Just this morning I reported on the LG München decision on Focus.de, and another decision seems to have dealt the data protection death blow to obtaining permission from users of a platform/website for “targeted advertising” only via provisions in the terms and conditions and not through explicit consent.
As confirmed by the Irish Data Protection Authority, the European Data Protection Board (EDPB) has rejected the circumvention of the GDPR/GDPR by the Irish Data Protection Authority and Meta on the basis of complaints filed by the organization “noyb” against Facebook and Instagram. Meta, as the operator of Facebook, Instagram and Whatsapp, is now prohibited from circumventing the GDPR through a clause in its terms and conditions. Meta must obtain consent for personalized advertising and offer users a “yes/no” option.
The GDPR recognizes six legal bases for the processing of data. One of them is consent pursuant to Article 6(1)(a) DSGVO. The delimitation of the possibilities and when which possibility is permissible or how exactly these must be designed is not entirely clear and is always a cause for controversy. Since users are naturally reluctant to clearly and unambiguously consent to being recognized on a website for the purpose of advertising (and certainly not across different services), Meta attempted to circumvent the consent requirement for tracking and online advertising by arguing that ads were part of the “service” it contractually owed to users.
However, this so-called “contractual necessity” under Article 6(1)(b) is usually understood narrowly. An example would be the forwarding of address data to a postal service provider by an online store in order to be able to carry out an order that has been placed. Meta took the position that it could simply add whatever elements it wanted to the contract with the user (such as personalized advertising) to avoid a yes/no consent option for users.
Despite many attempts by the Irish data protection authority to allow this practice for Meta, the European Data Protection Board now also rejects this practice in the final decision.
The decision means that Meta must provide all users with a version of all apps that does not use personal data for advertising within three months. The ruling would still allow Meta to use non-personal data (such as the content of a story) to personalize ads or ask users to approve ads via a yes/no option. Users must be able to withdraw their consent at any time, and Meta must not restrict service if users so choose. While this would drastically limit Meta’s profits in the EU, it would not ban advertising entirely. Instead, the decision puts Meta on the same level as other websites or apps that must offer users a yes/no option. In addition, a 3-digit million fine was imposed on Meta. This is unlikely to do the already rapidly falling share price any good.
In addition to a number of other cases pending before the ECJ, the question of whether Meta users are now entitled to claims for damages against Meta because it unlawfully used personal data for 4.5 years is likely to be exciting. Another field for legal service providers?
The path taken by data protection authorities and privacy activists, as well as the courts, is therefore quite clear and marketers and service providers are strongly advised not to process and/or share users’ data with third parties without explicit consent, unless this is clearly and unambiguously for the performance of a contract, a legal obligation, to safeguard vital interests, or to serve a public interest. The “f” option in Article 6(1)(a) of the GDPR, “the legitimate interest of the controller or a third party” can quickly become a dangerously hot, and as you can now witness at Meta, expensive undertaking.
Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.
The General Data Protection Regulation (GDPR) has fundamentally changed the way companies handle personal data. It has set new standards...
Read moreDetails
In my IT Media Law Podcast, I focus on exciting topics relating to law, technology and digital transformation. So far,...
Read moreDetails
Introduction: A precedent with far-reaching consequences The case of Robert Kneschke against LAION e.V. marks a milestone in the legal...
Read moreDetails
For GamesMarkt, I contributed content to the special "eSport - Player, Business, Sponsoring" and commented on the topic "Compensation for...
Read moreDetails
Travel expense accounting is important My article yesterday on the risk of tax and/or social security audits generated some feedback....
Read moreDetails
GMail is not a telecommunications service. This was the decision of the Higher Administrative Court for the State of North...
Read moreDetails
The sale of mobile games or even in-app sales of computer games via app stores constitutes a service commission under...
Read moreDetails
Since 99 of my clients come to me with digital topics, my law firm is of course as digital as...
Read moreDetails
Anyone who occasionally follows my blog may have noticed that I am an opponent of insisting in politics that esport...
Read moreDetailsThe Distance Learning Protection Act (FernUSG) has been experiencing a renaissance for some time now. What for decades was considered...
Read moreDetails
In this captivating episode of my IT Medialaw podcast, I, Marian Härtel, share my personal journey as a passionate IT...
Read moreDetails
In this video, I talk a bit about transparent billing and how I communicate what it costs to work with...
Read moreDetails
