EDPB - Urgent Binding Decision 01/2023

From GDPRhub
Revision as of 11:23, 12 December 2023 by Co (talk | contribs)
EDPB - Urgent Binding Decision 01/2023
LogoEDPB.png
Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 6(1)(f) GDPR
Article 6(1)(b) GDPR
Article 58(2)(f) GDPR
Article 60 GDPR
Article 61 GDPR
Article 66 GDPR
Article 66(2) GDPR
Article 41 CFREU
Type: Other
Outcome: n/a
Started: 26.09.2023
Decided: 27.10.2023
Published: 07.12.2023
Fine: n/a
Parties: Meta Platfroms Ireland Ltd
National Case Number/Name: Urgent Binding Decision 01/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: co

The EDPB issued an urgent binding decision pursuant to Article 66(2) GDPR ordering a ban on Meta Platforms Ireland’s processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR .

English Summary

Facts

On 31 December 2022, the Irish DPC as Lead Supervisory Authority in a cross-border case, issued two final decisions concerning, respectively Meta’s Facebook and Instagram services as controllers. These were adopted on the basis of two binding decisions by the EDPB, Binding Decisions 3/2022 and 4/2022 adopted by the EDPB on 5 December 2022 pursuant to Article 65(1)(a) GDPR.

On 5 April 2023, the DPC communicated to the concerned supervisory authorities via the IMI system Meta’s compliance reports showing their efforts to comply with the decisions by the DPC. In these reports, Meta stated that it changed its legal basis for behavioural advertising from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR, backed by a Legitimate Interest assessments. These documents were submitted to the CSAs so that they could assess whether the measures adopted by Meta could be considered effective in guaranteeing compliance with the orders in the DPC decision.

The Norwegian DPA (Datatilsynet) communicated to the DPC that it had doubts regarding the legitimacy of Meta’s choice of Article 6(1)(f) GDPR as a legal basis. Thereafter, the DPC shared two other letters from Meta to the CSAs substantiating its compliance efforts and the CSAs submitted their opinion to the DPC which were then sent back to Meta for feedback. On 5 May 2023, the Norwegian DPA transmitted a mutual assistance request to the DPC under Article 61(1) GDPR, asking the DPC to order a temporary ban on Meta’s processing for purposes of behavioural advertising based on Article 6(1)(f) GDPR and requesting the DPC to specify how it will ensure that Meta complies with Article 6(1) GDPR. On 30 May 2023, the Dutch DPA also asked the Irish DPC to provide its conclusions on the compliance efforts undertaken by Meta in a mutual assistance request under Article 61 GDPR. The DPC stated that it would be able to respond to the mutual assistance requests and draw its conclusion on the compliance reports only at the end of June 2023. The DPC also replied to the Norwegian DPA request for mutual assistance stating that it could not comply with it and the Norwegian DPA asked the DPC to at least inform it as to whether it would follow the Norwegian DPA’s mutual assistance request.

On 13 June 2023, the DPC stated that it would do so only after the delivery of CJEU judgment in case C-252/21 Meta Platforms and Others v Bundeskartellamt in July. Following the publication of judgment, the Irish DPC issued a provisional position paper with its preliminary conclusion on 11 July 2023, stating that Meta failed to comply with the orders of its decisions. The DPC’s provisional position paper was then submitted to the CSAs for feedback.

On 14 July 2023, the Norwegian DPA imposed a temporary ban on Meta and Facebook Norway on the processing of personal data of Norwegian data subjects for purposes of behavioural advertising based on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. After a further set of exchanges between Meta and the Norwegian DPA, and Meta’s statement that it would shift to Article 6(1)(a) GDPR as a legal basis, the Norwegian DPA imposed a coercive fine on Meta and Facebook Norway for non-compliance with its order.

On 18 August 2023, the DPC communicated to the CSAs its final position on Meta’s compliance with tis decisions and concluded that Meta failed to demonstrate compliance but that it is reasonable to give Meta a chance to rely on consent as a legal basis. On 21 September 2023, the Norwegian DPA submitted to the DPC its view on the state of the proceedings and argued that it still considered the adoption of urgent measures necessary, asking the DPC to reconsider its position.

Given the negative response of the DPC, on 26 September 2023 the Norwegian DPA made a request to the EDPB to issue an urgent binding decision under Article 66(2) GDPR, asking that final measures be adopted.

Holding

First of all, the EDPB Secretariat assessed the request and asked the Norwegian DPA to submit further documentation paying particular attention to scrutinize the right to good administration under Article 41 CFREU. On 17 October, the EDPB assessed the completeness of the file and established its competence to deal with the request to issue an urgent binding decision.

1. Competence of the EDPB

For the EDPB to be competent to issue an urgent binding decision, two conditions must be given, namely: that a DPA has taken provisional measures under Article 66(1) GDPR and the same DPA made a request to issue a binding decision under Article 66(2) GDPR. In this case, the Norwegian DPA followed these two steps, hence the EDPB considered itself competent to deal with the request.

2. The right to good administration

In the second place, the EDPB made sure to act in accordance with the right to good administration under Article 41 of the Chartere of Fundamental Rights of the European Union (CFREU) and Article 11(1) of the EDPB Rules of Procedure. It also considered Meta’s position and ascertained that all the documents it received were also known to Meta, so that the procedure would respect Meta’s right to be heard. The EDPB concluded that Meta did not have an opportunity to make its views known on the procedure and asked Meta to provide written submissions.

3. On the need to request final measures

Further, the EDPB considered whether the adoption of urgent final measures was necessary, which is the case when one or several infringements exist and when an urgency situation justifies derogation from the ordinary procedure.

3.1.Infringments of the GDPR

First, as regards the existence of GDPR infringement(s) by Meta, the EDPB considered both the position of the Norwegian DPA and of the DPC in relation to the reliance of Meta on Article 6(1)(b) GDPR for behavioural advertising. The EDPB concluded that Meta was still processing location data and advertisement interaction data for purposes of behavioural advertising relying on Article 6(1)(b) GDPR, although it was previously declared unlawful by the DPC. Hence the EDPB held that Meta was still acting in violation of Article 6(1) GDPR.

Secondly, the EDPB assessed whether Meta was still processing personal data for purposes of behavioural advertising on the basis of Article 6(1)(f) GDPR. The EDPB considered that in line with the DPC’s decision, Meta was supposed to bring its processing into compliance with Article 6(1) GDPR, specifying that it may include but is “not limited to the identification of an appropriate alternative legal basis”.

The EDPB assessed the existence of the three cumulative conditions needed to satisfy the requirements of Article 6(1)(f) GDPR and concluded that Meta unlawfully relied on Article 6(1)(f) GDPR as a legal basis, since:

“the interests and fundamental rights of data subjects override the legitimate interests put forward by Meta IE for the processing of personal data collected on Meta’s products for the purposes of behavioural advertising”

In light of these findings, the EDPB concluded that there was an ongoing infringement of Article 6(1) GDPR by Meta.

Thirdly, the EDPB considered Meta’s infringement of the duty to comply with decisions by supervisory authorities, against Article 60(10) GDPR, which constitutes an independent violation of the GDPR. On he basis of the positions of the Irish and Norwgian DPAs, the EDPB held that:

“Meta IE did not achieve compliance with the IE SA Decisions within the deadline for compliance and is therefore currently in breach of its duty to comply with decisions by supervisory authorities.”

3.2. Urgency

The EDPB reiterated in its decision that the issuing of an urgent binding decision is an exceptional circumstance and it can only be granted if the regular consistency mechanism cannot be applied due to such urgency, as per Article 66(2) GDPR.

First, the EDPB assessed the existence of urgency on the basis of the position of the Norwegian DPA, the elements in the file and the circumstances of the infringement, that is the nature, gravity, duration and number of data subjects affected by the infringement. In this regard, the EDPB held, as it also previously stated in its binding decisions that the nature and gravity of the infringements were significant. Also the duration of the infringement was considered that:

“the fact that the processing activities are still performed without reliance on an appropriate legal basis represents an element in favour of concluding that there is an urgent need for final measures to be adopted”.

Hence the EDPB concluded that “failing to put an end to the processing activities at stake and to enforce the IE SA Decisions exposes data subjects to a risk of serious and irreparable harm”.

Secondly, the EDPB addressed the necessity to derogate from the standard cooperation and consistency mechanism, and it concluded that the fact that the DPC did not adopt any final measures to put an end to Meta’s GDPR infringements despite the risk of serious and irreparable harm for data subjects “shows that the regular cooperation and consistency mechanism is not providing satisfactory results”.

Thirdly, the EDPB examined whether the legal presumption of urgency provided in Article 61(8) GDPR was given in the case in question. Under Article 61(8) GDPR, if a DPA does not provide the information requested in a mutual assistance request within one month, urgency will be presumed. In this case, the Norwegian DPA had made such a request but received an unmotivated negative answer from the Irish DPC. The EDPB reiterated the importance of the cooperation mechanism and the fact that mutual assistance is at the core of such cooperation. Further, the authorities receiving a mutual assistance request have a series of procedural and substantive obligations under Article 61 GDPR to respond to such request. The EDPB also stressed that the mutual assistance request is a one-to-one procedure between the requesting and requested authorities. From a procedural point of view, the EDPB considered that the Irish DPC fulfilled its duty to respond to the request within the established time limit. As regards the substance of the reply by the DPC, however, the EDPB held that even though the DPC later explained that its answer that it could not comply with the request was a mistake, the DPC

“does not state it tried to amend its answer – for instance to provide the reasons for any refusal to comply with the request - or sought assistance to do so within the one-month deadline.”

Under Article 61(4) GDPR, the DPC might have refused to comply with the request but it also needed to give reasons explaining that compliance would infringe the GDPR or Member state law. Hence, the EDPB concluded that the DPC failed to provide a substantive reasoned response to the Norwegian DPA’s mutual assistance request within one month, thus the urgency could be presumed in accordance with Article 61(8) GDPR.

4. On the appropriate final measures

In its last point, the EDPB considered all the elements brought forward by the DPAs and the nature, gravity and duration of the infringements by Meta in order to assess the appropriateness of a ban on processing as a final measure. In particular, the seriousness of the infringement and the fact that the deadline for compliance had expired three months before, “provide arguments in favour of considering that the imposition of a ban would be appropriate, necessary and proportionate today”.

As a consequence, the EDPB ordered a ban on processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR, pursuant to Article 58(2)(f) GDPR, to be effective one week after notification to Meta. The EDPB added that the geographical scope of the measures should extend to the entire EEA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Urgent Binding Decision 01/2023 requested by the

 Norwegian SA for the ordering of final measures regarding
        Meta Platforms Ireland Ltd (Art. 66(2) GDPR)




                  Adopted on 27 October 2023
























Adopted                                                       1Table of contents


1    Summary of facts............................................................................................................................. 4

   1.1    Summary of the relevant events............................................................................................. 4

   1.2    Submission of the request to the EDPB and related events ................................................. 14

2    Competence of the EDPB to adopt an urgent binding decision under Article 66(2) GDPR.......... 15
   2.1    The SA has taken provisional measures under Article 66(1) GDPR....................................... 15

   2.2    Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the EEA.......... 16

   2.3    Conclusion............................................................................................................................. 16

3    The right to good administration.................................................................................................. 16
4    On the need to request final measures......................................................................................... 17

   4.1    On the existence of infringements........................................................................................ 17

     4.1.1      On the infringement of Article 6(1) GDPR..................................................................... 18

     4.1.2      On the infringement of the duty to comply with decisions by supervisory authorities42

   4.2    On the existence of urgency to adopt final measures by way of derogation from the
   cooperation and consistency mechanisms ....................................................................................... 45

     4.2.1      On the existence of urgency and the need to derogate from the cooperation and
     consistency mechanisms............................................................................................................... 46

     4.2.2      On the application of a legal presumption of urgency justifying the need to derogate
     from the cooperation and consistency mechanisms.................................................................... 56

     4.2.3      Conclusion as to the existence of urgency.................................................................... 65

5    On the appropriate final measures............................................................................................... 65
   5.1    Content of the final measures............................................................................................... 65

     5.1.1      Summary of the position of the NO SA ......................................................................... 65

     5.1.2      Summary of the position of Meta IE and Facebook Norway ........................................ 66

     5.1.3      Analysis of the EDPB...................................................................................................... 69
     5.1.4      Conclusion..................................................................................................................... 76

   5.2    Adoption of the final measures and notification to the controller....................................... 76

6    Urgent Binding Decision................................................................................................................ 77

7    Final remarks................................................................................................................................. 78














Adopted                                                                                                  2The European Data Protection Board

Having regard to Article 66 of Regulation 2016/679/EU of the European Parliament and of the Council

of 27 April 2016 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) (hereinafter ‘GDPR’) ,


HavingregardtotheEEAAgreementandinparticulartoAnnexXIandProtocol37thereof,asamended
by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 ,  2

Having regard to Articles 11, 13, 23 and 39 of the EDPB Rules of Procedure     3, hereinafter the ‘EDPB
RoP’.


Whereas:

(1) The main role of the European Data Protection Board (hereinafter the ‘EDPB’ or the ‘Board’) is to
ensurethe consistentapplicationoftheGDPRthroughoutthe EEA.Tothiseffect,itcanadopt opinions

and binding decisions under different circumstances described under Articles 63 to 66 GDPR, within
the consistency mechanism. The GDPR also established a cooperation mechanism, as it follows from
Article 60 GDPR that the lead supervisory authority (hereinafter ‘LSA’) shall cooperate with the other

supervisory authorities concerned (hereinafter ‘CSAs’) in an endeavour to reach consensus.

(2) Pursuant to Article 66(1) GDPR, in exceptional circumstances, where a supervisory authority (‘SA’)
considers that there is an urgent need to act in order to protect the rights and freedoms of data

subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64
and65GDPRortheprocedurereferredtoinArticle 60GDPR,immediatelyadoptprovisionalmeasures
intended to produce legal effects on its own territory with a specified period of validity which shall not

exceed three months.

(3)InaccordancewithArticle66(2)GDPR,whereasupervisoryauthorityhastakenameasurepursuant
to Article 66(1) GDPR and considers that final measures need urgently be adopted, it may request an

urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such
opinion or decision.

(4) In accordance with Article 13(2) EDPB RoP, the supervisory authority requesting an urgent binding

decision shall submit any relevant document. When necessary, the documents submitted by the
competent supervisory authority shall be translated into English by the EDPB Secretariat. Once the
Chair and the competent supervisory authority have decided that the file is complete, it is

communicated via the EDPB Secretariat to the members of the Board without undue delay.

(5)Pursuant to Article 66(4)GDPR and Article 13(1) EDPB RoP, the urgent binding decision of the EDPB
shall be adopted by simple majority of the members of the EDPB within two weeks following the

decision by the Chair and the competent supervisory authority that the file is complete.







1
2OJ L 119, 4.5.2016, p. 1.
  References to ‘Member States’ made throughout this decision should be understood as references to ‘EEA
Member States’. References to ‘EU’ should be understood, where relevant, as references to ‘EEA’.
3EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 6 April 2022.


Adopted                                                                                               3       1 SUMMARY OF FACTS


1.     This document contains an urgent binding decision adopted by the EDPB pursuant to Article 66(2)
       GDPR, following a request made by the Norwegian supervisory authority - ‘Datatilsynet’ (hereinafter,
       the ‘NO SA’) within the framework of the urgency procedure under Article 66 GDPR.


       1.1 Summary of the relevant events

2.     On 31 December 2022, the Irish supervisory authority (‘Data Protection Commission’, hereinafter the

       ‘IE SA’) issued a final decision concerning the inquiry IN-18-5-5 (hereinafter, the ‘IE SA FB Decision’,
       related to the Facebook Service)and a final decision concerning the inquiry IN-18-5-7 (hereinafter, the

       ‘IE SA IG Decision’, related to the Instagram Service) in which it found that Meta Platforms Ireland Ltd
       (hereinafter, ‘Meta IE’) did not rely on a valid legal basis for processing personal data for behavioural
                               4
       advertising purposes . These two decisions (hereinafter, collectively, the ‘IE SA Decisions’) were
       adopted on the basis of EDPB Binding Decisions 3/2022 and 4/2022, adopted by the EDPB pursuant to
                                                                                                        5
       Article 65(1) (a) GDPR on 5 December 2022 (hereinafter, the ‘EDPB Binding Decisions’) .

3.     Each of the IE SA Decisions concluded that Meta IE was not entitled to rely on Article 6(1)(b) GDPR to
       carry out processing of personal data for the purpose of behavioural advertising in the context of the

       Facebook Terms of Service / Instagram Terms of Use and included an order, addressed to Meta IE, to
       bring its processing of personal data for behavioural advertising purposes into compliance with Article
                                          7
       6(1) GDPR within three months .

4.     On 5 April 2023, the IE SA shared with the CSAs , using the Internal Market Information system
                            9
       (hereinafter, ‘IMI’) , Meta IE’s compliance reports regarding the Facebook Service (IN-18-5-5) and the
       Instagram Service (IN-18-5-7) (hereinafter collectively, the ‘Meta IE Compliance Reports’ or the
                                10
       ‘Compliance Reports’) and supporting material that Meta IE submitted to the IE SA on 3 April 2023



       4 Decision of the Irish Data Protection Commission of 31 December 2022, DPC Inquiry Reference: IN-18-5-5,
       concerning a complaint directed against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in

       respect of the Facebook Service (the ‘IE SA FB Decision’); Decision of the Irish Data Protection Commission of 31
       December 2022, DPC Inquiry Reference: IN-18-5-7, concerning a complaint directed against Meta Platforms
       Ireland Limited (formerly Facebook Ireland Limited) in respect of the Instagram Service (the ‘IE SA IG Decision’).
       5 EDPB Binding Decision 3/2022, adopted on 05 December 2022 (hereinafter ‘EDPB Binding Decision 3/2022’);
       EDPB Binding Decision 4/2022 adopted on 05 December 2022 (hereinafter ‘EDPB Binding Decision 4/2022’). In

       each of these binding decisions the EDPB instructed the IE SA to alter its Finding 2 of its Draft Decision, which
       concluded that Meta IE may rely on Art. 6(1)(b) GDPR in the context of its offering of the Facebook Terms of
       Service or the Instagram Terms of Use and to include an infringement of Art. 6(1) GDPR based on the
       shortcomings that the EDPB has identified in the EDPB Binding Decisions. The reasoning of the EDPB is available

       in paragraphs 94-133 and 484 of EDPB Binding Decision 3/2022 and in paragraphs 97-137 and 451 of EDPB
       Binding Decision 4/2022.
       6IE SA FB Decision, Finding 2, p. 49; IE SA IG Decision, Finding 2, p. 49.
       7 IE SA FB Decision, paragraphs 8.8, 10.44; IE SA IG Decision, paragraphs 212, 417. The deadline for compliance

       8ith the orders in the IE SA Decisions fell on 5 April 2023.
        In the cases leading to the adoption of the IE SA Decisions, all EEA SAs were CSAs pursuant to the GDPR (IE SA
       FB Decision, Schedule 1, paragraph 1.10; IE SA IG Decision, Appendix 1 - Schedule 1, paragraph 6).
       9More specifically, the IE SA shared on 5 April 2023 the Meta IE Compliance Reports via two IMI workflows, one

       for the IE SA FB Decision and one for the IE SA IG Decision respectively (hereinafter, collectively, the ‘IE SA IMI
       Informal Consultations’ or the ‘IMI Informal Consultations’).
       10Meta IE’s Compliance Report regarding the Facebook Service (IN-18-5-5) of 3 April 2023 (hereinafter, ‘Meta
       IE Compliance Report on IE SA FB Decision’), paragraphs 2.1 and 2.3 and Meta IE’s Compliance Report




       Adopted                                                                                                        4       with the aim of showing compliance with the IE SA Decisions. In its Compliance Reports, Meta IE
       indicated that it changed its legal basis for the majority      11of its processing of personal data for

       behavioural advertising purposes from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR as of 5 April 2023,
       which was the deadline for compliance with the IE SA Decisions . Specifically for reliance on Article
                                                                                                     13
       6(1)(f) GDPR, Meta IE provided legitimateinterests assessmentsas supporting materials (hereinafter
       collectively, the ‘Meta IE Legitimate Interests Assessments’). Without providing its own analysis on

       the Compliance Reports, the IE SA invited all the CSAs to assess the extent to which the measures
       implemented by Meta IE achieved compliance with the orders in the IE SA Decisions and welcomed
       feedback from the CSAs by 5 May 2023. The deadline was later on extended to 15 May 2023 .          14


5.     Onthesameday,theNOSAemailedtheIESAinrespectofMetaIE’schangeoflegalbasistolegitimate
       interest, expressing strong doubts as to whether this legal basis could be validly relied on and asking

       for the IE SA’s preliminary view on this.

