Circle your calendar, European friends: July 4th may soon be celebrated as “independence from Meta’s surveillance capitalism day.”
The Court of Justice of the European Union (CJEU) has delivered a significant judgment that appears to severely restrict the social media giant’s ability to disregard EU privacy laws and deny users a free choice regarding tracking and profiling.
YOU MAY ALSO LIKE: Twitter Faces Lawsuit For Ducking Arbitration With Ex-Employees
This ruling originated from a groundbreaking order issued by Germany’s antitrust regulator, the Federal Cartel Office (FCO).
The FCO conducted an extensive investigation into Facebook’s practices and argued that privacy violations should be treated as exploitative competition abuses.
In February 2019, the FCO directed Facebook (then known as Meta) to cease combining user data across its suite of social platforms without consent.
Meta challenged the order in German courts, leading to the referral of the case to the CJEU in March 2021.
The CJEU’s ruling not only affirms that competition authorities can consider data protection in antitrust assessments.
It also indicates that consent is the only legitimate basis for the personalized content and behavioral advertising that Meta monetizes through tracking and profiling.
The press release highlights the court’s doubts about whether personalized content or the seamless use of Meta’s services can meet the criteria for justifying data processing without consent based on the performance of a contract.
Under EU data protection law, consent means users must have the choice to refuse tracking without forfeiting access to the core service.
However, Meta historically denied users this choice.
In the weeks leading up to the CJEU’s judgment, Meta introduced new controls to allow users to limit cross-site tracking.
But it remains to be seen if these measures are sufficient.
While a CJEU advisor had previously expressed a similar opinion on Meta’s superprofiling practices, today’s ruling carries the weight of law.
Neither Meta nor EU data protection authorities can disregard the court’s decision.
This ruling is crucial because some EU data protection authorities have been criticized for their reluctance to vigorously enforce the General Data Protection Regulation (GDPR) against tech giants.
The CJEU’s guidance should compel authorities to take action. When users are empowered to reject surveillance capitalism, they do so in large numbers.
The CJEU also emphasizes the importance of ensuring that consent is valid, meaning that users are offered a genuine choice without manipulation or penalization.
The court confirms that Meta cannot evade the legal requirement to obtain explicit consent for processing sensitive categories of personal data.
This aspect of the ruling could result in further litigation against Meta for processing sensitive data without explicit consent.
Max Schrems, the lawyer and privacy rights advocate who filed the original complaint against Meta’s “forced consent,” describes today as “GDPR meltdown day for Meta.”
Schrems believes the court has closed all the loopholes that Meta’s lawyers have attempted to exploit over the past five years.
Privacy rights organization noyb, founded by Schrems, calls Meta’s GDPR approach “illegal” and anticipates a positive impact on pending litigation between noyb and Meta in Ireland.
The European consumer organization, BEUC, also welcomes the CJEU’s ruling, stating that it opens the way for more effective enforcement against dominant digital platforms.
YOU MAY ALSO LIKE: “Companies Must Stop Using Google Analytics,” – IMY
Meta has not yet provided a detailed response, stating that it is evaluating the court’s decision and will provide further comments in due course.
The company refers back to a previous blog post in which it switched its legal basis for data processing in Europe from “Contractual Necessity” to “Legitimate Interests,” claiming that there is no hierarchy among legal bases according to the GDPR.
