15 January 2024
Targeted and behavioral advertising has become increasingly popular in recent years, especially with the rise of social media and online shopping. Companies use targeted advertising to reach specific audiences based on their interests, demographics, and online behavior. It allows companies to tailor their messages to the right people at the right time and has become a major source of revenue and financing for their businesses. However, it requires processing of personal data in unseemly large amounts. With the advent of privacy laws in India, it is important for such companies to assess their data processing activities to make sure that they are compliant with all the applicable laws.
Recently, the Court of Justice of the European Union (‘CJEU’) made a preliminary ruling (‘CJEU Judgment’) on processing of personal data for behavioral and targeted advertising by the Meta Group on the legal bases of ‘contractual necessity’ and ‘legitimate interests’ under the General Data Protection Regulation (‘GDPR’).[1] This ruling has far-reaching implications for the AdTech industry, which includes, but is not limited to, social media companies, e-commerce platforms, streaming platforms, search engines, and any other company whose major source of revenue comes from targeted advertisements.
This article analyses the decision of the CJEU and its implications in the background of the Indian data privacy laws. In this regard, it is pertinent to note that India’s Digital Personal Data Protection Act, 2023 (‘DPDP Act’) will be notified soon and companies involved in processing of personal data for targeted advertising may need to revisit and revise their policies to comply with the law.
Though the DPDP Act differs from the GDPR on a few grounds, both the laws are guided by the same principles. The CJEU Judgment lays down guiding principles for processing of personal data for targeted and behavioral advertising which will help companies navigate this complex issue in the Indian context. It is important to note that the grounds to process personal data under the DPDP Act are more restricted than those under the GDPR and thus, companies will have to pass an even stricter test in India than the one laid down by the CJEU.
The CJEU Judgment advances legal scrutiny of data processing for personalized advertisements. In terms of the factual background, users signed up on Facebook.com and agreed to the user agreement containing the terms of usage which was necessary to use the social media website. As per the company’s data and cookies policy, Meta was allowed to collect user-related and device-related activities of the user on and off the social media platform (such as visits to third party apps and websites as well as visits to other Meta platforms such as Instagram etc.).
Meta would process the data collected to generate automated detailed profiles of users and show online advertisements to them tailored as per their consumer behavior, interests, purchasing power and personal situation. As per paragraph 32 of the CJEU Judgment, in 2019, Meta introduced new general terms expressly stating that the user, instead of paying to use Facebook products, agrees to being shown advertisements. Further, as per paragraph 33 of the CJEU Judgment, since 2020, Meta has been offering at a global level ‘Off Facebook Activity’ which allows the users of the social network Facebook to view a summary of the information about the Meta group companies in relation to outside Facebook activities and gives an option to disconnect their past or future activities if they wish to.
The CJEU analysed the following grounds for examining whether such processing activity is in compliance with the GDPR or not:
The GDPR prohibits processing of sensitive personal data subject to a few exceptions. When the data is made publicly available by the user itself, then it can be processed even if it falls under the category of sensitive personal data.[2] The CJEU ruled that these exceptions should be interpreted strictly. The CJEU stated that entering information into these third-party websites and apps by the users cannot amount to manifestly making it public by the user and that Meta’s claim that it can process data collected from users’ visits to third party websites would be unfounded unless the user has expressly made that choice with full knowledge to make the data publicly accessible.
While the DPDP Act makes no sub-categorization of data into sensitive data, this principle still holds value in the Indian context because the DPDP Act also carves out an exception for information that is made publicly available by the data principal/ data subject.[3] This guiding principle provides clarity in terms of what amounts to making data public.
The CJEU observed that where processing is emanating out of grounds other than consent, then such other grounds need to be applied restrictively. In this case, the CJEU has provided the much-needed clarity for the use of ‘contractual necessity’ as a ground for processing personal data. It held that it can only be used when processing is objectively indispensable and essential for the proper performance of the contract. The CJEU further clarified that the data controller must show how the processing is necessary to achieve the main subject matter of the contract and there are no workable, less intrusive alternatives available. The CJEU responded to Meta’s claims as follows:
(a) Personalized content: The CJEU held that personalized content is not integral and objectively indispensable to offer the social media services. An alternative model without such personalization is possible.
(b) Consistent and seamless use of the Meta group’s own services: The CJEU held that services offered by Meta’s group are independent of each other and users cannot be forced to subscribe to various products and services offered by Meta for creating an account. Therefore, processing of user data is not essential for offering Meta’s own other services such as Instagram.
