Why Meta is in a world of trouble

Published on Aug 9, 2023 by Carlo Cilento

This is the second blog in a two-part series about Bundeskartellamt- a very important ruling against Meta that flew under the media radar.

In another blog, we explained how the ruling could be a game-changer for cookie-based analytics. But there is much more to the decision. Today we will look at what the Court of Justice said about Facebook’s business model and the powers of antitrust authorities.

Spoiler: all of it is bad news for Big Tech.

  1. What is the case about, and what does it say?
  2. Meta and targeted advertising- yet again!
  3. The performance of a contract, or why the EDPB was right
  4. Legitimate interest does not work, either
  5. How about consent?
  6. Bundeskartellamt is already sending waves
  7. Data protection and competition law
  8. What does this all mean for Meta and Big Tech?
  9. Conclusion

What is the case about, and what does it say?

Our first blog explained that the ruling relates to a case involving Meta and the German competition authority (the Bundeskartellamt). The authority found that Meta was abusing its dominant position on the social network market by imposing privacy policies which were contrary to the GDPR.

The Bundeskartellamt ordered Meta to change its privacy policy for German users. Meta challenged the decision and got an even worse one from the Court of Justice.

In the ruling, the Court touched upon some very sensitive points for Meta:

  • Meta’s tracking tools collect a ton of sensitive data (as we explained in our other blog on the decision)
  • consent is pretty much mandatory for targeted advertising- and needs to meet fairly high standards for huge platforms such as Facebook
  • competition authorities can take GDPR violations into account to assess the abuse of a dominant position.

Meta and targeted advertising- yet again!

In Bundeskartellamt the Court of Justice (CJEU) looked closely at Meta’s legal bases for targeted advertising. The legal issues might seem very technical, but make no mistake: at heart, this case is about the legitimacy of Facebook’s business model- and, by extension, of other Big Tech “free services” that you pay for with your data.

So, this is not about the fine print on Meta’s privacy policy. The ruling is a big deal in the grand scheme of things. Here’s why.

Facebook makes most of its revenue from targeted advertising. This advertising requires the aggressive profiling of users based on their behavior both on and off the platforms.

Under the general rules of the GDPR, this profiling data needs a legal justification (“legal basis”), such as a legal obligation, the performance of a contract, or the consent of the user (which is one of several legal bases, and not always needed to process personal data- as we explained in an older blog).

People do not like invasive tracking and profiling, so Meta did not want to give users a real and fair choice on the matter. This is why it avoided relying on consent so far.

Until April of this year, Meta used the legal basis of contractual necessity to provide targeted advertising on Facebook and Instagram. In other words, it claimed that providing targeted advertising was strictly necessary to comply with its Terms of Service with the user.

The European Data Protection Board (that is, the EU institution bringing all European privacy authorities together) did not agree. Meta was fined a combined €390M and forced to change its legal basis to “legitimate interest” in April in its new privacy policy.

The performance of a contract, or why the EDPB was right

The CJEU took a close look at Meta’s advertising practices and found them to be unnecessary for executing the contract with the user. In other words, it confirmed that contractual necessity could not justify targeted advertising.

The EDPB already made this point, but the ruling is still important because the CJEU has the last word on the interpretation of the GDPR (and EU law in general). The EDPB is very influential, but the CJEU’s word basically trumps everything else.

So, Bundeskartellamt says nothing new on contractual necessity but “officially” confirms the EDPB’s position. After the CJEU embraced the same stance, there is simply no room left to argue for contractual necessity.

This does not really affect Meta since they ditched contractual necessity already. But it is bad news for Big Tech because other companies using a pay-with-your-data business model will have a really, really hard time arguing that contractual necessity is a valid legal basis for advertising.

Bye bye, contractual necessity. You won't be missed.

Legitimate interest does not work, either

But what about Meta’s new legal basis- legitimate interest? Surely that works, right?

Nope: the Bundeskartellamt ruling shot legitimate interest down as well! Explaining why would turn this blog into a book, but let’s just say that the more invasively you process data, the more unlikely it is that legitimate interest is a valid legal basis. And Meta’s profiling happens to be as invasive as it gets.

In truth, it was obvious all along that legitimate interest was not a viable legal basis in this scenario. Meta knew and only changed its privacy policy to buy time.

Bundeskartellamt will make it harder for Meta to buy time because it will pressure regulators (read: the Irish data protection authority) to rule against Meta when the issue of legitimate interest comes up. And it will come up. noyb- the privacy NGO that led to the €390M fine- intends to challenge Meta again over its new privacy policy.

It should be no surprise, then, that Meta recently announced the intention to rely on consent for providing targeted advertising!

How about consent?

The Bundeskartellamt ruling essentially looks at all plausible legal grounds for targeted advertising and only spares the basis of consent.

But the CJEU didn’t just say, “yeah, consent will be alright for this; we’re cool.” The Court stressed that consent needs to be a real user choice and cannot be extorted by a platform- something Meta and other monopolists love to do. In particular, the consent-collecting practices of monopolists need to be scrutinized very, very carefully to ensure that consent is free and not extorted.

Reading between the lines, the CJEU was clearly thinking ahead. It knew that Meta would switch to consent at some point and expected the company to extort consent by way of a take-it-or-leave-it proposition to its users. In other words, either you consent to being profiled for advertising, or you can’t be on Facebook- sorry.

