Meta Faces Data Retention Limits On Its EU Ad Business After Top Court Ruling (techcrunch.com) 32
An anonymous reader quotes a report from TechCrunch: The European Union's top court has sided with a privacy challenge to Meta's data retention policies. It ruled on Friday that social networks, such as Facebook, cannot keep using people's information for ad targeting indefinitely. The judgement could have major implications on the way Meta and other ad-funded social networks operate in the region. Limits on how long personal data can be kept must be applied in order to comply with data minimization principles contained in the bloc's General Data Protection Regulation (GDPR). Breaches of the regime can lead to fines of up to 4% of global annual turnover -- which, in Meta's case, could put it on the hook for billions more in penalties (NB: it is already at the top of the leaderboard of Big Tech GDPR breachers). [...]
The original challenge to Meta's ad business dates back to 2014 but was not fully heard in Austria until 2020, per noyb. The Austrian supreme court then referred several legal questions to the CJEU in 2021. Some were answered via a separate challenge to Meta/Facebook, in a July 2023 CJEU ruling -- which struck down the company's ability to claim a "legitimate interest" to process people's data for ads. The remaining two questions have now been dealt with by the CJEU. And it's more bad news for Meta's surveillance-based ad business. Limits do apply. Summarizing this component of the judgement in a press release, the CJEU wrote: "An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data."
The ruling looks important on account of how ads businesses, such as Meta's, function. Crudely put, the more of your data they can grab, the better -- as far as they are concerned. Back in 2022, an internal memo penned by Meta engineers which was obtained by Vice's Motherboard likened its data collection practices to tipping bottles of ink into a vast lake and suggested the company's aggregation of personal data lacked controls and did not lend itself to being able to silo different types of data or apply data retention limits. Although Meta claimed at the time that the document "does not describe our extensive processes and controls to comply with privacy regulations." How exactly the adtech giant will need to amend its data retention practices following the CJEU ruling remains to be seen. But the law is clear that it must have limits. "[Advertising] companies must develop data management protocols to gradually delete unneeded data or stop using them," noyb suggests. The court also weighed in a second question that concerns sensitive data that has been "manifestly made public" by the data subject, "and whether sensitive characteristics could be used for ad targeting because of that," reports TechCrunch. "The court ruled that it could not, maintaining the GDPR's purpose limitation principle."
The original challenge to Meta's ad business dates back to 2014 but was not fully heard in Austria until 2020, per noyb. The Austrian supreme court then referred several legal questions to the CJEU in 2021. Some were answered via a separate challenge to Meta/Facebook, in a July 2023 CJEU ruling -- which struck down the company's ability to claim a "legitimate interest" to process people's data for ads. The remaining two questions have now been dealt with by the CJEU. And it's more bad news for Meta's surveillance-based ad business. Limits do apply. Summarizing this component of the judgement in a press release, the CJEU wrote: "An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data."
The ruling looks important on account of how ads businesses, such as Meta's, function. Crudely put, the more of your data they can grab, the better -- as far as they are concerned. Back in 2022, an internal memo penned by Meta engineers which was obtained by Vice's Motherboard likened its data collection practices to tipping bottles of ink into a vast lake and suggested the company's aggregation of personal data lacked controls and did not lend itself to being able to silo different types of data or apply data retention limits. Although Meta claimed at the time that the document "does not describe our extensive processes and controls to comply with privacy regulations." How exactly the adtech giant will need to amend its data retention practices following the CJEU ruling remains to be seen. But the law is clear that it must have limits. "[Advertising] companies must develop data management protocols to gradually delete unneeded data or stop using them," noyb suggests. The court also weighed in a second question that concerns sensitive data that has been "manifestly made public" by the data subject, "and whether sensitive characteristics could be used for ad targeting because of that," reports TechCrunch. "The court ruled that it could not, maintaining the GDPR's purpose limitation principle."
Slow, but effective after all (Score:5, Interesting)
Of course, it was entirely clear back when that Meta was not even beginning to be GDRP compliant. Unfortunately, the GDPR does not provide for impounding gains from illegal behavior.
Incidentally, I an a supporter of noyb. Good to see them being effective.
Re: Slow, but effective after all (Score:2)
I'd consider that no company that collects data or serves ads based on personal profiling is GDPR compliant.
Re: (Score:2)
At this time? Probably not. All criminally-minded enterprises. The other unfortunate oversight in the GDPR is that is does not know personal liability, it is always only the organization that gets punished.
Re: Slow, but effective after all (Score:4, Interesting)
I'd consider that no company that collects data or serves ads based on personal profiling is GDPR compliant.
Except many are. The GDPR is literally about how to act as a data controller and how to process the data for the purposes of datamining. It's an instruction book for ad companies and literally nothing in it prevents collecting data for the purposes of serving ads, quite the opposite - it regulates how this is done.
That said it's quite loosely written and many parts are open to interpretation.
Re: Slow, but effective after all (Score:4, Insightful)
I would agree.
Some are making an effort to be compliant, for example by asking for explicit consent.
However, most make giving consent much easier than not, and they also start processing data before you give consent.
So they are really not compliant, they just pay lip service.
Re: (Score:2)
However, most make giving consent much easier than not
That is GDPR compliant. There's nothing in the law saying it needs to be easier the other way around, just that it isn't excessive.
and they also start processing data before you give consent.
For that claim you'd need to provide a citation.
Re: (Score:1)
Re: (Score:3)
The problem is that many tell users "Consent or leave" which isn't GDPR compliant either.
