As previously mentioned in our early article ‘Meta-morphosis: the Evolution of Data Protection’, global regulators have begun a crackdown on data usage in an effort to restore the equilibrium between the power of the big tech firms and the individual. This re-establishment of control, which aims to give individuals greater understanding and control over their data, continues to be managed by both global governments and the courts. This article outlines and assesses the efforts of the crackdown so far and claims that the fight against big tech has only just begun.
The General Data Protection Regulation (GDPR) came into effect in 2018, outlining new rules for how companies must handle user data when operating in the EU. The GDPR gives individuals in the EU and EEA greater control over their personal data (including email addresses, bank details, location details, medical information, IP addresses etc) and what companies can or cannot do with these details. For instance, under the GDPR, citizens have the right to be forgotten, meaning they can withdraw their consent from a company or organization to use their data.
The effect of GDPR has been far-reaching, taking away the power of big tech firms that leverage user data for monetary gain and putting it back in the hands of the individual.
However, as you might gather, the GDPR only operates within the EU and EEA, meaning that large parts of the world are awarded this legislative protection. Nonetheless, the implementation of GDPR has inspired other regulators to implement similar protections. For example, the California Consumer Privacy Act (CCPA) came into effect in 2020, which offers similar protections to Californian citizens such as the right to know what personal data is being collected about them and the right to delete such information.
The implementation of GDPR had an instantaneous effect on the individual’s ability to assert their new rights over big tech.
In May 2018, days after the GDPR was implemented, a collective action was filed with the French Data Protection Authority (CNIL) by two not-for-profit organizations that alleged that Google was violating the GDPR’s transparency and consent requirements.
The CNIL found that Google provided vague information to users about how their data is collected and used, with essential information being spread across several pages making it inaccessible.
In relation to consent, the CNIL found that Google did not obtain consent for targeted ads purposes. It noted that user consent was obtained in a default pre-clicked checkbox, which was not a valid way to obtain user consent.
While Google appealed the decision, in June 2020, the French Council of State upheld CNIL’s decision and the €50m fine, stating that Google’s data processing procedures were a “serious violation” of privacy rights.
Furthermore, the CNIL has since continued the fight for user data privacy against big tech. In 2022, the CNIL fined Facebook and Google a combined €210m for preventing its users to stop online tracking outside of the companies’ platforms.
However, while this sounds impressive, it is extremely unlikely that these hefty fines are likely to prevent big tech from defending their business model. As we have explained previously (read: ‘The Cost of Clicks’), big tech relies on obtaining and using individual data for the creation and deployment of personalized ads. The value of personalized ads to big tech is so great that Google will simply view the yearly €100m fines as a small price to pay to maintain their business model. Therefore, the only way to get big tech to change is to force them to implement an opt-in system for user data processing.
Several people are hoping that this is precisely what the recent Data Protection Commission (DPC) decision against Meta might ultimately achieve.
The recent Data Protection Commission (DPC) decision in early 2023 might be the case that fundamentally changes how big tech firms can operate in Europe.
In summary, in May 2018, two investigations into Meta’s data processing operations (one against Facebook and one against Instagram) were launched with the Data Protection Commission (DPC). The investigations were in connection with the legal justification that Meta was relying on to process users’ personal data to deliver their services under the GDPR, including their targeted adverts.
Meta argued that it could compliantly process user data as it was “necessary for the performance of a contract to which the data subject is a party”.
The DPC, implementing the recommendations from the European Data Protection Board (EDPB), found that the delivery of personalized targeted advertising could not be considered “necessary and essential” to Meta providing the core elements of its services. Therefore, the DPC ordered that Meta needed to re-structure its current Terms of Service and consent procedures in order to become GDPR compliant.
Predictably, Meta is aiming to appeal this decision. However, let’s suppose for a moment that the DPC decision is upheld following a Meta appeal, Meta (and other companies that process user data to create targeted ads inside the EU) will have to seriously rethink their business models.
Might we see a move by big tech companies to start to charge for access to certain services or content? Following the introduction and relative success of Twitter Blue Musk (Twitter’s premium subscription service that gives users special features and services) in late 2022, it seems possible that we might be experiencing a change in the way companies will monetize their social media platforms for the first time since their inception.
We are currently amidst a time of transition in terms of data privacy and what the law does (and does not) allow companies to do with our personal data. The introduction of GDPR has certainly facilitated a shift in the power balance between the user and the tech giant. However, there are still many hurdles to jump over before we can agree that users have real control over their personal information. Furthermore, there are millions of people who are currently unprotected from any data protection laws and will not receive the benefits of any European breakthroughs in the data usage crackdown. Therefore, for the time being, we can only wait and see how big tech responds to the recent efforts of the courts and what consequences that might have for the advertising business model globally.