6.     On 6 April 2023, upon request of the IE SA, the EDPB Secretariat circulated a message from the IE SA
       to the members of the Enforcement expert subgroup within the EDPB. Such message aimed to attract
                                                                                                   15
       allCSAs’attentiontotheIESAIMIInformalConsultationscirculatedbytheIESAviaIMI .Onthesame
       day, the IE SA replied to the NO SA’s email of 5 April 2023, pointing to the message from the IE SA to
       the CSAs circulated by the EDPB Secretariat.


7.     On 13 April 2023, the IE SA shared with the CSAs via IMI two further letters from Meta IE (one on the
       IE SA FB Decision and one on the IE SA IG Decision) dated 12 April 2023, providing further information

       on its compliance efforts in relation to the IE SA Decisions.

8.     On 14 April 2023, the NO SA responded negatively to a meeting request from Meta IE dated 28 March
       2023, pointing out that the case is handled by the IE SA as the LSA.

9.     Some CSAs asked for clarifications on the procedure being followed, for example on the reasons why

       the IE SA did not at that point share its assessment of Meta IE’s compliance with the orders in the IE
       SA Decisions. The IE SA clarified, first, that the assessment of compliance with the orders in the IE SA

       Decisions would be carried out on a joint basis, more specifically by way of an assessment carried out
       by the CSAs at the same time as the LSA, and that this sequencing of the process was aimed to ensure

       a timely and consistent approach, in line with the deadline for compliance determined by the EDPB,




       regarding the Instagram Service (IN-18-5-7) of 3 April 2023 (hereinafter, ‘Meta IE Compliance Report on IE SA

       11 Decision’), paragraphs 2.1 and 2.3.
         According to the Compliance Reports, Meta IE continued to process limited categories of non-behavioural
       information toshow advertising onFacebook or Instagrambased onArt. 6(1)(b) GDPR. See Meta IE Compliance
       Report on IE SA FB Decision, paragraphs 3.1.3 and 5.8.2, and Meta IE Compliance Report on IE SA IG Decision,
       paragraphs 3.1.3 and 5.8.2.
       12
         Meta IE Compliance Report on IE SA FB Decision, paragraph 2.1; Meta IE Compliance Report on IE SA IG
       Decision, paragraph 2.1.
       13Meta IE’s Legitimate Interests Assessments Behavioural Advertising Processing of 3 April 2023, Annex 4 to
       Meta IE Compliance Report on IE SA FBDecision and Annex 4 toMeta IE ComplianceReport on IE SA IG Decision.
       14Following requests from two of the CSAs, the deadline to share feedback was extended until 15 May 2023. In

       15ct, the IE SA waited for a few more days, giving the opportunity to further CSAs to share their views.
         In the same message, the IE SA also specified: ‘As you will also recall, IE SA confirmed, during the Article 65
       [GDPR] discussions, that any assessment of compliance with the orders made [in the IE SA Decisions] would be
       carried out on a joint basis, the same as in previous cases, whereby the IE SA together with all CSAs would jointly
       assess the extent to which any action taken has achieved compliance with the terms of the order’.




       Adopted                                                                                                    5       formulated on the basis that urgent action was required to be taken by Meta IE to address the
                     16                                                                         17
       infringement    . The IE SA also clarified that it would not issue a new draft decision .

10.    Several CSAs provided their feedback on the way in which Meta IE complied with the IE SA Decisions.

         •    The Österreichische Datenschutzbehörde (Austrian supervisory authority - hereinafter, the ‘AT

              SA’) shared its views that processing operations in connection with behavioural advertising
              could not be based on Article 6(1) (f) GDPR . 18


         •    The Integritetsskyddsmyndigheten (Swedish supervisory authority - hereinafter, the ‘SE SA’)
              stressed the importance of adhering to any applicable EDPB guidelines       19.

         •    The Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (hereinafter, the ‘DE

              Hamburg SA’) shared its views stating that ‘at this stage, consent would be the only possible
              legal basis to comply with’ the orders in the IE SA Decisions, and expressing concerns regarding

              the indications that sensitive data are processed without consent and regarding the processing
              activities for which Meta IE continued to rely upon Article 6(1)(b) GDPR .   20


         •    The Autoriteit Persoonsgegevens (Dutch supervisory authority - hereinafter the ‘NL SA’) shared
              its views that ‘the interests listed by [Meta IE] in the/its Legitimate Interest Assessment cannot
              be considered as “legitimate interests” in the sense of Article 6(1) (f) GDPR’, the processing of

              personal data is not ‘necessary’ for the purpose of the declared interests, and the ‘fundamental
              rights and freedoms of the data subject override the interest of [Meta IE] and the third parties
                        21
              involved’ .

         •    The NO SA transmitted on 5 May 2023 a formal mutual assistance request under Article 61 (1)
                    22
              GDPR     (hereinafter, the ‘NO SA Mutual Assistance Request’) to the LSA using the dedicated


       16
         These clarifications were made by the IE SA on 26 April 2023 as a reply to a question of the FR SA of 25 April
       2023 made in the IE SA IMI Informal Consultations.
       17The SE SA asked for clarification on the procedure being followed on 4 May 2023 via the IMI Informal
       Consultations. The IE SA replied on 5 May 2023.
       18
         TheseviewsweresharedasareplytotheIESAIMIinformalconsultationconcerningonlytheIESAFBDecision
       (Comment of the AT SA of 18 April 2023), see footnote 9. The AT SA also indicated that a balancing test was also
       difficult because the term ‘Behavioural Advertising Processing’ was not defined in the Privacy Policy and what
       this actually entailed was not entirely clear. The AT SA also made reference to the reasoning in its relevant and
       reasonedobjectiontotheIESA’sdraftdecision intheprocedureleading totheadoptionoftheIESA FBDecision.
       19
         Comment of the SE SA of 4 May 2023 as a reply to the IE SA IMI Informal Consultations, see footnote 9.
       20Commentofthe DE Hamburg SAof4May2023as areply to the IE SA IMI InformalConsultations,see footnote
       9. In its comments, the DE Hamburg SA stated that there ‘are strong indications that sensitive data stemming
       from different sources are processed without consent against the Art. 9 (1) GDPR’ and that ‘consent [is] the only

       possible legal basis for that kind of processing’ and made further remarks on this issue. The DE Hamburg SA also
       stated that the ‘processing described or indicated in the updated Terms of Use and [Meta IE] Privacy Notice
       cannot be based on Art. 6 (1) (b) GDPR’.
       21CommentoftheNLSAof4May2023,paragraph3-attachedasareplytotheIESAIMIInformalConsultations,

       see footnote 9. The NL SA, in its comments, also ‘urgently asks the [IE SA] to swiftly undertake adequate actions
       in order to cease the continuous illegality of the invasive processing of personal data of millions of users’
       (paragraph 4). In addition to providing detailed views on the applicability of Art. 6(1)(f) GDPR (paragraphs 8-63),
       theNLSAalsostresseditsconcernsabouttheprocessingofspecialcategoriesofdataandaboutthecompatibility

       of the processing of the amount of data at stake with the principles of data minimisation and purpose limitation
       (paragraphs 6-7).
       22Comment of the NO SA of 5 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote 9),
       attaching a copy of the NO SA Mutual Assistance Request introduced on 5 May 2023.




       Adopted                                                                                                     6       IMI flow 23. The NO SA requested the IE SA to (1) issue a temporary ban on Meta IE’s processing
       ofpersonaldataforbehaviouraladvertisingpurposesbasedonArticle6(1)(f)GDPRand(2)share

       a timeline with the NO SA and the CSAs specifying how the IE SA will ensure in an expedient
       manner that Meta IE complies with Article 6(1) GDPR.


   •   The Agencia Española de Protección de Datos (Spanish supervisory authority - hereinafter the
       ‘ES SA’) shared its views stating that ‘the submitted Legitimate Interest Assessment does not
       demonstrate that the processing carried out by [Meta IE] with the purpose of behavioural

       advertisement be based on Article 6(1)(f) GDPR since it does not meet the requirements of this
       Article’ .


   •   The Tietosuojavaltuutetun toimisto (Finnish supervisory authority - hereinafter the ‘FI SA’)
       shared its views on 15 May 2023 that ‘based on the information available, it does not seem that
       [Meta IE] would have brought all its processing activities into compliance with the GDPR and
                                                       25
       would meet the requirements of the GDPR’ .

   •   In addition, the Garante per la protezione dei dati personali (Italian supervisory authority -

       hereinafter, the ‘IT SA’) shared its views on 23 May 2023 saying that ‘[Meta IE’s] proposal is not
       such as to adequately implement the order to bring the processing into compliance insofar as it
       misclassifies part of the user-related information and thereby applies the legal basis of



23The formal NO SA Mutual Assistance Request contained two requests labelled as follows: ‘Pursuant to Art.
61(1) GDPR,thefollowingrequestsaremade:i.Wekindly requestthattheIESAissuesatemporarybanon[Meta

IE]’s processing of personal data for behavioural advertising purposes on Facebook and Instagram based on Art.
6(1)(f) GDPR, in accordance with Art. 58(2)(f) GDPR. The ban should last until the lead and concerned supervisory
authorities are satisfied that [Meta IE] has provided adequate and sufficient commitments to ensure compliance
withArt.6(1)GDPRandArt.21GDPR,inlinewithArt.31GDPR.Thiswillgiveustheopportunitytofurtherengage
with [Meta IE] and make sure that it commits to fully respect its obligations under the GDPR, while preventing

any further risks for data subjects stemming from [Meta IE]’s non-compliant behavioural advertising practices.
Please note that in our view, behavioural advertising includes any activities where advertising is targeted on the
basis of a data subject’s behaviour or movements, including advertising based on perceived location’. ii. ‘We
kindly requestthat the IE SA shares a timeline specifying how it will ensure in an expedient manner that [Meta IE]
complies with Art. 6(1) GDPR. We should be grateful if the IE SA, by 5 June 2023, would share the timeline and

confirm that a temporary ban will be issued. If the IE SA is not in a position to comply with our request regarding
[Meta IE], we may need to consider our options in relation to the adoption of provisional measures in Norway
pursuant to Art. 66 GDPR. We hope that this will not be necessary and look forward to cooperating further with
the IE SA within the framework of the cooperation mechanisms set out in Chapter VII GDPR’.
24These views were shared as a reply in the IESA IMI informal consultation concerning only the IE SA IG Decision

(Comment of the ES SA of 12 May 2023). More specifically, the ES SA argued that the interests listed by Meta IE
are ‘purely economic or commercial interests’ of Meta IE or third parties, and that in respect of the condition of
necessity of the processing ‘the direct link between the processing and the legitimate interest should be
established and prove that there are no less intrusive alternatives for the data subjects that could serve the
interest equally effectively’ (p. 4). The ES SA also noted some shortcomings in the balancing test carried out by

25ta IE (Comment of the ES SA of 12 May 2023, p. 5).
  Comment of the FI SA of15 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote9). More
specifically, the FI SA expressed doubts about legitimate interest being the most suitable legal basis in the case
at hand and argued that the Legitimate Interests Assessment carried out by Meta IE ‘seems to be rather one-
sided and superficial and fails to convince why the interests of [Meta IE] or third parties should override the

interests and fundamental rights of the data subjects’ (Comment of the FI SA of 15 May 2023, p. 2) and ‘fails to
take duly into consideration the volume of the processing and the high number of users of the said services’
(CommentoftheFISAof15May2023,p.2-3).TheFISAalsonotedthatcertaincategoriesofpersonaldataseem
to still be unlawfully collected for behavioural advertising purposes under Art. 6(1)(b) GDPR (Comment of the FI
SA of 15 May 2023, p. 2).




Adopted                                                                                                        7             contractual performance under Article 6(1)(b) GDPR to the serving of ads which, actually, are
             behavioural in nature’  26; the IT SA also highlighted some concerns concerning the switch to
                                                                                                           27
             legitimate interest for the other processing activities for behavioural advertising purposes .

11.    The IE SA shared with Meta IE the feedback received from the CSAs and invited Meta IE to provide
                                                    28
       submissions on these views by 2 June 2023 .

12.    On 30 May 2023, the NL SA sent the IE SA a request for mutual assistance under Article 61 GDPR
       (hereinafter, the ‘NL SA Mutual Assistance Request’) asking the IE SA to provide its conclusion as to

       whether Meta IE could rely on Article 6 (1) (f) GDPR, its conclusion as to whether Meta IE complies
       with the IE SA Decisions and as to a timeframe, which appropriate and expedient action will be taken
       to ensure that Meta IE acts in compliance with Article 6 GDPR . 29


13.    On 31 May 2023, the IE SA provided an update to all CSAs via the IE SA IMI Informal Consultations
       (hereinafter, the ‘IE SA Update to CSAs of 31 May 2023’, informing them about the NL SA Mutual

       Assistance Request and highlighting that it will be in a position to complete its own assessment of the
       Meta IE Compliance Reports and share its assessment with the NO SA and NL SA (who lodged Article
       61 GDPR requests) and all other CSAs by the end of June 2023. In particular, the IE SA indicated that

       theyhad‘receivedalloftheassessmentsfromCSAs’and‘forwardedthemto[MetaIE]forittoconsider
       the views expressed and to detail any changes that it proposes to implement on foot of the CSA

       assessments’. Furthermore, the IE SA stated that it will ‘complete its own assessment of [Meta IE]’s
       compliance reports’ after receiving Meta IE’s response. The IE SA also stated ‘it will be in a position to

       complete its own assessment of [Meta IE]’s compliance reports and to share its assessment with the
       Norwegian and Dutch supervisory authorities (both of which have lodged Article 61 requests for
       mutual assistance) and with all other CSAs by the end of June 2023’.


14.    Also, on 31 May 2023, Meta IE sent a letter to the IE SA providing its views and comments on the
       process that was being followed by the IE SA and asking for an extension of its deadline to provide a
       reply. In this context, it also provided some comments to the IE SA on the CSAs' feedback and some

       preliminary comments on the requests for urgent enforcement action from some CSAs.



       26
         Comment of the IT SA of 23 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote 9). As
       indicated in footnote 11, Meta IE indicated in its Compliance Reports the fact that it continued to process some
       data under Art. 6(1)(b) GDPR. The IT SA argued in this respect that ‘[Meta IE]’s distinction between non-
       behavioural and behavioural advertising can be said to be artificial and based merely on language’ (Comment of
       the IT SA of 23 May 2023, p. 1)
       27
         Comment of the IT SA of23May2023 as areply to the IESA IMI Informal Consultations(see footnote 9). More
       specifically, according to the IT SA, ‘it is as if the controller was shifting the burden of proof regarding legitimate
       interest as the legal basis of processing on the data subjects – who conversely should be called into play as key
       actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the necessity of the
       processing and performing the required balancing exercise’ (Comment of the IT SA of 23 May 2023, p. 2). The IT

       SAalsounderlinedthat‘theprocessingoperationsunderpinningtheuseofOnlineBehaviouralAdvertisingshould
       more appropriately be grounded in consent as a legal basis within the meaning of Art. 6(1) (a) GDPR’ (p.3).
       28On12May2023and16May2023,theIESAsenttwoletterstoMetaIE,providing MetaIE with thefirstreplies
       received from CSAs informing Meta IE that some CSAs requested an extension of time to provide a response. On
       25 May 2023, the IE SA transmitted to Meta IE the latest comments from CSAs with respect to the way in which

       Meta IE complied with the IE SA Decisions. The IE SA invited Meta IE to provide submissions by 2 June COB. On
       26 May 2023, the IE SA shared an update with all CSAs, informing them that their responses were forwarded to
       Meta IE, whose response was awaited by 2 June 2023.
       29The IE SA provided a reply on 31 May 2023. On the same day, the IE SA provided an update to CSAs in the IMI
       Informal Consultations, described in the following paragraph.




       Adopted                                                                                                 815.   On 2 June 2023, the IE SA provided a reply to the NO SA Mutual Assistance Request. In the notification
      formused,theIESAstatedthatitcould notcomplywiththerequest(bycheckingapre-codetextbox),

      andinvitedtheNOSAtolookatthe‘detailedresponseuploadedbythe[IESA]’intheIESAIMIInformal
      Consultations (see above, paragraph 13).

16.   On 9 June 2023, the NO SA further replied to the IE SA, via the IE SA IMI flow relating to the NO SA

      Mutual Assistance Request, asking whether the IE SA could ‘share their preliminary thoughts or non-
      bindingly indicate whether [it] may potentially be inclined to follow [the NO SA Mutual Assistance
      Request]’.InthesamemessagetheNOSAindicatedthatitwouldinanycaseawaittheIESA’sresponse

      towards the end of June.

17.   On 13 June 2023, the IE SA informed all CSAs via the IE SA IMI Informal Consultations that it would
      await the judgment of the Court of Justice of the European Union in Case C-252/21 (Meta Platforms

      Inc. v Bundeskartellamt) (hereinafter, the ‘CJEU Bundeskartellamt Judgment’) before sharing its
      assessment of the Meta IE Compliance Reports . The IE SA, noting the NO SA Mutual Assistance
      Request and the NL SA Mutual Assistance Request, indicated their intention to finalise their

      assessment as soon as possible after the CJEU Bundeskartellamt Judgment expected on 4 July 2023.

18.   On 14 June 2023, the IE SA sent a letter to Meta IE replying to its letter of 31 May 2023. The IE SA
      explained its intention to wait for the CJEU Bundeskartellamt Judgment before circulating its

      provisional assessment of the steps taken by Meta IE in purported compliance with the orders in the
      IE SA Decisions, as well as the expected next steps leading to the issuance of the final outcome of the

      assessment of compliance. In the same letter, the IE SA informed Meta IE that it no longer required it
      to make submissions in reply to the CSAs’ initial observations.

19.   On 21 June 2023, Meta IE shared with the IE SA its views on the concerns raised by some of the CSAs

      and regarding potential urgent proceedings. On 23 June 2023, the IE SA shared via the IMI Informal
      Consultations the communication received from Meta IE on 21 June 2023. The IE SA stated that Meta
      IE specified that this communication is without prejudice to Meta IE’s position that it brought its

      processing into compliance with the orders in the IE SA Decisions.

20.   On 30 June 2023, Meta IE shared by letter additional information with the IE SA regarding the IE SA’s
      proposed compliance assessment. In this letter, Meta IEoutlined its views on the next steps envisaged

      by the IE SA and provided information and arguments on what it considered to be misunderstandings
      underpinning the views provided by the CSAs on the Meta IE Compliance Reports .     31

21.   On 4 July 2023, the Court of Justice of the European Union delivered the CJEU Bundeskartellamt
                 32
      Judgment . On 6 July 2023, the IE SA indicated to all the CSAs via the IE SA IMI Informal Consultations

      30
      31The CJEUhad just announcedthat it would deliver the judgment beforethe IE SAgave this update to theCSAs.
        Letter from Meta IE to the IE SA of 30 June 2023. Meta IE’s comments on the next steps envisaged by the IE SA
      are available in paragraphs 1-3 of this letter. Meta IE also provided clarifications, information and arguments on
      what it considered to be misunderstandings underpinning the views provided by the CSAs on the Meta IE
      Compliance Reports in paragraph 7. By way of example, Meta IE stated that it ‘does not engage in a “balancing”
      exercise on receipt of a valid objection’, that the IE SA Decisions only apply to processing for behavioural

      advertising purposes (and not to processing of non-behavioural information for advertising purposes), and that
      the assessment of ‘Behavioural Advertising Processing’ only concerns data relating to activity on Facebook and
      Instagram (on-platform data). Meta IE also clarified that it relies on Art. 6(1)(a) GDPR to process information
      provided to Meta IE by third party advertising partners (‘off-platform data‘) for the purposes of showing
      personalised advertisements.
      32JudgmentoftheCourtofJusticeoftheEuropeanUnionof4July2023,MetaPlatformsInc.vBundeskartellamt,

      C-252/21, EU:C:2023:537.



      Adopted                                                                                                9       thatitwasconsideringsuchjudgmentinthecontextoffinalisingitsprovisionalassessmentofthesteps
       taken by Meta IE in purported compliance with the IE SA Decisions     3.


22.    On 11 July 2023, the IE SA issued a provisional position paper (‘IE SA Provisional Position Paper’) in
       which it preliminarily concluded that Meta IE had not complied with the orders in the IE SA Decisions,
                                                                                                     34
       and shared it with the CSAs alongside a letter dated 30 June 2023 received from Meta IE . The IE SA
       invited the CSAs to share their views on the IE SA Provisional Position Paper by 21 July 2023 . 35

23.    Between 20 July 2023 and 21 July 2023, two CSAs shared their views on the IE SA Provisional Position
                                                        36
       Paper via the IE SA IMI Informal Consultations . The IE SA shared these CSAs’ views with Meta IE on
       21 July 2023.

