Is surveillance capitalism legal in the EU? (Part 1)
Why tech companies cannot use contractual necessity for behavioural advertising
TL;DR
This newsletter is about the EDPB's decision regarding the processing of personal data for behavioural advertising on the basis of contractual necessity. It looks at why the EDPB was required to make a decision on this issue, the analysis underpinning its conclusion, and the implications this has for the contractual necessity provision under the GDPR.
Here are the key takeaways:
After a lengthy inquiry into Facebook's data processing activities, the Irish Data Protection Commissioner found that the social media platform could rely on contractual necessity to process its users' personal data for behavioural advertising. This finding was included in its draft decision shared with other data protection supervisory authorities in the EU.
The other supervisory authorities disagreed with this finding from the Commissioner. This triggered the dispute resolution procedure under the GDPR's one-stop-shop, requiring a decision from the European Data Protection Board on the matter.
In the EDPB's decision, adopted in December 2022, it found that Facebook could not rely on contractual necessity for behavioural advertising. This was on the basis that:
The main purpose of the Facebook service, as indicated by the terms and conditions, was to enable users to connect and communicate with each other online, and not to provide them with personalised adverts.
There was no obligation imposed on Facebook to offer personalised advertising to its users under its terms and conditions.
Business models must conform to the requirements of the GDPR and not the other way around.
Data subjects have the right to object to direct marketing, meaning that they can object to behavioural advertising at any time without needing to provide a reason.
The processing that underpins behavioural advertising falls outside the reasonable expectations of data subjects.
Intro
This series of posts looks at the legalities of surveillance capitalism in the context of EU data protection law, which has been covered in several important decisions in the EU in recent years.
This post focuses on a decision by the European Data Protection Board (EDPB) on whether surveillance capitalism (referred to as behavioural advertising in EU data protection law) can be carried out on the basis of contractual necessity under the GDPR. This decision concerned the use of this legal basis by Meta for the behavioural advertising carried out on Facebook in the EU.
How we got here
At the time the GDPR came into force in May 2018, a complaint was made to the Austrian SA against Meta. The complaint alleged that its social media platform, Facebook, processed the personal data of its users in a manner violating the GDPR.1
Among the issues highlighted by the complainant, represented by NOYB (a non-profit organisation focusing on privacy issues in Europe), was the legal basis that Facebook relied on for processing data for behavioural advertising. The complaint was eventually transferred to the Irish Data Protection Commissioner (DPC) since Ireland is the location of Meta's European HQ.
An inquiry into Meta was then carried out by the Irish DPC, which focused on, among other things, the legal basis relied on for the processing of personal data for behavioural advertising. The inquiry began in August 2018 and ended in April 2020.
In May 2021, the Irish DPC issued a preliminary draft decision to Meta and the complainant. Submissions on this decision were provided by both the complainant and Meta a month later in June 2021, which the Irish DPC considered when completing its draft decision on the matter.
The investigation into Meta followed the so-called 'one-stop-shop' (OSS) under the GDPR.2 This means that while the Irish DPC led the investigation, other supervisory authorities were required to provide their opinions on the Irish DPC's findings.
The OSS began with the Irish DPC sharing its draft decision with the other SAs, which in this case included those from Austria, Germany, Finland, France, Italy, the Netherlands, Norway, Poland, Portugal and Sweden.3 Several of those SAs raised objections to the draft decision between October and November 2021.
The Irish DPC provided a response to these objections in January 2022; however, several SAs maintained their objections to the draft decision. This triggered the dispute resolution mechanism whereby the EDPB was required to make a binding decision to resolve the issues raised during the OSS process.4
Among the contested issues was the Irish DPC's finding that Meta could rely on contractual necessity as a legal basis to carry out the data processing activities involved in the provision of Facebook, including behavioural advertising.5 The other SAs contended that Meta could not rely on contractual necessity and was infringing the GDPR by doing so.6
The EDPB agreed with the arguments of the other SAs that Meta could not rely on contractual necessity for behavioural advertising on Facebook. It therefore instructed the Irish DPC to alter its findings in its draft decision to "include an infringement of Article 6(1) GDPR based on the shortcomings that the EDPB has identified."7
Accordingly, in its final decision dated 31 December 2022, the Irish DPC, on this issue, found that Meta "was not entitled to rely on Article 6(1)(b) GDPR to process...personal data for the purpose of behavioural advertising in the context of the Facebook Terms of Service."8
What is behavioural advertising?
