//by Katharina Kollmann//
On 7 December 2023, the European Data Protection Board (EDPB) published its urgent binding decision regarding Meta of 27 October 2023, which had been eagerly awaited by European data protection experts. In this decision, the Irish data protection authority (IE DPA), as the lead supervisory authority, was instructed to take final measures with regard to Meta within two weeks and to prohibit the processing of personal data for the purpose of behavioural advertising throughout the European Economic Area (EEA) based on Article 6(1)(b) GDPR (contract) and Article 6(1)(f) GDPR (legitimate interest).
The background is that until recently, Meta financed its supposedly free Facebook and Instagram services exclusively through advertising. To this end, Meta processes users’ personal data on a large scale. That is, the company tracks the activities of users of its platforms down to the smallest detail – even across websites and apps – and creates user profiles based on where they are, what kind of content they are interested in and what they publish. These personal profiles are used for behavioural advertising, a targeted marketing concept in which advertisements are placed based on conclusions drawn from observed user behaviour. The problem is that this tracking is not visible, which is why most users are not aware that they are being subjected to ‘intrusive profiling’ as part of the Facebook and Instagram services.
The data protection NGO ‘None of your business’ (Noyb), founded by Maximilian Schrems, had set the ball rolling by filing two complaints (one regarding Facebook and one regarding Instagram) against Meta in 2018. The organization was of the opinion that Meta’s business model with behavioural advertising was not in accordance with Article 6(1) GDPR, according to which the processing of personal data is only lawful if at least one of the conditions listed therein is fulfilled. In this sense, the IE DPA, which – as Meta has its European headquarters in Dublin – is the lead supervisory authority in this matter, found in two decisions in December 2022 that the processing of personal data for behavioural advertising in the context of the Facebook and Instagram services provided by Meta was not based on an appropriate legal basis under Article 6(1) GDPR at that time. It therefore fined Meta a total of €390 million and ordered it to bring its data processing operations into compliance with the GDPR within 3 months. Subsequently, Meta made some changes and switched the legal basis for some of the data processing in connection with behavioural advertising from Article 6(1)(b) GDPR (contract) to Article 6(1)(f) GDPR (legitimate interest). However, Meta continued to process certain personal data (location data, interactions of data subjects with advertisements) on the basis of Article 6(1)(b) GDPR.
The EDPB’s urgent binding decision was also preceded by a decision of the Court of Justice of the European Union (CJEU) in July of this year in a competition law case brought by the German Federal Cartel Office against Meta. In this case, the CJEU took a differentiated look at the possible legal bases for data processing by Meta within the Facebook platform for the purpose of behavioural advertising. Even though the final decision as to whether Meta’s practice falls under a legal basis of the GDPR is up to the referring Higher Regional Court of Düsseldorf, the CJEU left no doubt that, in its opinion, only consent within the meaning of Article 6(1)(a) GDPR and Article 9(2)(a) GDPR can be considered as a legal basis for behavioural advertising. However, Meta had not obtained such consent from its users.
Finally, also in July of this year, the Norwegian Data Protection Authority (NO DPA) issued a widely noted decision in which it imposed on Meta a temporary ban on behavioural advertising based on the monitoring and profiling of users in Norway. The NO DPA was of the opinion that Meta had not brought its processing procedures in line with Article 6(1) GDPR, contrary to the instructions of the IE DPA. The NO DPA emphasized that the decision does not constitute a ban on Facebook and Instagram services in Norway. Only behavioural advertising is affected, insofar as it is based on Article 6(1)(b) or (f) GDPR. The ban originally applied for three months or until Meta proves that it complies with the law. In the event of non-compliance, the company was threatened with a penalty payment of up to NOK 1 million (approx. €89,000) per day. Although the IE DPA is actually responsible for issuing decisions against Meta, the NO DPA intervened here – in deviation from the usual cooperation procedure – by means of the so-called urgency procedure in accordance with Article 66(1) GDPR. According to this procedure, a supervisory authority concerned can immediately adopt provisional measures on its own territory with a specified period of validity, which shall not exceed three months, if it comes to the conclusion that there is an urgent need to act in order to protect the rights and freedoms of data subjects. The NO DPA considered these conditions to be met. At the same time, it announced that it would ask the EDPB for a binding decision on the matter, which it did in September of this year. It called for the temporary ban on behavioural advertising on Facebook and Instagram to be made permanent and extended to the entire EU and EEA.
The EDPB complied with this request with its binding decision under the urgency procedure pursuant to Article 66(2) GDPR of 27 October 2023, in which it instructed the IE DPA to take final measures with regard to Meta within two weeks and to impose a ban on the processing of personal data for the purpose of behavioural advertising throughout the European Economic Area (EEA) based on Article 6(1)(b) GDPR (contract) and Article 6(1)(f) GDPR (legitimate interest). The EDPB concluded that there were persistent infringements of the GDPR and that there was an urgent need for action in view of the risks to the rights and freedoms of data subjects. Meta wrongly relied on the legal bases of contract and legitimate interest for the processing of personal data for the purpose of behavioural advertising in the context of its services and thus persistently violated Article 6(1) GDPR. Furthermore, Meta is in breach of its duty to comply with the decisions of the data protection authorities – in particular those of the IE DPA of December 2022. The adoption of final measures was urgently necessary, as otherwise the data subjects would be at risk of serious and irreparable harm. Following the EDPB’s urgent binding decision, the IE DPA imposed a corresponding ban on Meta on 10 November 2023.
In response to growing pressure from the European data protection authorities, Meta has now switched to the so-called ‘pay or okay’ model. With this business model, users are given the choice of either agreeing to tracking for behavioural advertising or taking out a paid subscription. Noyb sees this as a new ‘attempt to circumvent EU privacy laws’ and therefore filed another complaint against Meta with the Austrian data protection authority at the end of November 2023.