Using personal info for ads without consent puts Meta in EU's gunsights

European privacy regulators have determined that Meta's use of personalized advertising in Facebook, Instagram, and WhatsApp violates data protection laws. Specifically, the European Data Protection Board (EDPB), a group of EU privacy regulators, has invalidated a prior decision by the Irish Data Protection Commission (DPC) …

  1. alain williams Silver badge

    Who else does this apply to ?

    For instance Google ?

    1. Dinanziame Silver badge

      Re: Who else does this apply to ?

      Google does ask for your consent, for example every time you do a search in incognito mode. It used to be you needed more clicks to reject all cookies than to accept all cookies, and they got fined for that, so now it's one click for both.

      1. Screepy

        Re: Who else does this apply to ?

        Not quite on topic but since consent options have been mentioned...

        A couple of months back Ghostery implemented their automatically 'opt out of all' functionality in their browser plugin.

        It works surprisingly well I find.

        Whenever I visit a new site, I see the consent pop-up window appear and then disappear as Ghostery automatically says no to all.

        It makes me happy each time it happens - small victories :)

        1. NopetyNope

          Re: Who else does this apply to ?

          If only there were some kind of way that browsers were able to pre-signal that decision without interruption. Maybe some kind of header would work, perhaps "do no tracking" or maybe better "do not track"...

          Malicious compliance at its finest from the entire tech sector at play here.

          1. Evil Scot Bronze badge

            Re: Who else does this apply to ?

            Possibly add the computer misuse act regulation of "Securing access to a user's computer without their permission." then this browser option might work.

            1. Jimmy2Cows Silver badge

              Re: Who else does this apply to ?

              Simply make it an offence to ignore "do not track". A statutory offence at that. Give everyone a year to get their act together. Then fine anyone who still ignores it a minimum 20% of global turnover. Not profit. Turnover. Add another 10% each time they fail to sort it out.

              No backroom deals, no weaselling out of it. Make it apply all the way up to the highest level of parent / shell company, so the parent doesn't just shutter the child and start afresh with the same behaviour.

              Run an extremely public campaign so nobody can say they weren't aware of it.

              Don't like it? No business here for you.

          2. Missing Semicolon Silver badge

            Re: Who else does this apply to ?

            The inability to obey "do not track" is kinda useful. Privacy badger can use it to detect a tracking site.

          3. Sora2566 Silver badge

            Re: Who else does this apply to ?

            That was a thing (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DNT). It was removed because sites not only ignored it, they used it as another data point in their fingerprinting.

        2. Anonymous Coward

          Re: Who else does this apply to ?

          But who Guards the Ghostery?

    2. Pseu Donyme

      Re: Who else does this apply to ?

      Well, Google not so much, not directly, as they apparently haven't tried the same blatant abuse of contract as legal basis as Facebook / Meta. The general gist of the decision (or what is allegedly known about it; it hasn't been actually published yet) seems to be against anybody's advertising based on profiling without consent though; this is still the core of Google's (Alphabet's) business model and the only plausible rationale for their extensive data collection with Chrome* and Google Analytics** (which is hardly based on consent in the GDPR-sense).

      * https://contrachrome.com/

      ** https://noyb.eu/en/update-cnil-decides-eu-us-data-transfer-google-analytics-illegal

  2. Kevin Johnston

    Schrems

    Can we get some sort of round of honours for this guy? With a very small number of politically driven exceptions he seems to be the only person willing/able to stand up and point to all the ways that big Corporations (and some politicians who may bear closer checks/cheques) are ignoring laws around data privacy to maximise profits

    1. Graham Cobb

      Re: Schrems

      Don't forget you can join (or just donate to) noyb (http://noyb.eu). You don't have to be an EU citizen/resident to do so.

  3. This post has been deleted by its author

  4. Anonymous Coward

    Appeals

    There needs to be a change to stop this inevitable "appeal things as far as we can" and don't change anything until we've exhausted that route - maybe something along the lines of "If you appeal it and lose then the fine goes up by a factor of 10".

    1. OhForF' Silver badge

      Appeals/delay tactic

      It's more an "appeal things as slow as we can just before we have to pay up or change our ways" as it's purely a delay tactic.