In an opinion published by the former Article 29 Data Protection Working Party,9 online behavioural advertising is defined as follows:
...advertising that is based on the observation of the behaviour of individuals over time. Behavioural advertising seeks to study the characteristics of this behaviour through their actions (repeated site visits, interactions, keywords, online content production, etc.) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their inferred interests.
This reflects the definition of surveillance capitalism proposed by Shoshana Zuboff in The Age of Surveillance Capitalism:
Surveillance capitalism claims human experience as free raw material for translation into behavioural data. Although some of these data are applied to product or service improvement, the rest are declared as a proprietary behavioural surplus, fed into advanced manufacturing processes known as “machine intelligence,” and fabricated into prediction products that anticipate what you will do now, soon, and later. Finally, these prediction products are traded in a new kind of marketplace for behavioural predictions that I call behavioural future markets. Surveillance capitalists have grown immensely wealthy from these trading operations, for many companies are eager to lay bets on our future behaviour.10
Regarding Facebook specifically:
It collects data about its users regarding their activity on and off the platform. This includes data about content interactions, sites visited and other types of online activity, from which inferences are made about their behaviour and interests.
Facebook then enables advertisers on its platform to target users based on their inferred behaviour and interests. Advertisers pay for this service provided by Facebook.
This practice is crucial to Facebook's business model. The vast majority of the social media network's revenue is generated from targeted advertising, as shown in the graphic below from App Economy Insights.
What is contractual necessity?
Under Article 8 of the EU Charter of Fundamental Rights, the right to the protection of personal data specifies that data must be processed "on the basis of the consent of the person concerned or some other legitimate basis laid down by law." Those legitimate bases laid down by law are provided under Article 6 of the GDPR, the EU's principal piece of data protection legislation.
Article 6 sets out six separate legal bases on which data can be processed. In essence, that provision permits the processing of personal data either on the basis of the data subject's consent or where the processing is necessary for something.
This includes where processing is contractually necessary. To quote the exact provision under Article 6.1(b), personal data can be processed where the:
...processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
A very simple example of this is where a data subject purchases a product online to be delivered to their home. To fulfil the order (i.e., perform the contract), the online retailer must collect the data subject's payment information to take payment for the product and their home address to deliver the product.11
To rely on contractual necessity, the processing of personal data must be "objectively necessary for a purpose that is integral to the delivery of [the] contractual service to the data subject."12 In other words, the processing is necessary if, without such processing, it would not be possible to fulfil the contract with the data subject.
For assessing whether data needs to be processed for the performance of a contract, the EDPB suggests in its guidelines that the following questions should be considered:13
What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
What is the exact rationale of the contract (i.e. its substance and fundamental object)?
What are the essential elements of the contract?
What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
What was the contract in relation to Facebook?