Re: (Score:2)
Which is just bloody ridiculous. These are businesses, not charities, we're talking about here. And the whole raison d'etre for any business it to make money, usually in exchange for a good or service. Moreover, bills and employee have to be paid. And how many people out there would be willing to pay a fee to each web site they visit? So if people won't pay for access, advertising is all that's really left for bringing in money to keep the lights on. If someone is unwilling to pay with a fee or subscr
Re: (Score:2)
At what point does collected data become outdated? If I bought cat food one time while cat sitting for a friend, how long does that information provide value to an advertising company? Three years? Five years?
Many people's financial status and interests change over time. If I was into wood working for a while but lost interest, I would think five years is enough history to allow that information to time out. If I got a pay raise or a new job and moved from mac and cheese to frozen fish sticks and hot d
Re:Slow, but effective after all (Score:5, Informative)
The story simplifies things. This is actually not specifically about time-limits This is mostly about limiting data retention to the lifetime of the original purpose and minimizing data use in general.
You can read up on it yourself, noyb publishes its stuff also in English as they are active EU-wide:
https://noyb.eu/en/cjeu-meta-m... [noyb.eu]
And something on the references decision regarding the "Bundeskartellamt":
https://noyb.eu/en/cjeu-declar... [noyb.eu]
Meta really has no chance ever being compliant here, because they simply mixed all data together. The only option they have is to delete everything. The usual limit on legally enforced measures needing to be "appropriate" does likely not apply because they clearly knew what they were doing was illegal. Will be interesting to see how this progresses.
Re: (Score:2)
At least they know you're not having a cat allergy. That's probably still true today.
Re:Looks like the GDPR is toothless... (Score:5, Informative)
Seems that the GDPR, which was passed, almost as an ex-post-facto law against Meta, Google and other companies has no teeth.
Meta has literally been fined $2bn euros so far. While it's small for a company given the size of its turnover, this is hardly a "slap on the wrist". And EU law allows for application of daily penalties until behaviour changes.
Also there's nothing ex-post-facto about this. The GDPR was written as a regulation of how to handle data and had a transitionary period. No one was fined for past data practices. Just because you have a business selling lead paint to children doesn't mean you get to keep doing that because you founded your business before laws were passed against it.
Re: (Score:2)
It's so small that google considers it a line item on their expense report. It's a slap on the wrist. Start jailing executives and revoking IP.
Re: (Score:3)
The next step after several fines is a prohibition of processing personal data of any kind. Has only hit a small number of companies so far, but it has been applied.
Re: (Score:3)
It's so small that google considers it a line item on their expense report. It's a slap on the wrist. Start jailing executives and revoking IP.
And yet Google changed its practices to comply with every ruling to date. What's that tell you? The slap on a wrist gets really annoying when it happens to you daily. Again it's not the size of the fine that is important. I don't go running red lights for fun simply because the fine where I live is about the cost of dinner for 2. I do it because eating out every evening would be fucking expensive over time.
Re: (Score:3)
There is also an escalation path. If you do not comply several times on the same thing, they can shut you down, or rather forbid you from processing any personal data at all. It has happened, but only to some small companies AFAIK. Hence it really is no surprise Google complies. They know in the end they will have to and complying early is probably just a lot cheaper, given the magnitude of the fines.
Re: (Score:1)
They even got slapped to make the reject button as simple as the accept button. Details matter and the GDPR is a strong weapon.
Re: (Score:2)
It's so small that google considers it a line item on their expense report. It's a slap on the wrist. Start jailing executives and revoking IP.
About that time, EU would suddenly have to build their own internet. I'd support a hard block, then the EU would not be bothered
It is impressive the number of outfits that even now soft geoblock EU countries, which is the best way to comply with them. All my sites are EU geoblocked, so I don't offend. And if someone VPNs in, well that isn't my problem.
Re: (Score:2)
It's hard for the EU to jail US executives. But as long as Meta is profitable in the EU they can fine them. If they are not, Meta could leave the EU, but it doesn't look like that would be a viable option for them anytime soon.
Re: (Score:2)
Meta has literally been fined $2bn euros so far. While it's small for a company given the size of its turnover, this is hardly a "slap on the wrist".
Well then, the system is working exactly as designed. The worst thing would be everyone bent the knee, then they'd have to figure out a new extortion target.
What do thy do with their money?
Re: (Score:2)
What do thy do with their money?
hookers and blow
You son of a bitch - I'm in!
How about garbled incohesive personal data (Score:2)
If the company trains an AI LLM on a person's data from 2020-2024 and then deletes the actual personal data from that time period, does the LLM data need to be deleted as well?
For example, commented elsewhere here, if you buy 1 can of cat food 5 years ago and a LLM gets trained that you are a cat lover, will that follow you for the rest of your 'to be marketed to and profiled' life?
Re: (Score:2)
That really depends. There have now been numerous instances of LLMs partially or fully regurgitating training data. (There also have been instances of LLMs claiming wrong things about people, which is illegal under the GDPR and _must_ be fixed, no exceptions. It is a related issue.) This is currently going through the courts, but I expect they will find that yes, the model has to be adjusted (impossible) or deleted. The thing is that transforming data so that personally identifiable information cannot be ex
Europe teaching Americans to be civilised (Score:3)
As it has done from the beginning of the colonisation of the land.
I'm mostly joking... maybe...
Re: Europe teaching Americans to be civilised (Score:2)
Well - it can be done... (Score:2)
https://www.bbc.co.uk/news/wor... [bbc.co.uk]
Re: Well - it can be done... (Score:2)
Privacy win (Score:1, Insightful)