In response to a question from the highest German court, the Advocate General of the ECJ – whose opinion is not binding but is usually followed by the court – provided essential clarification to European law on the protection of personal data. data to confirm that consumer associations can bring actions on behalf of individuals.

If followed by the ECJ, it will make it much easier for people to defend their rights against tech giants in the future. Following a European court ruling against Google several weeks ago for using the power of its platform to restrict competitors, this is the latest example of European regulators making the business climate increasingly cold for the companies that control our data – in stark contrast to the United States.

Facebook and consent

The current case is about how Facebook, now known as Meta, encouraged users to play quizzes and games like FarmVille, before sharing the results with all of their friends.

In a lawsuit brought by the Federation of Consumer Organizations of Germany (VZBV), initially heard in 2014, she claimed that Facebook’s data protection notice did not make it clear to users how their data could be shared. He wants the company not to be allowed to use similar consent forms in the future.

VZBV won the original case and on appeal, before it was heard by Germany’s highest court in May 2020. The judges agreed that Facebook had misled users with the opinion, but asked for the ECJ opinion on Facebook’s argument that only individuals and not consumer organizations can file a complaint under the EU General Data Protection Regulation (GDPR), which governs this area.

The Advocate General’s recommendation, ahead of a final ECJ ruling in 2022, reflects the fact that individuals typically do not take legal action against large companies for a small violation of a rather technical regulation. Suing large corporations on behalf of society is what consumer organizations do, so it would limit personal protection if that was denied.

Facebook’s approach to gaming isn’t the only time there have been questions about how it got user consent over data. In particular, he sent unsolicited emails to users’ contacts when they joined the social network. It also placed “Like” buttons on third party websites and collected the data without asking for user consent.

One by one, European national regulators declared these practices illegal, but always long after the fact. When Facebook was ordered to pay 100,000 (£ 85,138) by German regulators in 2016 for sending unsolicited emails, for example, it was clearly too late to affect the company’s behavior on this. individual problem.

VZBV has been at the forefront of the fight to hold tech giants accountable for customer data since the early 2010s, but not always successfully. It failed in its attempt to prevent Facebook from claiming that its platform is “free and always will be,” while forcing users to pay with their private data. Nor has he been able to require the company to allow users to adopt a pseudonym. Facebook had resisted citing security concerns, but also perhaps because identifiable consumer data is more valuable than anonymous data.

GDPR and future regulations

As Facebook and other social media companies continued to develop new techniques for collecting consumer data, the GDPR was adopted by the EU in 2018 as a general framework to clarify the rules. It gives users more control and rights over their own data, requiring clear consent before it can be used.

Pending a decision on consumer organizations, the ECJ has already recently ruled that national privacy watchdogs can directly impose fines on tech companies under GDPR for violations affecting their citizens. Facebook had said that only the Irish authority was competent, since its European headquarters are there. A forthcoming ECJ case will examine the granting of similar powers to antitrust authorities.

EU rules on big tech are also set to be tightened in 2022 with the Digital Services Act and the Digital Markets Act. This additional set of restrictions should include limiting the uncontrolled dissemination of unverified and often hateful content, with potential penalties of 10% of a company’s annual turnover.

And despite all the talk about a bonfire of EU data protection rules after Brexit, the upcoming UK online security bill arguably goes even further in the same direction, with not only similar fines, but also potential prison sentences for leaders for violations. The bill could even make Facebook responsible for scams by other companies advertising on the platform.

Major EU countries such as Germany, France and the Netherlands also want the digital services law to block what has become big tech’s main strategy for attracting new users: identifying internet companies. unprofitable but prosperous, and buy their technology and user base.

The United Kingdom is now firmly on the same path, as the French Competition and Market Authority has just ordered Facebook / Meta to sell Giphy, the largest repository of GIFs on the internet, which it bought in 2020. for $ 400 million (£ 301 million).

European regulators are therefore unraveling the business models of tech giants one decision after another. European data regulation is also becoming the de facto global standard because in order to be allowed to operate in Europe (which generates a quarter of Facebook’s annual profits), global technology often has to obey stricter European rules in all areas.

European logic is that the collection of private data is often a scam. People care about privacy but give away their data for next to nothing, and the government should protect it. U.S. regulators view this as patronizing, with the Supreme Court ruling nearly 20 years ago that a dominant company is free to exploit its consumers.

Recent whistleblower Frances Haugen has sparked some soul-searching in the United States, but will likely struggle to get meaningful changes to the rules around data and content.

With countries like the UK now strongly following the EU lead, the US is increasingly isolated in this area. Meta is still free to earn money with its existing Facebook users in Europe.

But as the younger generations move away from Facebook for TikTok and Snapchat, it is increasingly difficult to reach them and gather the information needed to sell their profiles to advertisers. So maybe it is time for companies like Facebook to find new sources of income.