Meta made a controversial move last year when it started charging users in the EU for ad-free access to Facebook and/or Instagram unless they agreed to be tracked and profiled so Meta could keep running its microtargeting ad business. This caused a lot of complaints from consumer rights groups. They are being brought under the bloc’s rules for protecting data.
Right now, Meta charges users in the region €9.99 per month on the web (or €12.99 per month on mobile) if they don’t want to see ads on their linked Facebook and Instagram accounts. EU users can only use Facebook and Instagram if they agree to be tracked. This means that the choice is either to pay for privacy or to “pay” for free access by giving up your privacy.
Eight consumer rights groups from around the region are complaining to their national data protection authorities about this “consent or pay” option. This was announced today by BEUC, the European consumer organization that the groups belong to and works with to coordinate their activities.
“Any consent that consumers give must be valid and meet the high standards set by the law. This means that the consent must be free, clear, specific, informed, and unambiguous.” “Meta’s ‘pay-or-consent’ model does not work in this way,” they say in a blog post about the complaint, which also says Meta is trying “to force consumers into accepting its processing of their personal data.”
Meta doesn’t tell its customers how it processes their data, so they can’t tell what changes if they pick one choice over another. They also say, “The company fails to show that the fee it charges people who don’t agree is necessary, which is a requirement set by the Court of Justice of the EU.” They add, “In these circumstances, the choice about how people want their data to be processed becomes meaningless and is therefore not free.”
According to the General Data Protection Regulation (GDPR), Meta does not have a legal right to use people’s data for ad targeting. Eight consumer groups from the Czech Republic, Denmark, Greece, France, Norway, Slovakia, Slovenia, and Spain say this. They say the company is processing personal data in a way that is “fundamentally incompatible with European data protection law.”
In particular, they say Meta broke the GDPR rules about purpose limitation, data minimization, fair handling, and openness.
If the rule is broken, the fines can be up to 4% of the company’s world annual turnover. More importantly, companies can be told to stop processing data in a way that is against the law. This means that lawmakers may be able to change business models that are bad for privacy.
In a statement, Ursula Pachl, who is the assistant director general of BEUC, said:
Meta has tried many times to explain why it keeps such close eyes on its users for business reasons. Its unfair “pay-or-consent” option is the latest way the company is trying to get its business plan legalized. Meta’s offer to customers is just a bunch of smoke and mirrors to hide the fact that it will continue to steal private information about people’s lives and use that information to make money through intrusive advertising. As per the GDPR, surveillance-based business models cause many issues. It is time for the authorities in charge of data security to stop Meta from processing people’s data unfairly and violating their basic rights.
BEUC said that a legal analysis it did with its members and the data rights law company AWO found that Meta’s handling of personal data about consumers breaks the GDPR in several ways. The research shows that some of the processing for ads “appears to rely invalidly on contract” and does not have a good reason for doing so.
The study also asks what legal reason Meta uses for personalizing content. It says this is “not clear” and “there is no way to verify” that all of Meta’s profiling for this purpose is necessary for the contract and in line with the GDPR principle of data minimization. When Meta profiles people for business reasons, the same questions are asked.
In addition, it said that Meta’s processing in general does not follow the principles of purpose limitation and transparency. It pointed out issues like processing that was not expected, using a dominant position to get consent, and “switching of legal bases in ways that frustrate the exercise of data subject rights.” This, in turn, did not follow the GDPR principle of fairness.
Meta’s self-serving “consent or cough up” offer is already the subject of a number of other GDPR complaints, as we’ve already said. Some of these are from the privacy rights group noyb and are about how Meta has put a high price on privacy. Others are about how Meta has made it very easy for users to agree to its tracking but very hard for them to protect their privacy, even if they want to change their minds and withdraw consent they already gave.
Earlier this month, three DPAs also asked the EDPB, which is in charge of data security in the EU, to give its opinion on whether consent or pay is legal.
That advice has not yet been given. But new complaints and this action by consumer protection and privacy rights groups could put more pressure on the EU’s data protection regulator not to approve of a strategy that privacy activists have long said is a dishonest way to get around the EU’s data protection rules for business reasons.
Unfortunately, Meta can’t use other legal bases that it said allowed the processing of its ads. This is because of privacy concerns and a competition challenge. Getting users’ permission is pretty much Meta’s only chance to keep running its tracking ads business in the EU, where the law requires a valid legal basis for processing people’s data (the GDPR lists six legal bases, but Meta’s business doesn’t need any of them).
If Meta’s latest attempt to get people to agree to something fails, it might finally have to change how it makes money from spying. We’ve said before that Meta and computer users in Europe have a lot at stake.
Consumer protection groups have already complained about Meta’s “consent or pay” strategy before. Some of them say it breaks the bloc’s rules on consumer protection as well. Overall, the sector took coordinated action last November. The BEUC and 18 of its member groups filed complaints against Meta for what they called “unfair, deceptive, and aggressive practices” that they say break the bloc’s consumer protection rules.
People sent those complaints to the CPC, which is a network of consumer protection bodies in different parts of the world. Consumer protection authorities have the power to fine Meta up to 4% of its global sales if it doesn’t participate in the CPC’s process, such as by making concessions to address the groups’ concerns.
BEUC said at the time that it might also file a data protection case against Meta’s controversial consent offer. This is what we’re seeing now.
Meta was told in a news release that it had to stop any illegal processing of personal data about consumers, even if it was for advertising purposes. “Any personal information that was obtained improperly must be erased. Meta must also make sure that the consent of its customers is freely given, clear, informed, and unambiguous if it wants to use that consent as a legal reason for processing their data.
Meta has said in the past that its “consent or pay” deal is legal under the GDPR. It does support the controversial strategy on its blog, but it doesn’t say anything about how it follows EU consumer protection law.
There’s one more thing to think about here: Meta has to follow the Digital Services Act (DSA) rules for bigger platforms and the Digital Markets Act (DMA). These are two younger, pan-EU laws that say you need permission to use personal data for ad targeting. The European Commission makes sure Meta does this. These rules also say that ads can’t use sensitive personal data or data about children. Also, say that giving permission should be just as easy as taking it back. What will the Commission do about Meta’s consent or pay offer in the EU? This is another very important question.
The EU’s executive has the power to make Meta follow the DSA and DMA, which could include giving remedial orders. If you break the DSA, you could be fined up to 6% of your yearly sales. If you break the DMA, you could be fined up to 10% (or even more if you do it again).
The most recent GDPR complaints from a consumer group against Meta will probably have to go through Ireland’s Data Protection Commission, which is the tech giant’s main data supervisor in the EU. This commission is still under fire for how laxly it enforces the GDPR on Meta and other tech giants, but the company’s choice of consent is also being looked at in a number of other ways. And maybe even faster and stronger policing as well.
Also Read: The Oversight Board Wants Meta to Change the “incoherent” Rules Against Fake Videos
*CECU, dTest, EKPIZO, Forbrugerrådet Taenk, Forbrukerrådet, Poprad, Spoločnosť ochrany spotrebiteľov (S.O.S.), UFC-Que Choisir, and Zveza Potrošnikov Slovenije (ZPS) are the BEUC members who have filed GDPR complaints against Meta. This is the ninth consumer group to file a complaint. It is the Netherlands-based Consumentenbond, and they will send a letter to the Dutch data security authority instead.
What do you say about this story? Visit Parhlo World For more.
