This article touches upon the privacy news regarding:
In the previous newsletter, we talked about Meta’s pitch to introduce a paid subscription for European users.
Just weeks after, people in Europe are being asked to choose: pay to avoid ads or use a free version on Facebook or Instagram and let them use “your info for ads”.
Meta has previously been told that they must basically stop their behavior-based marketing on Facebook and Instagram as it is in violation of the GDPR.
On 27 October 2023, the European Data Protection Board (EDPB) issued a binding decision banning Meta’s targeted advertising practices. This was done at the request of the Norwegian Data Protection Authority, who was the first to ban Meta’s targeted advertising practices in Norway.
The ban now applies to the entire EU/EEA, so it extends its reach and impact to all of Europe.
So it’s no surprise that Meta had to quickly introduce a solution to continue doing business in the region.
Is a paid subscription a valid solution? Many have expressed skepticism as to whether Meta's new approach meets the requirements for “freely-given” consent, partly because you have to pay if you do not "consent". The process is underway at European level to assess the legality of the new solution. We will keep a close watch on it and will keep you updated.
P.S. No, the laws haven’t changed in the region, as stated in the banner above 🙂Just after more than five years of violations of users' basic privacy rights, Meta is finally being asked to respect the GDPR.
Is this the start of a new approach to advertising? For now, the ban only applies to Meta, but the same principles apply to any ad tech company in the industry and many of them ultimately plug into Meta.
Under the GDPR, responsibility is shared among processors, so it’s not just Meta’s problem and should eventually affect the entire digital advertising market.
A recent ruling by Belgium’s Data Protection Authority highlighted the importance of having data processing agreements (DPAs) in place at the time the data is being shared.
In the ruling, the Authority found that a retroactive DPA was invalid.
The Belgian Authority also said it was the responsibility of both parties to ensure the written data processing agreement was in place at the material time. This is a fairly new approach, as data controllers (not their vendors) have normally been held primarily responsible for making sure that a DPA was in place.
It means that regardless of whether you are a data controller or a processor, you have a responsibility for ensuring that DPAs are entered into before the data processing takes effect.
So make sure to sign the DPA before you start sharing (or receiving) data 🙂
AI is everywhere and it’s evolving so fast the regulators are in the rush to introduce comprehensive rules.
But all eyes are on the EU AI Act. The EU AI draft law is at the last phase of the EU legislative process, so-called trilogues, whereby the EU Parliament, Council and Commission hash out the final provisions. Will it or will it not be finalized before the European Parliament election in June 2024? Some say the chances are 50/50. We hope it will! 🙂
On December 7th, we’re having an online masterclass on “How to prepare for the EU AI Act” together with partner and lawyer Tim van Canneyt. It’s free to join so make sure to sign up so you can start preparing for it.
Sign up for a regular dose of news and updates from the legal landscape.