Spanish Media association alleges Meta’s privacy violations constitute unfair competition

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

EUROPE

Spanish media association alleges Meta’s privacy violations constitute unfair competition

The Information Media Association (AMI) filed a lawsuit in Spain on behalf of 83 Spanish media outlets alleging that Meta’s “systemic and massive non-compliance” with European data protection regulations, including a failure to obtain user consent for profiling, allowed Meta “to offer the sale of advertising space on the market based on an illegitimately obtained competitive advantage”.

The AMI also calls on advertisers “to entrust their advertising campaigns to safe, reliable and responsible media, respectful of the rights of citizens”.

TAKEAWAY

The European Data Protection Board issued a binding decision in October 2023 (recently made publicly available) banning Meta’s targeted advertising practices following Meta’s alleged failure to demonstrate compliance with previous orders holding that contract was not a suitable legal basis for Meta’s processing of personal data for behavioral advertising.

The AMI lawsuit is based on activities from May 25, 2018 through July 31, 2023, but it is without prejudice to the possible extension of the lawsuit based on Meta’s persistence in its noncompliance following the EDPB decision.

Meta recently released a new consent based approach with a paid subscription model as an alternative to consent, which, according to the EDPB, is currently under evaluation by relevant Supervisory Authorities. 

Read more:

Meta to offer ad-free subscription plans in Europe

CJEU Clarifies Liability for “wrongful infringement” of GDPR

In response to questions from Lithuanian and German courts, the Court of Justice of the European Union (CJEU) issued a ruling clarifying several points regarding a DPA’s imposition of an administrative fine for a GDPR violation.

Most notably, the court held that a controller should not have an administrative fine imposed unless the infringement was wrongful; in other words, committed intentionally or negligently (i.e., where the controller could not have been unaware of the infringing nature of its conduct).

However, it also held that a legal entity is liable for infringements committed by any person acting in the course of the business of that legal entity and on its behalf—not just its management body—and in respect of operations performed by a processor.

Specifically, the CJEU held that it is not necessary for there to have been action by, or even knowledge on the part of, the management body for GDPR to apply.

Finally, the CJEU held that, where the recipient of a fine forms part of a group of companies, the fine must be calculated on the basis of the group’s total worldwide annual turnover, taken as a whole.

TAKEAWAY

The specific facts of the cases at issue both involve complex relationships where questions of liability resulted from a lack of clear visibility into data processing roles, responsibilities and activities among the entities involved.

Although application of the ruling to each circumstance will be fact-specific, it stresses the importance of establishing a clear understanding among persons and entities involved in data processing (whether as employees, processors, joint controllers, or otherwise) as to the expected and actual data processing activities performed by each person and entity.     

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.