24.    On14 July2023,the NO SA imposed a temporaryban onMeta IE andFacebook NorwayAS (‘Facebook

       Norway’) regarding the processing of personal data of data subjects in Norway for behavioural
       advertising for which Meta IE relies on Article 6(1)(b) GDPR or Article 6(1)(f) GDPR (the ‘NO SA Order’

       or the ‘Provisional Measures’). On the same day, the NO SA informed by email the IE SA of the
       Provisional Measures being taken on the basis of Article 66(1) GDPR. On 7 August 2023, the NO SA
       rejected Meta IE’s and Facebook Norway’s request for deferred implementation of the NO SA Order.


25.    On 20 July 2023, the IE SA shared an update to the CSAs via the IE SA IMI Informal Consultations,
       informing the CSAs of its views on the NO SA Order. It also stated that it did not mean to refuse to
       comply with the NO SA Mutual Assistance Request as this was a result of ‘incorrectly (and

       inadvertently)’checking a boxand that, inits view,itscommunicationto the NO SAof2 June2023was
       referring to two documents shared with all CSAs on 31 May 2023 , which ‘directed to the subject

       matter of the NO SA [Mutual Assistance Request]’ and were ‘clearly engaging with the substance of
       the NO SA [Mutual Assistance Request] [...]’.

26.    On 24 July 2023, the NO SA answered to questions from a politician in the Irish national parliament on

       the NO SA Mutual Assistance Request. In its reply, the NO SA describes the reply provided by the IE SA
       to the NO SA Mutual Assistance Request and explains the reasons behind the issuance of the

       ProvisionalMeasures,expressingitsconcernsthat‘whileitisvery clearthat[MetaIE]doesnotcomply
       with the GDPR,failing to takespecific andresolute enforcementactionwould leadtoa cat-and-mouse

       game whereby [Meta IE] is able to evade compliance indefinitely’ and that ‘simply stating that [Meta
       IE] does not comply with the GDPR [...] without imposing any specific order spelling out what [Meta
       IE] must potentially do to comply with the law and by which date, will allow [Meta IE] to further delay

       compliance’.




       33In the same communication, the IE SA also indicated they expected to be in a position to circulate their
       provisional assessment the following week, and that they would then give the CSAs a period of ten days to
       respond. While the NO SA and the IE SA indicated that this update occurred on 5 July 2023, according to the IMI

       34ports relating to the IE SA IMI Informal Consultations, this update seems to have been sent on 6 July 2023.
         This letter was already mentioned above in paragraph 20.
       This update was shared by the IE SA via the IE SA IMI Informal Consultations. Together with the IE SA Provisional
       Position Paper and the Letter from Meta IE to the IE SA of 30 June 2023, the IE SA also shared again the Meta IE
       Compliance Reports (already shared on 5 April 2023 with the CSAs).
       35
         In the same communication, the IE SA also indicated that it would then provide the CSAs’ views on the IE SA
       Provisional Position Paper to Meta IE inviting it to make its submissions by 4 August 2023.
       36The NL SA shared its views via a document attached on 20 July 2023 and the DE Hamburg SA via a document
       attached on 21 July 2023.
       37See paragraph 13 above.




       Adopted                                                                                                 1027.   On 27 July 2023, Meta IE sent a letter to the IE SA stating that it intends to ground its processing for
      behavioural advertising purposes   38on consent (Article 6(1)(a) GDPR) (by way of “Meta IE’s Consent

      Proposal”Meta IE’s Consent Proposal)

                                                                                                  39
                                                                                                    . The IE SA
      shared this letter with the CSAs via the IE SA IMI Informal Consultations.

28.   On the same day, Meta IE sent a letter to the NO SA, making reference to the letter sent to the IE SA

      andrequesting the NO SA to lift the ProvisionalMeasuresin lightof Meta IE’s commitments tothe LSA
      to ensure compliance by way of relying upon consent.

29.   On 1 August 2023, the IE SA replied to Meta IE taking note of Meta IE’s intention to implement the

      necessary measures to enable it to rely on Article 6(1)(a) GDPR
                                                                  4.

30.   Meanwhile, on 1 August 2023, Meta IE and Facebook Norway lodged a complaint with the NO SA

      requesting that it lifts the NO SA Order. On 3 August 2023, the NO SA rejected this complaint and on
      the following day the NO SA sent a letter to Meta IE and Facebook Norway requesting confirmation as
      to whether the NO SA Order would be complied with.


31.   On 4 August 2023, Meta IE provided its response to the IE SA Provisional Position Paper. On the same
      date, Meta IE and Facebook Norway replied to the NO SA that they have, in their view, complied with
      the NO SA Order, and requested the Oslo District Court to grant a preliminary injunction against the

      NO SA Order.

32.   On 7 August 2023, the NO SA decided to impose a coercive fine on Meta IE and Facebook Norway for
      the non-compliance with the NO SA Order. On 14 August 2023, Meta IE requested the deferred

      implementation of the coercive fine imposed on Meta IE and Facebook Norway, at least until the Oslo
      District Court has ruled on Meta IE’s and Facebook Norway’s applications for a preliminary injunction.

      On 25 August 2023, the NO SA rejected Meta IE’s and Facebook Norway’s request for deferred
      implementation of the coercive fine.

33.   On 8 August 2023, Meta IE and Facebook Norway sent a letter to the Ministry of Local Government

      and Regional Development of Norway, asking it to consider Meta IE’s and Facebook Norway’s
      complaints against the NO SA Order submitted to the NO SA on 1 August 2023 . The Ministry of Local


      38





      39







      40 This letter was shared by the IE SA with the CSAs via the IE SA IMI Informal Consultations. The IE SA also
      highlighted that all the correspondence from Meta IE should be treated as confidential.
      41 Meta IE sustained that the Ministry should have declared the complaint valid and the decision should have
      been repealed, indicating that ‘the audit did not give [Meta IE] necessary notice of its proposed actions and did

      not give [Meta IE] the necessary opportunity to be heard’. In addition, Facebook Norway was of the opinion that
      the NO SA wrongfully indicated Facebook Norway as an addressee of the decision.


      Adopted                                                                                               11       Government and Regional Development of Norway responded on 10 August 2023, refusing to
       accommodate the request and indicating that it did not have the authority to handle complaints

       against the NO SA Order.

34.    On 10 August 2023, Meta IE sent a letter to the IE SA


                                                      highlighted its concerns arising from the Article 66 GDPR
       proceedings arising from the Provisional Measures and running in parallel to the process led by the IE

       SA.

35.    The IE SA responded on 11 August 2023. In its letter, the IE SA





                  highlighted that it considered it is not for it to second-guess the decision of the NO SA to
       trigger the application of the urgency procedure and that the Article 66 GDPR procedure would take

       its own course.

36.    The proceedings concerning the request for preliminary injunction lodged with the Oslo District Court
       further developed and the parties submitted written pleadings .      42

37.



                                      43
                                        .

38.    On 18 August 2023, the IE SA shared with all CSAs its final position paper (‘IE SA Final Position Paper’),
       in which the IE SA concluded that Meta IE failed to demonstrate compliance with the orders in the IE
                     44
       SA Decisions . The IE SA also indicated its view that in light of the Meta IE’s Consent Proposal, it is fair


       42On 10 August 2023 and 11 August 2023, respectively, Meta IE and Facebook Norway and the NO SA submitted
       their written pleadings to the Oslo District Court. Meta IE requested provisional injunctions to avoid damage
       following an alleged invalid administrative decision and Facebook Norway claimed that the NO SA’s justification

       was inadequate. The NO SA responded to the request for a preliminary injunction claiming, inter alia, that there
       was no case processing error that may have affected the content of the decision, the conditions for urgent
       measures for adopting its decision were met, the decision did not violate Article 84 GDPR (proportionality) and
       that an injunction by the Oslo District Court would have been in a manifest disparity with the damages or
       inconveniences Norway would have been inflicted. Meta IE then submitted further written pleadings to the Oslo

       District Court on 14 August 2023. On 15 August 2023, Meta IE and Facebook Norway complained against the NO
       SAabouttheNOSA’srejectionoftheircomplaint.MetaIEandFacebookNorwayreiteratethattheappealbefore
       the Ministry should be admissible and that they have the right to appeal the decision of the Ministry (contrary
       to the Ministry’s declaration) according to administrative law. On 16 August 2023, the NO SA submitted further
       written pleadings to the Oslo District Court, while Meta IE and Facebook Norway submitted their additional

       43itten pleadings on 18 August 2023.



       44Together with the IE SA Final Position Paper, the IE SA shared with the CSAs the same supporting materials as

       shared together with the IE SA Provisional Position Paper. See above paragraph 22.
       Also, on 17 August 2023, the IE SA provided an update to all CSAs via the IE SA IMI Informal Consultations,
       informing them mainly of the fact that the copies of the relevant communications to which the IE SA was party
       were transmitted to the NO SA and Meta IE to ensure that both the NO SA and Meta IE were in a position to put
       the full suite of communications before the Oslo District Court.




       Adopted                                                                                                     12       and reasonable to give Meta IE an opportunity to demonstrate that it can rely on consent as its lawful
                                                             45
       basis rather than engaging in enforcement measures      .

39.    On 25 August 2023, Meta IE and Facebook Norway submitted, each, to the NO SA their comments on
       the NO SA’s intended request for an urgent binding decision from the EDPB pursuant to Article 66 (2)

       GDPR, which was specified in the NO SA Order.

40.    On 28 August 2023, Meta IE and Facebook Norway complained against the NO SA regarding the

       coercive fine it had imposed. Meta IE and Facebook Norway asked the NO SA to revoke the
       enforcement decision or, at least, to lower the amount.

41.    On 6 September 2023, the Oslo District Court decided not to grant the petitions from Meta IE and

       Facebook Norway for a preliminary injunction against the NO SA Order.

42.





                                                                               46.
                                                                                                   .


43.



                                                 47.

44.    On 21 September 2023, the NO SA sent a letter to the IE SA outlining their views on the current state

       of play. More specifically, the NO SA stated that it considered there is still an urgent need for a ban of
       the unlawful processing of personal data carried out by Meta IE despite the Meta IE’s Consent
                48
       Proposal , and that such a ban would
       representanincentiveforMetaIEtoswiftlybringprocessingintocompliance .Thus,theNOSAasked

       the IE SA to reconsider their position, outlined in the IE SA Final Position Paper that enforcement

       45
         IE SA Final Position Paper, paragraph 9.2.
       46











       47

       48
         Letter of the NO SA to the IE SA of 21 September 2023, p. 2.






       49Letter of the NO SA to the IE SA of 21 September 2023, p. 3.




       Adopted                                                                                               13       measuresarenotnecessaryatthispointintime          50.TheletteralsomentionedthattheNOSArequested

       submissions from Meta IE about its intention to ask the EDPB for an urgent binding decision, but may
       consider not making such request should the IE SA decide to adopt enforcement measures .        51

45.    On 26 September 2023, Meta IE and Facebook Norway made submissions in relation to the request of

       the NO SA for an urgent binding decision of the EDPB and the NO SA lodged its request to the EDPB on
       IMI. Further details on this are available below .2


46.    On 27 September 2023, the IE SA replied to the letter of the NO SA of 21 September 2023, outlining
       its views on the NO SA’s position and course of action. More specifically, the IE SA recalled that the

       EDPB explicitly declined to instruct the IE SA to impose a temporary ban in the EDPB Binding Decisions
       and explained that each of the IE SA Decisions ‘made provision for enforcement measures, namely,
       the orders for compliance, under which [Meta IE]’s proposals for the adoption of one or more

       alternative legal bases for the [processing operations at stake] would be assessed, and ruled on, on
       their respective merits’ . The IE SA also expressed the view that ‘it is inaccurate to suggest that the [IE

       SA] could impose an immediate ban on processing, whilst continuing to progress its assessment of
       [Meta IE]’s proposed consent-based model, in conjunction with its CSA colleagues’ .     54


47.    On 11 October 2023, the NO SA replied to the letter of the IE SA of 27 September 2023. In this letter,
       the NO SA expressed its concern that despite the LSA and CSAs ‘agreeing that [Meta IE] cannot base

       processing of personal data for behavioural advertising on Article 6(1)(b) GDPR or Article 6(1)(f) GDPR,
       [Meta IE] continues to violate Article 6(1) GDPRand the [IE SA Decisions], and such violation continues
       to be tolerated’ . The NO SA reiterated its view that ‘corrective measures can and should be imposed
                                                                                                   56
       on [Meta IE] as soon as possible to stop [Meta IE]’s current illegal processing activities’ .

48.    The IE SA further replied on 13 October 2023. In its letter, the IE SA argued that the request of the NO

       SA to the EDPB amounts, in substance, to a demand for enforcement action against the IE SA for its
       (alleged) failure to implement the IE SA Decisions and to an attempt to use the Article 66 GDPR

       procedure as a means to procure an order from the EDPB to compel the IE SA to impose an EEA-wide
       ban on Meta IE’s processing of personal data for behavioural advertising purposes        57. The IE SA also

       expressed its view that it did put in place an enforcement procedure following the IE SA Decisions,
       consistent with the EDPB Binding Decisions    58.

49.    On16October2023,Meta IEandFacebookNorwayinitiatedlegalproceedingsbeforetheOsloDistrict

       Court to demand the invalidation of the NO SA Order.


       1.2 Submission of the request to the EDPB and related events





       50Letter of the NO SA to the IE SA of 21 September 2023, p. 3.
       51Letter of the NO SA to the IE SA of 21 September 2023, p. 3.
       52See paragraph 67 below.
       53
         Letter of the IE SA to the NO SA of 27 September 2023, p. 3.
       54Letter of the IE SA to the NO SA of 27 September 2023, p. 4.
       55Letter of the NO SA to the IE SA of 11 October 2023, p. 1.
       56Letter of the NO SA to the IE SA of 11 October 2023, p. 1.
       57
         Letter of the IE SA to the NO SA of 13 October 2023, p. 2-3, in which the IE SA also states that: ‘while, subject
       to ongoing litigation in Norway, [Meta IE]’s Norwegian subsidiary is accruing liabilities on a daily basis by
       reference to the fine recently applied by NO SA, [Meta IE]’s processing operations as they relate to behavioural
       advertising remain unchanged at this point’.
       58
         Letter of the IE SA to the NO SA of 13 October 2023, p. 3-6.


       Adopted                                                                                                  1450.   As mentioned above, on 26 September 2023, the NO SA used IMI to request the EDPB to adopt an

      urgentbindingdecisionpursuanttoArticle66(2)GDPR,withtheeffectoforderingtheimplementation
      of final measures (hereinafter, the ‘NO SA Request to the EDPB’ or ‘Request to the EDPB’).

51.   Following the submission of the NO SA Request to the EDPB, the EDPB Secretariat assessed the
      completeness of the file on behalf of the Chair of the EDPB.

52.   In the context of the assessment of the completeness of the file, the EDPB Secretariat contacted the

      NO SA on 4 October 2023 and 11 October 2023 requesting further documents and clarifications. In
      both cases, the NO SA responded on the same day by providing clarifications and uploading additional
      documents on IMI.

53.   The EDPB Secretariat also contacted the IE SA on 5 October 2023, requesting additional documents

      andclarifications.FollowingarequestsentbytheIESAtoextendthedeadlineinitiallyseton6October,
      the EDPB Secretariat extended the deadline to 9 October 2023. On 9 October, the IE SA replied by
      attaching some of the additional documents and providing some clarifications. On the basis of the

      reply, the EDPB Secretariat requested on the same day some further information and provided
      clarifications onthequestionsithadpreviouslyasked.On10October2023,theIESArespondedto the
      EDPB Secretariat’s email of 9 October 2023, highlighting the need for appropriate time to carry out
      verifications. On 11 October 2023, the EDPB Secretariat responded to the IE SA’s email identifying

      certainitemsasmattersofpriority.On12October2023,theIESArespondedtotheEDPBSecretariat’s
      request providing several documents and clarifications.

54.   A matter of particular importance that was scrutinised by the EDPB Secretariat was the right to good
      administration, as required by Article 41 of the Charter of Fundamental Rights of the European Union

      (hereinafter,the‘Charter’).FurtherdetailsonthistopicareprovidedinSection3ofthisurgentbinding
      decision.

55.   On 12 October 2023, the decision on the completeness of the file was then taken by the Chair of the
      EDPB and on 13 October 2023 by the NO SA in line with Article 13(2) of the EDPB RoP. The file was

      circulated by the EDPB Secretariat to all the members of the EDPB on 13 October 2023.

56.   On 17 October 2023, following a request of the IE SA to include an additional letter sent by the IE SA
      totheNOSAon13October2023,theEDPBdecided toincludeitinthefile,onthebasisofArticle11(2)
      EDPB RoP.



      2 COMPETENCE OF THE EDPB TO ADOPT AN URGENT BINDING

           DECISION UNDER ARTICLE 66(2) GDPR

57.   The EDPB is competent to issue an urgent binding decision under Article 66(2) GDPR to the extent that
      thefollowingconditionsaremet:anSAhastakenprovisionalmeasurespursuanttoArticle66(1)GDPR,
                                                                         59
      and there is a request from this SA pursuant to Article 66(2) GDPR.

      2.1 The SA has taken provisional measures under Article 66(1) GDPR

58.   On 14 July 2023, the NO SA adopted provisional measures pursuant to Article 66(1) GDPR, prohibiting

      Meta IE from processing the personal data of data subjects residing in Norway for targeting

      59See Art. 66(2) GDPR and EDPB Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from
      the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook
      Ireland Limited (hereinafter ‘EDPB Urgent Binding Decision 01/2021’), adopted on 12 July 2021, section 2.



      Adopted                                                                                             15      advertisements on the basis of observed behaviour for which Meta IE relies on Article 6(1)(b) GDPR or
      Article 6(1)(f) GDPR.

59.   The EDPB therefore considers that this condition is satisfied.


      2.2 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the
             EEA

60.   On 26 September 2023, the NO SA requested the EDPB to adopt an urgent binding decision pursuant

      to Article 66(2) GDPR, by introducing a formal request in the IMI system (Article 17 of the EDPB RoP).

61.   The EDPB therefore considers that this condition is satisfied.


      2.3 Conclusion
62.   The EDPB concludes it is competent to adopt an urgent binding decision under Article 66(2) GDPR.



      3 THE RIGHT TO GOOD ADMINISTRATION


63.   The EDPB is subject to Article 41 of the Charter (right to good administration). This is also reflected in
      Article 11(1) EDPB RoP.

64.   Similarly to what is provided under Article 65(2) GDPR, an urgent binding decision of the EDPB is
      addressed to the lead supervisory authority and all the supervisory authorities concerned, and is
                       60
      binding on them . It is not aimed to address directly any third party.

65.   Nevertheless, the EDPB assessed whether all the documents it received to be used in order to take its
      decision were known by Meta IE and Facebook Norway, and whether Meta IE and Facebook Norway

      were offered the opportunity to exercise their right to be heard on all the elements of fact and law to
      be used by the EDPB to take its decision.

66.   In this respect, the NO SA informed the EDPB Secretariat that it made available all the documents it
      submitted to the EDPB to Meta IE and Facebook Norway. The other documents (submitted by the IE

      SA), if not already known to the companies, were made available to them by the EDPB Secretariat by
      way of letters of 13 October 2023 and 18 October 2023 .   62

67.   On 17 September 2023, the NO SA sent a letter to Meta IE and Facebook Norway asking for their

      submissions on its draft request for an Article 66(2) GDPR urgent binding decision from the EDPB.
      Following extensions of the deadline initially set, these submissions were provided on 26 September
      2023 (hereinafter, ‘Meta IE’s Submissions of 26 September 2023’ and ‘Facebook Norway’s

      Submissions of 26 September 2023’). These submissions also attached Meta IE’s and Facebook
      Norway’sprevioussubmissionsof25August2023 concerning the intentionof theNO SA to request an
      urgent binding decision of the EDPB (‘Meta IE’s Submissions of 25 August 2023’ and ‘Facebook

      Norway’s Submissions of 25 August 2023’). In addition to these submissions, the file submitted to the
      EDPB also included multiple documents produced by Meta IE and/or Facebook Norway in the context

      oftheassessmentofcompliancewiththeIESADecisionsand/orinthecontextofthelegalproceedings

      60Art. 65(2) GDPR. According to Art. 66(4) GDPR, this provision is derogated in respect of the deadline for

      61option; therefore, the last sentence of Art. 65(2) GDPR fully applies.
        Letter of the EDPB Chair to Meta IE and Facebook Norway of 13 October 2023.
      62Letter of the EDPB Chair to Meta IE and Facebook Norway of 18 October 2023.



