Towards the end of last year and the beginning of this year, the news about Meta, Facebook’s parent company, and its data protection-related legal issues never stopped.
On 23 December 2022, Meta agreed to pay $725 million to settle a lawsuit alleging that in 2016, Facebook had shared millions of American users’ data with Cambridge Analytica, a British consultancy firm that supported Donald Trump’s presidential campaign and Brexit campaign. Just a couple of weeks later, on 4 January 2023, the Irish Supervisory Authority – Data Protection Commission (DPC) – fined Meta €390 million, upon the allegation that for 4.5 years Facebook processed European users’ data without a lawful basis.
The total amount fined by the DPC has come under scrutiny from privacy activists such as noyb, given the EDPB binding decision that preceded the DPC’s fine. The criteria of effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR for supervisory authorities in making decisions appear to have been applied at a lower threshold by the DPC than by the majority of those in the EDPB binding decision. Indeed, according to noyb, factoring in Meta’s global revenue and the revenue illicitly gained from unlawful processing of personal data under the GDPR, the fine amount should be equal to €4.36 bn, corresponding to 4% of Meta’s global turnover of the past year, rather than €390 million.
Moreover, it is important to note that 97.6% of Meta’s total revenue is from advertising. Consequently, a company like Meta must be transparent about how and with whom it shares users’ data. Before we continue with the analysis of the two mentioned cases, it is worth considering the meaning of advertising in the data protection world, where it is synonymous with targeting. The European Data Protection Board (EDPB) defined targeting as the practice “that makes it possible for natural or legal persons (“targeters”) to communicate specific messages to the users of social media in order to advance commercial, political, or other interests. A distinguishing characteristic of targeting is the perceived fit between the person or group being targeted and the message that is being delivered”. Therefore, if the users’ data retained by Facebook allows the company to target an individual, Facebook can share this specific dataset with a third party that would be able to advertise a personalised product/message/opinion to that targeted user.
Data subjects’ risks
As the EDPB exhaustively explained in 2020, the major risks of profiling and targeting activities might involve an inference of interests or other characteristics which the subject had not actively disclosed, hence undermining the individual’s ability to exercise control over their data. Thus, more transparency regarding the role of the different actors and the processing operations involved may ensure the exercise of data subject rights.
Moreover, a second and more alarming risk concerns the possibility of discrimination and exclusion. Targeting social media users may involve criteria that, directly or indirectly, have discriminatory effects relating to an individual’s racial or ethnic origin, health status or sexual orientation, or other protected qualities of the individual concerned.
In December 2022, the longstanding legal action against Facebook seemingly came to an end, with the tech giant agreeing to settle the lawsuit. The lawsuit alleged that in 2018, Cambridge Analytica acquired from Facebook data of tens of millions of American users, which the British consultancy firm profiled as “right/left wing” voters or undecided and later sold for the 2016 presidential political campaigns.
Similarly in Europe, on 5 December 2022, the EDPB released its binding decision on the dispute submitted by the Irish SA on Meta and its Facebook services, stating that since 2018 Meta processed users’ data for behavioural advertising without a proper legal basis. In fact, when the GDPR came into force, Meta updated its terms and conditions by adding a consent clause to them. By doing this, consent became part of the contract binding Facebook and every user creating a Facebook account. Consequently, Facebook alleged that they were lawfully able to process users’ data relying upon art. 6 (1)(b) of the GDPR, the performance of a contract, and not upon art. 6 (1)(a), data subject’s consent, arguing that ads are a part of the “service” that Facebook contractually owes the users. Hence, since 2018 users have been asked to “accept” Meta’s terms and conditions without any option to decline having their data mined.
One of the GDPR’s main principles is the lawfulness, fairness and transparency principle, which establishes that personal data shall be processed lawfully, fairly, and transparently. Therefore, whoever processes personal data must have a lawful basis, must inform the data subjects on how their data are processed (transparency) and must do so in a way that the data subjects can expect, considering the purpose of processing (fairness).
In relation to the lawfulness of processing, art. 6 of the GDPR provides six different legal bases to process personal data and establishes that the data controller shall rely on the most appropriate one, considering its pursued purposes and the nature of the processing. One of these six legal bases is the data subject’s consent, which, to be valid, must be informed, freely given, specific, withdrawable and unambiguous.
Analysing the purpose and the nature of Meta’s data processing, specifically focusing on the purpose of personalising advertisements, consent appears as the most appropriate legal basis. Moreover, it also appears most in line with the transparency principle. However, given Meta’s revenue sources, as mentioned above, Facebook knew that its business model would be jeopardised by the new GDPR’s standard of consent.
Nevertheless, on 4 January 2023, the DPC decided that “as directed by the EDPB, Facebook was not entitled to rely on Article 6(1)(b) GDPR” for the purpose of behavioural targeting and, as a consequence, Meta has been fined €390 million and has received a three-month period to comply with art. 6 of the GDPR.
Whilst the total amount fined by the DPC is questionable in light of the EDPB Binding Decision, it is undeniable that such a decision is good news for privacy experts and activists; moreover, it seems to be a promising step towards a more secure digital environment, where people’s awareness of how their data are used should increase, at least in Europe. Of course, the decision still allows Meta to use non-personal data to personalise ads and/or request consent to ads via the yes/no option. However, users should now be able to withdraw consent at any time, and Meta should not limit their service if users choose to do so.
Nonetheless, Meta has already declared that it will appeal against this decision to the competent jurisdictional Court in Ireland, so some time will likely pass before we can see the real consequences of this decision and before Meta will be put on the same level as other platforms and apps which, if pursuing personalised advertising, need to provide users with the option to opt in.
 EDPB – Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR).
 Facebook’s public information on users and revenue (refer to Earning Slides – https://investor.fb.com/financials/?section=quarterlyearnings)
 EDPB Opinion adopted on 2 September 2020 – Guidelines 8/2020 on the targeting of social media users. https://edpb.europa.eu/system/files/202104/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf
 EDPB – Binding Decision 3/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Facebook service (Art. 65 GDPR). https://edpb.europa.eu/system/files/2023-01/edpb_bindingdecision_202203_ie_sa_meta_facebookservice_redacted_en.pdf
 GDPR, Art. 6 (1): “Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.