Threads, Meta’s planned Twitter killer, is not yet available to the public, but it looks like a potential threat to user privacy. Mandatory disclosures on iOS indicate that Threads may collect highly sensitive user information, such as health and financial data, location, browsing history, contacts, search history, and other sensitive data, in order to profile user activity so Threads App EU Launch Delayed.
Meta, the developer behind the app previously known as Facebook, earns money by tracking and profiling web users to sell their attention through its behavioral advertising microtargeting tools.
This raises questions about whether Threads can launch in the European Union, where the legal basis Meta had claimed for processing Facebook users’ personal data (performance of a contract) was declared unlawful at the beginning of this year.
This week, the bloc’s top court ruled on a German case referral that Meta’s claim of legitimate interest in data-for-ads processing is not appropriate for running behavioral ads and that Meta must seek consent.
Meta must ask and obtain explicit permission from individuals to legally process sensitive data such as health information in accordance with the General Data Protection Regulation of the European Union.
The EU has banned the use of sensitive data for ads entirely and may require explicit consent from tech giants to combine data for ad profiling.
This creates legal uncertainty for Meta’s people farming business, as designated gatekeepers must comply with the Digital Markets Act (DMA) by next spring and very large online platforms must meet their obligations under the Digital Services Act (DSA) by August 25.
The adtech giant does not offer users a general, up-front choice to prevent its tracking and profiling. They also do not explicitly ask if it can share data on users’ health conditions for advertisers to try and sell diet pills or whatever.
With impending EU regulations limiting surveillance ads, an app that tracks everything to maximize its appeal to advertisers will likely face difficulty getting approval from regional regulators.
Recently, the EU issued an order to Facebook to stop sending EU user data to the US for processing and fined the company almost $1.3BN for breaching the GDPR’s requirements on data exports.
This order is specific to Facebook, but similar requirements could be applied to other Meta services that do not adequately protect European data in the US, such as by using zero-knowledge architecture end-to-end encryption.
Additionally, this could have far-reaching implications for Meta.
Threads clearly won’t give users the kind of privacy they need. To ensure its surveillance ads business complies with EU law, Meta must undergo a radical transformation in its operations, which doesn’t seem to be part of the Threads plan.
Instead, Threads continues to engage in the same data-grabbing attention farming that earned Mark Zuckerberg’s empire such a negative reputation that it had to undergo a costly rebrand to Meta in recent years.
We can debate whether Meta’s rebranding has been successful in detoxifying its corporate image since it has chosen to attach Threads to Instagram’s brand instead of explicitly calling it a Meta app. The developer listed on the App Store is “Instagram Inc” and the text description describes the app as “Instagram’s text-based conversation app”.
Meta believes that quickly building up a Threads user base is the best strategy.
To do this, they are pushing Instagram’s large and engaged community to switch to Threads, which they are framing as a sister “text” app. However, Threads won’t be available in the EU until Meta changes their approach to user choice over tracking.
The Irish Independent reported yesterday that the Irish DPC, Meta’s lead regional data protection supervisor, had been in contact with Meta about the app and confirmed that it would not launch “at this point”.
Meanwhile, sources inside Meta told the Guardian today that the company has put off the EU launch of Threads due to the legal uncertainty surrounding data usage limits imposed by the DMA on data sharing across different platforms.
The Meta spokesman did not answer our questions regarding whether they plan to launch Threads in the EU or not. However, the DPC clarified to SquaredTech that they have not prohibited Meta from launching Threads, as their role is to enforce compliance with the GDPR.
The DPC stated that the company currently has “no plans to launch in the EU yet”, indicating that there has been no regulatory intervention to impede a launch.
Meta expressed concern that launching now could lead to potential legal risk if it is subject to the DMA in a few months. Earlier this week, the company informed the EU that it believes the incoming ex-ante antitrust regime applies to its business, but it does not need to comply until six months after the official EU gatekeeper designations.
The European Commission will centrally enforce the new regulation, instead of Member State level authorities such as the Irish DPC.
This shift in approach towards enforcement of digital giants is likely to cause a change of gear in the bloc, as well as increasing legal uncertainty for Meta within the EU.
Threads will launch in the UK on Thursday. The Brexit referendum vote to leave the EU changed the regulatory picture since the UK market no longer falls under EU law.
However, the UK’s data protection regime still derives from the GDPR, so Threads must still comply with the same legal requirements around processing personal data.
The ICO, the country’s data protection watchdog, has not taken any action against systemic breaches in the surveillance advertising industry. Therefore, Meta is likely content with the legal risks their business faces in Brexit Britain.
Although the UK government recently proposed its own antitrust reform directed at digital giants, it is unlikely to have similar legislation to the EU’s DMA in place for several years.
The UK government has also proposed a plan to reduce domestic data protection standards in a post-Brexit data reform bill. This bill will weaken the independence of the ICO and could make the watchdog even less effective in addressing data protection violations.
The European Union (EU) fined Meta over $410 million in January for their lack of a valid legal basis under the General Data Protection Regulation (GDPR) to run behavioral ads on Facebook and Instagram.
This is the latest in a series of hefty penalties for breaching the GDPR that the Information Commissioner’s Office (ICO) has issued to Meta, who was previously known as Facebook when they were hit with a penalty after the Cambridge Analytics scandal.
The Data Management Authority (DMA) can impose penalties of up to 10% of global annual turnover for violations of the General Data Protection Regulation (GDPR). This is much higher than the maximum penalty that the GDPR allows data controllers to face for non-compliance, which is 4%.
Despite this, fines imposed on tech companies found to have broken GDPR rules have been much lower than the maximum, such as in the case of Meta. Adam Mosseri has also announced that Meta’s Threads app will not have ActivityPub support at launch.