      Adopted                                                                                             16                                    63
      concerning the NO SA Order     , where Meta IE’s and Facebook Norway’s positions in respect of the
      elements being considered by the EDPB were clarified.

68.   On the basis ofthe assessment performed by the EDPBSecretariat,Meta IE andFacebook Norwayhad

      not yet had an opportunity to make their views known on some elements of fact and law included in
      some documents of the file to be used by the EDPB to take its decision. The Chair of the EDPB invited
      bywayofherletterof13October2023 MetaIEandFacebookNorwaytoprovidewrittensubmissions

      to the EDPB on these elements. These submissions, together with annexes, were provided by Meta IE
      and Facebook Norway on 16 October 2023 (‘Meta IE’s Submissions of 16 October 2023” and
                                                              65
      “Facebook Norway’s Submissions of 16 October 2023’) and were subsequently added to the file.

69.   On 18 October 2023, the Chair of the EDPB sent a new letter to Meta IE and Facebook Norway
      informing them of the document added to the file on 17 October 2023 and providing them with an
      opportunity to make written submissions on it. Meta IE and Facebook Norway made written

      submissionson19October2023(‘Meta IEandFacebookNorway’sSubmissionsof19October2023’),
      which were added to the file.

70.   The EDPB notes that Meta IE and Facebook Norway received the opportunity to make their views

      regarding all the legal and factual elements used by the EDPB to take this decision. Therefore, in case
      Meta IE and Facebook Norway would be found to be entitled to a right to be heard in this procedure,
      it would be in any case fully respected.



      4 ON THE NEED TO REQUEST FINAL MEASURES


71.   TheEDPBconsidersthatinorderforanurgentbindingdecisionadoptedpursuanttoArticle66(2)GDPR
      toorderfinalmeasurestwocumulativeconditionsneedtobefulfilled:theexistenceofone(orseveral)
      infringement(s) and the existence of an urgency situation justifying a derogation from the regular

      cooperation procedure.

72.   Consequently, the sections below assess first the existence of infringements (Section 4.1), then the
      existence of an urgency situation (Section 4.2).


      4.1 On the existence of infringements









      63By way of example, these documents included the Letter from Meta IE to the IE SA of 31 May 2023, the letter
      from Meta IE to the IE SA of 21 June 2023, the Letter from Meta IE to the IE SA of 30 June 2023, Meta IE’s
      Response to the IE SA Provisional Position Paper of 4 August 2023, Letter from Meta IE to the IE SA of 27 July

      6423, Letter from Meta IE to the NO SA of 27 July 2023.
        Letter of the Chair of the EDPB to Meta IE and Facebook Norway of 13 October 2023, replying to their letter of
      28 September 2023 where they requested that Meta IE and Facebook Norway be granted access to any
      documents in the administrative file, and tobe afforded an opportunitytomake submissions afterreviewing the
      file in advance of the EDPB reaching a final decision.
      65On 18 October 2023, Meta IE and Facebook Norway provided new versions of two of their annexes. In these

      letters of 16 October 2023, Meta IE and Facebook Norway also informed the EDPB that they filed a complaint
      before the Oslo District Court challenging and seeking to invalidate the NO SA Order on the merits.



      Adopted                                                                                             17       4.1.1 On the infringement of Article 6(1) GDPR

       4.1.1.1   Summary of the overall position of the NO SA

73.    TheNOSArequestedtheEDPBtoadoptanurgentbindingdecisionorderingfinalmeasurestobetaken

       across the EEA to ensure that ‘personal data shall not be processed for behavioural advertising based
       on Article 6(1)(b) [GDPR] or Article 6(1)(f) GDPR in the context of the Services’ . In the NO SA Request

       to the EDPB, the NO SA defines ‘behavioural advertising’ as ‘targeting ads on the basis of observed
       behaviour’ . In the view of the NO SA, this includes ‘targeting ads on the basis of inferences drawn

       from observed behaviour as well as on the basis of data subjects’ movements, estimated location and
       how data subjects interact with ads and user-generated content’ . This definition is in line with their
                                                            69
       understanding of the scope of the IE SA Decisions      .

74.    In the NO SA Request to the EDPB, the NO SA states that ‘[Meta IE] has failed to ensure compliance
                                      70
       with(...)[theIESADecisions]’ .According to the NOSA,thereisconsensusamong theCSAsthat Meta
       IE’s processing of personal data for behavioural advertising purposes is currently infringing the GDPR,

       and in particular Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, and the duty to comply with the decisions
       of the SAs .1


75.    The NO SA’s analysis is based on the following elements:

           •   Despite the IE SA Decisions, Meta IE still relies on Article 6(1)(b) GDPR to process (1) location
               information, including GPS location, data subjects’ activity on Meta products and the places

               data subjects like to go and the businesses and people data subjects are near; and (2)

               information about ads that Meta IE shows and how data subjects engage with those ads; for
               the purpose of behavioural advertising .  72

           •   Meta IE relies on Article 6(1)(f) GDPR to process some personal data for the purpose of

               behavioural advertising, while Article 6(1)(f) GDPR is not an appropriate legal basis for this
               processing .73

           •   The IE SA also considers thatMeta IE failed to demonstrate that it has a lawful basis to process
               platform behavioural data for behavioural advertising , and did not provide any

               documentation confirming that it stopped processing personal data for the purpose of
                                                                                                          75
               behavioural advertising on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR .







       66NO SA Request to the EDPB, p. 12.
       67NO SA Request to the EDPB, p. 12.
       68NO SA Request to the EDPB, p. 3-4, referring to the NO SA Order.
       69
         NO SA Order, p. 3.
       70NO SA Request to the EDPB, p. 6.
       71NO SA Request to the EDPB, p. 5-7.
       72NO SA Request to the EDPB, p. 4 which refers to the NO SA Order. See also NO SA Order, section 7.2.1.1.
       73
         NO SA Request to the EDPB, p. 4. The NO SA Request to the EDPB only mentions that Meta IE changed its legal
       basis for ‘some of its processing’ of personal data. Meta IE clarifies in its Letter to the IE SA of 30 June 2023 that
       these changes relate to the personal data collected on its products (paragraph 7c). A description of this data is
       provided in section 2.3 of the Meta IE Compliance Reports.
       74
         NO SA Request to the EDPB, p. 5.
       75NO SA’s Decision to Impose a Coercive Fine on Meta IE and Facebook Norway of 7 August 2023, p. 4.




       Adopted                                                                                                   1876.    The NO SA states that Meta IE has already been given enough time to bring its processing into
       compliance with Article 6(1) GDPR, and takes the view that ‘[Meta IE] is making use of dilatory
                   76
       strategies’   .

77.    The NO SA considers that there is sufficient information to allow the EDPB to conclude that
       infringements are taking place .  77


       4.1.1.2    Inappropriate reliance on Article 6(1)(b) GDPR


            4.1.1.2.1 Summary of the position of the NO SA

78.    The NO SA takes the view that Meta IE’s infringement of Article 6(1)(b) GDPR in the context of its

       behavioural advertising processing activities was confirmed by the EDPB Binding Decisions and the IE
       SADecisionswhichconcluded,inlinewiththeviewsexpressedinpreviousEDPBguidelines,thatArticle

       6(1)(b) GDPR is an unsuitable legal basis for behavioural advertising processing activities, both
       generally and in the case at issue . 78

79.    The NO SA finds that Meta IE has incorrectly understood what constitutes ‘processing of personal data

       for the purposes of behavioural advertising’ in the IE SA Decisions . It states that Meta IE’s processing
                                        80                             81
       of data subjects’ location data     and engagement with ads is part of Meta IE’s processing of personal
       data for the purpose of behavioural advertising concerned by the IE SA Decisions         82, and that, pursuant
                                                                                                      83
       to those decisions, such processing which is based on Article 6(1)(b)GDPR, is unlawful .

            4.1.1.2.2 Summary of the position of the controller

80.    MetaIEstatesthat,priortotheIE SADecisions,itreliedonArticle 6(1)(b)GDPR inagoodfaithmanner

       and its ‘bona fide belief that it was lawful for it to do so’ , considering that different national courts
       found that Meta IE may validly rely on Article 6(1)(b) GDPR to process personal data for the purposes

       of behavioural advertising . 85






       76
         NO SA Request to the EDPB, p. 6.
       77NO SA Request to the EDPB, p. 7.
       78NO SA Request to the EDPB, footnotes 4 and 10, referring to EDPB Guidelines 8/2020 on the targeting of social
       media users, paragraphs 49 and 71.
       79
         NO SA Order, section 7.2.1.1, p. 14 (referring to the IE SA FB Decision paragraph 10.44(b) and the IE SA IG
       Decision paragraph 417(b), respectively).
       80According to the NO SA, ‘[Meta IE]’s use of location data to inform which ads are displayed to data subjects

       clearly constitutesBehaviouralAdvertising.Itisuncleartouswhatthislocationisestimatedonthebasisof,ifnot
       the data subject’s behaviour’. NO SA Order, section. 7.2.1.1, p. 15.
       81According to the NO SA, ‘For information about data subjects’ engagement with ads, we understand that data
       subjects may click on “Hide Ad” and that one effect of this would be that the particular ad is not shown to that

       data subject again. We agree with [Meta IE]’s assertion set out in its letter of 30 June 2023 that this in itself does
       not constitute processing for Behavioural Advertising. However, to the extent that this or any other engagement
       with an ad is used to inform which other ads a data subject should see, we find that the processing of personal

       82ta does take place for Behavioural Advertising’, NO SA Order, section. 7.2.1.1, p. 15.
         NO SA Order, section. 7.2.1.1, p. 15. The NO SA also states this in the NO SA Mutual Assistance Request, p. 5.
       83NO SA Order, p. 15.
       84Meta IE’s Submissions of 25 August 2023, paragraph 65.
       85
         Meta IE’s Submissions of 25 August 2023, paragraph 65; Written Pleading of 18 August 2023 from Meta IE to
       Oslo District Court, p. 6.




       Adopted                                                                                                       19                                                                                                 86
81.    Meta IE acknowledges that the IE SA Decisions concluded differently to these cases         , and argues that
       it took since then substantial steps to bring its processing activities into ‘what it believes was
                                           87
       compliance with those decisions’ . Meta IE states that it changed its legal basis from Article 6(1)(b)
       GDPR to Article 6(1)(f) GDPR for the processing of personal data collected on Meta’s products for the
                                                                                   88
       purposes of behavioural advertising to comply with the IE SA Decisions . It states further that it relies
       on Article 6(1)(a) GDPR to process personal data obtained from third party advertising partners        8.

82.    In relation to the definition of what behavioural advertising encompasses, Meta IE states that its

       processing of personal data for the purpose of behavioural advertising comprises the use of
       ‘information collected on Meta’s products about a user’s behaviour over time in order to assess and

       understand users’ interests and preferences’. According to Meta IE, this includes signals such as ‘a
       user’s activity across Meta’s products, engagement with content such as other users’ posts or which

       pages they visit, the individuals and groups they communicate with, and/or what the user searches
           90
       for’ . Meta IE states that it processes this personal data to assess and understand users’ interests and
       preferences, and to provide them with behavioural advertisements .       91

83.    However, Meta IE takes the view that its processing of a) demographic data (including location data),

       b) In-use app, browser and device data c) advertisement shown and d) advertisement interaction
       data does not constitute behavioural advertising, and therefore falls beyond the scope of the IE SA

       Decisions 93.Inthisrespect,MetaIEarguesthatitsprocessingofsuchdataonthebasisofArticle6(1)(b)
       GDPR is valid .4


84.

                                                       95
                                                         .


            4.1.1.2.3 Analysis of the EDPB

85.    The EDPBBindingDecisionsinstructed, inter alia, the IESA to findaninfringementofArticle 6(1)GDPR
       on the ground that Meta IE inappropriately relied upon Article 6(1)(b) GDPR to process personal data

       for the purposes of behavioural advertising, and therefore lacked a legal basis to process this data for
       this purpose . In relation to this, the EDPB also instructed the IE SA to include in each of its final



       86Written Pleading of 18 August 2023 from Meta IE to Oslo District Court, p. 6.
       87Meta IE’s Submissions of 25 August 2023, paragraph 65; Written Pleading of 18 August 2023 from Meta IE to
       Oslo District Court, p. 6.
       88
         Meta IE Compliance Report on IE SA FB Decision, paragraphs 2.1 and 2.3 and Meta IE Compliance Report on IE
       SA IG Decision, paragraphs 2.1 and 2.3.
       89 Such data includes information from third party websites, apps and certain offline interactions (such as

       purchases). See Meta IE Letter to the IE SA of 30 June 2023, paragraph 7c and footnote 150 below.
       90Meta IE Compliance Report on IE SA FB Decision, paragraph 2.2; Meta IE Compliance Report on IE SA IG
       Decision, paragraph 2.2
       91Meta IE Compliance Report on IE SA FB Decision, paragraph 2.2; Meta IE Compliance Report on IE SA IG

       Decision, paragraph 2.2.
       92As described in section 5.8.2 of the Meta IE Compliance Reports.
       93Meta IE’s Request for preliminary injunction of 4 August 2023, p. 27.
       94
       95Meta IE’s Request for preliminary injunction of 4 August 2023, p. 27.



       96
         EDPB Binding Decision 3/2022, paragraphs 133 and 484; EDPB Binding Decision 4/2022, paragraphs 137 and
       451.




       Adopted                                                                                                    20       decisions an order for Meta IE to bring it processing of personal data for the purpose of behavioural

       advertising in the context of the Facebook and Instagram services into compliance with Article 6(1)
       GDPR within three months     97.


86.    On the basis of the EDPB Binding Decisions, the IE SA Decisions ordered Meta IE to bring its processing
       into compliance with Article 6(1) GDPR , the IE SA ordered Meta IE to take the necessary actions to

       bring into compliance with Article 6(1) GDPR and to address the finding that Meta IE is not entitled to
       processpersonaldataforthepurposeofbehaviouraladvertisingonthebasisofArticle6(1)(b)GDPR .                     99
       The EDPB notes that the IE SA made clear that such action may include, but is not limited to, the

       identification of an appropriate alternative legal basis in Article 6(1) GDPR    100.

87.    In the Compliance Reports, Meta IE indicated that it changed the legal basis it relies on for the

       processingof personaldata collectedon itsproductsforbehavioural advertising purposesfromArticle
       6(1)(b)GDPR to Article6(1)(f)GDPRasof 5April2023, which wasthedeadlineforcompliance withthe
                        101
       IE SA Decisions     . Meta IE also states that it still relies on Article 6(1)(b) GDPR to process what it
       considers to be ‘limited categories of non-behavioural information’ to show advertising on Facebook
                       102
       and Instagram     .

88.    In the IE SA Final Position Paper assessing Meta IE’s compliance with the IE SA Decisions and taking
       into consideration the comments received by the CSAs on such compliance, the IE SA addressed two

       key questions relevant for the purpose of this section of this urgent binding decision: the definition of
       behavioural advertising and whether the processing of Meta IE for advertising purposes relying upon
                                                          103
       Article 6(1)(b) GDPR falls within such definition     .

89.    As to the definition of behavioural advertising, the IE SA referred to the definition provided by the
                                                            104
       Article 29 Working Party in its Opinion 2/2010           being referred to by Meta IE in the Compliance
       Reports  10:

                ‘Behavioural advertising is advertising that is based on the observation of the behaviour of

                individuals over time. Behavioural advertising seeks to study the characteristics of this
                behaviour through their actions (repeated site visits, interactions, keywords, online content) in

                order to develop a specific profile and thus provide data subjects with advertisements tailored
                to match their inferred interests’ 106.






       97
         EDPB Binding Decision 3/2022, paragraphs 288 and 493; EDPB Binding Decision 4/2022, paragraphs 290 and
       459.
       98See IE SA FB Decision, paragraph 10.44b; IE SA IG Decision, paragraph 212. See also IE SA Final Position Paper,
       paragraph 2.1.
       99
         IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 212.
       100IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 212.
       101Meta IE Compliance Report on IE SA FB Decision, paragraph 2.1; Meta IE Compliance Report on IE SA IG
       Decision, paragraph 2.1.
       102
          Meta IE Compliance Report on IE SA FB Decision, paragraph 3.1.3; Meta IE Compliance Report on IE SA IG
       Decision, paragraph 3.1.3.
       103IE SA Final Position Paper, paragraphs 7.3 - 7.22.
       104IE SA Final Position Paper, paragraph 7.5, referring to Article 29 Working Party Opinion 2/2010 adopted on 22

       June 2010, p. 5.
       105Meta IE Compliance Report on IE SA FB Decision, p. 4; Meta IE Compliance Report on IE SA IG Decision, p.4.
       106Article 29 Working Party Opinion 2/2010 adopted on 22 June 2010, p. 5.




       Adopted                                                                                                     2190.    TodefinewhethertheprocessingofMetaIEforadvertisingpurposesrelyinguponArticle6(1)(b)GDPR
       falls within such definition, the IE SA also referred to the description of Meta IE’s processing for
                                                                                                107
       behavioural advertising purposes provided by the EDPB in the EDPB Binding Decisions         :

               ‘[Meta IE] collects data on its individual users and their activities on and off its Facebook social
               networkservicevianumerousmeanssuchastheserviceitself,otherservicesoftheMetagroup
               including Instagram, WhatsApp and Oculus, third party websites and apps via integrated

               programming interfaces such as Facebook Business Tools or via cookies, social plug-ins, pixels
               and comparable technologies placed on the internet user’s computer or mobile device.
               According to the descriptions provided, [Meta IE] links these data with the user’s Facebook

               accounttoenableadvertiserstotailortheiradvertisingtoFacebook’sindividualusersbasedon
               their consumer behaviour, interests, purchasing power and personal situation. This may also
               include the user’s physical location to display content relevant to the user’s location’10.

91.    The IE SA noted that Meta IE relies on Article 6(1)(b) GDPR for a more limited set of personal data for
                                                                       109
       advertising purposes in the Facebook and Instagram services       . The EDPB notes that Meta IE argues
       that it is relying on Article 6(1)(b) GDPR for the processing of ‘limited non-behavioural information’ to
       show advertisements, as described in its Compliance Reports    110:


               ‘a) Demographic data. This consists of age users provide, gender users provide, and estimated
               general location. The use of demographic data is required to ensure advertising is appropriate
               in accordance with the Terms of Use/Service. For example, (...) (c) relying on location is
               necessary to ensure advertisements that [Meta IE] show users are in an appropriate language

               and relate to an appropriately located company or service (e.g., [Meta IE] does not show users
               advertisements for products which are not available in their country);


               b) In-use app, browser and device data. (...) This includes the type of device being used, the
               language chosen on the device at that time and the version of the Facebook/Instagram app
               being used. These data points are necessary to deliver advertisements appropriately. For
               example,toproperlyformattheadvertisementtomeettheviewingrequirementsofthedevice,

               to avoid users being shown advertisements for apps which are not supported by the operating
               systemontheirdevice,andensurethattheadvertisementisinthechosenlanguageoftheuser;


               c) Advertisements shown. This consists of information on whether the advertisement is
               rendered and delivered to a user. This information is a basic metric which [Meta IE] needs in
               order, for example, to ensure the number of advertisements that [Meta IE] shows to users is at
               an appropriate level and to ensure that the same advertisements are not being directed to the

               user repeatedly. The information does not indicate whether the user has actually noticed the
               advertisement;


               d) Advertisement interaction data. This consists of two forms of information provided by users
               if they choose to interact with advertisements: (a) to provide negative feedback on their
               advertising experience, for example by selecting to “hide” or report an advertisement; and (b)






       107IE SA Final Position Paper, paragraph 7.4, referring to EDPB Binding Decision 3/2022, paragraphs 95-96 and
       EDPB Binding Decision 4/2022, paragraphs 98-99.
       10EDPB Binding Decision 3/2022, paragraphs 95-96 and EDPB Binding Decision 4/2022, paragraphs 98-99.
       10IE SA Final Position Paper, paragraphs 2.2, 4.5 and 7.6.
       110
         As referred to in the IE SA Final Position Paper, paragraph 7.6.



