By Jasper van den Boom & Sarah Hinck
This brief summary of the Meta workshop sheds light on its most important changes, some of the most relevant questions and answers in the Q&A, and shares some general observations. These reports are intended to represent facts and convey information on what was discussed during the workshops. They are not intended to provide normative considerations on whether the undertaking complies.
Opening remarks
For Meta, the DMA required that they change six core platform services: Facebook, Instagram, WhatsApp, Facebook Messenger, Facebook Marketplace, and Meta Ads. Besides this, Meta also had to make changes to two services that were designated by the Commission as ‘other services’: Facebook Gaming and Facebook Dating.
Meta opened the workshop with a review of its general compliance strategy. Here, it was mentioned that adapting as to comply with the DMA had been a multi-year process, was one of the most rigorous evaluations that the company has ever taken to comply with a law, and that it was one of the biggest changes to how they operated and their day-to-day operations. Meta estimates that around 11.000 engineers have logged 600.000 engineering hours to make the changes, and Meta has spent an estimated €5 billion. The biggest change to their business model and day-to-day operation involved introducing a range of new products and services, the introduction of a subscription model to complement its advertisement-based business model, offering services in a stand-alone manner and the introduction of an Accounts Center. For WhatsApp, it had to work on creating interoperability with other messaging services. Organizationally, Meta has introduced a new DMA compliance function which reports directly to management, monitors compliance and communicates with employees.
Hereunder, we will summarize the main changes surrounding specific activities and on the basis of specific provisions.
Data combination and cross use – Article 5(2)
In order to comply with article 5(2), Meta now offers 6 different consent moments to users related to consent for the use of their data. Meta has introduced 6 different consent moments to allow users to determine to which type of data-use and data-sharing they consent, at least where it relates to the eight designated services. Meta argues that the design of these choice screens offers a neutral and well informed choice, adhering to the principles set out in the DMA.
For Facebook and Instagram, end-users can give consent in their accounts Center, which is a centralized hub where users manage their data-choices. When a user consents to data combination they can cross-post between accounts, share photos, names, and avatars as to create a connected experience across platforms. If they withhold consent, they can still use those services but minus those data-dependent functionalities. It takes five steps to change one’s settings from sharing to not sharing or vice versa, users can change their consent preferences at any time. In order to comply, Meta will prompt users that have multiple accounts in their Accounts Center with the question if they consent to cross-use of data between these services.
For Facebook Messenger, Meta now provides the possibility to create a stand-alone account. This account will not be linked to one’s Facebook profile, and users can connect to Facebook or Facebook Messenger users directly or import contacts. They will enjoy the same functionalities such as messaging, sharing videos and pictures, etcetera. However, the account will not take information from the Facebook profile of the user and not update the chat history there. In order to ensure compliance, Meta has also added a chat functionality to the Facebook platform that is not the same as messenger for those with a stand-alone account, providing an equal but less personalized equivalent. For their other communications service, WhatsApp, Meta noted that it did not have to make changes as there is no data sharing from and to WhatsApp with any other services.
For Facebook Marketplace, users are now able to browse the Marketplace without logging in. This allows them to find interesting offers. In order to comply, Meta has introduced an e-mail-type functionality for non-consenting users to contact sellers, offering a less personalized but equivalent alternative.
For their other services, users will not receive equivalent services. Meta has explained that most developers create games for Facebook based on the connection component, when this connection is not possible most games will simply not function or not function in the same way. It is up to third-party developers to create non-connected games for users, and Meta can only wait and see. Facebook Dating will be unavailable to non-consenting users. Here, Meta cites the promise that users will not see their Facebook Friends on the dating app as a justification.
The most interesting compliance decision relates to Meta Advertising and the subscription model. Users that do not wish to have their data collected at all on a certain core platform service can pay a monthly subscription fee for the ad-free Meta experience. A fee is charged per platform, with a reduced fee for additional services beyond one platform. Meta has explained that irrespective of users choices to cross-use data across their platforms, all data will be used for Meta Advertising Services unless the user pays the subscription fee. Meta argues that the user experience and the advertising service are distinct from one another, as users use the platforms for their functionalities and not for the advertisements. This means in practice however, that data provided by users is still combined, raising questions about the scope and intention of article 5(2) DMA. Meta believes that offering the subscription model means it is compliant with this provision.
With the Q&A, Meta was granted an opportunity to further elaborate on its choice for a subscription model. Here, it argued that this subscription model was developed in discussions with the Bundeskartellamt following the Facebook case related to abuse of dominance, which made them believe this was compliant. Moreover, the subscription model is – according to Meta – a result of the tension between complying with the DMA and the GDPR. It also answered a number of questions on the design of the consent moment, where it explained for instance that it believes Threads is a part of the Instagram service, and not a distinct service for which users must give consent under the DMA (although they noted that they believe this consent moment is still offered). Moreover, they explained when they believe that offering non- or less-personalized advertising are appropriate equivalent services. Finally, they answered some questions on the limitations of the new stand-alone and signed out services, hinting to the audience that any lack of functionalities was a result of the user withdrawing consent.
Ads transparency and Data portability – Articles 5(9), 5(10), 6(8), 6(9) and 6(10)
On Ads Transparency and Data Portability, Meta argued it had a running start. Meta already offers a large amount of information and insights to advertisers, and has operated at the forefront of data portability solutions. On Ads Transparency, Meta argued that it had reviewed its policies and noticed that it already adheres to most requirements, it has added a new set of pricing transparency reports to address the DMA requirements, but what they offer already goes beyond the requirements in the DMA. In fact, Meta has chosen to focus on providing more intelligible information in the coming year(s), rather than providing more information, based on advertiser feedback.
