The European Data Protection Board (EDPB) recently passed a confidential decision that Meta Platforms Inc., the parent company of the social media platforms Facebook and Instagram, needs to obtain users’ consent if it wants to advertise based on personal data in Europe in the future. Ireland’s Data Protection Commission (DPC), which is responsible for supervising Meta, will make a ruling based on this binding resolution within a month.
EDPB Secret Resolution: Meta will be prohibited from using personal information for personalized advertising without permission
“Reuters” reported that people familiar with the matter said on the 6th that the EDPB, the guiding body of the General Data Protection Regulation (GDPR), passed a series of secret resolutions that would prohibit Meta from using its software’s terms of service as a justification for allowing the platform to deliver personalized ads.
In addition, since Meta’s European headquarters is located in Dublin, Ireland, the DPC, the agency in charge of supervision, also needs to make a ruling on it according to the resolution within one month. The ruling may limit the material that Meta can obtain from selling such advertisements, and if Meta does not comply, the EDPB is likely to ask the Irish authorities to impose fines on Meta.
According to the content of the resolution, the EDPB requires Meta to offer a yes-or-no consent option when using personal data for advertising. Users must also have the option to withdraw their consent at any time, and Meta must not refuse to provide services because of this. Currently, the decision has not been made public, but it will be published together with the DPC’s final ruling in January 2023.
In this regard, one of Meta’s spokespersons stressed that the company is currently in contact with the Irish regulator. “The GDPR allows for a range of legal grounds on which data can be processed beyond consent or performance of a contract. Under the regulation, there is no hierarchy between these legal grounds, so there is no single one that is better or should be a priority.”
A spokesman for the EDPB declined to comment on the secret decision. The Irish Data Protection Commission (DPC) pointed out that it has one month to adopt the EDPB’s binding decision on Meta and will announce the details in January 2023. At that point, Meta can appeal the decision.
The incident originated from a complaint by the European privacy campaign organization noyb in 2018
In fact, the EDPB’s ruling on Meta was triggered by a complaint in 2018 by Max Schrems, the current honorary director of the European privacy campaign organization noyb and an Austrian privacy advocate.
According to noyb’s statement on the 6th, Schrems filed a complaint with the committee on May 25, 2018, which happened to be the first day the GDPR was in effect.
“Instead of providing a yes or no option for personalized ads, they just moved the terms of consent into the ‘terms and conditions’. Not only is it unfair, it’s patently illegal. And as far as we know, no other company has attempted to ignore the GDPR with such arrogance.”
Schrems said the case was about a simple question of law. He is happy with the decision of the EDPB despite the slow process.
Schrems said that the EDPB’s ruling means that Meta must allow users to have a version of the software that does not use personal data to serve ads. At the same time, the company can also use other methods that do not use personal data to serve personalized ads, or ask for the consent of the user.
Schrems stresses that users can change their minds at any time, which will ensure Meta competes fairly with other advertisers.
It is not the first time that Meta has been fined. Experts suggest that Meta needs to change its business model
This is not the first time that Meta has faced DPC penalties over the protection of personal data.
In September of this year (2022), the DPC fined Meta for Instagram’s improper handling of the personal information of young users. On November 28, the DPC found that a large amount of personal information of Facebook users had been published on the Internet, determined that Meta had failed to protect the data and violated the GDPR, and fined it 265 million euros (approximately NT$8.6 billion).
Regarding the resolution, Helena Brown, head of data and privacy at London-based law firm Addleshaw Goddard, also said Meta may have to change its business model.
“Reuters” reported that Brown said that, according to the current trend, European regulators will not allow Meta to hide behind the “terms of service” and use personal information for personalized advertisements.
Brown stressed that Meta may need to change its approach and seek explicit consent from users, and that it will be a challenge for the company to explain its advertising practices in a way that is legal and that users are informed about.