       Adopted                                                                                                22               to provide positive feedback on their advertising experience, for example by clicking
               advertisements they find relevant’.    111


92.    The EDPB notes the IE SA’s following findings:

           •    In relation to location data, the IE SA took the view that Meta IE did not provide sufficient

                information to allow the IE SA to understand why location data would fall outside the
                                                112
                definition of behavioural data     . According to the IE SA, Meta IE did not explain whether it is
                processing the user’s physical location or the location that they proactively provide to Meta IE

                to target ads to them.
           •    In relation to device data, the IE SA indicated that device information could also be used to

                identify different market segments, which in turn could be processed for behavioural
                advertising purposes  113.

           •    In relation to advertisements shown, the IE SA indicated that more clarity from Meta IE would
                be required as to whether Meta IE only analyses records of ads shown (which, according to

                the IE SA, are not amounting to behavioural data) or also behavioural ads presented by other
                tools through a shared interface screen, which would also add to the behavioural processing

                by Meta IE 114.

           •    In relation to advertisement interaction data, the IE SA underlined that ‘interaction data’ was
                listed in the definition of behavioural advertising in the Article 29 Working Party Opinion,
                                                                                         115
                which was incorporated by Meta IE into its Compliance Reports               . The IE SA therefore
                underlined the lack of clarity on how Meta IE would then distinguish ‘advertisement

                interaction data’, listed in point d) above from ‘interaction data’ included in the Article 29
                Working Party Opinion 2/2010. The IE SA raised concerns as to the fact that Meta IE stated

                that it relies on Article 6(1)(b) GDPR in circumstances where the user provides positive
                advertising feedback  116. According to the IE SA, this falls within the definition of behavioural


       111
          Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2; Meta IE Compliance Report on IE SA IG
       Decision, paragraph 5.8.2.
       112In particular,the IE SAstatedthat‘[Meta IE]hasexplainedthe usesof this data, but notwhy theseusesdo not
       amount to behavioural processing. For example, it is unclear if location data is used by [Meta IE] to tailor ads to
       users on the basis of visits to certain types of shops, their travel to business hubs or holiday destinations, or the

       times of year at which they travel. If [Meta IE] use location data in these ways, then this would be processing
       personal data for the purposes of behavioural advertising, both by reference to the EDPB’s description of such
       advertising, as set out at paragraph 7.4 above, and by reference to the Article 29 Working Party Opinion relied
       on by [Meta IE]’, IE SA Final Position Paper, paragraph 7.11.
       113The IE SA stated that ‘it is unclear whether [Meta IE] identifies device information as a different market

       segment. While the processing of device information to serve ads may not amount to behavioural advertising, it
       ispossiblethat[MetaIE]identifiescertaindevicesasadifferentmarketsegment.Thetypeofdevicecouldindicate
       spending power or history, which could be processed for behavioural purposes’, IE SA Final Position Paper,
       paragraph 7.12.
       114
       115IE SA Final Position Paper, paragraph 7.13.
          Article 29 Working Party Opinion 2/2010 adopted on 22 June 2010, p. 5 referred to in Meta IE Compliance
       Report on IE SA FB Decision, p. 4 and Meta IE Compliance Report on IE SA IG Decision, p. 4.
       116The IE SA’s concerns relate in particular to Meta IE’s statement that when ‘the user provides positive
       advertising feedback (e.g., actively choosing to click on a specific ad they find relevant and want to see), [Meta

       IE] similarly needs to use that information to ensure it is providing the user with an appropriate and relevant
       personalised advertising experience pursuant to the Terms of Service’, see IE SA Final Position Paper, paragraph
       7.14, referring to Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2 and Meta IE Compliance
       Report on IE SA IG Decision, paragraph 5.8.2.




       Adopted                                                                                                    23                advertising provided by the Article 29 Working Party Opinion 2/2010 as it involves Meta IE
                                                                                                                  ’117
                ‘inferringconclusionsaboutuserpreferencesfromusers’interactionwithanadvertisement                    .
                Following further information provided by Meta IE on 30 June 2023 to the IE SA on negative

                advertisingfeedback    11,theIESAindicatedthat,totheextentthatMetaIE‘processespersonal

                data solely to prevent a specific hidden ad being shown to a user, then the [IE SA] agrees that
                this does not amount to behavioural advertising. However, to the extent that [Meta IE] infers

                a user’s advertising preferences from the fact that they have hidden an ad, then this does fall
                withinthedefinitionofbehaviouraladvertising’       119.TheIESAaddedthat‘[MetaIE]submissions

                are too vague to determine whether it processes personal data just to hide the specific ad, or

                whether it draws inferences from the choice to hide an ad. The reference in the justification of
                this processing to a user’s “personal advertising experience” indicates that the decision to hide
                                                                                                                   120
                onead could beused toinferpreferencesabout theadsthat a user receives moregenerally’                 .
                TheEDPBnotesthatthisappreciationisinlinewiththeobservationsmadebytheDEHamburg
                   121
                SA   .The IE SA thereforeprovidedthat‘it appearsfrom theinformationprovidedby[MetaIE]
                that it uses data about hidden ads to engage in behavioural advertising’. The IE SA also

                provided similar conclusions for the positive feedback, raising that ‘Using information about

                click-throughs to determine what types of ads a user wants to see in the future falls plainly
                within the definition of behavioural advertising provided by [Meta IE] to the [IE SA]’     12.


93.    In light of the above, the EDPB notes that the IE SA found that Meta IE still conducts some processing
       for the purposes of behavioural advertising in reliance on Article 6(1)(b) GDPR      123.


94.    In addition, the IE SA also indicated the lack of sufficient information to explain why categories (a) to
       (d) were not behavioural data    124. The EDPB also notes that on this basis, the IE SA found that Meta IE
       had not demonstrated compliance with the IE SA Decisions as regards reliance on Article 6(1)(b) GDPR

       for behavioural advertising   12.

95.    The EDPB notes that this view was also expressed by certain CSAs replying to the IE SA IMI Informal

       Consultations. More specifically, the FI SA stated that ‘the following personal data seems to be still
       unlawfully collected for behavioural advertising purposes under Article 6(1)(b) [GDPR]: “Information


       117
          IE SA Final Position Paper, paragraph 7.15.
       118Meta IE said that ‘with respect to negative advertising feedback, if a user selects the option that is available
       to “Hide Ad – never see this ad again,” then [Meta IE] needs to use that information to ensure that choice
       regarding the user’s personal advertising experience (i.e., what advertisements they do not want to see) is

       respected’, IE SA Final Position Paper, paragraph 7.16.
       119IE SA Final Position Paper, paragraph 7.16, referring to the comments of the DE Hamburg SA on the IE SA
       Provisional Position Paper.
       120IE SA Final Position Paper, paragraph 7.16.
       121
          ‘Allowing[MetaIE]tofurtherjustifywhetheritprocessespersonaldataonlytohideaparticularad,orwhether
       it draws inferences from the decision to hide an ad, is nothing more than leaving a choice not to describe the
       actual purpose of the processing, to formally fall short of the definition of behavioural advertising. In doing so,
       hiding certain ads without anything deriving from that decision would contradict [Meta IE]´s business model. To

       the extent that this or other engagement with an ad is used to learn what other ads a data subject should see,
       Hamburg SA notes that the processing of personal data serves purposes of behavioural advertising’, Views of DE
       Hamburg SA of 4 May 2023; as referred to in the IE SA Final Position Paper, paragraph 7.17.
       122IE SA Final Position Paper, paragraph 7.19.
       123
          IE SA Final Position Paper, paragraph 6.2 and paragraph 8.1.
       124IE SA Final Position Paper, paragraph 7.22.
       125IE SA Final Position Paper, paragraphs 7.1, 7.22 and 8.1.




       Adopted                                                                                                     24       about ads we show you and how you engage with those ads” and “Location information”’.         126The IT SA

       also stated that ‘[Meta IE]’s proposal is not such as to adequately implement the order to bring the
       processing into compliance insofar as it misclassifies part of the user-related information and thereby

       applies the legal basis of contractual performance under Article 6(1)(b) GDPR to the serving of ads
       which, actually, are behavioural in nature’  12.

96.    The EDPB observes that if any of the data listed in paragraph 91 of this urgent binding decision may be

       considered as falling within the scope of the definition of behavioural advertising, there are grounds
       forfinding thatMetaIEisinfringingArticle6(1)GDPR.Thisis becauseMetaIE wouldstill beprocessing

       personal data for the purpose of behavioural advertising on the basis of Article 6(1)(b)GDPR, although
       it was considered unlawful by the IE SA Decisions   12.

97.    Inthisrespect,theEDPBsharestheIESA’sviewthatMetaIEstillconductssomeprocessingofpersonal

       data for the purposes of behavioural advertising in reliance on Article 6(1)(b) GDPR    12, at least for the
       following categories of data:


           •   Location data - the EDPB finds, in line with the view of the IE SA, that Meta IE failed to
               demonstrate that its processing of location data does not constitute processing for the
                                                    130
               purpose of behavioural advertising      . It is unclear to the EDPB, as it is to the NO SA and the IE
               SA, on which basis the location is estimated, if not the data subject’s behaviour. The EDPB

               consequently finds, in line with the view of the NO SA, that Meta IE’s processing of location
                                                                                                               131
               data to inform which ads are displayed to data subjects constitutes behavioural advertising       .
           •   Advertisement interaction data - the EDPB finds, in line with the view of the IE SA, that Meta

               IE failed to demonstrate that its processing of advertisement interaction data does not
               constitute processing for the purpose of behavioural advertising. The EDPB shares the view of

               the IE SA that ‘[Meta IE] is recording the behaviour of the users when they are presented with
               adsandusethattotailorfuturepresentationofads’         132.TheEDPBconsequentlyfindsthatMeta

               IE’s processing of advertisement interaction data constitutes behavioural advertising for the
               following reasons:

                    o   As rightly pointed out by the IE SA, the EDPB recalls that interaction is listed among

                        the data types in the definition of behavioural advertising in the Article 29 Working
                        Party Opinion 2/2010   13.

                    o   The EDPB observes that irrespective of whether the data subject provides negative or
                        positivefeedbackon theadstheysee, MetaIEstatesthattheinteractionswill beused
                                                                                          134
                        toprovidean‘appropriateandrelevantadvertisingexperience’             whichindicatesthat
                        Meta IE is inferring conclusions about user preferences from such interaction.




       126Views of the FI SA of 15 May 2023, p. 2.
       127Views of IT SA on IE SA FB Decision of 23 May 2023, p. 2, and views of IT SA in IE SA IG Decision of 23 May
       2023, p. 2.
       128
          In this respect, the IE SA Decisions implemented the findings described in the EDPB Binding Decision 3/2022,
       paragraphs 94-133 and the EDPB Binding Decision 4/2022, paragraphs 97-137.
       129See paragraphs 92-93 above.
       130IE SA Final Position Paper, paragraph 7.11.
       131
       132IE SA Final Position Paper, paragraph 7.11.
          IE SA Final Position Paper, paragraph 7.14.
       133IE SA Final Position Paper, paragraph 7.14.
       134Meta IE Compliance Report on IE SA FB Decision, p. 16.




       Adopted                                                                                                 25                    o   With respect to negative feedback (i.e., where the data subject clicks to hide/report

                        an ad), the EDPB observes that Meta IE states that it needs to use this information ‘to
                        ensure that choice regarding the user’s personal advertising experience (i.e., what
                                                                                  135
                        advertisements they do not want to see) is respected’        . The EDPB also observes that
                        MetaIEstatesthat theoptions‘HideAd’and‘Report Ad’areusedto‘directlyinfluence

                        the ads [users] see’ 13. The EDPB shares the view of the IE SA that ‘the reference in the

                        justification of this processing to a user’s “personal advertising experience” indicates
                        that the decision to hide one ad could be used to infer preferences about the ads that
                                                          137
                        a user receives more generally’      and therefore that ‘it appears from the information
                        provided by [Meta IE] that it uses data about hidden ads to engage in behavioural
                                     138
                        advertising’    .
                    o   With respect to positive feedback, the EDPB observes that Meta IE states that when

                        ‘the user provides positive advertising feedback (e.g., actively choosing to click on a
                        specific ad they find relevant and want to see), [Meta IE] similarly needs to use that

                        information to ensure it is providing the user with an appropriate and relevant
                                                                                                                 139
                        personalised advertising experience pursuant to the Terms of Service’                       .
                        Consequently, the EDPB also shares the view of the IE SA that this practice falls within

                        the definition of behavioural advertising provided by the WP29 Opinion as it involves
                        Meta IE ‘inferring conclusions about user preferences from users’ interaction with an
                                        ’140
                        advertisement      .

98.    In conclusion, the EDPB finds that Meta IE is inappropriately relying on Article 6(1)(b) GDPR to process

       location data and advertisement interaction data collected on its products for the purpose of
       behavioural advertising.


99.    In addition, the EDPB shares the view of the IE SA that Meta IE did not provide sufficient information
       to explain whyother categoriesofdata processed by Meta IEdo notamount to behaviouraldata,such
                                                     141
       as device data and advertisements shown         . In this respect, the EDPB finds, in line with the view of
       the IE SA, that in relation to device data, if Meta IE would use device data to identify different market
       segments, this would constitute a processing for behavioural advertising for which it would rely

       inappropriately on Article 6(1)(b), infringing Article 6(1) GDPR  142.






       135Letter from Meta IE to the IE SA of 30 June 2023, p. 5.
       136Meta IE’s submissions of 16 October 2023 to the Oslo District Court. For Instagram specifically, also see the

       screenshots included in p. 35 of the Annex 3 to the Compliance Report on IE SA IG Decision.
       137IE SA Final Position Paper, paragraph 7.16.
       138IE SA Final Position Paper, paragraph 7.18.
       139Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2 and Meta IE Compliance Report on IE SA IG

       140ision, paragraph 5.8.2.
          IE SA Final Position Paper, paragraph 7.15.
       141See paragraph 89 above.
       142The IE SA stated that ‘it is unclear whether [Meta IE] identifies device information as a different market

       segment. While the processing of device information to serve ads may not amount to behavioural advertising, it
       ispossiblethat[MetaIE]identifiescertaindevicesasadifferentmarketsegment.Thetypeofdevicecouldindicate
       spending power or history, which could be processed for behavioural purposes’, IE SA Final Position Paper,
       paragraph 7.12.




       Adopted                                                                                                    26       4.1.1.3 Inappropriate reliance on Article 6(1)(f) GDPR


          4.1.1.3.1     Summary of the position of the NO SA

100. The NO SA considers that Article 6(1)(f) GDPR does not constitute an appropriate legal basis under
                                                                               143
       Article 6(1) GDPR for Meta IE’s behavioural advertising processing         .

101. The NO SA refers to the IE SA Final Position Paper, in which the IE SA concluded that Meta IE continues
       to fail to rely onavalidlegalbasis toprocesspersonaldata for behaviouraladvertising purposesunder

       Article 6(1) GDPR, despite Meta IE’s switch to Article 6(1)(f) GDPR as a legal basis for its behavioural
       advertising processing on 5 April 2023     14. The NO SA outlines that this conclusion was supported by
                                                                                          145
       several CSAs explicitly, without any objection being raised by the other CSAs         .

102. Further, the NO SA states that paragraph 117 of the CJEU Bundeskartellamt Judgment validates the

       conclusion that Article 6(1)(f) GDPR does not constitute an appropriate legal basis for Meta IE’s
       behavioural advertising processing    146. In this respect, the NO SA acknowledges Meta IE’s view that the

       judgment is irrelevant and relates to a different aspect of Meta IE’s processing for behavioural
       advertising 147. However, the NO SA argues that the ruling does apply to Meta IE’s behavioural
                                                                                           148
       advertising practices in general and, therefore, that it cannot be disregarded        .

          4.1.1.3.2     Summary of the position of the controller

103. In its Compliance Reports, Meta IE states that it has changed its legal basis from Article 6(1)(b) GDPR

       to Article 6(1)(f) GDPR for ‘Behavioural Advertising Processing’ - solely for personal data collected on
       Meta’s products   149- to comply with the IE SA Decisions   150.


104. Asmentionedinparagraph81above,MetaIEdefinesthescopeofthisprocessingoperationprocessed
       on the basis of Article 6(1)(f) GDPR as follows:

                ‘Behavioural Advertising Processing comprises the use by [Meta IE] of information collected on

                [Meta’s] products about a user’s behaviour over time in order to assess and understand users’


       143NO SA Request to the EDPB, p. 4.
       144NO SA Request to the EDPB, p. 5. As specified in paragraph 104 below, Meta IE defines the scope of this
       processing operation processed on the basis of Art. 6(1)(f) GDPR as relating to personal data collected on Meta’s

       products.
       145NO SA Request to the EDPB, p. 5.
       146NO SA Request to the EDPB, p. 5.
       147NO SA Request to the EDPB, p. 6. As specified in paragraphs 109 and 142 below, in paragraph 1.5 (A) of Meta

       IE’s Response to the IE SA’s Provisional Position Paper of 4 August 2023, Meta IE considers that the
       Bundeskartellamt Judgment ‘does not rule out Article 6(1)(f) [GDPR] “as a matter of principle” as a valid legal
       basis for [Meta IE]’s Behavioral Advertising Processing. The judgment assessed Article 6(1)(f) [GDPR] (and the
       element of “necessity”) in the context of different processing than is at-issue here (i.e., data collected off-[Meta],

       and to a limited extent cross-product data processing, as opposed to data collected on-[Meta] products). (...)
       Further,theCJEUdidnot(andcouldnotasamatteroflaw)issueablanketfindingthatusers’interestswillalways
       outweigh [Meta IE]’s and third parties’ legitimate interests in the context of personalised advertising (...).’
       148NO SA Request to the EDPB, p. 6.
       149
          Meta IE indicates to rely on Art. 6(1)(a) GDPR to process personal data about users’ activity off-Meta’s
       products (such as on third-party websites, apps and certain offline interactions (e.g., purchases)), obtained by
       MetaIEfromthirdpartyadvertisingpartnersforthepurposesofshowingpersonalisedadvertisingtotheseusers
       onFacebookorInstagram(seeMetaIEComplianceReportonIESAFBDecision,p.12,paragraph3.1.2,andMeta

       IE Compliance Report on IE SA IG Decision, p. 13, paragraph 3.1.2).
       150Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision, p.
       4.




       Adopted                                                                                                     27                interests and preferences. This includes signals such as a user’s activity across [Meta’s]

                products, engagement with content such as other users’ posts or which pages they visit, the
                individuals and groups they communicate with, and/or what the user searches for. [Meta IE]

                uses all of these signals to assess and understand users’ interests and preferences and to
                provide them with behavioural advertisements.’ (emphasis added in bold)          151


105. With respect to the above, the EDPB notes that the personal data processed for behavioural

       advertising purposes on the basis of Article 6(1)(f) GDPR is collected ‘on’ and ‘across’ Meta’s products
       and that these terms are used interchangeably by Meta IE.


106. Meta IE also refers to its updated privacy policies for Facebook and Instagram, which provide the list
       of categories of personal data processed for this purpose      152.


107. In Meta IE’s view, it was entitled to consider that it could switch to Article 6(1)(f) GDPR for its
       behaviouraladvertisingprocessingtocomplywiththeIESADecisions                153.AccordingtoMetaIE,neither

       the EDPB Binding Decisions nor the IE SA Decisions ordered Meta IE to rely on a specific legal basis
       under Article 6(1) GDPR, such as Article 6(1)(a) GDPR      154. Meta IE argues that it is only once the IE SA

       adopted the IE SA Final Position Paper on 18 August 2023 that an authority concluded that Meta IE’s
       reliance on Article 6(1)(f) GDPR was insufficient to comply with the IE SA Decisions       155. Meta IE argues

       that prior to this date ‘[s]ome SA submissions are inconsistent with one another and cannot be
       reconciled (for example (...) certain SAs appear to consider that consent is the only viable basis possible
                                                                 156
       whereas others accept Article 6(1)(f) GDPR is viable)’       .

                                                                                                          157
108. Meta IE carried out Legitimate Interests Assessments annexed to its Compliance Reports                 , in which
       it concludes that Article 6(1)(f) GDPR constitutes an appropriate legal basis for behavioural
                   158
       advertising    . Meta IE reiterates this conclusion on 4 August 2023, after having made a commitment
       to switch to Article 6(1)(a) GDPR through the Meta IE’s Consent Proposal             15. In addition, Meta IE
       highlighted that it ‘expended significant resources’ and implemented ‘very substantial steps’ to switch

       from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR to comply with the deadline of 5 April 2023         16.

