The approach by Facebook to users’ data has just been dealt a major blow from the Court of Justice for the European Union (“CJEU”). In an answer to a question from Germany’s highest court, the CJEU’s advocate general – whose opinion is not binding but is generally followed by the court – has made an essential clarification to Europe’s data protection law to confirm that consumer associations can bring actions on behalf of individuals. If followed by the CJEU, this will make it easier for people to defend their rights against tech giants in future. Coming on the back of a decision by the CJEU against Google several weeks ago for using its platform power to restrict competitors, this is the latest example of European regulators making the business climate increasingly chilly for the companies that control user data – in sharp contrast to the U.S.

Facebook and Consent

The current case is about the way that Facebook – whose parent has since rebranded to Meta – in its early years encouraged users to play quizzes and games such as FarmVille before sharing the results with all their friends. In an action brought by the Federation of Germany Consumer Organizations (“VZBV”), which was originally heard in 2014, the VZBU claimed that Facebook’s data protection notice did not clearly explain to users how their data could be shared. It wants the company to be forbidden from using similar consent forms in future. 

VZBV won the original case and its appeal – and the case was then heard by Germany’s highest court in May 2020. The judges agreed that Facebook had misled users with the notice, but sought an opinion from the CJEU on Facebook’s argument that only individuals and not consumer organizations can bring complaints under the EU’s General Data Protection Regulation (“GDPR”), which governs this area. The advocate general’s recommendation, ahead of a final CJEU decision in 2022, reflects the fact that individuals do not typically start legal proceedings against large companies for a small breach of a rather technical regulation. Suing big firms on behalf of society is what consumers’ organizations do, so it would limit people’s protection if this was disallowed. 

Facebook’s approach to games is not the only time that there have been questions about how it obtained users’ consent over data. It famously sent unsolicited emails to users’ contacts when they joined the social network. It also placed “like” buttons on third party websites and harvested the data without seeking users’ consent. One by one, national European regulators have ruled these practices illegal, but always long after the fact. When Facebook was ordered to pay €100,000 (£85,138) by German regulators in 2016 for sending unsolicited emails, for instance, it was clearly too late to affect the company’s behavior on that individual issue.

VZBV has been at the forefront of fighting to make tech giants accountable for customer data since the early 2010s, though not always successfully. It failed in an attempt to stop Facebook claiming its platform is “free and will always be,” while making users pay with their private data. It was also unable to require the company to allow users to adopt a pseudonym. Facebook had resisted citing safety concerns, but perhaps also because data on identifiable consumers is more valuable than anonymous ones.

The GDPR and Future Regulations

As Facebook and other social media companies have continued to develop new techniques to harvest consumer data, the GDPR was adopted by the EU in 2018 as a general framework to clarify the rules. It gives users more control and rights over their own data, requiring clear consent before it can be used. Pending a decision on consumer organizations, the CJEU has already recently decided that national privacy watchdogs can directly fine tech firms under the GDPR for breaches affecting their citizens. Facebook had claimed only the Irish authority was competent, since its EU headquarters are there. A forthcoming CJEU case will look at giving similar powers to antitrust authorities.

The EU rules around big tech are also set to be strengthened in 2022 with the Digital Services Act and Digital Markets Act. This package of extra restrictions is set to include curbing the uncontrolled spread of unverified and often hateful content, with the potential for penalties of 10 percent of a company’s annual revenue. And for all the talk of a bonfire of EU data protection rules after Brexit, the forthcoming UK Online Safety Bill goes arguably even further in the same direction, with not only similar fines but potential prison sentences for executives over breaches. The bill may even make Facebook responsible for scams by other companies advertising on the platform. 

Major EU countries, such as Germany, France and the Netherlands, also want the Digital Services Act to block what has become big tech’s major strategy to attract new users: identifying non-profitable but successful internet companies, and buying their technology and user base. The UK is now decisively on the same path, as the Competition and Market Authority just ordered Facebook/Meta to sell Giphy, the largest repository of GIFs on the internet, which it bought in 2020 for $400 million.

European regulators are, therefore, unravelling tech giants’ business models one decision after another. European data regulation is also becoming the de facto global standard because to be allowed to operate in Europe (which generates a quarter of Facebook’s annual profits), global tech often has to obey the stricter European rules across the board.

The European logic is that harvesting private data is often a rip-off. People care about privacy but give away their data in exchange for almost nothing, and the government should protect them. American regulators consider this patronizing, with the Supreme Court ruling almost 20 years ago that a dominant firm is free to exploit its consumers. Recent whistleblower Frances Haugen has provoked some soul searching in the U.S., but will probably ultimately struggle to secure meaningful changes to the rules around data and content. 

With the likes of the UK now strongly following the path of the EU, the U.S. is becoming increasingly isolated in this area. Meta is still free to make money out of their existing Facebook users in Europe. But as younger generations leave Facebook for the likes of TikTok and Snapchat, it faces increasing difficulties in reaching them and gathering the necessary information to sell their profiles to advertisers. It may, therefore, be time for companies like Facebook to find new sources of revenue … potentially in the metaverse

Renaud Foucart is a Senior Lecturer in Economics at Lancaster University School of Management School. (This article was initially published by The Conversation.)