from the fundamental-right-of-legitimate-interest dept.
noyb will take immediate action to stop this illegal practice:
As the Wall Street Journal reports, Meta (Facebook and Instagram) is switching from an illegal contract to equally illegal basis "legitimate interests" for advertisement, after noyb won a series of complaints against them. noyb will take imminent action, as the clear case law and guidance does not allow a company to argue that its interests in profits overrides the users' right to privacy.
Background. The GDPR allows to process personal data if a company complies with at least one of six legal basis in Article 6 GDPR. Most of these six options are irrelevant for advertisement. While most companies require users to consent ("opt-in") for the use of personal data for advertisement, Meta (Facebook and Instagram) have tried to bypass this requirement by arguing that the use of personal data for ads is "necessary under the contract" when the GDPR became applicable in 2018. noyb has instantly filed a series of complaints and ultimately won them before the European Data Protection Board (EDPB) in December 2022. Meta got until April to stop the practice.
One illegal practice replaced by next illegal practice. Now Meta announces to give in against the pressure by noyb, but instead of switching to an "opt-in" system, like Google or Microsoft, they now try to argue the next unlawful option, by claiming that their "legitimate interest" to process user data would override the fundamental right to privacy and data protection of users. This was tried by other companies before, but rejected by the regulators multiple times (see e.g. the Italian DPA on TikTok or the Belgian DPA on the IAB TCF at para 441).
[...] Max Schrems: "Meta is switching one illegal practice for another illegal practice. noyb will take imminent legal action to stop this charade, as it is clear that the Irish Regulator of Meta will again be inactive. This is an absurd game and we will stop it as quickly as possible. Like any other company, Meta needs to have a clear yes/no option for users, where they must actively say yes if they want to give up their fundamental rights. This system of using legitimate interest at least allows for opt-out, which makes it a slight improvement for users."
(Score: 5, Insightful) by ledow on Thursday April 06, @10:13AM (1 child)
You would have a legitimate interest in processing that data of MINE if, for example, I actually consented to you doing so.
You don't have a legitimate interest in processing data that I don't want you to have, and you have no legal reason to possess. The only reason you have for having that data is to sell it to others, in effect, and that's not "legitimate interest".
e.g. in the UK (which basically follows the EU GDPR still):
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/ [ico.org.uk]
“processing is necessary for…
…the purposes of the legitimate interests pursued by the controller or by a third party, …
…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
(Whoops, with that "except", Facebook!)
"Purpose test – is there a legitimate interest behind the processing?
Necessity test – is the processing necessary for that purpose?
Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?"
(Whoops again with the latter)
Sure, you can say that sometimes it's necessary to process it, as in the examples given, but that doesn't cover "so we can sell it to our ad partners".
(Score: 2) by kazzie on Friday April 07, @08:51AM
Good points overall, but I'd like to clarify for other readers around
"Legitimate interests" don't require explicit consent from the user, as they're meant to be the "well, duh" category of neccesary processing to fulfil a contract, etc. Online retailers don't need explicit consent to share your address with the postal service in order to ship the thing you just ordered. That's the whole point of "legitimate interest" : not having to ask for consent. But it's only allowed subject to the considerations you listed.
(There are other legal reasons for processing data without consent: thieves can't stop the police from processing their fingerprints!)
The key issue here (as you alluded to) is that Facebook have decided that they have a legitimate interest in collecting and selling user data because that's what Facebook do, that user interests aren't as important, and seem to have persuaded the Irish Data Commissioner (per TFA) that this is okay. That's where the appeals up to the European courts started...
(Score: 5, Insightful) by bradley13 on Thursday April 06, @04:48PM
The EU has provisions for exactly this kind of recalcitrance. They can fine companies a percentage of their global turnover.
It's time and past time to start fining Meta. The fines need to be big enough that they cannot be regarded as the ordinary cost of doing business.
Everyone is somebody else's weirdo.
(Score: 2) by The Vocal Minority on Friday April 07, @04:12AM
No, SN should never be serving ads argle bargle argle...
(Score: 1) by khallow on Friday April 07, @12:56PM