109. With respect to the CJEU Bundeskartellamt Judgment, Meta IE takes the view that this case ‘does not

       rule out Article 6(1)(f) [GDPR] as a matter of principle as a valid legal basis’ for Meta IE’s behavioural


       151
          Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision, p.
       4.
       152Meta IE Compliance Report on IE SA FB Decision, p. 4-5, and Meta IE Compliance Report on IE SA IG Decision,
       p. 4-5.
       153
          Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 22. See
       also Meta IE’s letter to the IE SA of 27 July 2023, p. 1-2.
       154Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 4 and
       16.
       155
          Meta IE’s Submissions of 26 September 2023, p. 11 and Meta IE’s Submissions of 16 October 2023, p.5.
       156Letter from Meta IE to the IE SA regarding process and urgency of 31 May 2023, p. 3.
       157Meta IE’s Legitimate Interests Assessments Behavioural Advertising Processing of 3 April 2023, Annex 4 to
       Meta IE Compliance Report on IE SA FBDecision and Annex 4 toMeta IE ComplianceReport on IE SA IG Decision.
       158
          Annex 4 to the Meta IE Compliance Report on IE SA FB Decision and to Meta IE Compliance Report on IE SA
       IG Decision, p. 4, and Meta IE Compliance Report on IE SA FB Decision, p. 11, Meta IE Compliance Report on IE
       SA IG Decision, p. 12.
       159Meta IE’s Request for preliminary injunction, 4 August 2023, p. 27.
       160
          Meta IE’s Submissions of 26 September 2023, p. 10 and Meta IE’s Submissions of 16 October 2023, p.5. See
       also Meta IE’s Submissions of 25 August 2023, p. 33.




       Adopted                                                                                                      28       advertising processing activities, given that the CJEU ‘did not (and could not as a matter of law) issue

       a blanket finding that users’ interests will always outweigh [Meta IE]’s and third parties’ legitimate
       interests in the context of personalised advertising’           161. It argues that the CJEU Bundeskartellamt

       Judgment relates to a different processing than the processing covered by the EDPB Binding Decisions
       and the IE SA Decisions. More specifically, Meta IE points out that this judgment relates to personal

       data collected off-Meta, as opposed to data collected on-Meta products. Notably, Meta IE states that
       the scope of the case, ‘excludes processing for behavioural advertising purposes when using personal

       data collected across different [Meta IE]’s products’, while acknowledging that the case focuses ‘to a
       lesser extent’ on ‘the processing of personal data collected across various [Meta IE]’s products’               16.


110. Lastly, despite considering that it can lawfully rely on Article 6(1)(f) GDPR, Meta IE announced that,

       taking into account the ‘different views’ of the IE SA both in the IE SA Provisional Position Paper and
       regarding the interpretation of the CJEU Bundeskartellamt Judgment, it was willing to switch to
                                                 163
       consent for the processing at stake          .

                                                    164
                                                      .

                                                     165
                                                       .



                                                                              166.


                                               167.





           4.1.1.3.3      Analysis of the EDPB

111. In the IE SA Decisions, Meta IE was directed to take the necessary action to address the finding that

       Meta IE is not entitled to carry out the processing operations at stake on the basis of Article 6(1)(b)
       GDPR,wasordered tobringits processingof personaldatafor the purposesofbehaviouraladvertising

       into compliance with Article 6(1) GDPR and it was specified that such action is ‘not limited to the

       161
           Meta IE’s Response to IE SA’s Provisional Position Paper, 4 August 2023, section 1.5 (A) and also section 2 for
       a more detailed analysis.
       162 Meta IE’s Request for preliminary injunction, 4 August 2023, p. 27.
       163 Meta IE’s letter to the IE SA of 27 July 2023, p. 1-2.













       164 Meta IE’s letter to the IE SA of 27 July 2023, p. 2.
       165 Meta IE’s letter to the IE SA of 27 July 2023, p. 2.
       166
           IE SA’s letter to Meta IE of 11 August 2023, p. 2.
       167 IE SA’s letter to Meta IE of 11 August 2023, p. 2.




       Adopted                                                                                                              29       identification of an appropriate alternative legal basis’, but may include the implementation of ‘any

       necessary measures required to satisfy the conditionality associated with that/those alternative legal
       basis/bases’  16.

112. TheEDPBnotesthat,accordingtoMetaIEComplianceReportsandtheIESAFinalPositionPaper,Meta
                                                                                                           169
       IE relies on Article 6(1)(f) GDPR to process personal data collected on Meta’s products                for the
       purposes of behavioural advertising since 5 April 2023     170.

113. Pursuant to Article 6(1)(f) GDPR, Recital 47 GDPR and the CJEU’s settled case-law         171, three cumulative

       conditions must be met to be able to rely on Article 6(1)(f) GDPR, ‘namely, first, the pursuit of a
       legitimate interest by the data controller or by a third party; second, the need to process personal data

       for the purposes of the legitimate interests pursued; and third, [according to a balancing test] that the
       interests or fundamental freedoms and rights of the person concerned by the data protection do not
                                                                                              172
       take precedence over the legitimate interest of the controller or of a third party’       .

114. More specifically, the first condition relates to the existence of legitimate interests pursued by the
       controller or a third party.


115. Meta IE has identified different interests that it considers legitimate and on which it relies for the
       processing at stake. These interests are pursued either by Meta IE or third parties, namely businesses
       that use Facebook/Instagram and other users of Meta’s products              173. More specifically, Meta IE

       identified the four following legitimate interests:

           •    (1)Meta IE’s‘interest and theinterestsofother userstoprovidea positiveuserexperiencethat

                users will want to engage with, and which is tailored to users - providing quality targeted and
                personalised ads is a core element of the wider user experience across Meta Products’,

           •    (2) Meta IE’s ‘interest and the interests of other users to enable [Meta IE] to generate revenue
                and continue to innovate, improve and develop the Meta Products and new technologies’,

           •    (3) Meta IE’s and third parties’ (e.g. advertisers) interests ‘to provide businesses, both big and

                small, the opportunity to connect with the users who are most likely to be interested in their
                products and services’, and

           •    (4) Meta IE’s ‘interests and the interests of third parties (e.g. advertisers) and other users, for
                businesses, both big and small, to be able to promote their products and services to users’       17.







       168
          IE SA FB Decision, paragraph 8; and IE SA IG Decision, paragraph 212.
       169IE SA Final Position Paper, paragraph 7.23, p. 11-12, referring to Meta IE’s Letter to the IE SA of 30 June 2023,
       and Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision,
       p. 4.
       170
          IE SA Final Position Paper, paragraph 7.25, p. 12, and Meta IE Compliance Report on IE SA FB Decision, p. 4,
       and Meta IE Compliance Report on IE SA IG Decision, p. 4.
       171As recently recalled in the CJEU Bundeskartellamt Judgment, paragraph 106, which refers to previous case-
       law. The IE SA Final Position Paper also recalls and applies this test in paragraphs 7.27 and seq., p. 12-21.
       172See paragraph 106 of the CJEU Bundeskartellamt Judgment.
       173
          Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p.
       6.
       174Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p.
       6.




       Adopted                                                                                                     30116. These four categories of interests are further broken down in several sub-interests in Meta IE
       Legitimate Interests Assessments       17. For example, the first and the second legitimate interests also

       include the following sub-interest: ‘[For other Facebook and Instagram users:] The enjoyment of
       Facebook and Instagram services free of charge’.        176

117. As recalled by the IE SA, the given legitimate interests must be ‘sufficiently clearly articulated and [be]

       real and present, corresponding to current activities or to benefits that are expected in the near
       future’ 177.


118. The EDPB notes that the IE SA concluded that the interests listed by Meta IE in its Compliance Reports
       can meet these criteria   178.


119. The second condition relates to the necessity of the processing for the pursuit of those interests (or
       ‘necessity test’).


120. In its Compliance Reports, Meta IE considers that: (1) the processing at stake is necessary to pursue
       and achieve the legitimate interests identified by Meta IE          179, (2) this processing is reasonable and
                                                                          180
       proportionate to achieve the legitimate interests pursued             and (3) no viable alternatives exist that
       would allow the legitimate interests to be achieved       181.

121. In that regard, the IE SA considers that Meta IE failed to demonstrate in its Compliance Reports that

       its behavioural advertising processing was necessary to the different legitimate interests it
       identified 182. More specifically, the IE SA points out that Meta IE’s explanations regarding the impact

       of the processing at stake are ‘too vague’ and therefore they do not allow the IE SA to determine that
       there is a less intrusive alternative that Meta IE could pursue       183. In addition, the IE SA considers that

       Meta IE Legitimate Interests Assessments do not apply the necessity test for each of the legitimate
       interest on which it relies  184.


122. More specifically, regarding the first interest set out by Meta IE, the IE SA refers to the EDPB Binding
       Decision 3/2022 and concludes that behavioural advertising is not in the interest of all Meta IE’s users,
                                  185
       but only of some users       . Therefore, according to the IE SA, Meta IE has not explained the need to



       175
          MetaIELegitimateInterestsAssessmentsBehaviouralAdvertisingProcessingof3April2023,Annex4toMeta
       IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 9-
       13.
       176MetaIELegitimateInterestsAssessmentsBehaviouralAdvertisingProcessingof3April2023,Annex4toMeta

       IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 9.
       This sub-interest is further detailed on p. 12 of Meta’s Legitimate Interests Assessments.
       177IE SA Final Position Paper, paragraph 7.33, referring to the EDPB Binding Decision 02/2022, paragraph 110.
       178
          IE SA Final Position Paper, paragraph 7.33, p. 13-14.
       179Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision,
       p.6, both referring to sections 2.b, 2.c., and 3.a of Meta IE Legitimate Interests Assessments.
       180Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision, p.

       7, both referring to section 3.b of Meta IE Legitimate Interests Assessments.
       181Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision, p.
       7, both referring to sections 3.c, 3.d, and 3.e of Meta IE Legitimate Interests Assessments.
       182
       183IE SA Final Position Paper, paragraph 7.50, p. 18.
          IE SA Final Position Paper, paragraph 6.3, p. 5.
       184IE SA Final Position Paper, paragraph 7.41, referring to Meta IE Legitimate Interests Assessments Behavioural
       Advertising Processing of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB Decision and Annex 4

       to Meta IE Compliance Report on IE SA IG Decision.
       185IE SA Final Position Paper, paragraphs 7.43-7.44, p. 16.




       Adopted                                                                                                         31       process the personal data of all of its users ‘for the purposes of realising the interests of those users
                                                         186
       who want to receive behavioural advertising’        .

123. Further, regarding the second, third and fourth interests put forward by Meta IE in its Compliance
                187
       Reports    , the IE SA concludes that Meta IE’s arguments are not sufficiently substantiated because of
       the vagueness and the lack of specificity of the analysis      188. In particular, Meta IE has not explained

       which specific categories of personal data Meta IE needs to process or which processing operations
       need to take place to achieve the above interests     189.

124. When conducting the ‘necessity test’ in the Meta IE Legitimate Interests Assessments, Meta IE claims

       that ‘Without the Processing, which as explained above is essential in order to monetise Facebook and
       Instagram, [Meta IE] would not be able to provide the services to users free of charge in the same

       manner as it does currently. This in turn would jeopardise the attainment of the legitimate interests
       identified above’  190. According to Meta IE, if it did not carry out the processing of personal data

       collected on its products for the purpose of behavioural advertising and if it only carried out the
       ‘limited’ processing it engages in when data subjects object, it ‘would significantly impact the user

       experienceonFacebook andInstagram (in part, duetolessinnovation happeningon theplatformsdue
       to reduced revenue) and it would also impact [Meta IE]’s ability to provide Facebook and Instagram

       free of charge (regardless of the financial means of the user) to users as this is largely due to the
       revenues that [Meta IE] makes from enabling advertisers to effectively advertise to Instagram and
                         191
       Facebook users’     .

125. However, the IE SA points out that Meta IE’s privacy policy states that Meta IE is pursuing a legitimate
       interest ‘to generate revenue’, which is different than providing services for free       19. According to the

       IE SA, given that other types of advertising may also generate revenue, it cannot be concluded that
       behavioural advertising is necessary to generate ‘any revenue at all’      193.


126. The IE SA also highlights that ‘there is no explanation as to why it is necessary to process all the data
       categories that [Meta IE] uses for behavioural advertising in order to provide the services for free’        19.

       Against this background, the IE SA concludes that Meta IE’s claim that it is necessary to carry out
       behavioural advertising to provide Meta IE’s services is not sufficiently granular       195. In particular, it is

       unclear whether, through this argument, Meta IE is saying that (1) Meta IE is unable to provide
       FacebookandInstagramforfreeunlessitprocessesthepersonaldataofallofitsusersforthepurpose





       186
          IE SA Final Position Paper, paragraph 7.44, p. 16.
       187Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p.
       6.
       188IE SA Final Position Paper, paragraphs 7.45 and 7.50, p. 16 and 18.
       189
          IE SA Final Position Paper, paragraph 7.45, p. 16.
       190MetaIELegitimateInterestsAssessments BehaviouralAdvertisingProcessingof3April2023,Annex4toMeta
       IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p.
       21, section 3a.
       191
          MetaIELegitimateInterestsAssessments BehaviouralAdvertisingProcessingof3April2023,Annex4toMeta
       IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p.
       24, section 3d.
       192IE SA Final Position Paper, paragraph 7.46, p. 17.
       193
          IE SA Final Position Paper, paragraph 7.46, p. 17.
       194IE SA Final Position Paper, paragraph 7.47, p. 17.
       195IE SA Final Position Paper, paragraph 7.47, p. 17.




       Adopted                                                                                                      32       of behavioural advertising, or (2) Meta IE is still able to provide Facebook and Instagram for free by
                                                                                                           196
       processing the personal data of some of its users who do not object to behavioural advertising        .

127. The IE SA’s conclusion for the second condition was shared by a number of CSAs in their comments
       and reactions on the Compliance Reports:


           •   On 4 May 2023, the NL SA outlined that ‘[t]he massive processing of users’ (special) personal
               data for the purpose of behavioural advertising is not ‘necessary’ for the purposes of the
                                   197
               declared interests’   .

           •   On 23 May 2023, the IT SA notes in relation to Meta IE Legitimate Interests Assessments that

               ‘it is as if the controller were shifting the burden of proof regarding legitimate interest as the
               legal basis of processing on the data subjects – who conversely should be called into play as

               key actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the
               necessity of the processing and performing the required balancing exercise’     19.

           •   In the NO SA Order, the NO SA argues that Meta IE fails to show that it fulfils the ‘necessity

               test’ based on (1) the absence of assessment of the necessity of each interest put forward by
               Meta IE, (2) the absence of a substantiated assessment regarding alternative advertising

               models that could be viable, (3) the incorrect finding in Meta IE Legitimate Interests
               Assessments that its behavioural advertising processing is unlikely to have an adverse impact

               ondata subjects,and (4)theinappropriatereference to the fact thatother businessesarealso
               carrying out behavioural advertising, which does not have an impact on the lawfulness of such
               processing  19.


128. According to the settled case-law of the CJEU, when applying the necessity test, ‘it should be borne in
       mind that derogations and limitations in relation to the protection of personal data must apply only in
                                     200
       so far as is strictly necessary’ .

129. In its Bundeskartellamt Judgment, the CJEU also recalled that this second condition requires ‘to
       ascertain that the legitimate data processing interests pursued cannot reasonably be achieved just as

       effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, in
       particular the rights to respect for private life and to the protection of personal data guaranteed by
                                         201
       Articles 7 and 8 of the Charter’     . This condition must also be examined in conjunction with the
       principle of data minimisation under Article 5(1)(c) GDPR   202.








       196IE SA Final Position Paper, paragraph 7.47, p. 17.
       197Views of the NL SA of 4 May 2023 on Meta IE’s choice of a new legal basis for the processing of personal data

       198Meta IE in the framework of Behavioural Advertising on its platforms Facebook and Instagram, paragraph 3.
          Views of IT SA on the IE SA FB Decision of 23 May 2023, p. 2, and views of IT SA on the IE SA IG Decision of 23
       May 2023, p. 2.
       199NO SA Order, p. 17-18.
       200Judgment of 4 May 2017, Rīgas satiksme, C-13/16, ECLI:EU:C:2017:43, paragraph 30 and cited case-law;

       Judgment of 11 December 2014, Ryneš, C-212/13, ECLI:EU:C:2014:2428, paragraph 28; Judgment of 11
       December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, paragraph 46.
       201CJEU Bundeskartellamt Judgment, paragraph 108.
       202CJEU Bundeskartellamt Judgment, paragraph 109.




       Adopted                                                                                                 33130. In the EDPB Binding Decisions, the EDPB considered that there are realistic, less intrusive alternatives
                                                                                         203
       to behavioural advertising, making the processing at stake not ‘necessary’           .

131. Inlight ofthe above,the EDPBconsidersthat therearegrounds forconcluding, asthe IE SA did                  204,that

       Meta IE failed to fulfil the second condition of the ‘necessity test’ to be able to rely on Article 6(1)(f)
       GDPR for the processing of personal data collected on Meta’s products for purposes of behavioural
                                                                                                                205
       advertising, in particular whether there are no other means that are less intrusive alternatives             and
       regarding compliance with the principle of data minimisation under Article 5(1)(c) GDPR           20.


132. The third condition relates to the ‘balancing test’.

133. In its Compliance Reports referring to the Meta IE Legitimate Interests Assessments, Meta IE has
       concluded that, in light of the ‘extensive measures and safeguards’ it implemented, the potential risks
                                                                     207
       to data subjects identified are ‘appropriately mitigated’       .

134. More specifically, Meta IE refers inter alia to the following safeguards: the measures implemented to

       ensure transparency towards data subjects (e.g. through privacy policies and ‘Help center’ articles),
       the publication of advertising policies for users, the existence of restrictions on targeting criteria, the

       existence of control tools (in relation to advertising in general or to specific ads that are displayed to
       users) 208,thepossibilitytoobjecttotheprocessing        209andthepossibilitytoexercisedatasubjects’data
                          210
       protectionrights     .Metaalsoarguesthatthelanguage introducedtoexplainthechangeoflegalbasis
       and the impact on users, including their ability to object to the behavioural advertising processing at

       stake, ‘have been implemented to ensure that users have a reasonable expectation of Behavioural
       Advertising Processing and are aware of their right to object to this processing             211’. In Meta IE’s

       Legitimate Interests Assessments, Meta further claims that ‘Users reasonably expect the processing of
       Platform Behavioural Information for behavioural advertising, taking into account the robust






       203EDPB Binding Decision 3/2022, paragraph 121 and the EDPB Binding Decision 4/2022, paragraph 124. As

       eluded to in the EDPB Binding Decisions, the AT SA, PL SA (only for EDPB Binding Decision 3/2022) and SE SAs
       mention as examples contextual advertising based on geography, language and content, which do not involve
       intrusivemeasuressuch asprofiling andtracking ofusers.Thisanalysiswasmadeinthecontextofthelegalbasis
       of Art. 6(1)(b) GDPR.
       204
       205IE SA Final Position Paper, paragraph 7.50, p. 18 and paragraph 6.3., p. 5.
          IE SA Final Position Paper, paragraphs 7.46-7.48, p. 17.
       206IE SA Final Position Paper, paragraph 7.45, p. 16, and an analysis of the principle of data minimisation is
       included in paragraph 7.59, p. 19, with respect to the balancing test.
       207
          Meta IE Compliance Report on IE SA FB Decision, p. 10 and Meta IE Compliance Report on IE SA IG Decision,
       p. 11, both referring to sections 4 and in particular sections 4.2.b and 4.2.c of Meta IE Legitimate Interests
       Assessments.
       208Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB

       Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.c. on the implemented
       safeguards.SomesafeguardsarereiteratedinMetaIEComplianceReportonIESA FBDecision,p.7-10andMeta
       IE Compliance Report on IE SA IG Decision, p. 7-12.
       209Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA

       FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.e. on the opt-out tools.
       210Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA
       FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.f. on data protection
       rights.
       211
          Meta IE Compliance Report on IE SA FB Decision, p. 7 and Meta IE Compliance Report on IE SA IG Decision,
       p. 7.




       Adopted                                                                                                       34       transparency [Meta] has implemented (...), which contributes to managing user expectations around
                                                                        212
       the Processing and personalised advertising more broadly’          .

135. In that regard, the EDPB notes that the IE SA concluded that, due to the failure to facilitate the right to
                                        213
       object under Article 21 GDPR       , the lack of any consideration of the right to private life (as enshrined
       in Article 7 of the Charter) 214 or data minimisation   21, and the insufficient consideration of the impact
                                                                      216
       of the processing on the purpose limitation principle            , Meta IE has not demonstrated that its
       legitimate interests in processing for behavioural advertising outweigh the fundamental rights and
                                    217
       freedoms of data subjects       . In particular regarding the right to object, the IE SA pointed out inter alia
       that ‘there is no ability in these [objection] tools to turn off processing of data collected directly by

       [Meta IE] for advertising purposes, including content, audio, metadata about content, apps and
       features used, transactions, hashtag and the time, frequency and duration of activities on [Meta IE]

       products’ as these categories of data would still be used for the purpose of behavioural advertising
       according to Meta IE’s privacy policy    21.


