DaphneJan 6, 2023

RT @[email protected]

Breaking: In decisions just out, Meta is not only on the hook for privacy fines totaling nearly €400 million, but it must also — quickly — find a new legal basis for its sprawling targeted advertising empire. 🧵

https://pro.politico.eu/news/158293

🐦🔗: https://twitter.com/vmanancourt/status/1610652904188174338

POLITICO Pro

Show threadDaphneJan 6, 2023
Can smart EU lawyers with data protection chops help me understand the basic legal proposition of this case?
I get the Art 6 bases for processing, and how Meta’s latest maneuvers (moving from consent to contractual basis) were legally sketchy and made EDPB mad. 1/
Show threadDaphneJan 6, 2023
But I don’t get at a more fundamental level why “take it or leave it” is not an option. I’m probably out of practice.
2/
Show threadDaphneJan 6, 2023
Why can EDPB say “Meta, you have to offer this service on different and less profitable terms than you do now”? Why was consent not an OK basis, with FB saying “this version, where you consent to targeted ads, is the one we offer”? 3/
Show threadDaphneJan 6, 2023
I’m not trying to push back (yet). I assume there’s a good answer, or else I’d see more coverage. But I haven’t found it so far. @[email protected]? @[email protected]? @[email protected]? 4/
Show threadDaphneJan 6, 2023
I get that the GDPR offers a substantive baseline of privacy protection. So the US’s quasi-contractual, Lochnerian shenanigans won’t cut it. Platforms can’t offer terms below that baseline level of protection and say “the user consented, it’s fine!” 5/
Show threadDaphneJan 6, 2023
But for processing that the GDPR permits with consent, if controllers can’t say “the consent-based service is the only one we offer,” it seems like there’d be endless cases where DPAs can require an alternate version of a commercial service, with different privacy tradeoffs. 6/
Show threadDaphneJan 6, 2023
Like “Airlines can’t offer frequent flyer perks — tracking flight history requires consent. But passengers must also have an option to get those perks even if the airline can’t see their flight history.”
7/
Show threadDaphneJan 6, 2023
It just seems like data protection rules would become deeply enmeshed with, and displace, competition or fair trade rules. 8/
Show threadDaphneJan 6, 2023

Or that the social network is one service, and the ads are another, so the GDPR rules for the social network can presume that ads are not relevant?

That one also seems like a competition policy question.

9/

Show threadDaphneJan 6, 2023
Thanks, it’s late here, I assume I missed something. 10/10
Show threadMatt Linton Jan 6, 2023

@daphnehk This is a great thread and it's something that confuses me too about some of the European rulings I've seen come out.

It seems like the rulings boil down to "Internet companies offering any non-paid service in Europe must offer it free of any obligation whatsoever to the people using the service for free."

Show threadDiogo ConstantinoJan 6, 2023
@amuse @daphnehk this is not about whataoever obligations, it's about: which law regulates data protection (contract law, or data protection law), and about data protection, so the scope is rather narrow, and not extremely broad as you put it.
Show threadMatt Linton Jan 6, 2023

@DiogoConstantino @daphnehk I'm probably speaking much more broadly than Daphne was, sorry for being confusing there.

Beyond this specific law and case, just seems to me that the collection of EU perspectives on tech in general seems to be "You can offer free services, but you can't ask anything in return from their users"

I can totally understand from a privacy perspective why that's desirable, I'm having a harder time seeing how that's a feasible way to run tech businesses.

And I'm personally happy to just pay a small fee for ad-free, pro-privacy things but I doubt I'm in the majority.

Show threadTodd KnarrJan 8, 2023
@amuse @DiogoConstantino @daphnehk Meta can absolutely ask for things 8n return for providing a no-cost service. Just when it comes to things that require consent, like collecting personal information, they have to ASK for that consent, not just assume it. They can refuse to provide service if you don't consent, but they can't leave the whole thing about advertising unsaid and just assumed.
Show threadDiogo ConstantinoJan 8, 2023

@tknarr That's not how it really goes, they can't refuse service if what they are asking in return is not necessary to provide the service, otherwise consent wouldn't be free and therefore lawful. This is why facebook stopped asking for consent and tried this trick.

