Meta will not be able to process personal data of its users to serve them advertising tailored to their profile. This is established by an urgent and binding decision of the European Data Protection Board (EDPB), the body in which the data protection agencies of the 27 are coordinated, including the Spanish AEPD. The decision, agreed on Friday and notified to the technology giant this Tuesday, requires enforcement of the General Data Protection Regulation (GDPR), which came into force in 2018 and which the company founded by Mark Zuckerberg has not complied with since then.
The ban, which must begin to be enforced on November 8, affects the core of Meta’s business. The company built its empire by taking advantage of the personal data of its users (both those that they voluntarily upload to social networks, such as name, address, occupation or contacts, as well as those that the company collected from browsing histories) so that Advertisers could refine the objective of their campaigns to the maximum. The personalized advertising industry, controlled for the last decade and a half with an iron fist by Facebook and Google, has made these two companies the giants they are today.
That source of income, however, is not in danger for the moment for Meta. The data protection authority of Ireland, the country where the European headquarters of the multinational is located, has already informed those affected that this decision would go ahead. It is no coincidence that Meta announced that it will charge 13 euros to those who do not want to be profiled one day before the EDPB made this decision. “We all know what will happen in practice: very few people will pay, so Meta will be able to continue acting as before,” explains Jorge García Herrero, data protection delegate and lawyer specializing in enforcing this regulation.
Although Meta was already prepared to take the blow, the decision is relevant because it indicates the path that the EU will follow from now on in terms of data protection. “It is time for Meta to bring its data processing under regulation and stop illegal practices,” EDPB chairwoman Anu Talus said in a statement. The European decision comes two weeks after attorneys general from 41 US states sued the company for developing products consciously designed to hook children.
“Meta has already announced that it will offer citizens of the EU and the European Economic Area the opportunity to give their consent [para procesar sus datos personales] and, in November, will offer a subscription model to meet regulatory requirements,” says a company spokesperson. “The EDPB has known about this plan for weeks and we were already fully committed to them to reach a satisfactory result for all parties. “This fact unjustifiably ignores that careful and robust regulatory process,” he adds.
Why now: a five-year process
The EDPB has asked the Irish data supervisory authority, the country where Meta’s European headquarters is located, to prohibit “all processing of personal data for the purposes of behavioral advertising” on the group’s platforms. This decision is not sudden. It has its origin in three resolutions. The first is a sanction of 390 million euros from the Irish regulator in January of this year, which in turn comes from the EDPB, for the improper processing of data of European users since May 2018 (the date of entry into force of the regulations European Data Protection Regulation).
Meta maintained that the terms and conditions consent contract that its users accept when installing the application explains the use made of the data. And that, due to the particularities of its business model, this contract was sufficient to cover both the platform’s own treatments (that users renounce the copyright of the photos so that they are shared with others) and the profiling that makes Meta to sell personalized advertising to third parties. “The January sanction says that the contract only covers the first part; The second requires another contract,” says García Herrero.
In July, the EU Court of Justice ruled in a case between the German competition authority and Meta that the company cannot rely on its business model or legitimate interest to collect and process users’ personal data, but it could. do so if you have explicit consent from those affected. The door to charging for the service opens there.
That same month, the Norwegian data protection authority asks the Irish authority (the competent authority since the company is located in that country) to tell it if it breaches the GDPR. “The Norwegians take the January sanction and say that this is already urgent and must be stopped, and if you don’t do it, I’ll do it. The Irish company does nothing, so the Norwegian company prohibits its citizens from being profiled to serve them personalized advertising,” explains García Herrero. Oslo sends its decision to the EDPB so that it can make a statement and if it considers it correct, it can extend it to all of Europe. And that last one is what just happened.
You can follow EL PAÍS Technology in Facebook and x or sign up here to receive our weekly newsletter.
#Europe #prohibits #Meta #processing #user #data #serve #personalized #advertising