By stressing that consent needs to be free and non-extortive, the CJEU gave a clear hint that it next wants to see real and meaningful consent and expects the same from privacy authorities and other courts. This is a problem for Meta because people don’t like being profiled and often say “no” when offered a real and fair choice.

To be fair, there is some room to argue around free consent. On paper, the GDPR leaves some wiggle room for extorting consent because of the (infuriatingly vague) wording of Article 7(4). But the CJEU’s “preventive” remarks on consent suggest that the Court will likely take a harder stance and not allow companies to force consent through a take-it-or-leave-it approach- particularly when dealing with monopolists such as Meta.

Where does that leave targeted advertising on social platforms? How can it be justified under the GDPR?

Contractual necessity is out of the picture, and so is legitimate interest. Consent will be held to very high standards resulting in high opt-out rates and a loss of revenue. How will Big Tech justify the pay-with-your-data business model? Is it even possible at this point?

Bundeskartellamt is already sending waves

The Bundeskartellamt decision is already impacting targeted advertising. One month after the ruling, Meta announced the intention to switch to consent as its legal basis for targeted advertising- further confirming that its new compliance strategy built around legitimate interest is already dead in the water.

Furthermore, two weeks after the ruling, the Norwegian privacy watchdog (Datatilsynet) provisionally prohibited targeted advertising on Facebook and Instagram.

The order is an urgent decision that bypassed the GDPR’s normal jurisdiction criteria. For this reason, the authority will seek confirmation for its decision from the European Data Protection Board- the organization that brings together all privacy authorities from the EU and the EEA. If the decision were to be confirmed, then it would not be surprising to see other authorities follow the Datatilsynet’s lead and shut Meta's advertising down until Meta follows up on its announced move to consent.

Data protection and competition law

Believe it or not, there is yet more to the ruling. Yep- you could write a book about it.

In the Court’s view, an antitrust authority can take GDPR violations into account to assess an abuse of a dominant position, as long as there is some degree of collaboration with the competent privacy authority.

This indication is somewhat vague. So, it might take a while to figure out exactly what it means and what kinds of GDPR infringements can be considered. Maybe antitrust authorities could start looking into GDPR infringements related to unfair privacy policies and terms of use- basically the kind of stuff that blurs the lines between privacy and consumer protection laws. But this is really based on my feelings, so take it with a grain of salt.

For sure, Bundeskartellamt means trouble for Big Tech. Tech giants often hold a dominant position in one or more markets. For instance, Google is a monopolist in the search engine and online advertising markets, and Meta is pretty much a monopolist for social networks (TikTok is arguably a contender, but upon closer inspection, that might be a slightly different market).

Big Tech has little or no regard for privacy law. Sometimes there are few or no alternatives to their services, so they can impose horrible conditions on the users and get away with it because the users have nowhere else to go. They also love violating antitrust law at every chance- that’s how they became monopolists after all.

If privacy and antitrust law start to overlap, they are in trouble- which is why Bundeskartellamt could be a game changer in the long run and play a big role in antitrust cases.

What does this all mean for Meta and Big Tech?

First of all, Meta's new privacy policy is dead in the water after a mere 4 months.

But Bundeskartellamt is much, much bigger than Meta. The takeaway is that Big Tech can’t get away with murder under the GDPR. This is the implicit but consistent assumption behind all of the findings of the Court- from legal bases for advertising to the overlap between antitrust and privacy law. Every word of this ruling is bad news for Big Tech.

From now on it will be harder than ever to argue that the widespread pay-with-your-data business model can comply with the GDPR unless you give users a fair and meaningful choice to opt-out. In which case, many users will opt out, with catastrophic consequences for revenue. So, the ruling is a major blow to the data-as-payment business model often used by Big Tech.

As if that weren’t enough, competition authorities can factor in GDPR violations when assessing abuses of a dominant position. This is bad news for Big Tech because they are often in the crosshairs of both privacy and competition authorities.


Conclusion

It is commonplace by now that GDPR enforcement is lacking. Decisions often take ages because privacy authorities are chronically underfunded and overworked, and countless cross-border cases are delayed or derailed entirely by inefficient cooperation between authorities.

But there is a silver lining. We may not see as many decisions as needed, but the ones we do see are often quite good.

Many regulators understand that the GDPR is not a laundry list of paperwork that a company needs to do but rather an important law that plays a crucial role in the protection of the fundamental right to privacy. They expect organizations to comply with the spirit of the regulation and don’t let them off the hook over technicalities. If you do something wrong, you probably won’t be able to “lawyer” your way out of trouble.

Bundeskartellamt is a prime example of good enforcement. It proves that the CJEU takes the GDPR seriously and suggests that the Regulation may finally show Big Tech its teeth in the near future- which is bad news for Big Tech and good news for everyone else.

In the meantime, organizations can also help the EU’s move towards privacy. Many widespread and data-hungry services have excellent, privacy-friendly alternatives- and Google Analytics should be a prime candidate for ditching!

We built Simple Analytics because we believe web analytics does not need to be invasive! We are proud to provide our customers with all the insights they need to grow their business and foster their online presence- all without collecting personal data or tracking users. If this sounds good to you, feel free to give us a try!
