Austrian privacy activist Max Schrems filed a complaint against Meta with Ireland's data protection agency in 2018.
- Meta Fined EUR 390 Million by EU Regulator, Told to Reassess Legal Basis for Personalised Ads
- Meta Preparing to Announce Decision on Donald Trump's Return to Facebook, Instagram: Report
- Digital Competition Act Recommended by Parliamentary Panel to Regulate Big Tech Firms
Meta will only be able to run advertising based on personal data with users' consent, according to a confidential EU privacy watchdog decision, a person familiar with the matter said on Tuesday, in a blow to the US social network.
The Irish data protection agency, which oversees Meta because its European headquarters is located in Dublin, has been given a month to issue a ruling based on the European Data Protection Board's (EDPB) binding decision.
The EDPB will likely require the Irish body to hand out fines, the person said, asking not to be named because of the senstivity of the issue.
Big Tech's targeted ad model and how data is collected and used has drawn regulatory scrutiny around the world.
The Irish case against Meta was triggered by a complaint by Austrian privacy activist Max Schrems in 2018.
"Instead of having a yes/no option for personalised ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way," Schrems said in a statement.
He said the EDPB's ruling means that Meta must allow users to have a version of all apps that do not use personal data for ads while the company would still be allowed to use non-personal data to personalise ads or simply ask users for consent.
The 27-country bloc's landmark privacy rules known as the General Data Protection Regulation went into effect in 2018.
Meta is engaging with the Irish body, a Meta spokesperson said.
"GDPR allows for a range of legal bases under which data can be processed, beyond consent or performance of a contract. Under the GDPR there is no hierarchy between these legal bases, and none should be considered better than any other," the spokesperson said.
An EDPB spokeswoman declined to provide details of the decisions made. The agency said it stepped in after other national watchdogs disagreed with the Irish agency's draft decision.
Its draft decisions on Meta's parent Facebook and Instagram focus on the lawfulness and transparency of processing for behavioural advertising, while its decision on WhatsApp concerns the lawfulness of processing for the purpose of the improvement of services.
"The DPC cannot comment on the contents of the decisions at this point. We have one month to adopt the EDPB's binding decisions and will publish details then," the Irish Data Protection Commission said.
Meta may have to change its business model, said Helena Brown, head of data & privacy at London-based law firm Addleshaw Goddard.
"The direction of travel seems to be that the European regulators will not allow Meta to hide behind "provision of services" as its basis for using personal data for behavioural advertising," she said.
"Instead, Meta may need to change its approach to seeking clear, explicit consent instead. It will be a challenge for Meta to be able to explain its practices in a way that such consent can be lawful and well-informed," Brown said.
The Wall Street Journal first reported on the EDPB ruling.
© Thomson Reuters 2022