@amuse @daphnehk

Show threadTodd KnarrJan 8, 2023
@DiogoConstantino @amuse @daphnehk Under 6(1)(n), true. However, 6(1)(a) says "the data subject has given consent to the processing of his or her personal data for one or more specific purposes". That's the one that would allow it. And yes, you can say "If you don't consent, we won't offer you service.". There's no coercion there when done BEFORE service is offered and where there's no other requirement that the service be used.
Show threadDiogo ConstantinoJan 8, 2023

@tknarr
You're mistaken. Consent can only be requested if it can be meaningful refused without detriment. If the subject feels compeled to consent, the consent is not freely given, and subjects may obviously and easily feel compeled to have the service. It has nothing to do with being before or after.

@amuse @daphnehk

Show threadTodd Knarr
@DiogoConstantino @amuse @daphnehk I'm pretty sure it doesn't work that way. If it did, it would throw offer and acceptance out the window entirely. After all, by your definition their not receiving what was being offered if they didn't accept the terms offered would mean their acceptance was coerced.
Jan 8, 2023 at 10:40amWeb
Show threadDiogo ConstantinoJan 8, 2023

@tknarr it does work this way, and this is thr reason why facebook stopped using consent.

@amuse @daphnehk

Show threadTodd KnarrJan 8, 2023
@DiogoConstantino @amuse @daphnehk So, how then would contracts of any sort work if one party could always claim they were coerced (because they wouldn't receive what you offered if they didn't accept the contract's terms) thus invalidating the contract?
Show threadDiogo ConstantinoJan 8, 2023

@tknarr This is NOT about contract law. This is about data protection, that is what this decision was also about.

Contracts made under coercion are already effectively null.

@amuse @daphnehk

Show threadDaphneJan 8, 2023

@DiogoConstantino @tknarr @amuse

It seemed like the lynchpin of DiogoC’s point was “If the subject feels compeled to consent, the consent is not freely given, & subjects may obviously & easily feel compeled to have the service.”

So is this reasoning about contract basis for processing unique to services that are essential or dominant (Facebook, arguably)? If there were 100 social media companies, could one offer targeted ads on a take it/leave it basis?

Show threadTodd KnarrJan 8, 2023
@daphnehk @DiogoConstantino @amuse It depends, I think, on whether service has already been extended to a user. If it has been, then threatening to take away that service if they won't consent would be coercive. If the user is signing up for new service, though, simply having conditions under which the company will offer service isn't coercive (else simply requiring the customer pay for the merchandise would be coercion, you're not giving it to them if they don't agree to pay).
Show threadDiogo ConstantinoJan 9, 2023

@daphnehk no, you can still be compeled for reasons of other nature.

@tknarr @amuse

Show threadTodd KnarrJan 9, 2023
@daphnehk @DiogoConstantino @amuse The problem with his point is that feeling compelled to have the service doesn't mean the service has coerced you into agreeing to it's terms. If that were the case, contract law as the courts interpret it (even in the EU) couldn't exist. But under the law, coercion involves a threat intended to get someone to do something they're legally allowed to not do, or to not do something they're legally allowed to do.
Show threadDiogo ConstantinoJan 9, 2023

@tknarr it could and exists and if you had followed the complains and against facebook from day 0 you would know they changed from consent to contract because of this.

@daphnehk @amuse

Show threadDiogo ConstantinoJan 9, 2023

@tknarr contract law and data protection however treat it differently (different requirements and enforcement) and this decision is NOT about contract law is about data protection.

@daphnehk @amuse

Show threadTodd KnarrJan 9, 2023

@daphnehk @DiogoConstantino @amuse 2/ The problem is that you don't have a legal right to a Facebook account. Even if Meta saying "If you don't consent, we won't offer service.", the user has no legal right to receive service from them until _after_ they've agreed to the terms and Facebook has agreed to provide them service.

Now, once Facebook _has_ agreed to provide them service, it's another matter. Then they do have a legal right to receive service under the agreed-on terms.

Show threadTodd KnarrJan 9, 2023

@daphnehk @DiogoConstantino @amuse 3/ In the case of the existing user, Meta is now using the threat of terminating service if the user doesn't do something they have every legal right to refrain from doing: accepting a change in the terms of service.

Had Meta changed the terms to require express consent at the time the GDPR went into effect, they could've cited the change in the law as the basis for requiring a change in terms to comply with the law. But it's too late for that now.