Meta’s data practices take a hit in major EU court ruling

5 Jul 2023

Image: © Ascannio/Stock.adobe.com

The CJEU ruled against Meta’s defence for its advertising practices and could give more authority to EU watchdogs to investigate future GDPR breaches.

Meta has suffered a blow to its data collection practices in a top European court, with a ruling that could set new precedents against other Big Tech companies.

The case surrounded a complaint from the German Federal Cartel Office, which claimed Meta processes some user data without consent, violating GDPR and abusing its dominant market position.

Meta brought its own action against this decision to Germany’s high court, which was then taken to the Court of Justice of the European Union (CJEU).

The EU court’s decision covers several areas and is overall a blow to Meta’s data practices. The CJEU ruled that information that is revealed when a user visits websites or apps does not mean the user “manifestly makes public” their data under GDPR.

“The same applies where a user enters information into such websites or apps or where he or she clicks or taps on buttons integrated into them, unless he or she has explicitly made the choice beforehand to make the data relating to him or her publicly accessible to an unlimited number of persons,” the CJEU said in a statement.

Patrick Breyer, an EU MEP of the Pirate Party, said the ruling could mean the end of the practice of “clickstream logging”, which is essentially data collected as a user navigates a website.

“Meta’s pretexts to justify this practice have largely been dismissed,” Breyer said. “Even for security purposes, indiscriminate and pervasive logging of all our clicks in an identifiable way is not necessary.

“Big Tech will need to be honest and give us the choice of paying for their services with money, or with our privacy. Today’s landmark ruling will change the internet landscape and give non-commercial, decentralised and free services a much-needed boost.”

The ruling also appears to give more power to antitrust authorities, as the CJEU said that it may be necessary during antitrust investigations to examine if a company’s conduct impacts rules outside of competition law, such as GDPR.

Personalised advertising

The CJEU also ruled that Meta’s personalised advertising practices are not a justified “legitimate interest” to process user data without consent.

NOYB, the non-profit established by privacy advocate Max Schrems, welcomed the court’s ruling and said the decision limits companies from running advertisements on a “freely given” yes or no consent.

“This is a huge blow for Meta, but also for other online advertisement companies,” Schrems said. “It clarifies that various legal theories by the industry to bypass the GDPR are null and void,” Schrems said.

Schrems claimed the ruling will also have a positive impact on “pending litigation” between NOYB and Meta in Ireland. In March, Meta agreed to change its targeted advertising practices in order to comply with a January ruling by Ireland’s data watchdog.

Meta changed the legal basis that it uses to process certain first-party data in Europe from ‘contractual necessity’ to ‘legitimate interests’. NOYB took issue with this, however, and said other platforms had tried and failed to use legitimate interest as a way to allow personalised ads on their platform.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com