Meta loses key privacy battle

Image of Carlo Cilento

Gepubliceerd op 30 apr 2024 en bijgewerkt op 14 mei 2024 door Carlo Cilento

Deze inhoud is nog niet vertaald in het Nederlands. Hieronder staat de Engelse versie.

On April 17 privacy scored an important win: the European Data Protection Board (that is, the organization that brings EU privacy watchdogs together) clarified that personal data are not a commodity and took a clear stance against Meta’s pay-or-ok approach to GDPR compliance. This is a step forward for EU privacy law and a big deal for the tech industry.

Before you pop the champagne, please note that the story is not quite over yet. Meta will no doubt drag the legal battle to the Court of Justice of the European Union, and the Court will have the last word. That being said, the EDPB siding with Meta’s critics is a very good sign.

  1. The background
    1. What this is not about
    2. Meta vs. the GDPR
    3. Pay-or-ok
  2. What did the Board say?
    1. Pay-or-ok doesn’t cut it
    2. There are alternatives
    3. What about smaller players?
  3. What happens next?
  4. Conclusions

Here is all you need to know about the EDPB’s Opinion, and why it matters. Let’s dive in!

The background

What this is not about

Before we explain what this legal battle is about, let's dispel a possible misconception: Meta is not under attack for putting a price on its platforms.

Meta is a for-profit entity and has a right to price its services however it sees fit, including requiring subscriptions to previously “free” platforms. No one contests this right- so what is the problem?

Well, Meta is using subscriptions as an argument to show that its business model as a whole- and especially the harvesting and mining of data from free users- is compatible with the GDPR. In other words, the point of Meta’s subscriptions is to justify spying on free users. This is what is problematic under the GDPR- not subscriptions per se.

Here’s the story in detail, and why it is a big deal for privacy law.

Meta vs. the GDPR

We already discussed the pay-or-ok saga extensively in another blog, so here is the short version.

For more than a decade now, Meta has been aggressively mining user data as a payment for Facebook (and later Instagram). This intensive probing allows the company to profile users and serve behavioral advertising, for which it charges advertisers. This business model is at odds with the GDPR and privacy advocates have been challenging it for a while now- especially noyb, an Austrian NGO with a long history with Meta.

So, commercial surveillance is how Meta makes most of its revenue. By challenging the compliance of its targeted advertising, privacy advocates are questioning the lawfulness of Meta’s very business model under the GDPR. This has important implications for the entire tech industry because many other companies rely on a data-as-payment business model.

So far, Meta responded to these challenges by tweaking some fluff in its privacy policy, eating nine-figure fines, and keeping doing business as usual. But as Meta keeps losing legal challenges, its options grow thin.

Paid subscriptions are the latest act in this long-running saga and the company's last-ditch attempt to save its business model in the EU market.

Pay-or-ok

Meta currently presents EU users with a choice: they can consent to behavioral advertising and use its social platforms for free, or get rid of behavioral advertising and pay €120 a year.

Of course, Meta knows that the vast majority of users won’t pay. The point is not to collect pennies from a handful of paid subscribers, but to justify spying on everyone else. Subscriptions are a trick that allows Meta’s lawyers to claim that consent to behavioral advertising meets the high consent standards of the GDPR- specifically, the requirement for consent to be freely given.

This pay-or-ok approach is controversial in the privacy space. Some see it as a powerful compliance tool that could potentially justify very invasive data mining under the GDPR. They hope that Meta’s approach survives regulatory scrutiny so that they can jump on board and make pay-or-ok the new standard for the digital economy.

On the other hand, Meta’s critics argue that data is not a commodity because privacy and data protection are human rights (and the Charter of Fundamental Rights agrees). They also point out that not everyone in Europe can afford to pay €10 a month to stay in touch with their friends and relatives on Facebook- let alone €10 per month per app, should pay-or-ok become commonplace for social platforms.

The EDPB was called to take a stance in the pay-or-ok controversy and sent a very clear message.

What did the Board say?

The EPBP’ Opinion is quite complex, but in a nutshell, it largely agrees with Meta’s critics. Data are not a commodity and putting a price tag on privacy is no way to collect valid consent under the GDPR.

The EDPB’s Opinion is not binding but holds plenty of weight. After all, the members of the Board are national regulators with the power to fine Meta for GDPR noncompliance.

Pay-or-ok doesn’t cut it

The EPBP took a close look at Meta’s compliance strategy and did not like it one bit.