136. The IE SA also refers to a previous CJEUjudgment of 24 September 2019, where the CJEU held that the
       data subjects’ fundamental rights under Articles 7 and 8 of the Charter ‘override, as a rule (...) the
                                                   219
       economic interest’ of a private operator       .

137. The conclusion of the IE SA regarding the third condition was shared by a number of CSAs in their
       comments and reactions on the Meta IE Compliance Reports:


            •   On 4 May 2023, the NL SA concluded that ‘[t]he fundamental rights and freedoms of the data
                subject override the interest of [Meta IE] and the third parties involved’       22. The NL SA raised

                the following considerations:

                    o    ‘some of the data processed by [Meta IE] for the purpose of behavioural advertising
                         are special, sensitive kinds of personal data, which increase the weight attached to
                                                                               221
                         the interests of data subjects in the balancing act      ’
                    o    ‘Not only the type but also the sheer amount of data that is processed by a company

                         with the size of [Meta IE] should be taken into account in the balancing act. For the
                         purposes of behavioural advertisement, [Meta IE] processes a broad spectrum of

                         (special) personal data from millions of users. These data are analysed and possibly
                                                                           222
                         stored, adjusted, and reused on a daily basis.      ’



       212Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA
       FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 7.
       213
          IE SA Final Position Paper, paragraphs 7.60.-7.66., p. 19-21.
       214IE SA Final Position Paper, paragraphs 7.57, p. 19.
       215IE SA Final Position Paper, paragraph 7.59, p. 19.
       216IE SA Final Position Paper, paragraph 7.58, p. 19.
       217
          IE SA Final Position Paper, paragraph 7.67, p. 21, and paragraph 6.3., p. 5.
       218IE SA Final Position Paper, paragraph 7.65., p. 20-21, referring in footnote 29 to p. 54-55 of Meta IE’s privacy
       policy.
       219IESAFinalPositionPaper,paragraph7.57.,p.19,referringtoJudgmentoftheCourtofJusticeoftheEuropean

       Union of 24 September 2019, GC and Others, C-136/17; ECLI:EU:C:2019:773, paragraph 53. In this case, the
       private operator was a search engine. Also see case-law cited.
       220Views of the NL SA of 4 May 2023 on Meta IE’s choice of a new legal basis for the processing of personal data
       by Meta IE in the framework of Behavioural Advertising on its platforms Facebook and Instagram, paragraph 3.
       221
          Views of the NL SA of 14 May 2023, paragraph 43.
       222Views of the NL SA of 14 May 2023, paragraph 44.




       Adopted                                                                                                       35             o   ‘With regard to user expectations, the NL SA points out that, in line with the principle
                 of accountability, the assessment of user expectations should take place before the

                 processing is initiated under Art. 6(1)(f) GDPR. Controllers cannot simply "retroactively
                 adjust" the expectations of existing users and bring processing in line with Art. 6(1)(f)

                 GDPR, simply by providing them with some information – especially not when the
                 essence of this information is hard to grasp. 22’

             o   ‘Furthermore,asalsoconcludedbytheEDPBinitsdecision3/2022,20theNLSAagrees
                 withtheEDPBthatusersdonotsignupto[MetaIE]’sservicestobeservedpersonalized

                 content but for the sake of connecting with friends and family. Even in its changed
                 Terms of Service, [Meta IE] presents its services as “services that enable people to

                 connect    with    each     other,   build   communities…”.       The    connection    to
                 people/friends/family is therefore still theservicewith which [Meta IE] seeks to attract

                 newusers.Eventhough“buildingbusinesses”isinsertedasathird“goa”oftheservices
                 of [Meta IE], this does not create the reasonable expectation that users’ personal data
                                                                                224
                 will be processed for the purpose of behavioural advertising’     .
             o   ‘NL SA therefore concludes that users do not expect or should reasonably expect that

                 their data are processed for the sake of behavioural advertising as done by [Meta
                 IE].25’

             o   ‘Consideringthegravityoftherisksidentified,NLSAfindsthat[MetaIE]indeedtreads
                 very lightly on these risks and their mitigation.26’

             o   ‘The NL SA therefore finds that the right to object as provided for in the GDPR, a core
                 right when processing is undertaking on the basis of Art. 6(1)(f) GDPR, is therefore not
                                                   227
                 properly respected by [Meta IE]’    .


    •   On 12 May 2023, the ES SA identified the following shortcoming in Meta IE’s assessment of
        the balancing test:

             o   ‘Regarding the impact on data subjects, it is not established that it does not concern
                 sensitive data.
             o   As regards the way in which data is processed, data is processed massively,

                 comprehensively and in combination with all types of data obtained from other
                 sources, without taking into account the principle of data minimization.

             o   As regards the data subject’s reasonable expectations, the data typology reflected in
                 the privacy policy is not easily understandableto the average user, who does not know

                 exactlywhatdataisbeingprocessedandwhattheextentofsuchprocessingis.Inorder
                 for the user to know what type of data is being processed and how they are being

                 processed, the user must also look up several documents.
             o   As regards the position of the controller and the data subject, there is no balance of

                 power, Meta [IE] is a large company which imposes its conditions on its users without
                 they have the possibility of choosing or not certain processing operations and which of




223Views of the NL SA of 14 May 2023, paragraph 45.
224Views of the NL SA of 14 May 2023, paragraph 46.
225
226Views of the NL SA of 14 May 2023, paragraph 49.
   Views of the NL SA of 14 May 2023, paragraph 51.
227Views of the NL SA of 14 May 2023, paragraph 63.


Adopted                                                                                                 36                        their data are processed. There is also no analysis of how the [processing] affects

                        vulnerable sectors, and how to mitigate possible negative effects.
                    o   Finally, with regard to the additional safeguards included to prevent undue impact on

                        data subjects, as already stated, the principle of data minimization is not taken into

                        account, there is no indication of what actions [Meta IE] takes to prevent the
                        processing of sensitive data indirectly and, as explained below, the GDPR is not
                                                                       228
                        complied with regard to the right to object.’     [emphasis added in bold]

           •   On 15 May 2023, the FI SA stated that ‘[Meta IE]´s legal interests assessment (...) seems to be

               rather one-sided and superficial and fails to convince why the interests of [Meta IE] or third
               parties should override the interests and fundamental rights of the data subjects’    229.


           •   On 23 May 2023, the IT SA notes in relation to Meta IE Legitimate Interests Assessments that
               ‘it is as if the controller were shifting the burden of proof regarding legitimate interest as the

               legal basis of processing on the data subjects – who conversely should be called into play as
               key actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the
                                                                                               230
               necessity of the processing and performing the required balancing exercise’        .

           •   In the NO SA Order, the NO SA rejects Meta IE’s assumption that the data subjects

               undisputedly want and expect behavioural advertising based on monitoring and profiling of
               their behaviour  231. Therefore, according to the NO SA, Meta IE’s assessment of the elements
               of Article 6(1)(f) GDPR has been skewed    23. In addition, the NO SA refers to the paragraph 117

               of the CJEU Bundeskartellamt Judgment, which held that ‘data subjects cannot reasonably
               expect that the operator of the social network will process that user’s personal data, without

               his or her consent, for the purposes of personalised advertising’        233. Further, the NO SA
               considers that informing data subjects about behavioural advertising processing does not

               mean that it falls within their reasonable expectations and in any case, data subjects are not
               realistically able to read the privacy policies of every service used, including Meta IE’s privacy
                       234
               policies   . The NO SA also argues that Meta IE fails to show that Meta IE’s interests outweigh
               the rights and freedoms of data subjects    23.

                                                                         236
138. The IE SA made an overall conclusion on the three-step test            that Meta IE has not demonstrated
       compliance with Article 6(1)(f) GDPR for the processing at stake    237. The IE SA highlighted, both in the

       IE SA Provisional Position Paper and IE SA Final Position Paper that this conclusion stems from the
       following reasons: (1) ‘[Meta IE] has not made out that the processing is necessary for legitimate

       interests. Its explanations of the impact of the processing on its business are too vague to allow the [IE


       228Views of the ES SA of 12 May 2023, p. 5.
       229ViewsoftheFISAof15May2023,preliminary remarksonMeta´snewlegalbasisinrelationtotheprocessing

       of personal data for the purposes of behavioural advertising in Facebook and Instagram services, p. 2.
       230ViewsofITSAonthelegalbasisorderandtransparency orderrelatingtotheIE SAFBDecision,p.2,and views
       of IT SA on the legal basis order and transparency order relating to the IE SA IG Decision of 23 May 2023, p. 2.
       231NO SA Order, p. 15-16.
       232
          NO SA Order, p. 15-16.
       233NO SA Order, p. 17.
       234NO SA Order, p. 16.
       235NO SA Order, p. 17-23.
       236
          IE SA Final Position Paper, paragraphs 7.27-7.28, p. 12-13, referring to the CJEU Bundeskartellamt Judgment,
       paragraph 126.
       237IE SA Final Position Paper, paragraph 7.30, p. 13.




       Adopted                                                                                                  37       SA] to determine that there is no less intrusive alternative that can be pursued’, (2) ‘[Meta IE] has not

       demonstrated that the balancing favours its processing. In particular, the opt-out mechanism provided
       does not comply with the GDPR’    238. The conclusions of the IE SA regarding the results of the three-step
       testwassharedbyanumberofCSAs,whichalsoraisedtheinappropriaterelianceby Meta IEtoArticle

       6(1)(f) GDPR:

           •    On 18 April 2023, the AT SA stated that processing operations in connection with ‘behavioural
                                                                                    239
                advertising processing’ cannot be based on Article 6(1)(f) GDPR        .
           •    On 12 May 2023, the ES SA indicated that Meta IE Legitimate Interests Assessments ‘did not

                demonstrate that the processing carried out by Meta IE with the purpose of behavioural
                advertisement can be based on [A]rticle 6(1)(f) [GDPR] since it does not meet the requirements

                of this article’0.

           •    In the NL SA Mutual Assistance Request sent on 30 May 2023, the NL SA expressed concerns
                as to Meta IE’s reliance on Article 6(1)(f) GDPR, taking into account ‘thefact that thecontroller

                could not have been unaware of already established guidance from the EDPB, nor of the
                position of several CSAs on the matter, but chose to explore the path of Article 6(1)(f) [GDPR]
                            241
                regardless’   . The NL SA states that ‘Meta [IE] cannot invoke Article 6(1)(f) [GDPR] as a valid
                legalbasistoprocessthepersonaldataofitsusersforthepurposesofbehaviouraladvertising’,

                and that this conclusion is ‘in line with several EDPB and WP29 Guidance documents, which
                underpin that the appropriateness of using Article 6(1)(f) [GDPR] as a legal basis for the
                                                                242
                processing concerned is highly questionable’      .

139. In previous judgments, the CJEU clarified that when carrying out the ‘balancing test’, the data

       controller ‘must take account of the significance of the data subject’s rights arising from Articles 7 and
       8 of the Charter’ 24.


140.   In its Bundeskartellamt Judgment, the CJEU held the following obiter dictum:

               ‘as can be seen from recital 47 of the GDPR, the interests and fundamental rights of the data
               subject may in particular override the interest of the data controller where personal data are
                                                                                                                244
               processed in circumstances where data subjects do not reasonably expect such processing             .’

               ‘(...) such processing must also be necessary in order to achieve that interest and the interests
               or fundamental freedoms and rights of the data subject must not override that interest. In the

               contextofthatbalancing oftheopposingrightsatissue,namely,thoseofthecontroller,onthe
               one hand, and those of the data subject, on the other, account must be taken, as has been

               noted (...) above, in particular of the reasonable expectations of the data subject as well as the
               scale of the processing at issue and its impact on that person.    24’



       238IE SA Final Position Paper, paragraph 6.3, p. 5 ; IE SA Provisional Position Paper, paragraph 5.3, p. 4 (in

       239ghtly different terms).
          IMI report on Compliance in the Facebook case.
       240Views of the ES SA, 12 May 2023, p. 6.
       241NL SA Mutual Assistance Request, p. 2.
       242NL SA Mutual Assistance Request, p. 1, where a reference is made to the EDPB Guidelines 8/2020 on the

       targeting of social media users.
       244CJEU Bundeskartellamt Judgment, paragraph 112.
       244CJEU Bundeskartellamt Judgment, paragraph 112.
       245CJEU Bundeskartellamt Judgment, paragraph 116.




       Adopted                                                                                                    38                ‘In this regard, it is important to note that, despite the fact that the services of an online social

                network such as Facebook are free of charge, the user of that network cannot reasonably
                expectthattheoperatorofthesocialnetworkwillprocessthatuser’spersonaldata,without

                his or her consent, for the purposes of personalised advertising. In those circumstances, it
                must be held that the interests and fundamental rights of such a user override the interest of

                thatoperatorinsuchpersonalisedadvertisingbywhichitfinancesitsactivity,withtheresult
                that the processing by that operator for such purposes cannot fall within the scope of point
                                                                               246
                (f) of the first subparagraph of Article 6(1) of the GDPR.’       [emphasis added]

141. In the IE SA Provisional Position Paper issued before the CJEU Bundeskartellamt Judgment, the IE SA
       provisionallyfoundthatMetaIEhadnotdemonstratedcompliancewithArticle6(1)(f)GDPR                      247asMeta

       IE had not demonstrated that it could rely on Article 6(1)(f) GDPR        248. The IE SA then confirmed that
       Meta IE has not demonstrated compliance with Article 6(1)(f) GDPR following the analysis of the CJEU

       Bundeskartellamt Judgment as it states in its Final Position Paper that ‘Prior to the date of [the
       Bundeskartellamt]judgment,the[IESA]hadanalysed[MetaIE]’srelianceonArticle6(1)(f)[GDPR]and

       had come to the provisional conclusion that [Meta IE] had not demonstrated compliance with that
       provision’ and that‘theCJEUindicated that there aresignificant barriers to [Meta IE] seeking to rely on
                                                                                                          249
       Article 6(1)(f) [GDPR] for the behavioural advertising processing at issue in that judgment’         .

142. The EDPB notes Meta IE’s arguments regarding the alleged irrelevance of the CJEU Bundeskartellamt
                  250
       Judgment      . Meta considers that this judgment ‘does not rule out Article 6(1)(f) [GDPR] “as a matter
       of principle” as a valid legal basis for [Meta IE]’s Behavioral Advertising Processing. The judgment

       assessed Article 6(1)(f) [GDPR] (and the element of “necessity”) in the context of different processing
       than is at-issue here (i.e., data collected off-[Meta]     25, and to a limited extent cross-product data

       processing, as opposed to data collected on-[Meta] products). (...) Further, the CJEU did not (and could
       not as a matter of law) issue a blanket finding that users’ interests will always outweigh [Meta IE]’s
       and third parties’ legitimate interests in the context of personalised advertising (...)   252.’


143. As regards the scope of the CJEU Bundeskartellamt Judgment, the EDPB notes the references made to
       data collection from other services of the group to which an operator belongs         25.




       246
          CJEU Bundeskartellamt Judgment, paragraph 117.
       247IE SA Provisional Position Paper, paragraph 6.26, p. 11.
       248IE SA Provisional Position Paper, paragraph 5.3, p. 4.
       249IE SA Final Position Paper, paragraph 7.26, p. 12.
       250
          MetaIE’sResponsetoIESA’sProvisionalPositionPaperof4August2023,section1.5(A).SeealsoENGVersion
       of Meta IE Merits Complaint submitted to the Oslo District Court of 16 October 2023 (corrected), p. 38 and Meta
       IE’s Submissions of 26 September 2023, p. 10-11.
       251Data collected ‘off’-Meta products refers data collected outside of Meta’s products, such as on third-party

       websites, apps and certain offline interactions (e.g., purchases).
       252Meta IE’s Response to IE SA’s Provisional Position Paper of 4 August 2023, section 1.5 (A) and section 2 for a
       more detailed analysis of the CJEU Bundeskartellamt Judgment.
       253In that regard, paragraph 86 of the CJEU Bundeskartellamt Judgment states: ‘By Questions 3 and 4, which it is

       appropriate to examine together, the referring court asks, in essence, whether and under what conditions points
       (b)and(f)ofthefirstsubparagraphofArticle6(1)oftheGDPRmustbeinterpretedasmeaningthattheprocessing
       of personal data by the operator of an online social network, which entails the collection of data of the users of
       such a network from other services of the group to which that operator belongs or from visits by those users to

       third-party websites or apps, the linking of those data with the social network account of those users and the use
       of such data, may be considered to be necessary for theperformance of a contract to which the data subjects are
       party, within the meaning of point (b), or for the purposes of the legitimate interests pursued by the controller or




       Adopted                                                                                                      39144. The EDPB acknowledges that the behavioural advertising processing that Meta carries out in reliance
                                                                                               254
       ofArticle6(1)(f)GDPRandthatisexaminedforthepurposeofthissection4.1.1.3                     relatestopersonal
       data collected on Meta’s products while, according to Meta IE, the CJEU Bundeskartellamt Judgment

       mostly relates to personal data obtained from third party advertising partners outside of Meta’s
       products. However, the EDPB considers that this Judgment, addressed to Meta IE, Meta Platforms Inc.
                                             255
       and Facebook Deutschland GmbH           , outlines the way the balancing exercise may be carried out for
       the purpose of behavioural advertising, which is also relevant for personal data collected on Meta’s
       products.


145. The EDPB recalls its previous guidelines where it highlighted that ‘it would be difficult for controllers to
       justify using legitimate interests as a lawful basis for intrusive profiling and tracking practices for

       marketing or advertising purposes, for example those that involve tracking individuals across multiple
       websites, locations, devices, services or data-brokering.   256’

146.    The EDPB considers that this guidance is relevant for the processing at stake carried out by Meta IE,

       which,asprovidedintheEDPBBindingDecisions,isintrusivegivenitsscaleandtheextensiveamounts
       of data that is processed by Meta IE   257. In those decisions, the EDPB outlined ‘the complexity, massive

       scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the
       Facebook [or Instagram] service’    25. In other words, ‘[b]ehavioural advertising, as briefly described in

       [paragraph 95 of the EDPB Binding Decision 3/2022 and paragraph 98 of the Binding Decision
       4/2022  259] is a set of processing operations of personal data of great technical complexity, which has a


       by a third party, within the meaning of point (f). That court asks, in particular, whether, to that end, certain
       interests which it explicitly lists constitute ‘legitimate interests’ within the meaning of the latter provision.’
       254
          Meta IE indicates to rely on Art. 6(1)(a) GDPR to process personal data obtained by Meta IE from third party
       advertising partners. Such data is about users’ activity off-Meta’s products. See footnotes 89 and 149 above in
       that regard.
       255The request for a preliminary ruling in the CJEU Bundeskartellamt Judgment has been made in proceedings

       betweenMetaPlatformsInc.,formerlyFacebookInc.,MetaPlatformsIrelandLtd,formerlyFacebookIrelandLtd,
       andFacebookDeutschlandGmbH,ontheonehand,andtheBundeskartellamt.MetaIEoperatestheonlinesocial
       network Facebook in the EU. See CJEU Bundeskartellamt Judgment, paragraphs 2 and 26.
       256Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes

       of Regulation 2016/679, adopted on 3 October 2017, as last Revised and Adopted on 6 February 2018, endorsed
       by the EDPB on 25 May 2018, p. 15. This was referred to by the NO SA in the NO SA Order, p. 9. This same
       statement wasreiterated by the EDPB in theEDPB Guidelines on the targeting of social media users, Version 2.0,
       adopted on 13 April 2021, paragraph 56.
       257EDPB Binding Decision 3/2022, paragraph 444 and EDPB Binding Decision 4/2022, paragraph 413.
       258
          EDPB Binding Decision 3/2022, paragraph 96 and the EDPB Binding Decision 4/2022, paragraph 99.
       259Paragraph 95 of EDPB Binding Decision 3/2022 states: ‘These requests for preliminary rulings mention that
       [Meta IE] collects data on its individual users and their activities on and off its Facebook social network service
       via numerous means such as the service itself, other services of the Meta group including Instagram, WhatsApp

       and Oculus, third party websites and apps via integrated programming interfaces such as Facebook Business
       Tools or via cookies, social plug-ins, pixels and comparable technologies placed on the internet user’s computer
       or mobile device. According to the descriptions provided, [Meta IE] links these data with the user’s Facebook
       account to enable advertisers to tailor their advertising to Facebook’s individual users based on their consumer

       behaviour, interests, purchasing power and personal situation. This may also include the user’s physical location
       to display content relevant to the user’s location. Meta IE offers its services to its users free of charge and
       generates revenue through this personalised advertising that targets them, in addition to static advertising that
       is displayed to every user in the same way.’

