How Meta Is Using a Fire Extinguisher to Cook a Meal

By Sharon Bauer

If you are a company that collects personal data from the EU, you will have gone through the analysis of determining your lawful basis for processing that personal data. If you have not considered it, or your business has evolved since you did, then you had better read this article and put a red flag on that issue.

Determining the lawful basis for processing personal data can, at times, be confusing, as the six lawful bases outlined in Article 6(1) GDPR can be interpreted (or manipulated) to fit a company's purposes.

Companies that process EU data can rely on six lawful bases, namely, (1) Consent, (2) Contract, (3) Legal Obligation, (4) Vital Interests, (5) Public Interest, and (6) Legitimate Interest. 

While Article 6(1) has been around since the inception of GDPR in 2018, there has recently been a lot of attention on the interpretation of these lawful bases, which may impact not only the way your company collects and processes personal data but your business model too. Meta was recently slapped with a 400 million euro fine by the European Data Protection Board (EDPB) for choosing the wrong lawful basis for processing personal data.

Before we dive into the groundbreaking decision, let’s review the application of four of the most used lawful bases for processing personal data: 

  1. Consent - an individual freely gives specific, informed, and unambiguous consent to process the data for one or more specific purposes. Furthermore, consent must be “clearly distinguishable from the other matters” (meaning you cannot bundle multiple consents) and presented in “clear and plain language”. The individual must be able to withdraw consent at any time. An example of when consent is used as a lawful basis is when a company asks its online customers if it may collect data about their online activities for the purpose of sending them personalized content. 

  2. Contract - the processing of personal data is necessary for the performance of a contract to which the individual is a party. In other words, the business must process personal data in order to deliver a contractual or requested service to the individual. For example, an online retailer collects a customer’s address in order to ship the customer their purchase. 

  3. Legitimate Interest - the processing of personal data is necessary for a legitimate interest pursued by the controller or third party. In other words, processing of personal data is necessary for the purpose the data was collected for in the first place. However, a balancing test must be conducted taking into consideration whether the individual would reasonably expect their data to be processed as well as whether the processing is overridden by the fundamental rights and freedoms of the individual. 

  4. Legal Obligation - processing is necessary for compliance with a legal obligation to which the controller is subject. For example, a bank must process an account holder's data to comply with anti-money laundering laws. 

While these seem to be straightforward, it is not surprising that companies have been interpreting these lawful bases in favour of their business, making it easier for them to collect, use and process data to their own business advantage. A perfect illustration of this maneuvering is the way in which Meta architected the lawful basis for processing personal data (i.e. hundreds of data points about Facebook and Instagram users) for the purpose of delivering personalized ads. 


Meta’s Lawful Basis Architecture

It is no big surprise that Meta's business model is predicated on using individuals' personal data to personalize and deliver ads. This model is the very thing that has made them the social media giant they are today. Like any other company that processes EU data, Meta had to identify the lawful basis for processing personal data to send personalized ads.

Some reasonable individuals may think, "well geez, wouldn't they rely on consent?". While that does seem logical, it would be an uphill battle for Meta. You see, Meta would need to ask each individual whether they agree to have their data used to serve them with personalized ads. Meta would need to be very clear and specific about how that data would be used. To be clear, Meta would need to explain to individuals how it collects their personal data, how it is used, who it is shared with and so on. It is an extremely complex maze that most individuals would not understand. Furthermore, individuals would need to take an explicit step to agree to that processing, like clicking an accept button, as well as be provided with the opportunity to withdraw their consent at any time. As you can imagine, and as Meta must have imagined, it is unlikely individuals would agree to that. Why give away more personal data, or allow it to be used in more ways than necessary, if you don't need to? Many think getting personalized ads is a bit creepy. Given the high stakes in relying on processing personal data for targeted ads, which is Meta's business model, this lawful basis was way too risky for Meta.

Instead, Meta tried to find a way around seeking consent: it relied on contractual necessity as the lawful basis to process personal data for targeted ads. Meta added a clause to its terms of service stating that, by using its services, the user agrees to have their personal data used for targeted ads. Since it is in the contract, Meta argued that it must process personal data for ad targeting because doing so is necessary for the performance of that contract.

Some of you may say, "hey, not a bad idea"; however, the EDPB was not pleased with these shenanigans. The EDPB ruled that processing personal data to target users with ads is not necessary for the performance of a contract. The contract, being the terms of service, was intended to allow users to use the Facebook and Instagram platforms, not to be targeted by ads. Therefore, Meta could not rely on contractual necessity to process personal data for the purpose of ad targeting. Instead, Meta must start to collect opt-in consent from each user in order to serve them with personalized ads, which will no doubt have a significant impact on their business. They have three months to get their act together.


So what does this mean for your business?

While Meta is expected to appeal this decision, this is a loud and clear message to all companies that identifying the appropriate lawful basis for each processing activity is of paramount importance, as it may have an impact on your business model and business activities.

One of the best times to identify the lawful basis for your processing activities is when you prepare a data map (or records of processing activities), and before you launch your product or service. The basis for processing should be identified at the time of collection, before processing occurs. Relying on contract or legitimate interest when you should be relying on consent may significantly impact the way you perform the activities in your business. It is also important to note that, according to the Article 29 Working Party's guidance on consent, you cannot rely on multiple lawful bases for one specific purpose. You must choose only one.

Be mindful that you cannot rely on legitimate interest as a lawful basis for “special category” (or sensitive) personal data. Consent will likely be the proper lawful basis.  

So remember, just as a fire extinguisher is a tool that is designed for a specific purpose (i.e. putting out fires), the lawful bases under the GDPR are tools that are designed for a specific purpose (i.e. providing a lawful justification for processing personal data). Using a fire extinguisher to cook a meal would be an inappropriate use of the tool, just as using a lawful basis under the GDPR for a purpose other than what it was intended for would be. 
