The European Data Protection Board announced on Thursday (7 December) its binding decision about banning Meta’s platforms from processing personal data for behavioural advertising.
The Board is a body that gathers all EU data protection regulators with a view to ensuring consistent application of the General Data Protection Regulation.
Thursday’s decision comes after, starting in early August, Meta-owned platforms faced a temporary three-month ban on behavioural advertising based on extensive user profiling in Norway, as Euractiv reported.
Facebook and Instagram continued to operate in the country, where behavioural advertising infringing the EU regulation on data protection is banned. The penalty was one million Norwegian kroner (almost €89,000) daily.
The social media platforms could also process information a user has put willingly on the platforms, despite the ban, including a user’s bio, place of residence, gender, age, or interests, should the user have provided them himself or herself.
The General Data Protection Regulation (GDPR) applies to all 27 EU member states, plus the three other European Economic Area countries: Iceland, Lichtenstein, and Norway.
Provisional measures with a legal effect on their territory for three months at most can be taken by the national privacy regulator. However, the EDPB and the European Commission must be notified in such cases.
The relevant authority should then ask the EDPB for an urgent ban with proper reasoning as to why they find it necessary.
In January, based on another binding decision of the EDPB, the Irish Data Protection Commissioner found Meta’s legal basis for processing EU personal data for the purpose of advertising to be in breach of the European data protection framework.
As a result, Meta launched paid subscriptions for Facebook and Instagram for “€9.99/month on the web or €12.99/month on iOS and Android” for EU users to choose to stop receiving targeted advertisements.
At the end of November, consumer groups, as well as noyb, a digital activism group, also filed complaints against Meta’s ‘pay-or-consent’ model.
The European Data Protection Board’s (EDPB) decision follows the Norwegian Data Protection Authority’s request to order a ban for the whole European Economic Area rather than a temporary ban on a national level.
EDPB’s Chair Anu Talus said that “the EDPB binding decisions clarified that contract is not a suitable legal basis for processing personal data carried out by Meta for behavioural advertising”,
Moreover, “Meta has been found by the IE DPA [Ireland’s Data Protection Act] to not have demonstrated compliance with the orders imposed at the end of last year”, she added. Violating Irish law is particularly problematic because Meta’s European headquarters is located in Dublin.
The Board stressed the urgent need to order final measures, and not only national-level bans, is clear in light of the risks of serious and irreparable harm caused to data subjects without the adoption of final measures.
Meta did not react to Euractiv’s request for comment by the time of publication.
[Edited by Luca Bertuzzi/Zoran Radosavljevic]