Meta's Privacy Fiasco: A Cautionary Tale for Big Tech


Published on Apr 13, 2023 and edited on Aug 15, 2023 by Carlo Cilento

Most big techs are not very good with privacy, and Meta might be the worst. “See what Meta is doing and do the exact opposite” might as well be the golden data protection rule.

For instance, an ongoing litigation in California highlighted that Meta barely knows how it handles data (the ICCL, who brought the matter to the attention of the European Commission, summed it up pretty well). And the Irish supervisor recently fined Meta 390M for unlawfully processing personal data of millions of users across Europe.

In March, we saw another ruling against Meta, this time from the Amsterdam District Court. It is an important decision and an interesting one in several ways. We will quickly give you some background on the DPC's decisions, as they help contextualize the ruling. Then we will dive in!

  1. Some background
  2. The case
    1. The unlawful processing of personal data
    2. The processing of sensitive data
    3. Facebook is not for free
  3. Updates
  4. Conclusions

Some background

It hasn’t been long since the Irish DPC fined Meta 390M for profiling their users without a legal basis under the GDPR. The total fine resulted from three distinct cases involving Facebook, Instagram, and Meta.

Our blog goes more in-depth on the decisions, so here is the short version. All cases went back and forth between the DPC (the Irish supervisory authority) and the EDPB (short for European Data Protection Board, the EU institution where all European privacy authorities sit). The DPC was initially not keen on fining Meta, but the Board essentially overturned her initial decisions, which led to the fines.

The decisions set an important precedent for other companies and highlighted deep disagreement between the DPC and her European counterparts.

The case

On March 15, the Data Privacy Foundation won a class action against Meta in the Amsterdam District Court. The Court held that Meta illegally processed the personal data of Facebook users for the purpose of advertising, including sensitive data. This decision comes shortly after the Irish privacy watchdog (DPC) fined Meta 390M for processing personal data unlawfully.

The ruling is declaratory in nature, so damages will be claimed in a different procedure. The class action involves 190,000 people, so Meta is risking a lot of money!

The decision involved several claims [1], so we will focus on the most important ones: the processing of personal data for advertising purposes, the processing of sensitive data, and the violation of consumer law.

The unlawful processing of personal data

In the Dutch case, the Data Privacy Foundation claimed that Meta lacked a legal basis for providing Facebook users with targeted advertising. But what does this mean exactly?

Targeted advertisement is based on profiling. In other words, someone (in this case, the Facebook social network) gathers extensive data about each user based on how they behave on the platform and on the data they upload themselves. These data are used to build a profile of each user to figure out what ads they are most likely to engage with.

Profiling requires the processing of personal data; otherwise, a platform cannot know what a user’s interests are. Under the GDPR, personal data can only be processed on the grounds of a legal basis. You can think of a legal basis as a “legal justification” for processing someone’s data, such as consent or a legal obligation (this blog dives deeper into the topic, in case you’re interested).

In this case, Meta’s legal basis for profiling its users was the performance of a contract [2]. In other words, Meta argued that targeted advertising was necessary to provide its Facebook platform to users and that this necessity justified the profiling of users (as we explained in our blog).

The Court ruled otherwise. Based on past guidance from the EDPB (as well as the WP29, the Board’s predecessor in the pre-GDPR era), the Court endorsed a strict interpretation of “necessity.” It held that profiling users is not necessary to provide a social network.

This is the same legal issue examined by the EDPB regarding three different Meta services, including Facebook, and the Board reached the exact same conclusion. Furthermore, the conclusion was rather obvious from the start, as the EDPB itself has long clarified that the performance of a contract does not justify profiling on social media platforms [3].

So the Amsterdam District Court is not saying anything new. Still, the Dutch decision is important, as it shows that the precedent set by the EDPB might serve as guidance not just for data protection authorities but also for Courts.

The processing of sensitive data

The Data Privacy Foundation also claimed that sensitive data were processed without a lawful exemption, which is a severe infringement under the GDPR.

The EDPB decision did not cover the processing of sensitive data. The issue was part of the noyb complaints that started it all, yet the DPC did not investigate it. Needless to say, neither the EDPB [4] nor noyb is terribly happy about that.

But let’s get back to the issue. Sensitive data are very delicate categories of personal data such as sexual orientation, health data, religious and political beliefs, and so on. The GDPR protects these data by setting out extra requirements for processing them. These requirements are called exemptions and perform a similar function as legal bases: they are essentially a “justification” for processing sensitive data, the same way legal bases are a “justification” for processing personal data.