In the case of Facebook, both the EDPB and the Irish DPC recognised the relevant contract to be the platform's terms of service.14 In these terms and conditions, under the heading titled 'To Provide a Personalised Experience for you', was the following:
Your experience on Facebook is unlike anyone else's: from the posts, stories, events, ads, and other content you see in News Feed or our video platform to the Pages you follow and other features you might use, such as Trending, Marketplace, and search. We use the data we have - for example, about the connections you make, the choices and settings you select, and what you share and do on and off our Products - to personalize your experience.15
Furthermore, under the heading titled 'Help you discover content, products, and services that may interest you', was the following:
We show you ads, offers, and other sponsored content to help you discover content, products, and services that are offered by the many businesses and organizations that use Facebook and other Facebook Products. Our partners pay us to show their content to you, and we design our services so that the sponsored content you see is as relevant and useful to you as everything else you see on our Products.16
The Irish DPC's view on the matter
In its draft decision, the Irish DPC considered behavioural advertising to be "a core part of the service offered to and accepted by the users, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by Meta IE and the user."17 It argued that "the nature of the service being offered to Facebook users is set out in the first line of the Facebook Terms of Service: a personalised service that includes advertising."18
The Irish DPC also stated that any reasonable user of Facebook would understand that behavioural advertising formed "a core element of [Facebook's] business model and transaction with users."19 In particular, the Commissioner contended that users understood that a "distinguishing feature and commercially essential element of the contract between Meta IE and the user is that it funds its Facebook social media service with targeted and personalised advertising to the user."20
Accordingly, the Irish DPC concluded in its draft decision that Meta "may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the provision of its Facebook social media service, including through the provision of behavioural advertising insofar as this forms a core part of that service offered to and accepted by users."21
The EDPB's view on the matter
Central to the EDPB's analysis was the concept of necessity. It explored whether behavioural advertising, as carried out by Facebook, was "objectively necessary" to provide its service based on the terms and nature of the service.22
To answer this question, the EDPB attempted to identify the main purpose of the Facebook service. On this, the EDPB found that the main purpose of the service was to enable users to communicate with each other.23
This conclusion was reached based on information provided on Facebook's landing page, which described the platform as enabling users to "connect with friends and the world around you on Facebook." The EDPB also cited the beginning of the terms of service, which explained Facebook's mission as giving "people the power to build community and bring the world closer together."24
Furthermore, the EDPB found that there was no obligation imposed on Facebook to offer personalised advertising to its users. However, there was an obligation between Meta and its advertisers to provide a targeted advertising service.25
The EDPB also noted that the fact that Facebook is offered free to users and funded by behavioural advertising did not make such processing contractually necessary. It stressed the primacy of data protection law in this regard:
Under the principle of the GDPR and its Article 6, it is the business model which must adapt itself and comply with the requirements that the GDPR sets out in general and for each of the legal bases and not the reverse.26
In fact, according to the EDPB, there are no other types of advertising, even ones that are less intrusive than behavioural advertising, that could be considered contractually necessary for the delivery of a social networking service.27 Instead, it considered that contractual necessity does not apply to "processing which is useful but not objectively necessary for performing the contractual service, even if it is necessary for the controller's other business purposes."28
The EDPB's argument against the contractual necessity of behavioural advertising was also supported by the right to object to direct marketing under the GDPR. This right itself renders behavioural advertising based on contractual necessity untenable since data subjects can opt out of this processing at any time and without needing to provide a reason.29
As a final point, the EDPB contended that the processing that underpinned Facebook's behavioural advertising fell outside the reasonable expectations of data subjects. In particular, given the complexity and insufficient information about the processing in the terms of service, users were not able to understand the nature and scope of the processing, including the consequences it may have on their data rights.30
Based on all this, the EDPB concluded that behavioural advertising was not the main purpose of the Facebook service.31 Accordingly, it found that Meta could not rely on contractual necessity to process personal data for the purposes of behavioural advertising.32
Some reflections on the EDPB's decision
One way to think about this decision is that it is essentially a battle between two different perspectives:
The Facebook POV. Behavioural advertising is a crucial part of Facebook's offering because, without it, Meta would not be able to provide a Facebook service enabling users to network with each other free of charge. It is also what allows Facebook to operate as a for-profit organisation, exercising the right to conduct business under Article 16 of the EU Charter.
The User POV. Facebook is a social media platform, predominantly designed for connecting with other people and posting, consuming and sharing content. Viewing personalised advertisements or content is ancillary to that main purpose, and therefore the use of personal data for behavioural advertising is not in fact necessary to provide the Facebook service.
The EDPB's analysis clearly sides with the User POV, and it does so by making an important observation about contract as a legal basis for data processing:
The GDPR, pursuant to EU primary law, treats personal data as a fundamental right inherent to a data subject and his/her dignity, and not as a commodity data subjects can trade away through a contract.33
On its face, this might seem difficult to reconcile with the nature of contractual necessity:
Contracts are mechanisms by which two or more parties agree to exchange things of value based on a set of terms.
If the GDPR includes contractual necessity as a legal basis for processing personal data, then one might interpret this to mean that personal data can be subject to contractual arrangements.
