EDPB: Meta violates GDPR by personalised advertising. A "ban" or not a "ban"?
The breaking news about an "EU-wide ban on Meta's personalised advertising" may be confusing. Read on for a short explanation and background information.
I did not plan to write more often than weekly, but I anticipate a lot of confusion about the Meta-related breaking news, hence this short explainer.
This is a big week for Meta-related EU privacy news. On Monday, Meta announced that it would allow users to pay for ad-free versions of Facebook and Instagram. I explained what arguably went wrong in EU law to force Meta to do this in a previous newsletter. Now, the European Data Protection Board (EDPB) has reportedly ruled that Meta broke EU privacy law by processing personal data for personalised advertising. See below for what I can tell so far about the new decision and for a brief overview of its background. More to follow once the EDPB decision is published.
EDPB’s Meta decision: not a ban on personalised advertising
The EDPB concluded that Meta breached the GDPR by relying on the “legitimate interest” basis for processing personal data for personalised advertising.
The decision is not addressed to and does not bind Meta directly. Just like the EDPB decision from December 2022, where they decided Meta cannot rely on “contractual necessity,” this decision overrides preliminary conclusions reached by the Irish privacy authority.
There will be a separate decision by the Irish authority, incorporating the findings from the EDPB decision. The GDPR gives the Irish authority one month to adopt such a decision.[1]
So far, there is no information about a potential fine, but it is possible that the forthcoming decision of the Irish authority will include a fine.
This decision may not have direct consequences for Meta’s move to give users a choice of a paid ad-free service tier on Facebook and Instagram. Even the Norwegian DPA, in its celebratory press release, only refers to their own “strong doubts” about Meta’s plan, not to any relevant conclusions in the EDPB decision. Moreover, Meta plans to introduce the change in November, and given that the Irish authority has a month to issue a decision to Meta, Meta may have time to implement the planned change.[1] Hence, I don’t think it’s likely Meta will be in a situation of having to defy a “ban on personalised advertising.”
Background
The EDPB is a sort of parliament for national data protection authorities in the EU, acting by majority vote, and has the power to overrule the conclusions of investigations conducted by national authorities.
For companies like Meta, which has its EU headquarters in Ireland, the 'lead authority' (its 'sole interlocutor') under the GDPR is the Irish Data Protection Commission (DPC). It's the DPC's job to investigate Meta's potential breaches of the GDPR.
In December 2022, the EDPB (the 'parliament' of privacy authorities) forced the Irish authority to conclude that Meta could not process personal data for personalised advertising while relying on the claim that this is necessary for the contract between Meta and users of Facebook and Instagram. Among the key arguments were the following two - both of which I believe to be misguided (from the Monday newsletter):
Critics have argued that Meta could sustain its services through non-personalized advertising alone. However, industry experts have cast doubt on the viability of this approach (Eric Seufert is excellent on this). Despite this, no privacy authority or court ever seriously attempted to show that non-personalized advertising could fully fund such services, but claims about such a theoretical possibility keep appearing in enforcement decisions.
A second argument against Meta’s use of “contractual necessity” asserts that it should only cover technical necessities for service provision, excluding economic or business necessities such as the need to generate revenue.
In response, Meta announced that it would rely on a different "lawful basis" for personalised advertising than “contractual necessity,” i.e., on Meta’s (and their users’) "legitimate interests."
The Irish authority (the DPC) launched an investigation into Meta's new policy. When informed of the preliminary results of this investigation in April, the Norwegian authority asked the Irish authority to temporarily ban personalised advertising in Meta's services. The Irish authority refused to impose such a ban.
In July, the EU’s highest court, the Court of Justice, decided a case about Facebook processing personal data collected not by Facebook (“third-party” or “off-platform” data). As I wrote:
[the Court] asserted that Facebook users could not reasonably expect their data, collected by other services (third-party data), to be processed by Facebook for personalized advertising. The Court gave no justification for this assertion. It just stated that even if a service is offered free of charge, users cannot reasonably expect the service provider to process user data collected by third parties for personalized advertising.
In effect, the Court’s view was that Facebook could not rely on legitimate interests to process third-party data for personalised advertising (which, by that time, Meta arguably wasn’t even doing—relying instead on a different GDPR lawful basis: user consent).
Impatient with the Irish investigation, the Norwegian authority decided in July to impose a temporary ban on personalised advertising on Facebook and Instagram for users in Norway due to Meta’s allegedly unlawful reliance on “legitimate interests.” [2]
The Norwegian decision also included a formal request to the EDPB (the “parliament”), calling on that body to extend the ban to the whole EU. The decision that the EDPB just adopted is a response to that request.
[1] The Danish privacy authority reported that the EDPB gave the Irish authority two weeks to adopt a decision. I’m not including this information in the main text, because it doesn’t seem coherent with the text of the GDPR—the provision on a two-week deadline (Article 66(4) GDPR) expressly refers to EDPB decisions and opinions, not to a decision of the lead authority. I’ll update the text once there is more clarity on this point.
[2] In doing so, the Norwegian authority cited the new court ruling, even though that judgment only concerned “third-party” data, for which, again, Meta already relied on user consent (not “legitimate interests”).