Meta, It's Nothing Personal
13 Jan, 2023
Only 4 days into the New Year and the DPA's traffic light systems have been flashing like the Christmas tree lights you've just packed up in the loft. In his latest piece for MAD//Insight, Ben Phillips, MAD//Fest's digital advertising consultant, investigates.
Yesterday, the Belgian Data Protection Authorities (BE DPA) informed IAB Europe that it had approved its action plan to bring the processing of personal data under the 'Transparency and Consent Framework' (TCF) in line with GDPR. This is the same DPA that on 2nd February 2022 ruled consent pop-ups to be illegal and that all data collected illegally from 2018 be deleted.
They imposed an administrative fine of €250,000 and started counting down a 6-month deadline (11th July 2023) in which to implement these measures, but there are other cases in the balance which could change this in the future.
We started to see DPAs and regulators gain momentum during 2022 and, only 4 days into the New Year, the Irish Data Protection Committee fined Meta €390m (€210m Facebook, €180m Instagram) for violating EU privacy rules.
This is a huge 'about-turn': as Meta’s lead data protection authority, the DPC had originally chosen to support Meta over the EU Data Protection Board (which is made up of all EU/EEA data regulators), having previously recommended fines in the region of €59m based on its lack of transparency.
The EDPB ruling to overturn the DPC’s decision and to implement the decision of the higher governing body is based on what it believes to be “reasonable” challenges that have been submitted by 9 national regulators against Meta. It also stepped in to expedite what others have considered a long and drawn-out process.
On the 8th of March the Belgian DPA expressed the need for additional resources: “The BE DPA points out that it has only 45.9 case handlers (FTEs) to carry out the 21 different tasks assigned by the GDPR, and that the gap with its European counterparts is therefore widening.” Awareness will drive more cases in the coming months and require more resource, which will need funding, and there would appear to be options for regulators to retain a % of these fines.
Pre-GDPR, the ICO had a £500,000 ceiling on fines for those violating data protection rights; post May 2018 this is now set at €20m or 4% of global turnover. Incidentally, in the past year and a half, Meta has racked up more than $1bn in privacy cases.
Whilst these fines are simply the cost of doing business for major platforms, they would be crippling for others. After all, not everyone can set aside $3bn for investigations into privacy.
The problem here appears to be around identity and, for a change, it’s not the consumer’s identity we should be worried about, in this context anyway. It will be the courts ruling whether the IAB is or is not a Data Controller, and that title will have a dramatic impact on advertising as we know it.
As for now, I am sure that there are those living with the feeling you get when you 'think' you saw a camera flash in your rear mirror but aren’t sure. You then spend the following weeks and months waiting for the fine to come through your letterbox...
Ben will be writing for MAD//Insight throughout the year and will host MAD//Fest's DigiAds stage in July.