      In my opinion an even worse problem is the Irish Data Protection Commission (DPC), I don't think there was any legal ground to stand on for them to say Meta was within its rights of using the data without consent. There need to be deterrents for the Irish DPC for taking decisions ignoring the law and favoring corporations like Meta.

    2. Phil O'Sophical Silver badge

      Re: Appeals

      Have the fines accrue compounded interest during the appeals process. The longer the appeals last, the bigger the potential penalty.

      1. heyrick Silver badge

        Re: Appeals

        Or just double the fine for every failed appeal?

        1. Someone Else Silver badge

          Re: Appeals

          ...whichever is greater

    3. This post has been deleted by its author

      1. John Brown (no body) Silver badge

        Re: Appeals

        "Do three months in a triple A cat"

        Not sure what that is, but it sounds like the sort of place you put violent criminals and terrorists, the sort of people who would be a physical danger to society at large if they escaped. You don't really want to be filling up the most expensive to run prisons with low risk, non-violent offenders. That just adds more cost for tax payer.

        1. This post has been deleted by its author

    4. Pseu Donyme

      Re: Appeals

      The fine could be determined after the final decision by multiplying the original fine by the number of years the violation continued after the first decision? This way there would be more incentive to fix things and less to delay the process.

    5. John Brown (no body) Silver badge

      Re: Appeals

      The appeals process is how justice is supposed to work. Changing that system would most likely adversely affect us, "the little people" who can't afford large teams of expensive lawyers.

      "and don't change anything until we've exhausted that route"

      Now that I can get behind. An appeal is against the decision of a court. That lower court has judged you guilty and convicted you. What you did IS illegal and must stop IMMEDIATELY. If you choose to appeal, that's fine, but you are still convicted unless a subsequent appeal succeeds. Carrying on with an illegal practice after being convicted is contempt of court, even if later you do succeed in an appeal.

  5. Mike 137 Silver badge

    "We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way."

    I am.

    I led a research project on the fulfilment of the GDPR transparency obligation between 2018 and 2021 and found that absolutely no online business in a large randomly collected sample actually complied with the law. Even the 'best attempts' at fulfilment of Chapter III obligations turned out to be mere token gestures that failed to allow data subjects to exercise their statutory rights, and the worst were amazingly transparently unlawful.

    Interestingly, we sent a copy of this report to NOYB as soon as it was published - so they probably lost it.

    1. OhForF' Silver badge

      "We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way."

      Most of those that did their 'best attempt' to comply would probably not claim they are fully compliant once Max brings a complaint to them and the DPC pointing out specific problems. My guess is that this is what NOYB was referring to with their statement about Meta's arrogant way.

      Did you contact the companies you reviewed in the study with the results and what was their reaction?

      1. Mike 137 Silver badge

        "We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way."

        "Did you contact the companies you reviewed in the study"

        In general, no as this was a survey primarily aimed at underlining the lack of policing, not an accusatory exercise, so we kept all findings anonymous.

        In one extreme case (as reported) we did -- a company providing web sites for medical practices (by definition applicable to Article 9 sensitive data), whose "privacy notices" referred to compliance with the "data protection act 1984". Their response was that they'd "inform their IT department", but nothing had changed a year later on any of the medical practice web sites.

        1. OhForF' Silver badge

          GDPR is an IT issue?

          Their response was that they'd "inform their IT department"

          I wonder why they informed IT instead of their legal department.

          Somebody complained about the web site so it must be an IT issue?

  6. Pseu Donyme

    "Meta has the option to appeal both the EDPB finding and Irish DPC ruling, whenever that appears."

    Actually, the CJEU General Court has just found that EDPB binding rulings cannot be appealed as such; an appeal may only be made against the DPA decision based on such a ruling. (https://curia.europa.eu/jcms/upload/docs/application/pdf/2022-12/cp220196en.pdf).

  7. Lorribot

    it was on a bus....

    Now we are no longer part of the EU thanks to Brexit can someone in the UK actually sue Meta on the same basis given that GDPR rules are exactly the same here still?

    Just to give their lawyers something else to think about and I am sure the treasury can find something useful to do with £350M since we seem to have lost that down the back of the sofa since Brexit.
