Update on August 01, 2023 at 5:00AM PT:
Today, we are announcing our intention to change the legal basis that we use to process certain data for behavioural advertising for people in the EU, EEA and Switzerland from ‘Legitimate Interests’ to ‘Consent’. This change is to address a number of evolving and emerging regulatory requirements in the region, notably how our lead data protection regulator in the EU, the Irish Data Protection Commission (DPC), is now interpreting GDPR in light of recent legal rulings, as well as anticipating the entry into force of the Digital Markets Act (DMA).
Historically, businesses operating in this region have relied on a variety of legal bases under GDPR for the purpose of processing data for advertising. GDPR states that there is no hierarchy between legal bases, and none should be considered more valid than any other. However, we have listened carefully to regulatory feedback from the Irish DPC, including how it is interpreting recent decisions by the European Court of Justice, in deciding to make this change.
There is no immediate impact to our services in the region. Once this change is in place, advertisers will still be able to run personalised advertising campaigns to reach potential customers and grow their businesses. We have factored this change into our business outlook and related public disclosures made to date.
We will share further information over the months ahead, because it will take time for us to continue to constructively engage with regulators to ensure that any proposed solution addresses regulatory obligations in the EU, including GDPR and the upcoming DMA.
This post contains forward-looking statements, including about Meta’s business outlook. You should not rely on these statements as predictions of future events. Additional information regarding potential risks and uncertainties about our business and financial results can be found in our most recent Form 10-Q. Meta undertakes no obligation to update these statements as a result of new information or future events.
Update on March 30, 2023 at 4:15AM PT:
In December, the Irish Data Protection Commission found that Facebook and Instagram must change their approach to the legal basis under GDPR for the purpose of serving behavioural advertisements in Europe. To comply, from Wednesday 5 April we are changing the legal basis that we use to process certain first party data in Europe from ‘Contractual Necessity’ to ‘Legitimate Interests’. GDPR clearly states that there is no hierarchy between legal bases, and none should be considered more valid than any other.
It is important to note that this legal change does not prevent personalised advertising on our platform, nor does it affect how advertisers, businesses or users experience our products. Advertisers can continue to use our platforms to reach potential customers and grow their business. Relevant users will also be notified of this change, which will give them additional options around how we process certain information to serve behavioural advertisements. This legal basis is used by similar platforms, and our EU Privacy Policy and Terms of Service will be updated to reflect this change.
We believe that our previous approach was compliant under GDPR, and our appeal on both the substance of the rulings and the fines continues. However, this change ensures that we comply with the DPC’s decision.
Originally published on January 4, 2023 at 7:00AM PT:
Today, the Irish Data Protection Commission (DPC) has set out its findings on the legal basis that Facebook and Instagram use under GDPR for the purpose of serving behavioural advertisements.
The debate around legal bases has been ongoing for some time and businesses have faced a lack of regulatory certainty in this area. We strongly believe our approach respects GDPR, and we’re therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines.
There has also been inaccurate speculation and misreporting on what these decisions mean. We want to reassure users and businesses that they can continue to benefit from personalised advertising across the EU through Meta’s platforms.
What is a Legal Basis?
In the EU, an organisation needs a legal basis to process data. Data processing occurs in a variety of situations, such as when data is stored, transferred or aggregated.
GDPR allows for a range of legal bases under which data can be processed. The rules of GDPR are clear: there is no hierarchy between these legal bases – none should be considered better or more legitimate than any other. Which basis is most appropriate to use depends on the specific situation. Like many companies, Meta uses a combination of legal bases to provide various services.
Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service. To date, we have relied on a legal basis called ‘Contractual Necessity’ to show people behavioural advertisements based on their activities on our platforms, subject to their safety and privacy settings. It would be highly unusual for a social media service not to be tailored to the individual user.
Businesses lack regulatory certainty around appropriate Legal Bases
Since GDPR came into force, Meta has relied on Contractual Necessity to process the data needed to provide behavioural advertisements in the EU. We have always been open with regulators and courts about this, and in previous assessments of our services they did not object to the use of Contractual Necessity for this type of activity.
However, following recent engagement with and directions from other regulators across Europe, the DPC has now found that Meta must change its approach regarding the legal basis on which it processes user data for behavioural ads.
It’s important to note that these decisions do not prevent personalised advertising on our platform. The decisions relate only to which legal basis Meta uses when offering certain advertising. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets.
The decisions also do not mandate the use of Consent – another available legal basis under GDPR – for this processing. Similar businesses use a selection of legal bases to process data and we are assessing a variety of options that will allow us to continue offering a fully personalised service to our users. The suggestion that personalised ads can no longer be offered by Meta across Europe unless each user’s agreement has first been sought is incorrect.
There has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time. This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether. That’s why we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.
We offer tools to manage your advertising and privacy preferences
We’re continually investing in new technology and processes to allow our community to manage their advertising and privacy preferences. This includes steps to provide more detailed information to people about how their data is used and shared, as well as tools to give people greater control over the information they share. For example:
- Making Our Terms and Privacy Policy Clearer: Last year, we updated our Terms of Service to make it easier to read, and updated our Privacy Policy to better spell out what data we collect and how we use it.
- New Privacy Shortcuts menu: We created a new Privacy Shortcut menu where people can control their data in just a few taps, with clearer explanations of how our controls work. This helps point people to our long-standing ad preferences tool, where everyone on Facebook can control what kinds of ads they see and opt out of having certain kinds of data used to inform the ads they see.
- Tools to find, download and delete your data: On top of our Download Your Information tool, we introduced Access Your Information – a secure way for people on Facebook to access and manage their information, such as posts, reactions, comments, and things people searched for. We also launched a feature on Instagram that allows people to bulk delete content they’ve posted like photos, videos, likes and comments. This is an important way of helping people understand what information they’ve shared on Instagram, what is visible to others, and to have an easier way to manage their digital footprint.
- Transparency about ads: For every ad and post on Facebook, people can click on “Why am I seeing this?” – which explains how factors like basic demographic details, interests and website visits contribute to the posts and ads you see.
You can learn more about how to manage and control your privacy experience on our Privacy Center.
0 Comments