta (Facebook and Instagram) has incurred a whopping €390 million fine for the misuse of personal data for the purposes of advertising. The case, which has gripped the data protection world since it was submitted in 2018, speaks volumes about the importance of abiding by the GDPR - regardless of where you’re based in the world.
While this case is set to predominantly impact those operating within the EU, it does have the potential to impact UK businesses using targeted advertising to reach people in the EU. It is also possible that Meta may choose to lump the UK in with the EU if changes need to be implemented to its advertising methods. Below, we tackle the details of the case, what Meta got wrong, and what you need to do to avoid the wrath of NOYB.
NOYB - otherwise fondly known as “None Of Your Business” - was founded in 2017 with a focus on European data protection rights. Since then, NOYB has worked on a number of initiatives in support of the General Data Protection Regulation (GDPR) and the protection of private data. The entity has gone head to head with the likes of Apple, Facebook, Grindr, and Google Analytics, and in doing so, it has placed the importance of data protection centre stage.
NOYB’s involvement with this case began back in 2018, on May 25th - the very day that the GDPR became applicable. NOYB filed one complaint each about Facebook and Instagram with European data protection authorities. The complaints alleged that the companies were attempting to bypass the requirement for consent by referencing the use of personal data for advertising in their T&Cs, and then stating that the processing for advertising purposes was part of the services they provide contractually to users. NOYB alleged that all of Facebook and Instagram’s advertising-related data processing was based on consent, and that the ways of obtaining that consent made it invalid. From here, Meta (including Facebook and Instagram) faced a two-year wait to see the results of the case.
It’s no secret that Meta makes the bulk of its revenue through advertising. So much so that Meta reported revenue of an estimated $84 billion in 2022, $82.4 billion of which was directly attributed to ads. How did it achieve those billion-dollar figures, you ask? By processing the personal data of its 3.59 billion-strong user base for the purposes of highly targeted advertising.
It’s important to note that Meta is not alone here. Targeted advertising is a staple for many businesses to connect their product or service with the perfect customer. And, done correctly, it’s all fine and dandy with the data protection bodies that be. Whether that’s the ICO, the DPC, or the CNIL (the privacy world loves an acronym), as long as you abide by rules designed to protect the privacy of individuals, advertising is fair game.
However, if by doing so you are non-compliant with data protection law - most notably the GDPR, and its UK equivalent - it is becoming more common for organisations like NOYB to take matters into their own hands and make complaints.
In Meta’s case, the social media giant attempted to “bypass” the consent requirement of the GDPR, in the words of NOYB, “by adding a clause to the terms and conditions for advertisement.” This was then cross-referred in their privacy notice, which stated that using personal data for advertising purposes was necessary in order to comply with their terms and conditions. On this basis, NOYB alleged that Meta had processed the personal data of users without securing their explicit and informed consent.
While the data protection world rejoices, the same can’t be said for Meta (and Facebook and Instagram) as they enter 2023. The business is now prohibited from bypassing the GDPR via a clause in its terms and conditions, and it is now obligated to get “opt-in” consent for personalised advertising.
Perhaps most painful for Meta is the scale of the fine. In the initial draft decision, the Irish DPC (the Irish Data Protection Commission) asked for a fine of €28 to 36 million. However, given the scope of previous fines, Meta has now been fined an eye-watering €390 million. Max Schrems, co-founder of NOYB, stated:
"This is a huge blow to Meta's profits in the EU. People now need to be asked if they want their data to be used for ads or not. They must have a 'yes or no' option and can change their mind at any time. The decision also ensures a level playing field with other advertisers that also need to get opt-in consent."
We are still waiting for the results of similar cases, resulting from complaints made by NOYB against Google and WhatsApp (the latter is also owned by Meta).
While this case is set to impact Meta’s EU profits, it’s also set to impact EU advertisers and UK businesses using Meta, Facebook, and Instagram to target EU-based customers. As a UK business targeting EU customers, what should you be aware of?
This decision could cause a lot of ripple effects for businesses using Meta to advertise, including the possibility of action from users (individually or as a group action) over the non-compliant use of their personal data.
A huge number of businesses advertise their products and services using big tech companies like Facebook and Google to reach their target audience. If Facebook and Instagram don’t have an appropriate lawful basis for using their users’ personal data to target them with adverts for other businesses, those businesses may be better served advertising elsewhere unless and until Facebook becomes compliant.
It is possible that Meta will change its business model to allow users to opt in or out of targeted marketing at any time, as proposed by NOYB. However, this doesn’t seem to be immediately on the horizon. Meta has said it intends to appeal the substance of the rulings as well as the fines imposed, and claims that the decisions do not prevent personalised advertising on their platforms.
This is definitely an area you want to keep an eye on, as it is constantly changing and there is a lot of debate between the different data protection authorities in the EU, and the European Data Protection Board (EDPB).
This decision doesn’t affect the UK, as it has been made in respect of the EU GDPR. However, there is nothing to stop people making similar complaints to the UK Information Commissioner’s Office (ICO) and starting the whole process again.
We support countless scaleups with squeaky-clean data hygiene and a data protection strategy that protects businesses and consumers alike. Keen to avoid the fate of Meta, WhatsApp, and Google? Discover how our data protection experts can support you.