Meta Not Allowed to Process Without Consent

The EU Court of Justice (CJEU) has given a preliminary ruling against Meta following ongoing issues in Germany and Ireland regarding Meta’s collection of user data. This came about after the German Federal Cartel Office (FCO) prohibited the use of Facebook to protect German residents from having data processed without their consent. The FCO made this decision as they claimed Meta’s processing was not GDPR compliant and constituted abuse of Meta’s dominant position in the market for online social networks.

Meta fought against the decision from the FCO and responding to a compliance deadline in the Irish DPC’s order, announced they would switch the legal basis it claims for the data-for-ads processing to another non-consent-based basis known as “legitimate interest”.

The Higher Regional Court referred the case to the CJEU. Within the referral they questioned:

  • Whether an online social network operator can process a data subject’s sensitive data within the means of GDPR
  • The lawfulness of the processing by such an operator under GDPR
  • The validity of the consent given

EU Court of Justice

The CJEU decided to uphold the original decision by the FCO. They determined the processing of personal data by Meta’s operator must be considered as ‘processing of special categories of personal data’. This is because when a user inputs information during registration or purchase within a website or app data is collected by means of integrated interfaces, cookies or similar storage technologies. Collection like this links all that data with the user’s social network account. This could in turn reveal the user’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Sexual orientation

This use of data is prohibited under GDPR. The collection of this special category data can only be done when the user gives explicit consent, which Meta is not doing. As user’s do not explicitly make their sensitive data obviously public it has meant that Meta have not been forced to obtain explicit consent thus far. However, the CJEU has said that the linking of data within a Facebook account is not necessary for Meta’s “legitimate interests” since it does not:

  • Inform users from whom the data has been collected
  • Obtain valid consent from the users
    • Given the market power Meta has, the quality of consent needs to be valid, free and not manipulated by the use of dark patterns or penalizing the user with a sub-par service.
A blue gradient background which is darker in the bottom right and lighter in all other corners. In the centre is a logo for Value Privacy. It is value privacy written in white, privacy is bold, value is not and there is a yellow fullstop after privacy. Underneath this logo is written "Making Privacy Simple" in yellow

Value Privacy’s experts are on hand to make sure that you and your company aren’t caught out by new or existing privacy laws.

You can find out more about the services we offer or just get in touch with us directly with any questions you have about how privacy laws impact you.

Previous Post

Planned Parenthood Patients Sue Google

Next Post

European Commission Adopts EU-US Adequacy Decision

Related Posts