Meta explained that its ad-tech value chain is already quite transparent as they operate mostly from an owned and operated model, and third-party involvement is limited. Where third parties are involved through their Origins network, Meta already provides quite some information. Now, the new pricing transparency reports will inform advertisers on the fees it pays to these parties and the fees that are paid to it. All information related to performance, price and other metrics is provided free of charge.
On data access for business users, Meta referred to its extensive insights services. They again believe that these tools surpass the requirements laid down in 6(10) DMA. As part of their commitments to the DMA, or other ongoing commitments, they have created an intake form for business users to request access to more data. Information and tools are made available to business users free of charge, at any time, through a range of services and helpdesks.
On data portability, Meta notes that it has started with its own data portability programs in 2010. They have long offered tools to download one’s information (called Download Your Information, or DYI). Since 2020, they also offer opportunities to transfer data directly through their Transfer Your Data (TYI) services. With the TYI tool users can transfer their data directly to other parties or cloud storage services, this includes posts, pictures and videos. Users can also set up automatic TYI transfers or DYI downloads, these then happen on a daily basis. These services are offered globally, and not just in the EU.
While Meta often referred to its excellence in this field, it did attract some critical questions in the Q&A. Observers were wondering why Meta does not offer an API for Transfer Your Information, but that they have taken an approach where they still retain a lot of control. Here, Meta cited safety concerns as a leading cause. It was also questioned whether daily data transfers equates real-time data transfers as required under the DMA, to which Meta responded that it believed that in light of the type of data transferred this should be seen as equivalent. Finally, it received a number of questions on advertising in specific sectors, on which it was open for debate and further discussion about future functionalities and changes. Finally, it received some questions on the metrics of their blind auctioning mechanism that is introduced when third-parties are involved. Here, Meta reiterated that it believed this mechanism was neutral and FRAND.
Data use and FRAND Conditions – Article 6(2) and 6(12)
On the prohibition of the use of non-public data provided by its business users to compete, Meta again took the point of view that it was already mostly if not completely compliant. It referenced previous investigation in the EU and the United Kingdom, stating that it had already engaged in evaluations and audits of its use of data. Here, it argued that it does not use any business user data in its activities in Facebook Marketplace. For advertisers specifically, Meta argued that it only used data to optimize their services and create better performance. It has introduced a number of systems in place to ensure that no data is used in competition with business users, including expanded pre-launch product reviews, requirements for internal lawyers to undertake significant training to make sure they understand the requirements of art. 6(2) DMA, technical tools to detect competitive data exchanges, training for responsible personnel and updates to their code of conduct to ensure data is not used competitively.
On article’s 6(12) obligation to offer FRAND conditions. Meta cited a two pronged approach. On FRAND, it offers it set of terms available online. Meta believes the terms for Facebook and Instagram are FRAND because they apply equally to all business users. Accounts are provided for free and are easy to set up, and accounts require minimum information and agreement to not violate Meta’s terms. Termination of accounts only happens in relation to violations. The other prong of their approach relates to dispute resolution on cases related to termination. Here, Meta has launched a new Alternative Dispute Resolution (ADR) Mechanism. Where users can lodge complaints before a “wholly independent” appeals body. This body consists of employees under contract and paid by Meta, but whom have been assured of safety in their independent decision-making.
It is not surprising that some of the questions in the Q&A related to whether these Meta employees are truly independent from the organization as a whole, a decision which Meta continued to defend. Other questions related to the data that Facebook collects that is not based on advertiser activity but other user-generated data. Here, Meta noted that it had only been scrutinized in terms of advertiser-generated data, but that it has voluntarily put other measures in place. Finally, some questions remained on what constitutes a business user and FRAND terms. Here, answers were short and the provided information was limited.
WhatsApp interoperability – Article 7
Meta started its presentation on interoperability with the remark that here, they did not have a running start. Instead, it was never their intention to make WhatsApp interoperable, so they had not made any previous investments into creating interoperability. Meta explained that it will try to adhere to the requirements of the DMA over the coming years, but that it must strike a balance between security on the one hand and openness on the other. For now, there will be an opt-in model for competing messaging services to ask for interoperability related to sending messages only. Third parties must provide a reference offer where they discuss their eligibility (highlighting their security measures and encryption efforts), technical details (client server model and proxy requirements), and general terms and services. To allow for these requests, Meta has set up a request portal.
The Q&A related mostly to the presentation of third-party messaging services, the scope of eligible services and geographic scope. Meta noted that it will determine whether third parties are eligible based on their requests, while excluding some services that were not considered Consumer Communications Services. On geography, it explained that it will work for EU users as long as they do not move permanently outside of the EU. On the presentation, it explained that there will be no discovery mechanism to find users of third parties and that the details of its presentation were still in development.
Observations
Meta’s pay or consent option is clearly the most controversial choice. By limiting functionalities when users disable the cross-use of services, while still combining data for the purpose of advertising, there seems to be little point in withholding consent. It is no surprise that the European Commission has already launched the first investigation into non-compliance on the basis of this decision. In other areas, we may still wonder if daily data transfers really equate real-time transfers, if Meta is indeed compliance in its transparency obligations on the basis of its existing services (although this does not seem to raise very urgent questions as of now) and whether it will meet its interoperability obligations for WhatsApp.