News
AdTech Update: CJEU landmark data protection ruling for online and behavioral advertising
Online advertising is one of the largest online industries. However, it also has long faced issues with data protection regulators. The CJEU has handed down a landmark ruling that clarifies what legal bases controllers can rely on for online and behavioral advertising. This development follows several decisions relating to appropriate legal bases for processing data in the context of online and behavioral advertising.
Introduction
What legal basis can online platforms use for processing personal data for targeted advertising? We now have an answer. Following many fines and decisions from data protection supervisory authorities relating to the issue, the CJEU has issued a landmark decision in Meta vs Bundeskartellamt Case C-252/21 (Decision). The Decision significantly impacts the AdTech industry, especially the personalized use of consumers' personal data for targeted advertising by social media platforms, but also generally regarding the interplay of GDPR and Competition law.
This note explores the history leading to this decision and what this means for the future of personalised advertising by online platforms.
Background to the Decision
This development follows several decisions on the appropriate legal basis for processing data in the context of online and behavioral advertising. Under Article 6 of the General Data Protection Regulation (GDPR), organizations that process personal data must have a legal basis to do so. In recent years, data protection supervisory authorities have fined online platforms for failing to choose the correct legal basis for such purposes:
- Whatsapp was fined €5.5 million by the Irish Data Protection Commission (DPC) in January 2023. The messaging app previously relied on "contractual necessity" (Art 6(1)(b) of the GDPR) as a legal basis before the DPC determined that this was insufficient and ordered it to change from that legal basis. In July 2023, Whatsapp changed its legal basis to "legitimate interest".
- Meta and Instagram were fined €210 million and €180 million, respectively, by the DPC in January of 2023 on the basis that the platforms inappropriately relied on "contractual necessity" as a legal basis for processing personal data for behavioral advertising as this was not a core element of the services. The DPC gave the company three months to bring its data processing operations into compliance. In April, Meta changed the legal basis to that of "legitimate interest" (Art 6(1)(f) of the GDPR). However, since then and following the Court of Justice of the European Union (CJEU) decision below, it has changed the legal basis for such processing from "legitimate interest" to "consent" (Art 6(1)(a) of the GDPR).
CJEU's Analysis on Appropriate Legal Basis for Online & Behavioural Advertising
One of the key takeaways from the Decision is the helpful analysis the CJEU provided on the threshold required for using the appropriate legal bases available under Article 6 GDPR for personalized content and advertisement. Specifically, the question referred to the CJEU was:
(i) Can Meta, justify collecting data from other group services (i.e., Instagram), third party websites and apps via integrated services, cookies or other similar storage technology, link that data to the user's account, and use that data for personalized advertising on the basis of contract or legitimate interest under Article 6 of the GDPR? The CJEU was further asked whether specific interests as listed below could constitute a legitimate interest under the GDPR.
1. Necessary For The Performance Of A Contract
To rely on "contractual necessity" as a legal basis, the CJEU helpfully clarified that "the decisive factor for the purposes of applying the justification of contractual necessity is that the processing of the personal data by the controller must be essential for the proper performance of the contract concluded between the controller and the data subject". In essence the processing must be "objectively indispensable for a purpose that is integral to the contractual obligations intended for the data subject." This means that the controller must be able to show that the processing is essential for the performance of the contract, i.e., there are no workable, less intrusive alternatives and that the contract cannot be achieved if the processing does not occur. In this case, the CJEU believed that processing personal data for behavioral advertising was not integral to the contract and was merely ancillary.
In response to the justifications put forward by Meta in relying on contractual necessity for the processing, the CJEU set out the following:
- Personalized content: Personalized advertising is not necessary to offer the user social network services (e.g., having a profile and interacting and engaging on the platforms). The CJEU believed that those services could be offered as an equivalent alternative that did not provide personalization to the end user (e.g., use of the platform excluding personalized advertising).
- Consistent and seamless use of the Meta Group's services: There is no obligation to subscribe to the services offered by the Meta Group to create an account on Facebook. The services provided by Meta can be used independently of each other, so the processing was not necessary for this purpose.
2. Legitimate Interest
To rely on "legitimate interest" as a legal basis, the CJEU helpfully clarified that, when conducting a balancing test to assess whether the data subject’s interests override the legitimate interest, the controller must take the reasonable expectations of the data subject as well as the scale of the processing at issue, into account and its impact on data subjects.
In response to the following justifications put forward by Meta in relying on legitimate interest for the processing, the CJEU set out the following:
- Personalized Advertising: Even though the services of an online social network such as Facebook are free of charge, the user of that network cannot reasonably expect that the social network operator will process that user's personal data without their consent for personalized advertising. In such circumstances, the rights of the user override the rights and interests of the operator, i.e., that this activity finances its operations.
- Network Security: The German court will have to ascertain whether and to what extent the processing of personal data collected from sources outside the Facebook social network is necessary to ensure that the internal security of that network is not compromised.
- Product Improvement: The controller's interest in improving its product or service could constitute a legitimate interest capable of justifying the processing, subject to a final assessment as to whether this would override the interests and fundamental rights of the user.
- Sharing of Information with Law Enforcement Agencies: This cannot constitute a legitimate interest within the meaning of GDPR.
- Research and Innovation: The CJEU could not comment on this justification.
The CJEU acknowledged that personalized advertising may qualify as a legitimate interest. However, it held that the users’ interests, rights, and freedoms prevail in the context of the processing at issue. The CJEU noted that although online services such as Facebook are provided free of charge, users would not reasonably expect that such extensive processing activity for the purpose of personalized advertisement was being conducted without their consent. Therefore, it is unlikely that legitimate interest could be used as a lawful basis for personalized advertising.
(ii) Can consent, as defined under GDPR, be freely given to a dominant undertaking? (i.e., such as Meta Platforms Ireland)?
1. Consent
Concerning consent, the CJEU noted in the GDPR that "consent is not freely given where the data subject has no free or genuine choice or is unable to refuse or withdraw it without detriment". Therefore, users must be able to refuse consent to particular data processing operations which are not necessary for the performance of the contract (such as personalized advertising) without giving up the opportunity to use the service offered by the online operator. According to the CJEU, users not wishing to provide consent to processing operations that are not necessary for the performance of the contract could be charged a fee. It was also noted that the dominant market position of the online operator does not, per se, preclude users from being able to give valid consent to the processing of their data. However, it is an important factor to consider when determining whether consent was freely and validly given.
Competition Authority Can Investigate GDPR Breaches
The CJEU also addressed whether a National Competition Authority (NCA) can consider an alleged breach of the GDPR. It held that an NCA can find, in the context of the examination of abuse of a dominant position under Article 102 TFEU, that the undertaking's general terms of use relating to the processing of personal data and implementation thereof are not consistent with the GDPR (where such a finding is necessary to establish the existence of such an abuse).
Key Learnings
Online platforms with business models based on personalized content and advertisement should heed the Decision and review their data processing operations. There are several key takeaways:
- The fact that the processing of personal data for personalized content and advertisement is referred to in a contract or is useful to the performance of the contract may be irrelevant.
- Personalized content might not be necessary to offer a user online social network services.
- A "product improvement objective" might have the ability to come under the legitimate interest legal basis, but only where it does not override the interests and fundamental rights of the user.
- Consent must be valid and freely given to use as basis for processing.
- A dominant market position of the online operator does not, per se, preclude users from being able to give valid consent. However, it is an important factor to consider when determining whether consent was validly given.
Article provided by INPLP member: Leo Moore (William Fry, Ireland)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010