Showing 9 of 109 Publications in Data Security & Privacy

EDPB: Meta Violates GDPR by Personalised Advertising. A ‘Ban’ or Not a ‘ban’?

Popular Media

This is a big week for Meta-related EU privacy news. On Monday, Meta announced that it would allow users to pay for ad-free versions of Facebook and Instagram. I explained what arguably went wrong in EU law to force Meta to do this in a previous newsletter. Now, the European Data Protection Board (EDPB) has reportedly ruled that Meta broke EU privacy law by processing personal data for personalised advertising. See below for what I can tell so far about the new decision and for a brief overview of its background. More to follow once the EDPB decision is published.

Data Security & Privacy

Facebook, Instagram, ‘Pay or Consent’ and Necessity to Fund a Service

Popular Media

Meta officially announced that Facebook and Instagram will offer a paid subscription service tier without any ads. The move was prompted by recent enforcement actions by European privacy authorities and a judgment by the EU’s highest court, the Court of Justice. I’ll dive deeper into those developments in future posts. I believe that much of this is both bad law and bad policy. Today, I start with an overview, aiming to provide a simplified explanation.

Data Security & Privacy

Will the EU-U.S. Data Privacy Bridge Hold?

TOTM

With the European Commission’s recent announcement that it had deemed the revamped data-protection framework from the United States to be “adequate” under the European Union’s stringent General Data Protection Regulation (GDPR), the stage is set for what promises to be a legal rollercoaster in the European Court of Justice (CJEU). The Commission’s decision is certain to be challenged, and the CJEU’s ultimate decision in that case has the potential to shape transatlantic relations and global data governance for years to come.

Data Security & Privacy

Right to Anonymous Speech, Part 1: An Introduction from First Principles

TOTM

What is anonymity? Do we have a right to it? And against what other values should this right be balanced when it comes to government regulation? This blog post will be the first in a series that looks at what anonymity is, why it is important, and what tradeoffs should be considered when applying a right to anonymity in specific contexts.

Innovation & the New Economy

Antitrust at the Agencies Roundup: The Cat’s Tuches of Summer Edition

TOTM

I had thought we were in the dog days of summer, but the Farmer’s Almanac tells me that I was wrong about that. It turns out that the phrase refers to certain specific dates on the calendar, not just to the hot and steamy days that descend on the nation’s capital in . . . well, whenever they do (and not just before Labor Day, that’s for sure). The true dog days, it turns out, are July 3-Aug. 11, no matter the weather. So maybe this is just the cat’s tuches of summer, as if that makes it better.

Data Security & Privacy

Norwegian Decision Banning Behavioral Advertising on Facebook and Instagram

TOTM

The Norwegian Data Protection Authority (DPA) on July 14 imposed a temporary three-month ban on “behavioural advertising” on Facebook and Instagram to users based in Norway. The decision relied on the “urgency procedure” under the General Data Protection Regulation (GDPR), which exceptionally allows direct regulatory interventions by national authorities other than the authority of the country where the business is registered (here: Ireland).

My initial view of the decision is that it both misuses the urgency procedure and mischaracterizes the leading judgment from the EU Court of Justice (CJEU) on which it purports to rely (see my analysis of that judgment: part 1 and part 2). The decision misses the critical legal issue that it’s unclear to what extent the CJEU’s analysis applies to first-party personal data (collected by Facebook and Instagram), as the Court’s judgment expressly covered third-party data (collected “off-platform”).

Data Security & Privacy

How the New Interoperability Mandate Could Violate the EU Charter

Popular Media

Among the regulatory tools created by the European Union’s Digital Markets Act (DMA)—landmark competition legislation that took effect across the EU last November—is a mandate that the largest digital-messaging services must be made interoperable. In the name of promoting fairness in digital markets, these gatekeeper services are asked to allow external services to connect with them, enabling new and smaller players to compete.

Data Security & Privacy

The CJEU’s Decision in Meta’s Competition Case: Sensitive Data and Privacy Enforcement by Competition Authorities (Part 2)

TOTM

Yesterday, I delved into the recent judgment in the Meta case (Case C-252/21) from the Court of Justice of the European Union (CJEU). I gave a preliminary analysis of the court’s view on some of the complexities surrounding the processing of personal data for personalized advertising under the GDPR, focusing on three lawful bases for data processing: contractual necessity, legitimate interests, and consent. I emphasized the importance of a nuanced understanding of the CJEU decision and pointed out that the decision does not determine definitively whether Meta can rely on legitimate interests or fall back on user consent for personalized advertising.

Data Security & Privacy

The CJEU’s Decision in Meta’s Competition Case: Consequences for Personalized Advertising Under the GDPR (Part 1)

TOTM

Today’s judgment from the Court of Justice of the European Union (CJEU) in Meta’s case (Case C-252/21) offers new insights into the complexities surrounding personalized advertising under the EU General Data Protection Regulation (GDPR). In the decision, in which the CJEU gave the green light to an attempt by the German competition authority (FCO) to rely on the GDPR, the court also explored the lawful bases for data processing under the GDPR, notably for personalized advertising.

Data Security & Privacy