Irish Data Protection Authority, Under Pressure From Other EU Officials, Says Meta’s Clickwrap Agreement Is No Legal Basis For Targeted Ads

Some big news out of the EU this week as the Irish data protection authority has fined Meta over $400 million, claiming it violated the GDPR. The full details of the ruling are not yet out (apparently, the officials are working with Meta over what needs to be redacted - which is not out of the ordinary in the EU, but still feels sketchy), but the basic idea is that Meta sought to get around some of the GDPR's consent rules regarding using data for customization / targeting by including "consent" directly in the terms of service. The Irish regulator overseeing the case had initially indicated that this was legitimate, but apparently changed their minds.
Meta is pushing back on the ruling, claiming that the GDPR allows you to collect and process this data for personalization so long as it's considered a "contractual necessity."
GDPR allows for a range of legal bases under which data can be processed. The rules of GDPR are clear: there is no hierarchy between these legal bases - none should be considered better or more legitimate than any other. Which basis is most appropriate to use depends on the specific situation. Like many companies, Meta uses a combination of legal bases to provide various services.
Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience - including the ads they see - is a necessary and essential part of that service. To date, we have relied on a legal basis called 'Contractual Necessity' to show people behavioural advertisements based on their activities on our platforms, subject to their safety and privacy settings. It would be highly unusual for a social media service not to be tailored to the individual user.
That said, there's a bit more background here that is worth understanding. As you may recall, last year, we noted that officials on the EU Commission were getting annoyed that the Irish data protection authority was seen as going easy on US internet companies. There has been a variety of efforts to update the GDPR to effectively give more power to either the Commission itself in Brussels, or possibly other country data protection authorities, to avoid the situation where US companies set up an "EU headquarters" in Ireland in order to be regulated by that DPA.
Given that, the Irish DPA has been somewhat under pressure to come up with a scalp to show the rest of the EU to prove that it's "serious." This is why we've mentioned that Elon Musk's Twitter might be an easy target. But, as always, going after "the big guys," is always preferable.
This might also explain why it looked like the Irish regulators were originally okay with Meta's clickthrough / browserwrap arrangement, and then reversed course.
While it's fun to see Meta struggle (especially given all the troubles it's had recently after Apple effectively kneecapped a whole bunch of Meta's data collection efforts) and face some consequences after playing fast and loose with data for years... it does feel like this kind of decision could have serious problematic consequences going forward. I'm loath to give Meta any credit for anything that it does, but it's kinda true that when people are signing in to most social media these days they do expect personalization.
Are there ways that Meta could give users a lot more control? Yes. Could Meta be more transparent about how it's using data? Also yes. But I fear that the end result of this ruling is that we're going to just end up with even more useless and annoying "cookie pop up" type warnings in which every company is going to feel the need to make you "opt-in" to personalization over and over again in a manner that is extremely annoying and does nothing to really protect anyone's privacy.
But, alas, this is the state we live in today with the European approach to privacy laws, where most of the focus is just on getting companies to do something that is annoying for users, but which allows politicians to claim that they're "protecting your privacy."