Meta (formerly known as Facebook) announced yesterday it will give its users from the EU a chance to consent to their data being used for targeted ads. The announcement not involving UK-based users caught attention.
The United Kingdom’s leading data protection watchdog has warned Meta about its concerning data handling, emphasizing the need for compliance with data protection regulations.
In the post ICO statement on Meta, Stephen Almond, ICO Executive Director of Regulatory Risk, stated:
“As a digital regulator, we pay close attention to how companies operate internationally and how people’s rights are respected.
“We’re aware of Meta’s plans to seek consent from users for behavioral advertising in the EU, to the exclusion of the UK. This follows related findings by the Court of Justice of the European Union, Irish Data Protection Commission and Norwegian Data Protection Authority.
“We are assessing what this means for information rights of people in the UK and considering an appropriate response.”
The carefully chosen words used by Almond strongly suggest that the regulator is displeased with the tech giant, for its apparent reluctance to grant UK users the same data rights as their counterparts in the EU, European Economic Area (EEA), and Switzerland, who are on the verge of getting these rights.
The situation appears extremely awkward for the ICO and brings awful news for UK users, who find themselves in a less favorable position after Brexit. Meta’s decision not to extend the same level of respect for information to UK users as it does to Europeans living in other parts of the region adds to the concern.
UK’s data protection law continues to be based on the pan-EU General Data Protection Regulation (GDPR), that’s why the timing of Meta’s decision is particularly concerning. While the UK government’s plan to modify the domestic privacy regime post-Brexit is yet to be officially implemented, the privacy regulations currently remain aligned with the EU’s standards.
However, this puts the responsibility on the ICO to defend the domestic data protection rules without the backing of the Court of Justice of the EU (CJEU), which no longer has jurisdiction over UK law since January 31, 2020. Meta’s recent announcement to offer Europeans the choice to opt-out of tracking-for-ads came after a significant CJEU ruling, raising questions about the company’s motivations and approach to data protection.
Meta made this decision, following a significant GDPR enforcement in January 2023 by EU data protection regulators. Additionally, last month, Norway took immediate action by locally banning Meta’s behavioral ads due to legal basis concerns, instead of waiting for Ireland, the lead regulator for Meta within the EU, to address the issue across all member states.
The series of EU procedures has resulted in the tech giant losing any lawful basis under EU law for its data processing aimed at personalizing ads, except through consent. This momentum behind GDPR enforcement is now having a real impact on transforming privacy-hostile business models.
However, the unfortunate consequence for people in the UK is that they are not covered by the EU’s implementation of GDPR, leaving them without any intent from Meta to obtain consent. Despite the UK’s departure, the EU has been proactive in enacting digital regulations, including the Digital Markets Act (DMA), which has prompted Meta to reconsider its ads data processing practices.
The UK is not subject to the DMA. Similarly, both the Irish Data Protection Commission’s (DPC) GDPR enforcement and the Court of Justice of the European Union’s (CJEU) interpretation of GDPR application do not extend to the UK as well.
Earlier this year, Meta made a significant move by transferring UK users’ data from its Irish subsidiary to its US entity, effectively placing them outside the jurisdiction of the EU. This move marks the impact of Brexit on data regulation. Additionally, a “Made in the UK” digital ex ante competition reform, which could have been an equivalent to the DMA, has faced delays due to political turmoil within the governing Conservative party post-Brexit.
The ICO faces an even more specific challenge as it has repeatedly overlooked similar complaints concerning the lack of a proper lawful basis for adtech tracking, spanning a considerable period of time.
The ICO has also been criticized for not taking action on complaints about adtech practices. It was even sued in 2020 for not doing enough. During the pandemic, the ICO stopped investigating adtech issues, which raised concerns about people’s data rights during that time. Although the regulator has publicly criticized adtech abuses, it hasn’t taken strong action to address them.
Despite the UK GDPR allowing significant fines for rule-breaking; the ICO hasn’t imposed such penalties in the past. Because of this, Meta might think it can get away with not respecting the data rights of UK users.
TechCrunch contacted the ICO to inquire about its previous lack of action against adtech tracking and profiling. The regulator did not provide any additional details beyond its previous public statements.
Additionally, Meta declined to comment on the ICO’s remarks but pointed to its blog post, stating that its decision to switch to consent in the EU and EEA was prompted by enforcement actions by regulators and courts in the region.
Essentially, Meta implies that its decision to change the data processing basis is linked to enforcement actions taken against it. This suggests that the ICO has the power to influence how UK users’ data rights are treated by Meta and other adtech entities operating in the UK. The regulator can do this by actively enforcing UK law on the adtech industry, something privacy campaigners have long called for.
Michael Veale, a digital rights lecturer at University College London, urged the ICO to directly regulate adtech giants like Meta to protect the rights of UK users.
“Since Meta moved its relevant headquarters for U.K. users from Ireland to the U.S., the U.K. is now obliged to regulate the tech firm for itself, not to wait for Ireland. This would be a great time [for the ICO] to show it is ready for these significant new responsibilities,” Veale said to TechCrunch.
“The text of the relevant law applying to Meta is in all relevant ways identical in the EU and the U.K. Meta’s choice not to extend the same rights to U.K. users is it making a calculated decision that privacy enforcement in the U.K. is weak enough to ignore,
“Some of the court judgements do apply to the EU and not the U.K., as they were handed down after the end of 2020. But that does not mean that the regulator cannot take clear action using the information provided in the course of these judgements, and on the solid reasoning within them.”