Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
EU Data Storage Facebook Privacy The Courts Slashdot.org

Meta Faces Data Retention Limits On Its EU Ad Business After Top Court Ruling (techcrunch.com) 35

An anonymous reader quotes a report from TechCrunch: The European Union's top court has sided with a privacy challenge to Meta's data retention policies. It ruled on Friday that social networks, such as Facebook, cannot keep using people's information for ad targeting indefinitely. The judgement could have major implications on the way Meta and other ad-funded social networks operate in the region. Limits on how long personal data can be kept must be applied in order to comply with data minimization principles contained in the bloc's General Data Protection Regulation (GDPR). Breaches of the regime can lead to fines of up to 4% of global annual turnover -- which, in Meta's case, could put it on the hook for billions more in penalties (NB: it is already at the top of the leaderboard of Big Tech GDPR breachers). [...]

The original challenge to Meta's ad business dates back to 2014 but was not fully heard in Austria until 2020, per noyb. The Austrian supreme court then referred several legal questions to the CJEU in 2021. Some were answered via a separate challenge to Meta/Facebook, in a July 2023 CJEU ruling -- which struck down the company's ability to claim a "legitimate interest" to process people's data for ads. The remaining two questions have now been dealt with by the CJEU. And it's more bad news for Meta's surveillance-based ad business. Limits do apply. Summarizing this component of the judgement in a press release, the CJEU wrote: "An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data."

The ruling looks important on account of how ads businesses, such as Meta's, function. Crudely put, the more of your data they can grab, the better -- as far as they are concerned. Back in 2022, an internal memo penned by Meta engineers which was obtained by Vice's Motherboard likened its data collection practices to tipping bottles of ink into a vast lake and suggested the company's aggregation of personal data lacked controls and did not lend itself to being able to silo different types of data or apply data retention limits. Although Meta claimed at the time that the document "does not describe our extensive processes and controls to comply with privacy regulations." How exactly the adtech giant will need to amend its data retention practices following the CJEU ruling remains to be seen. But the law is clear that it must have limits. "[Advertising] companies must develop data management protocols to gradually delete unneeded data or stop using them," noyb suggests.
The court also weighed in a second question that concerns sensitive data that has been "manifestly made public" by the data subject, "and whether sensitive characteristics could be used for ad targeting because of that," reports TechCrunch. "The court ruled that it could not, maintaining the GDPR's purpose limitation principle."
This discussion has been archived. No new comments can be posted.

Meta Faces Data Retention Limits On Its EU Ad Business After Top Court Ruling

Comments Filter:
  • by gweihir ( 88907 ) on Friday October 04, 2024 @10:47PM (#64841163)

    Of course, it was entirely clear back when that Meta was not even beginning to be GDRP compliant. Unfortunately, the GDPR does not provide for impounding gains from illegal behavior.

    Incidentally, I an a supporter of noyb. Good to see them being effective.

    • I'd consider that no company that collects data or serves ads based on personal profiling is GDPR compliant.

      • by gweihir ( 88907 )

        At this time? Probably not. All criminally-minded enterprises. The other unfortunate oversight in the GDPR is that is does not know personal liability, it is always only the organization that gets punished.

      • by thegarbz ( 1787294 ) on Saturday October 05, 2024 @02:41AM (#64841343)

        I'd consider that no company that collects data or serves ads based on personal profiling is GDPR compliant.

        Except many are. The GDPR is literally about how to act as a data controller and how to process the data for the purposes of datamining. It's an instruction book for ad companies and literally nothing in it prevents collecting data for the purposes of serving ads, quite the opposite - it regulates how this is done.

        That said it's quite loosely written and many parts are open to interpretation.

      • by thsths ( 31372 ) on Saturday October 05, 2024 @04:42AM (#64841431)

        I would agree.

        Some are making an effort to be compliant, for example by asking for explicit consent.

        However, most make giving consent much easier than not, and they also start processing data before you give consent.

        So they are really not compliant, they just pay lip service.

        • However, most make giving consent much easier than not

          That is GDPR compliant. There's nothing in the law saying it needs to be easier the other way around, just that it isn't excessive.

          and they also start processing data before you give consent.