It may be noted that the DPDP Act does not recognize contractual necessity as a ground for lawful data processing. Therefore, platforms such as Meta cannot rely on such a ground for justifying data processing in India and thus, would be required to review and revamp their user agreements and terms of usage agreed with users.
The GDPR allows processing of data based on legitimate interest pursued by the data controller or any third party.[4] While this is a very broad concept under the GDPR, the CJEU reiterated that this requires balancing the fundamental rights and freedoms of the data subject, which require protection of their data, with the data controller’s legitimate interest. The controller cannot override the data subject’s rights[5] and must consider less intrusive alternatives.
Meta listed various justifications for processing under this ground. The CJEU responded as follows:
(a) Personalized advertising: The CJEU held that interests of the data subjects override the interests of the controller (funding through ads) in this context because the data subject cannot reasonably expect their data to be processed for personalized advertising without their consent.
(b) Network Security: The CJEU did not rule on this ground and placed importance on the possibility of other means less restrictive of data subjects’ interests.
(c) Product Improvement: The CJEU did not entirely rule out this justification but again put emphasis on reasonable expectation, scale, and impact of such processing.
(d) Sharing of Information with Law Enforcement Agencies: The CJEU refused this justification stating that it is unrelated to Meta’s economic and commercial operations.
The CJEU also pointed out that the users must be informed about the legitimate interests.[6] Similarly, the DPDP Act also requires a notice for obtaining consent.[7] While the DPDP Act allows processing of data for certain legitimate uses[8], data controllers are not allowed to rely on ‘pursuing their own or a third party’s legitimate interests’ as a valid ground. This again would require companies to relook at their policies and agreements for processing of data in India.
Similar to the DPDP Act[9], the GDPR requires that where consent is the basis for lawful processing, it should be free, informed, specific, unambiguous with a clear affirmative action and retractable.[10] In this regard, the CJEU reiterated Recital 42, Recital 43, and Article 7(4) of the GDPR to establish that consent is not freely given when:
The data subject has no free choice or right to withdraw consent without detriment.
There is a clear imbalance between data controller and data subject such as in a case where the data controller holds a dominant position in the market.
Separate consent for different kinds of processing operations is not allowed to be given by the data subject.
Performance of contract is conditional on the data subject’s consent for the processing of personal data which is not necessary for the performance of that contract.
Further, the CJEU remarkably held that processing for targeted ads is not strictly necessary for the performance of the contract of providing an account on a social media platform and thus, users should be given an option to refuse to consent to such processing. It further clarified that such refusal should not prevent the users from using the platform services altogether and that an appropriate fee can be charged as an alternative to services which are accompanied by processing of such data.
Though the requirement of ‘consent’ under both the laws is quite similar, it is unclear whether this pay or consent model will be allowed in India. Moreover, the illustration provided under Section 6(1) of the DPDP Act implies that consent shall be valid only to the extent it is necessary for the provision of the services. Therefore, it creates a doubt as to whether consent for purposes which are not necessary for the provision of the services will be valid under the DPDP Act.
Another important provision under the DPDP Act is that withdrawal of consent should be as easy as giving consent.[11] It is yet to be seen whether the pay or consent model will pass this test or not.
With the advent of privacy regulations in India, it is imperative for companies involved in processing of personal data to be prepared given the large ramifications of the DPDP Act. The DPDP Act mandates several compliances which would significantly affect how the companies interact with their users.
Although the DPDP Act and the GDPR share similar fundamental principles, the DPDP Act is more stringent on the grounds for processing. Social media platforms and other similar ad-financed companies will have to review and restructure their contracts, terms and conditions, privacy and cookies policies, standard user agreements etc., to adhere to the DPDP Act’s requirements.
The CJEU Judgment establishes principles that can guide companies in India in distinguishing between cases that need consent and those where consent can be assumed to be voluntary or not required. Companies must evaluate their processing activities carefully, as contractual necessity and legitimate interests are not available as lawful grounds for processing data in India. In general, consent[12] and implied consent under legitimate uses[13] seem to be the only feasible alternatives in India, and they will vary depending on the specific facts and purposes for each case. Further, the companies must evaluate any impact of the recently notified Guidelines for Prevention and Regulation of Dark Patterns, 2023[14] in relation to mandatory sharing of personal information or signing up for unrelated services.
[The authors are Associate Partner and Intern, respectively, in Corporate and M&A practice of Lakshmikumaran & Sridharan Attorneys, New Delhi]