Bookmarked Commission opens non-compliance investigations against Alphabet, Apple and Meta under the Digital Markets Act (by European Commission)

With the large horizontal legal framework for the single digital market and the single market for data mostly in force and applicable, the EC is initiating first actions. This announcement focuses on app store aspects, on steering (third parties being able to provide users with other paths of paying for services than e.g. Apple’s app store), on (un-)installing any app and freedom to change settings, as well as providers preferencing their own services above those of others. Five investigations for suspected non-compliance involving Google (Alphabet), Apple, and Meta (Facebook) have been announced. Amazon and Microsoft are also being investigated in order to clarify aspects that may lead to suspicions of non-compliance.

The investigation into Facebook is about their ‘pay or consent’ model, which is Facebook’s latest attempt to circumvent their GDPR obligations that consent should be freely given. It was clear that their move, even if it allows them to steer clear of GDPR (which is still very uncertain), would create issues under the Digital Markets Act (DMA).

In the same press release the EC announces that Facebook Messenger is getting a 6-month extension of the period in which to comply with interoperability demands.

The Commission suspects that the measures put in place by these gatekeepers fall short of effective compliance of their obligations under the DMA. … The Commission has also adopted five retention orders addressed to Alphabet, Amazon, Apple, Meta, and Microsoft, asking them to retain documents which might be used to assess their compliance with the DMA obligations, so as to preserve available evidence and ensure effective enforcement.

European Commission

Favorited EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta by EDPB

This is very good news. The European Data Protection Board, at the request of the Norwegian DPA, has issued a binding decision instructing the Irish DPA and banning the processing of personal data for behavioural targeting by Meta. Meta must cease processing data within two weeks. Norway already concluded a few years ago that adtech is mostly illegal, but European cases based on the 2018 GDPR moved through the system at a glacial pace, in part because of a co-opted and dysfunctional Irish Data Protection Board. Meta’s ‘pay for privacy’ ploy is also torpedoed with this decision. This is grounds for celebration, even if this will likely lead to legal challenges first. And it is grounds for congratulations to NOYB and Max Schrems, whose complaints, filed the first minute the GDPR enforcement started in 2018, kicked off the process of which this is a result.

…take, within two weeks, final measures regarding Meta Ireland Limited (Meta IE) and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA).

European Data Protection Board

Bookmarked 1.2 billion euro fine for Facebook as a result of EDPB binding decision (by European Data Protection Board)

Finally a complaint against Facebook w.r.t. the GDPR has been judged by the Irish Data Protection Authority. This after the EDPB instructed the Irish DPA to do so in a binding decision (PDF) in April. The Irish DPA has been extremely slow in cases against big tech companies, to the point where they became co-opted by Facebook in trying to convince the other European DPAs to fundamentally undermine the GDPR. The fine is still mild compared to what was possible, but still the largest in the GDPR’s history at 1.2 billion Euro. Facebook is also instructed to bring their operations in line with the GDPR, e.g. by ensuring data from EU-based users is only stored and processed in the EU. This as there is no current way of ensuring GDPR compliance if any data gets transferred to the USA in the absence of an adequacy agreement between the EU and the US government.

A predictable response by FB is a threat to withdraw from the EU market. This would be welcome imo in cleaning up public discourse and battling disinformation, but is very unlikely to happen. The EU is Meta’s biggest market after their home market the US. I’d rather see FB finally realise that their current adtech models are not possible under the GDPR and find a way of using the GDPR like it is meant to: a quality assurance tool, under which you can do almost anything, provided you arrange what needs to be arranged up front and during your business operation.

This fine … was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020. Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR.

EDPB

The Dutch government may be leaving Facebook. In Germany, government use of Facebook was halted by the German data protection authority in 2021, because Meta (of course) does not comply with the GDPR. The Dutch DPA (AP) has not made such rulings itself since 2018, because Facebook is established in Ireland. The German authority has no such consideration, and proceeds from its own responsibility. Instead of waiting far too long for an Irish ruling on Facebook, it looks to its own house and states that its own government, in any case, cannot meet its own GDPR obligations by having Facebook pages.

State Secretary for Digitalisation Alexandra van Huffelen may now be preparing a decision along the same lines. Rightly so, it seems to me. Meta itself does not comply with the GDPR, and moreover the general exchange of European personal data with the US has no legal cover at all at the moment.

The government must itself set a good example in online interaction with citizens and in handling its own data. This applies to Meta, to Twitter, but also to cloud services and the Microsoft lock-in in which the government largely finds itself. No longer using Facebook itself is a modest first signal, one that already seems surprisingly difficult for the government to give clearly.

I hope the State Secretary makes the decision soon.

Operating a Facebook fan page in compliance with data protection law is not possible, Kelber wrote in a letter to all federal ministries and supreme federal authorities.

Bundesdatenschutzbeauftragte (German Federal Commissioner for Data Protection)

This is quite something to read. The Irish data protection authority is where most GDPR complaints against US tech companies like Facebook end up, because the European activities of these companies are registered there. It has been quite clear in the past few years how enormously slow the Irish DPA has been in dealing with those complaints. Up to the point where the other DPAs complained about it, and up to the point where the European DPA intervened in setting higher fine levels than the Irish DPA suggested when a decision finally was made. Now noyb publishes documents they obtained that show how the Irish DPA tried to get the other national DPAs to accept a general guideline they worked out with Facebook in advance. It would allow Facebook to contractually do away with informed consent by adding boilerplate consent to their TOS. This has been the FB defense until now, that there’s a contract between user and FB, which makes consent unnecessary. I’ve seen this elsewhere w.r.t. transparency and open data in the past as well, where government entities tried to prevent transparency contractually. Contractually circumventing and doing away with general legal requirements isn’t admissible however, yet that is precisely what the Irish DPA attempted to make possible here through an EU DPA Guideline.

Reading this, the noticeable lack of progress by the Irish DPA seems not to be because of limited resources (as has been an issue in other MS), but because it has been actively working to undermine the intent and impact of the GDPR itself. Their response to realising that adtech is not workable under the GDPR seems to be to sabotage the GDPR.

The Irish DPA failed to get other DPAs to accept a contractual consent bypass, and that is the right and expected outcome. That leaves us with what this says about the Irish DPA, that they attempted it in the first place, to replace their role as regulator with that of lobbyist:

It renders the Irish DPA unfit for purpose.

There are many companies named Meta, Opencorporates lists 8890 of them, about a third of them in the USA, and a handful named Meta Company. Interestingly, the one doing the rounds the past few days with an ‘open letter’ decrying Facebook’s behaviour in trying to wrest their name and domains from them isn’t among them: Meta.Company. Nick Stulic, signing as founder, has no Google search results alongside the name Meta but without Facebook, and also has almost no online traces for the name only. Quite a feat in itself, but it raises questions in this context. There’s no LinkedIn profile for the name, the social media accounts were created last month, and the domain has no archive traces earlier than this month. The logo above the letter has no results on tineye.com.

True, Open Corporates does not seem to hold US companies from Chicago/Illinois, where this one claims to originate. Searching for the Meta company name in Chicago does surface a local fintech company that had an angel investment round last year. They used a different domain, metacash.io (now for sale), and name a different founder. There is a Nick Stulic, who coded in Python some years back it seems. The domain meta.company was registered in 2014.

But there is nothing about what the company actually does in the letter, nor is there anything but that letter on its website. The named legal offices exist but don’t pertain to the company, but to the suggested FB actions.

The ‘open letter’ precisely boosts a notion about FB that seems to fit perfectly, and that many will want to believe. But I’ll put this one in the stack marked fake.