          For that claim you'd need to provide a citation.

        • by Anonymous Coward
          Some sites offer reject all, for some it's three minutes of individual declines which might be bordering on excessive.
        • by allo ( 1728082 )

          The problem is that many tell users "Consent or leave" which isn't GDPR compliant either.

          • Which is just bloody ridiculous. These are businesses, not charities, we're talking about here. And the whole raison d'etre for any business it to make money, usually in exchange for a good or service. Moreover, bills and employee have to be paid. And how many people out there would be willing to pay a fee to each web site they visit? So if people won't pay for access, advertising is all that's really left for bringing in money to keep the lights on. If someone is unwilling to pay with a fee or subscr

            • by allo ( 1728082 )

              No, it's not. It's just enforcing the law that demands to respect user's privacy. The whole "Cookie Banner" issue is about companies wanting you to give up your rights. No websites needs a cookie banner, but they use them because they want you to give them consent for things you do not need to consent to. You can of course do this - but it's voluntary as the law says you don't have to.

            • by allo ( 1728082 )

              Addition: Nobody says you cannot do ads. You can do ads, you just cannot track users. And you see that there are still ads, when you reject the tracking.

    • At what point does collected data become outdated? If I bought cat food one time while cat sitting for a friend, how long does that information provide value to an advertising company? Three years? Five years?

      Many people's financial status and interests change over time. If I was into wood working for a while but lost interest, I would think five years is enough history to allow that information to time out. If I got a pay raise or a new job and moved from mac and cheese to frozen fish sticks and hot d

      • by gweihir ( 88907 ) on Saturday October 05, 2024 @01:00AM (#64841279)

        The story simplifies things. This is actually not specifically about time-limits This is mostly about limiting data retention to the lifetime of the original purpose and minimizing data use in general.

        You can read up on it yourself, noyb publishes its stuff also in English as they are active EU-wide:
              https://noyb.eu/en/cjeu-meta-m... [noyb.eu]
        And something on the references decision regarding the "Bundeskartellamt":
              https://noyb.eu/en/cjeu-declar... [noyb.eu]

        Meta really has no chance ever being compliant here, because they simply mixed all data together. The only option they have is to delete everything. The usual limit on legally enforced measures needing to be "appropriate" does likely not apply because they clearly knew what they were doing was illegal. Will be interesting to see how this progresses.

      • by allo ( 1728082 )

        At least they know you're not having a cat allergy. That's probably still true today.

    • If the company trains an AI LLM on a person's data from 2020-2024 and then deletes the actual personal data from that time period, does the LLM data need to be deleted as well?

      For example, commented elsewhere here, if you buy 1 can of cat food 5 years ago and a LLM gets trained that you are a cat lover, will that follow you for the rest of your 'to be marketed to and profiled' life?

      • by gweihir ( 88907 )

        That really depends. There have now been numerous instances of LLMs partially or fully regurgitating training data. (There also have been instances of LLMs claiming wrong things about people, which is illegal under the GDPR and _must_ be fixed, no exceptions. It is a related issue.) This is currently going through the courts, but I expect they will find that yes, the model has to be adjusted (impossible) or deleted. The thing is that transforming data so that personally identifiable information cannot be ex

  • by Bruce66423 ( 1678196 ) on Saturday October 05, 2024 @03:13AM (#64841371)

    As it has done from the beginning of the colonisation of the land.

    I'm mostly joking... maybe...

  • Privacy win (Score:1, Insightful)

    by mcnewman ( 10295779 )
    I did a research recently on how companies handle user data, and it’s clear they rely heavily on tracking for targeted ads. This ruling is a good reminder that things need to change. It's concerning how much information these platforms hold onto, often without us realizing it. If Meta has to delete old data now, that's a win for us users. Actually, https://edubirdie.com/research-proposal-writing-service [edubirdie.com] helped be a lot with my research. For more details on data privacy, you might find noyb's suggestio

"An organization dries up if you don't challenge it with growth." -- Mark Shepherd, former President and CEO of Texas Instruments

Working...