
Ben Thompson wrote exactly about my point in his newsletter. But thanks for your accusation.


It's great that you have a non-publicly available newsletter as a source, but if you read the DPC item [1] you'll see that it's just about the GDPR. What Ben probably does not understand is that the fine is not about the TOS change _before_ the GDPR came into effect, but about the fact that data was processed without valid legal basis _after_ the GDPR came into effect, as the TOS change and an 'I accept' button were simply not sufficient.

[1]: https://www.dataprotection.ie/en/news-media/data-protection-...


Please see my comment below, where I quote Ben Thompson.


Can you provide a link or the full quote of the relevant section, so that we can see what’s going on here? My expectation is that he’s misunderstanding the situation.


To be fair, it is not 100% clear in my original post that I am not talking about this fine but a previous one. But if you read it carefully, that is what I say. And here is Ben Thompson on 11th January 2023:

"In short, Meta can not make access to its personalized social media services contingent on accepting personalized advertising; moreover, the company was fined for having done just that, despite the fact their regulator agreed with them that that was acceptable.

I find this decision disturbing for two reasons. First, it seems unduly punitive that Meta can be fined a material amount for an approach that is not only reasonable on its face (more on this in a moment), but also one that its primary regulator agreed was appropriate. GDPR is not clear on this point, and it’s ridiculous that a company can be retroactively fined for not reading the minds of EU bureaucrats.

Second, and more importantly, the fact that Meta must offer personalized social networking to users — which uses their data! — but cannot tie that to offering personalized ads — which uses their data in the exact same way, and without sharing or selling that data to advertisers — is a completely arbitrary attack on Meta’s ability to do business. Let me reiterate that point: serving a video or a post in your Facebook feed is no different from serving an ad; it is Facebook that is choosing what to serve you, not an advertiser, who has no access to users or their data. It’s all just bits, it just so happens that some of those bits make Meta money. That, apparently, is the crime here (and a callback to the Google Shopping case)."

Do you still think the EU is acting like a fair player? When in fact they are both a player and the referee? This type of behavior is exactly why there won't ever be any major innovation in the EU. And I live here btw.


There is nothing in there about retroactively applying laws. If there is anything, it may be that the laws were(/are) unclear.

The Irish DPC states they never approved anything (but there have been discussions between various European data protection authorities and the EDPB during the investigation). See for example 2.44 or 2.46 of the report [1]:

> It is factually not the case that the Commission endorsed or approved of the Terms of Service and Data Policy of Facebook or indeed of any other organisation

and

> To the extent that Facebook seeks to rely on or has ever relied on any consultative process with the Commission in order to defend the lawfulness of a particular practice, this has been in error. More pertinently, for present purposes, Facebook makes no such argument in the context of this Complaint. This is because the Commission never provided any such approval in this case nor does it do so in the context of its engagement and consultation role more generally

If you look at the final decision on Meta, you'll see that most of the fine (80+70=150 million) is for the fact that Meta was not clear on what they were doing with users' data. Only the last 60 million is about the actual legal ground of the processing. So the past that Ben Thompson mentions essentially skips 70% of the fines.

And yes, the data protection authorities are acting like a fair player and they are not the referee. We have courts for that (and this will find its way through the courts, no worries).

[1]: https://www.dataprotection.ie/sites/default/files/uploads/20...


Yes, it wasn't clear initially which fine you were writing about. But, if the fine was referring to activity that occurred after the GDPR entered into force, it is inaccurate to say that it was retroactive - it was simply that the Irish regulator misunderstood or misenforced the law according to the courts, but for a company as sophisticated as Meta, that shouldn't be an excuse. They have far more legal expertise on staff than the Irish DPA.

And, no, nobody is forcing Meta to offer personalized social networking to users in the EU. Meta is free to decline to do so. The EU is simply forcing them to decouple consent to such a service from consent to receive personalized ads. It is a valid social policy choice to want to differentiate those processing purposes, even if Meta doesn't like it. I do.

To the extent that the EU is not acting like a fair player here, it is by disrespecting the democratic will of the EU population as expressed through their EU representatives by inadequately enforcing the GDPR.

I think it's good that the regulatory capture and the intentional Irish government policy of underfunding which currently applies to the Irish DPA is not as successful a "get out of jail free card" for non-compliance in the EU as equivalent circumstances are in the US. Many thanks to noyb.eu for filing complaints and to the EU courts and the European Data Protection Board for taking them seriously.