The Board highlights that Facebook and Instagram benefit from powerful lock-in and network effects: the more social contacts you have on those platforms, the harder it is to leave them (as a a better blogger wrote, social networks are a hostage situation by now). At the same time, Meta’s dominant position on the social media market means that consumers lack alternatives.

This is why the EDPB ultimately agrees with Meta’s critics and refuses to recognize the consent collected by Meta as valid, freely given consent. Bottom line, Meta has no right to profile users based on their behavior.

(Incidentally, market dominance is the reason why the common objection that “platforms are not free to provide” does not work for Meta. In a competitive market, most users would delete their Facebook or Instagram account and move their data to a privacy-friendly competitor. In the real world, tech giants buy potential competitors, leaving users to pick their poison between Meta, X, and ByteDance.)

There are alternatives

Meta and other ad tech players like to present behavioral advertising as a black-and-white issue: either you allow us to probe the digital lives of Internet users inside out, or we go broke and the digital economy dies (see the IAB’s letter to the Board).

But the issue is not black and white. The EDPB was careful to clarify that platforms can provide advertising without consent. This doesn’t necessarily mean contextual advertising, either: for instance, Meta could simply ask users about their interests and use their answers to target ads. In the Board’s view, this less invasive form of advertising could conceivably be carried out without user consent while still complying with the GDPR.

Of course, this reasonable middle ground would be vastly less profitable than Meta’s invasive probing, and the company will keep fighting tooth and nail against privacy rather than tuning the surveillance down a notch.

The EDPB also points out that offering users a third, free option with less intrusive advertising could help Meta justify its business model under the GDPR. But we don’t expect Meta to take this advice anytime soon: the company knows users do not like surveillance and typically say “no, thanks” when presented with a fair, transparent choice such as the one required by the EDPB.

(I would also like to point out another obvious and 100% GDPR compliant way for Meta to monetize from Facebook and Instagram: turn them into paid services, period. No one demands a free meal- not the GDPR, not the regulators, not the privacy advocates. But Meta will never adopt this simple solution because a price tag would cost the company too many users.)

What about smaller players?

The message for Big Tech is very clear, but does the same logic apply to smaller websites and services?

Maybe.

Yup, that’s not the most satisfying answer- but that’s the answer we got.

The Opinion deals with big platforms only, but the Board points out that some of its reasoning may apply to small players as well- which is quite confusing. Overall, we feel like the Board doesn’t want to take a stance on how the rules apply to smaller players- at least for now.

What happens next?

It is worth repeating that the story is not over yet and that the Court of Justice will likely have the last word.

It is hard to say when this will happen. noyb’s complaint with the Austrian authority will probably go all the way to the Court of Justice, but that will take a while- especially if the Irish authority gets involved. In the meantime, Meta is unlikely to change its practices unless the fines start flying.

If the Court sides with EDPB, the ruling will mark a turning point in privacy law. Meta will be forced to rethink its business model and will likely eat gigantic fines. Other big fish will also need to re-evaluate their business model, as privacy advocates won’t hesitate to wield the Meta precedent against them. Long story short, we will move one step closer to the long overdue death of behavioral advertising.

On the other hand, if the Court sides with Meta and sanctions its self-serving interpretation of the law, then pay-or-ok will likely become the industry standard, the GDPR will be substantially defanged against Big Tech, and we will all have little to no expectations of privacy on the platforms that control our digital lives.

Conclusions

This time around, it’s not just Meta against the usual suspects (noyb) . Consumer advocates from the Bureau of European Consumers (BEUC) are also challenging Meta subscriptions and even the European Commission- as the EU’s top antitrust regulator- is looking into pay-or-ok’s conformity to the Digital Markets Act.

We are happy to see actors challenge Meta’s compliance puppet show from different angles. And we are even happier to see the EDBP take a strong stance.

It is impossible to overstate the importance of the pay-or-ok saga. When noyb’s complaint against Meta (predictably) lands in the Court of Justice, the Court will need to make a decision: should the GDPR bend to the surveillance economy, or should it be the other way around?

We don’t have a crystal ball, but the EDPB’s Opinion is a good reason to be optimistic.

We build Simple Analytics because we believe in a privacy-friendly web. We help our customers understand their traffic and expand their audience without collecting a single bit of personal data. Our web analytics tool is easy to learn, customizable, and comes with a hand AI assistant. If this sounds good to you, feel free to give us a try!