So in the Facebook case, users provide their personal data in order to receive the Facebook service, making the use of that data by Facebook contractually necessary.
However, this is not how the EDPB interprets the GDPR. Article 6.1(b) states that personal data can be processed only if the processing is necessary for the performance of a contract.
This provision does not permit the exchange of personal data via a contract, reflecting the stipulation made by the EDPB about personal data not being a commodity. Instead, it permits the processing of personal data where this activity is needed to enable the exchange of the things of value that the contract is principally concerned with.
Take the aforementioned example regarding the retailer selling products online:
The contract imposes an obligation on the online retailer to deliver a product, and a corresponding obligation on the buyer to provide sufficient funds to pay for the product and its delivery. The contract is therefore not principally concerned with the exchange of personal data.
However, given the context of the contract, it is necessary for the buyer to provide certain personal data to the retailer so that the contracting parties can fulfil their respective obligations. The buyer's payment details are needed so that the retailer can receive the funds for the product being purchased, and the buyer's address is needed so that the retailer can deliver the purchased product to the buyer.
The processing of personal data here is therefore needed for the contract to be executed. This is why the processing is considered contractually necessary.
Additionally, as the EDPB indicates in its analysis, the protection of personal data is a fundamental right in the EU. Accordingly, it is the User POV that needs to prevail, meaning the rights and interests of data subjects must be prioritised over the economic interests of data controllers.
Apply these points to the Facebook case and you can see the rationale for the EDPB's decision. Behavioural advertising is ancillary to the main purpose of the Facebook service, and the economic interest Meta may have in pursuing this as a business model does not take precedence over the data protection rights of its users.
This EDPB decision takes away contractual necessity as a legal basis that can be relied on by Facebook and other tech companies that engage in surveillance capitalism. Future posts in this series will look at the further developments on this issue, including the judgment of the European Court of Justice in Bundeskartellamt and the EDPB's guidelines on 'consent or pay'.
EDPB, Binding Decision 3/2023, para. 3.
GDPR, Article 60.
GDPR, Article 60.3.
GDPR, Article 65.1(a).
EDPB, Binding Decision 3/2023, para. 30.
EDPB, Binding Decision 3/2023, para. 42.
EDPB, Binding Decision 3/2023, para. 133.
Irish Data Protection Commissioner, Meta Decision (31 December 2022), para. 4.56.
The Article 29 Data Protection Working Party was established under the Data Protection Directive as an independent advisory authority made up of members from the data protection authorities across the EU. Its functions were taken over by the EDPB in May 2018 when the GDPR came into force and replaced the Directive.
Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (Profile Books 2019), p.8.
EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, p.10.
EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, para. 30.
EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, para. 33.
The recognition of the Facebook terms and conditions being the contract in question was maintained in the Irish DPC's final decision on the matter, for which see para. 4.6 and 4.36 of the final decision.
Irish Data Protection Commissioner, Meta Decision (31 December 2022), para. 2.13.
Irish Data Protection Commissioner, Meta Decision (31 December 2022), para. 2.13.
EDPB, Binding Decision 3/2023, para. 34.
EDPB, Binding Decision 3/2023, para. 34.
EDPB, Binding Decision 3/2023, paras. 35 and 36.
EDPB, Binding Decision 3/2023, para. 34.
EDPB, Binding Decision 3/2023, para. 37.
EDPB, Binding Decision 3/2023, para. 111.
EDPB, Binding Decision 3/2023, para. 117.
EDPB, Binding Decision 3/2023, para. 117.
EDPB, Binding Decision 3/2023, para. 118.
EDPB, Binding Decision 3/2023, para. 119.
The EDPB cited contextual advertising based on geography, language and content as one possible alternative.
EDPB, Binding Decision 3/2023, para. 121.
EDPB, Binding Decision 3/2023, para. 122.
EDPB, Binding Decision 3/2023, para. 123.
EDPB, Binding Decision 3/2023, para. 124.
EDPB, Binding Decision 3/2023, para. 133.
EDPB, Binding Decision 3/2023, para. 101.