A new case has once again inflamed the debate around the role of European data protection law in the digital age, particularly with regard to the sustainability of platforms’ ad-based business model. At the end of December 2022, the Irish Data Protection Commission (DPC) imposed a €390 million fine against Meta for the processing of its users’ data for the purposes of targeted advertising based on contractual necessity as a legal basis. Nonetheless, this decision was not aimed at reacting to or punishing Meta for violating the General Data Protection Regulation (GDPR), but primarily resulted from the binding opinion of the European Data Protection Board (EDPB) in the same month. In its decision, the EDPB recognised that Meta can provide its services without personalised advertising, both in the case of Facebook and Instagram. As a result, contractual necessity cannot be relied on as a valid legal basis to process users’ data for purposes of targeted advertising. Therefore, the EDPB decision left the DPC no option other than to recognise that Meta violated the GDPR, particularly Art. 6, when relying on contractual necessity as the legal basis to process users’ personal data for purposes of targeted advertising. This case provides another example of the unsolved pitfalls of European data protection, from specific questions, including the relationship among legal bases to process personal data, to general concerns about the role of data protection in the internal market.
- The Legal Basis
The DPC decision contributes to consolidating the definition of a hierarchy among legal bases in European data protection. However, the GDPR does not establish such a hierarchy, even if there is a growing trend towards considering consent to be more privacy protective than other legal bases. In particular, the recent investigations of the Italian, Spanish, and Irish Data Protection Authorities (DPAs) against TikTok’s announcement about the shift from consent to legitimate interest for the processing of users’ data have questioned the possibility of relying on the legitimate interest. This view was also confirmed by the opinion delivered by Advocate General (AG) Rantos in the case of Meta Platforms v. Bundeskartellamt. In this case, the AG underlined that the adoption of the legitimate interest as a legal basis to analyse users’ personal data for the purposes of advertising may not be justified by a clear and evident necessity of such processing of data, thus requiring additional efforts of the data controller in proving such necessity.
Despite this view, it is critical to underline that these decisions do not pre-empt the use of personalised advertising on social media. Article 6 of the GDPR provides other legal bases to process personal data. The decisions only clarify that contractual necessity as a legal basis cannot be used by Meta when offering personalised advertising. Even if the DPC decision does not exclude the possibility of relying on other legal bases for targeted advertising, it seems hard to identify another suitable legal basis other than consent, also in the light of the recent decisions on the use of the legitimate interest for targeted advertising. Contractual necessity as a legal basis provides a certain degree of certainty to users who agree to enter into a contract to use social media whose services are inherently based on advertising, particularly in the case of Facebook and Instagram. Besides, limiting the possibility of relying on contractual necessity could lead data controllers to rely on alternative legal bases, thus requiring additional investments, as in the case of the legitimate interest, for designing and implementing appropriate safeguards that balance the interest of data controllers with the fundamental rights of data subjects.
This picture underlines how the ability to process data for targeted advertising is de facto limited, even if still possible. This approach leads to a conflict with the architecture of the GDPR, particularly the principle of accountability. According to the GDPR, it is for data controllers to demonstrate that they have implemented appropriate safeguards to respect the general principles of the GDPR, including lawfulness and, therefore, the adequate legal basis to protect users’ rights. Therefore, the DPC decision restricts the space for the principle of accountability, thus also unexpectedly shaping the role of Meta and, more broadly, social media as a data controller when it comes to the processing of personal data in the case of targeted advertising. This situation raises concerns about the possibility for data controllers in the EU to invest resources in complying with the dynamic requirements of the GDPR, which are often agreed with, or at least not contested by, national competent authorities.
- Institutional Misalignments
The question of legal bases does not exhaust the concerns raised by these decisions. These cases underline the problematic fragmentation in the approaches of national competent authorities and their coordination with the European institutions. This case indeed provides an opportunity to underline how the fragmentation in the views of the DPC and EDPB could lead to different outcomes that can affect the investments made by private actors to comply with certain obligations, often shaped and agreed with competent authorities. As underlined by Meta, since the GDPR came into force, the platform has relied on contractual necessity to process users’ data for behavioural advertisements, and, in previous assessments of these services, there were no objections by regulators or courts. Indeed, the primary problem is not related to the rigid position taken by European institutions or national competent authorities but to the lack of a consistent interpretation, which inevitably leads to unpredictable consequences for businesses in the internal market.
The GDPR has already required data controllers to adapt their compliance not to a rigid structure but to an evolving process based on a contextual risk assessment. The DPC decision seems to limit the centrality of advertising for social media’s business model, which inevitably shapes when the processing of personal data can be considered contractually necessary. Even if social media can rely on alternative legal bases, the question is whether the compression of economic freedoms is tolerable in this case if this complexity is amplified by an inconsistent form of enforcement and interpretation. The price of the GDPR could be higher than expected for the internal market. Even if for good reasons, European data protection is a central cost to take into account, not only for tech giants but also for small businesses entering this market. The possibility of being sanctioned due to the lack of agreement between national and European bodies could be an institutional cost affecting fundamental freedoms in the internal market.
This situation also leads to looking at this case in a broader picture. The fine imposed by the DPC is not only another alarming example of how legal uncertainty is affecting the European internal market in the digital age but also concerns the sustainability of ad-based business models in Europe. This case underlines an increasing tension between the protection of individual rights and economic freedoms, thus making European data protection a critical space for assessing the evolution of the internal market. Therefore, the primary question is about how to strike a sustainable balance to limit abuses of private freedoms or individual rights.
- Searching for Consistency
The DPC case implicitly highlights how, despite the critical step made by the GDPR, the enforcement and interpretation of these rules raise primary concerns, particularly in terms of consistency among different political and legal interpretations of the GDPR by national and European institutions. This situation increases the uncertainty in the internal market, thus also affecting the trust between national competent authorities and the private sector that deals with a complex framework of compliance required by the GDPR.
In this case, the structure of the GDPR provides guidance for overcoming this situation. Indeed, on the one hand, the GDPR has led to an important step forward in the protection of data subjects’ fundamental rights. On the other hand, it still tends to protect economic freedoms in the internal market. This constitutional conflict leads to looking at the principle of accountability as a potential way to limit abuses of individual rights or economic freedoms. Therefore, if the principle of accountability helps to strike a balance among conflicting constitutional interests, the primary point is also how to ensure that this principle guides the relationship between national competent authorities and European institutions. The inconsistent enforcement of the GDPR not only leads to unpredictable sanctions but also undermines the trust and collaboration between public and private actors in determining compliance with the GDPR.