It is an open secret by now that Facebook processes sensitive data. In case that wasn’t clear from the Facebook-Cambridge Analytica scandal, the advertising on the platform makes it obvious enough. People suffering from back issues are more likely to see ads for physiotherapy, followers of a religion are more likely to see content that aligns with their beliefs, and so on. Facebook uses information fed by the user to “flag” them as someone with certain characteristics, including quite sensitive and revealing ones (and strictly protected under the GDPR). This allows Meta to profile a user and cater the ads it serves across its platforms.

It gets worse. Profiling based on sensitive data can happen even when the user does not disclose any sensitive information to the social network. For instance, users with a lot of queer Facebook friends may be labeled as likely to be queer themselves by Facebook’s algorithms, and the ads and content they see will be tailored around that assumption.

In a nutshell, Facebook’s monetization of sensitive data is invasive and creepy.

And according to the Amsterdam District Court, it is also unlawful. Meta lost their case pretty badly on sensitive data. First, the Court dismissed Meta’s disingenuous arguments that it does not process sensitive data. Then it looked at the Article that lists the rules for processing sensitive data (Art. 9(2) GDPR) and, unsurprisingly, found that Meta processed the data unlawfully.

The Court went into some depth on the rules for processing sensitive data, which is interesting in and of itself. The legal requirements to lawfully process common personal data and sensitive data are cumulative: if I cannot process your personal data, then I cannot process your sensitive data, either. The Court had already established that personal data were processed unlawfully, which means that sensitive data were processed unlawfully as well.

Judges are busy people and typically solve cases by taking the minimum number of logical steps required to justify the outcome. So why did the Court put in the extra work and deal with Art. 9(2) in detail?

We can’t know for sure, but we can take a guess. Maybe the Court wanted to bulletproof its decision about sensitive data in case its findings on the issue of legal bases are overturned on appeal. Maybe it wanted to make a point that would still stand even if Meta were to later change its legal basis for processing data because of the fines from the DPC (this happened two weeks later). Alternatively, the Court might have simply intended to shed some light on Meta’s handling of sensitive data since the DPC ignored the issue in her investigation.

Either way, we are happy that the Court gave us a comprehensive ruling that thoroughly debunked Meta’s defenses. The handling of sensitive data on social networks is an urgent privacy issue. Hopefully, the ruling will raise awareness as to how aggressive and invasive the monetization of such data can be.

Facebook is not for free

Meta advertises Facebook as a free service. It isn’t, because the user effectively pays with their personal data.

The Foundation claimed that presenting Facebook as a free service is a deceptive practice. The Court agreed and held this to be an unfair commercial practice, and a violation of the Unfair Commercial Practices Directive of the EU as well as its implementations in Dutch law.

This is not surprising at all. As we all know, there is no free meal. If the meal looks free, then you are the meal.

Paying with data is one of the dominant business models in Web 2.0 services, yet countless companies still advertise their services as free when their end goal is the monetization of personal information. It is refreshing to see a Court look past the fig leaf of free service and call Meta’s business model what it is.

Updates

On April 5, 2023, as a result of the EDPB's and DPC's decisions ruling against reliance on the legal ground of contract, Meta switched to the legal basis of legitimate interest for providing targeted advertising.

noyb, the NGO behind the complaint which led to the decisions, is not terribly happy about Meta's reliance on legitimate interest and intends to challenge the company again. In our opinion, noyb has good reasons to be critical of Meta's move, but that's a big can of worms, and a story for another day.

Conclusions

It is worth highlighting, once again, that the class action involved nearly two hundred thousand people. Privacy watchdogs and legal nerds are not alone in worrying about digital privacy and how big techs respect it (or don’t).

Rather, the public is becoming more and more concerned with digital privacy. People realize that many online services are essentially data-devouring machines, and that for many companies, privacy is an afterthought, if not an outright farce.

Does the Internet have to be like this? We don’t think so. This is why we built Simple Analytics to allow organizations of all sizes to collect useful insights in a 100% privacy-compliant way. Simple Analytics is built around privacy from its very design. We do not track your users, and we do not collect their personal data. If that sounds good to you, feel free to give us a try!

  • [1] The decision also involves the sharing of data with third-party partners, and the use of cookies. The cookie claims were not upheld by the Court. You can check the summary on GDPRhub for a more comprehensive description of the case and ruling.
  • [2] Meta/Facebook used different legal grounds before the GDPR entered into force. Discussing them all would take forever, but in the end, they were all held to be invalid by the Court in the case at hand.
  • [3] EDPB Guidelines 8/2020 on the targeting of social media users.
  • [4] The Board ordered the DPC to investigate Facebook’s use of sensitive information. The DPC, however, believes that the Board has no authority to order her to carry out an investigation, and intends to challenge the order before the EU Court of Justice.