       Paragraph 98 of EDPB Binding Decision 4/2022 states: ‘These requests for preliminary rulings mention that Meta
       IE collects data on its individual users and their activities on and off its Facebook service via numerous means
       suchastheserviceitself,otherservicesoftheMetagroupincludingInstagram,WhatsAppandOculus,thirdparty
       websites and apps via integrated programming interfaces such as Facebook Business Tools or via cookies, social




       Adopted                                                                                                     40       particularlymassiveandintrusivenature”      260.TheIESAreiteratedthisconclusionintheIESADecisions:

       ‘ItisthereforeclearthattheBoardconsiders(...)thenatureandscopeoftheprocessingtobeextensive,
       complex, intrusive and on a massive scale’   261.

147. In light of the above and taking into account the legal analysis provided by the IE SA (see for example

       in paragraphs 135 and 138 above, as supported by the assessment performed by the of the CSAs), the
       EDPB considers that the interests and fundamental rights of data subjects override the legitimate

       interests put forward by Meta IE for the processing of personal data collected on Meta’s products for
       the purposes of behavioural advertising, with the result that Meta IE did not fulfil the third condition

       of Article 6(1)(f) GDPR.

148. In light of the above analysis of the EDPB from paragraph 111 to 147, the EDPB considers that Meta IE
       inappropriately relies on Article 6(1)(f) GDPRto process personal data collected on its products for the

       purpose of behavioural advertising.


          4.1.1.3.4     Conclusion as to the infringement of Article 6(1) GDPR

149. The compliance approach adopted by Meta IE has been assessed in the IE SA Final Position Paper as
       follows:

           •   Meta IE seeks to still rely on Article 6(1)(b) GDPR to process some specific categories of

               personal data  262, for advertising purposes 263;

           •   Meta IE seeks to rely on Article 6(1)(f) GDPR to process other personal data for the purposes
               of behavioural advertising   264- solely for personal data collected on Meta’s products   265;

           •   Meta IE relies on Article 6(1)(a) GDPR to process personal data provided to Meta IE by third
               party advertising partners  266.


150. Meta IE                                                                    is willing to rely on Article 6(1)(a)
       GDPR as its legal basis
                                                                        267
                            through the Meta IE’s Consent Proposal        .

151. The EDPB highlights the need to assess the compliance of the processing activities within the scope of

       the IE SA Decisions with Article 6(1) GDPR at this point in time.






       plug-ins, pixels and comparable technologies placed on the internet user’s computer or mobile device164.
       According to the descriptions provided, Meta IE links these data with the user’s Facebook account to enable
       advertiserstotailortheiradvertisingtoFacebook’sindividualusersbasedontheirconsumerbehaviour,interests,

       purchasing power and personal situation. This may also include the user’s physical location to display content
       relevanttotheuser’slocation.MetaIEoffersitsservicestoitsusersfreeofchargeandgeneratesrevenuethrough
       this personalised advertising that targets them, in addition to static advertising that is displayed to every user in
       the same way.’
       260
       261EDPB Binding Decision 3/2022, paragraph 123 and the EDPB Binding Decision 4/2022, paragraph 126.
          IE SA FB Decision, paragraph 9.23 and IE SA IG Decision, paragraph 243.
       262See paragraph 91 above.
       263IE Final Position Paper, paragraphs 6.2 and 7.1-7.22.
       264
       265IE Final Position Paper, paragraphs 6.3 and 7.23-7.67.
          IE Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to the IE SA of 30 June 2023.
       266IE SA Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to the IE SA of 30 June 2023.
       267Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2.




       Adopted                                                                                                   41                                268. For the sake of clarity, the EDPB specifies that Meta IE’s Consent Proposal

       was not assessed in its merits for the purposes of this urgent binding decision. In this regard, the EDPB
       may only take note of the existence of an ongoing evaluation of the Meta IE’s Consent Proposal by the

       IE SA and the CSAs.

152. According to the EDPB, there is an ongoing infringement of Article 6(1) GDPR arising from

       inappropriate reliance on Article 6(1)(b) GDPR for processing of personal data, including location data
       and advertisement interaction data collected, on Meta’s products for behavioural advertising
                  269
       purposes     .

153. Inaddition,theEDPBconcludes thatthereisanongoinginfringementofArticle6(1)GDPRarisingfrom

       inappropriate reliance on Article 6(1)(f) GDPR for processing personal data collected on Meta’s
       products for behavioural advertising purposes       27.


       4.1.2 On the infringement of the duty to comply with decisions by supervisory authorities


       4.1.2.1    Summary of the overall position of the NO SA

154. According to the NO SA, since the deadline for complying with the IE SA Decisions was 5 April 2023 but
       the infringement of Article 6(1) GDPR still persists more than six months later, Meta IE failed to ensure
                                                                                                                     271
       compliance with the IE SA Decisions, and hence infringed its duty to comply with the SAs’ decisions              .
       The NO states further that there is consensus on the European level between the IE SA and the CSAs
                                                         272
       that the processing continues to be unlawful         , and that ‘as acknowledged by the IE SA itself, Meta IE
       has failed to ensure compliance with [the IE SA Decisions]’           273. The NO SA stated that this non-
                                                                                        274
       compliance constitutes in itself an independent violation of the GDPR                for which Article 83(5)(e)
       GDPRenvisagesafinewhichmaybeimposedinadditiontothefinesimposedbytheIESADecisions                              275.


       4.1.2.2    Summary of the position of the controller

155. MetaIEstatedthat,priortotheIESADecisions,itreliedonArticle6(1)(b)GDPRinagoodfaithmanner
                                                                      276
       and its ‘bona fide belief that it was lawful for it to do so’    .

156. Following to the IE SA Decisions, Meta IE argued that it took substantial steps to bring its processing
                                                                                         277
       activities into ‘what it believes was compliance with [the IE SA] decisions’         , including by changing its
       legal basis from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR for the processing of personal data
                                                                                    278
       collected on its products for the purposes of behavioural advertising          .


       268


       269See the analysis carried out above in Section 4.1.1.2.3 and paragraphs 98-99.
       270See the analysis carried out above in Section 4.1.1.3.3 and paragraph 148.
       271NO SA Request to the EDPB, p. 6.
       272
          NO SA Request to the EDPB, p.12.
       273NO SA Request to the EDPB, p. 6.
       274NO SA Request to the EDPB, p. 6 and Letter from the NO SA to the IE SA dated 11 October 2023, p. 2.
       275NO SA Request to the EDPB, p. 6.
       276
          Letter from Meta IE to NO SA of 4 August 2023, in relation to right to be heard, paragraph 65.
       277Letter from Meta IE to NO SA of 4 August 2023, in relation to the right to be heard, dated paragraph 65.
       278 Meta IE’s Compliance Report regarding the Facebook Service (IN-18-5-5) of 3 April 2023 (hereinafter,
       ‘Compliance Report on IE SA FB Decision’), paragraph 2.1 and Meta IE’s Compliance Report regarding the

       Instagram Service (IN-18-5-7) of 3 April 2023 (hereinafter, ‘Compliance Report on IE SA IG Decision’), paragraph
       2.1 (together, the ‘Compliance Reports’).




       Adopted                                                                                                        42157. Meta IE takes the view that neither the EDPB Binding Decisions nor the IE SA Decisions ordered Meta

       IE to rely on a specific legal basis for the processing of personal data collected on its products for
       behavioural advertising purpose under Article 6(1) GDPR, such as Article 6(1)(a) GDPR             27. As a result,

       Meta IE still currently seeks to rely on Article 6(1)(b) GDPR to process some specific categories of
       personaldatathatitdoesnotconsidertobebehaviouraldata                 28,andonArticle6(1)(f)GDPRtoprocess
                                                                               281
       other personal data for the purposes of behavioural advertising            - solely for personal data collected
       on its products  282.


158. After considering the IE SA Provisional Position Paper (including the IE SA’s interpretation of the CJEU
       Bundeskartellamt Judgment), Meta IE stated that it was willing to implement the necessary measures

       to rely on Article 6(1)(a) GDPR as its legal basis for processing for the purpose of behavioural
       advertising through the Meta IE’s Consent Proposal         28.


159. After considering the IE SA’s Final Position Paper, Meta IE stated that it considered itself as compliant
       with the IE SA Decisions
                                                                  284
                                                                    .

                                                                 285
                                                                    .

       4.1.2.3    Analysis of the EDPB

160. TheEDPBrecallsthatArticle60(10)GDPRprovidesforthedutyforthecontrollerto‘takethenecessary

       measures to ensure compliance with the decision [taken in the context of the cooperation mechanism]
       as regards processing activities in the context of all its establishments in the Union’       28.


161. The EDPB also recalls that non-compliance with an order of an SA pursuant to Article 58(2) GDPR
       constitutes an infringement that may be sanctioned by way of an administrative fine pursuant to
                                                          287
       Article 83(5)(e) GDPR and Article 83(6) GDPR         .








       279Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 4 and

       280
          See paragraph 91 above and the IE SA Final Position Paper, paragraphs 6.2 and 7.1-7.22.
       281IE SA Final Position Paper, paragraphs 6.3 and 7.23-7.67.
       282See paragraph 104 above and the IE SA Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to

       the IE SA of 30 June 2023.
       283Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2.
       284Meta IE’ Submissions of 25 August 2023, paragraph 61.
       285Meta IE’s Submissions of 25 August 2023, paragraph 64.
       286
          Article 60 GDPR.
       287According to Art. 83(5)(e) GDPR, ‘non-compliance with an order or a temporary or definitive limitation on
       processingorthesuspensionofdataflowsbythesupervisory authoritypursuanttoArticle 58(2)[GDPR]orfailure
       to provide access in violation of Article 58(1) [GDPR]’ is an infringement that ‘shall, in accordance with

       paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 %
       of the total worldwide annual turnover of the preceding financial year, whichever is higher’. Art. 83(6) GDPR
       provides: ‘Non-compliance with an order by the supervisory authority as referred to in Article 58(2) [GDPR] shall,
       in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the

       case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year,
       whichever is higher’.




       Adopted                                                                                                         43162. The EDPB confirms, in line with the view of the NO SA            288, that non-compliance with decisions of
                                                                                     289
       supervisory authorities is in itself an independent violation of the GDPR       .

163. As already noted above, the IE SA Decisions required Meta IE to, inter alia, take the necessary action

       to address the finding that Meta IE is not entitled to process personal data for behavioural advertising
       on the basis of Article 6(1)(b) GDPR and to bring its processing of personal data for behavioural
                                                                           290
       advertising purposes into compliance with Article 6(1) GDPR.           Also, the IE SA made clear that the
       actions Meta IE should take to comply with the IE SA Decisions may include, but were not limited to,
                                                                                            291
       the identification of an appropriate alternative legal basis in Article 6(1) GDPR       and may include the
       implementation of any necessary measures required to satisfy the conditionality associated with
                                                  292
       that/those alternative legal basis/bases      . The deadline for compliance with the IE SA Decisions was
       5 April 2023.


       The EDPB notes that in the IE SA Final Position Paper, the IE SA found that Meta IE failed to
       demonstrate compliance with the IE SA Decisions, and states that Meta IE ‘failed to demonstrate that

       it no longer relies on Article 6(1)(b) GDPR to process personal data for behavioural advertising’ and
       ‘failed to demonstrate that it has a lawful basis to process Platform behavioural Data for behavioural
                    293
       advertising’   .

164. The EDPB notes that the NL SA also stated that ‘As Meta [IE] has publicly stated that it already makes
       useofArticle6(1)(f)[GDPR]asalegalbasis,thisconclusionmeansthat-atthemoment-personaldata

       of millions of European data subjects are being processed without there being a valid legal basis. This
       moreovermeansthat Meta[IE]doesnotcomplywiththe[IESA]’s orderinthe[IESADecisions]tobring
                                                                   294
       these processing operations in line with Article 6 GDPR’.

165. The EDPB notes the view of the IE SA that neither the GDPR nor Irish national law prescribes the

       mannerinwhichtheassessmentofthestepstakenby thecontrollerinpurportedcompliance withthe
       orders of an SA should be carried out   295. In this respect, the EDPB notes that Meta IE does not contest

       that the IE SA’s findings made subsequently to the IE SA Decisions are made ‘to implement the existing
       [IE SA] decisions pursuant to Article 60(10) GDPR’.   296

166. In respect of Meta IE’s argument that it fully complied with the IE SA Decisions by taking, first,

       substantial steps to bring its processing activities into compliance by 5 April 2023       297and, secondly,
       steps in the direction of theMeta IE’s Consent Proposal     29, the EDPB highlights that these elements do


       288
          Letter from the NO SA to the IE SA of 17 September 2023 in relation to the right to be heard, p. 7.
       289‘Non-compliance with a corrective power previously ordered may be considered either as an aggravating
       factor, or as a different infringement in itself, pursuant to Art. 83(5)(e) and Art. 83(6) GDPR. Therefore, due note

       should be taken that the same non-compliant behaviour cannot lead to a situation where it is punished twice’,
       EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1, paragraph 103.
       290See IE SA FB Decision, paragraph 10.44b; IE SA IG Decision, paragraph 212.
       291IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 10.
       292
          IE SA FB Decision, paragraph 8; and IE SA IG Decision, paragraph 212.
       293IE SA Final Position Paper, section 8, p. 25. In relation to Meta IE’s reliance on Article 6(1)(b) GDPR, also see
       paragraphs 96-99 above. In relation to Meta IE’s reliance on Art. 6(1)(f) GDPR, also see paragraphs 121, 135, 138
       above.
       294
          NL SA Mutual Assistance Request, p. 2.
       295Letter of the IE SA to Meta IE of 14 June 2023, p. 1-2.
       296Meta IE’s Submissions of 26 September 2023, p. 12 and 13.
       297Meta IE’s Submissions of 26 September 2023, p. 10 and Meta IE’s Submissions of 16 October 2023, p. 5. See

       also Meta IE’s Submissions of 25 August 2023, p. 33.
       298Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2.




       Adopted                                                                                                     44       notinthemselvescontradicttheconclusionthatatthispointintimecompliancewithArticle6(1)GDPR

       for the processing activities within the scope of the IE SA Decisions has not yet been achieved while
       the deadline to implement the IE SA Decisions was 5 April 2023.





       4.1.2.4   Conclusion as to the infringement of the duty to comply with decisions by supervisory
                 authorities

167. InlightofitsfindingsthatMetaIEstillreliesinappropriatelyonArticle6(1)(b)GDPRtoprocesspersonal
       data, including location data and advertisement interaction data, collected on its products for the

       purpose of behavioural advertising   300and on Article 6(1)(f) GDPR to process personal data collected
       onitsproductsforthepurposeofbehaviouraladvertising         301theEDPBfinds,inlinewiththeconclusions
                           302                                                           303           304
       drawn by the IE SA     and with the views expressed in particular by the NO SA                     in the
       courseof the proceedings, that Meta IE did not achievecompliancewith the IE SADecisions within the

       deadline for compliance and is therefore currently in breach of its duty to comply with decisions by
       supervisory authorities.


       4.2 On the existence of urgency to adopt final measures by way of derogation

             from the cooperation and consistency mechanisms

168. The second element to assess pursuant to Article 66(2) GDPR is the existence of an urgency situation

       justifying a derogation from the regular cooperation procedure.

169. TheurgentinterventionoftheEDPBpursuanttoArticle66(2)GDPRisexceptional,andderogatesfrom
       the general rules applicable to the regular consistency and cooperation mechanisms.

170. Considering the fact that the urgency procedure under Article 66(2) GDPR is a derogation to the

       standardconsistencyand cooperationmechanisms,itmustbeinterpretedrestrictively.Therefore,the
       EDPB may request final measures under Article 66(2) GDPR only if the regular cooperation or

       consistency mechanisms cannot be applied in their usual manner, due to the urgency of the
       situation30.

171. In addition, Article 61(8) GDPR provides that, where an SA does not provide the information referred

       to in Article 61(5) GDPR within one month of receiving a mutual assistance request from another SA,
       the ‘urgent need to act under Article 66(1) [GDPR] shall be presumed to be met and require an urgent

       binding decision from the Board pursuant to Article 66(2) [GDPR]’. If such a presumption applies, the
       urgent natureofan Article 66(2)requestforan urgentbinding decisioncan be presumed and doesnot
                                 306
       need to be demonstrated      .




       299
         LetterfromNO SAtoMetaIE andFacebookNorway of17September2023 in relationtotherighttobeheard,
       p. 9.
       30See paragraphs 98-99, and 152 above.
       30See paragraphs 148 and 153 above.
       30IE SA Final Position Paper, section 8, p. 25.
       303
         NO SA Request to the EDPB, p. 6.
       304
       30EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 167.
       30EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 170.




       Adopted                                                                                                45172. In the present procedure, the NO SA requested the EDPB to adopt a decision pursuant to Article 66(2)

       GDPR, in order to urgently request the IE SA to impose final measures on Meta IE. The request has
       been made following to the adoption of provisional measures pursuant to Article 66(1) GDPR        307which
       are only applicable in Norway, and are only valid for three months.


173. In the sections below, the EDPB analyses first whether the circumstances of the present case
       demonstrate theexistence ofurgencyandtheneedtoderogatefromthecooperationandconsistency

       mechanisms(section4.2.1below)beforeanalysingwhetherthepresumptiondescribedinArticle61(8)
       GDPR is applicable to the circumstances of the case (section 4.2.2).


       4.2.1 On the existence of urgency and the need to derogate from the cooperation and
               consistency mechanisms


       4.2.1.1   Summary of the position of the NO SA

174. The NO SA considers that ‘Regardless of the applicability of the Article 61(8) presumption, in the

       present case there is an urgent need for a binding decision from the EDPB in accordance with Article
       66(2) GDPR, in order to protect the rights and freedoms of data subjects’    30.

175. According to the NO SA, the processing in question is detrimental to individuals’ fundamental rights,

       and failing to put an end to this processing would thus expose these data subjects to a risk of serious
       and irreparable harm  309. In more details, the NO SA takes the view that:

           •   Theinfringementshavebeenoccurringforasignificantamountoftimeandareofanespecially

               serious nature, as they have a considerable impact on the users of Meta’s products whose
               online activities are ‘constantly, intrusively and opaquely monitored and profiled by Meta’,

               which ‘may give rise to the feeling that their private life is being continuously surveilled’.10

           •   The infringements affect over 250 million average monthly active users in the EU, including
               vulnerable data subjects in need of particular protection, such as minors, elderly people and
                                                  311
               people with cognitive disabilities   .
           •   The filtering of the specific ads that are displayed on Facebook or Instagram has an adverse
                                                                                                312
               effect on data subjects’ freedom of information and on political participation      while creating
               ‘a potential for reinforcement of existing stereotypes, and it can leave data subjects open to

               discrimination’ 313.

           •   Not taking urgent action to ensure compliance with the IE SA Decisions would deprive data
               subjects of the right to seek an effective remedy against a data controller from SAs under
                                314
               Article 77 GDPR     .






       307
          Art. 66(4) GDPR; as described in Section 2.1 above.
       308NO SA Request to the EDPB, p. 10.
       309NO SA Request to the EDPB, p. 10.
       310NO SA Request to the EDPB, p. 10, referring to CJEU Bundeskartellamt Judgment, paragraph 118.
       311
          NO SA Request to the EDPB, p. 10.
       312NO SA Order, p. 22.
       313NO SA Request to the EDPB, p. 10; NO SA Order, p. 22.
       314NO SA Order, p. 28.




       Adopted                                                                                                 46           •    The NO SA is of the view that there is no measure that could be applied retroactively to repair
                the violation of the rights and freedoms of data subjects     315.


176. In addition, the NO SA states that there has been a ‘continued refrainment from enforcement’ on the
       part of the IE SA 31. The NO SA takes the view that despite the fact that infringements are taking place

       appears uncontroversial among supervisory authorities, ‘the IE SA appears to be unwilling to demand
       that such infringements be ceased without any further delays’       31. In this respect, the NO SA states that

       thefailuretofirmlyandexpedientlyreacttonon-compliancewiththeIESADecisionsnotonlydeprives
       datasubjectsoftheprotectiontheyareentitledto,butisalsocontrarytosupervisoryauthorities’duty

       to ensure that the GDPR is respected in practice     318.

177. More generally, in the view of the NO SA, not reacting to Meta IE’s prolonged state of non-compliance
                                               319
       would set a dangerous precedent             as it would ‘invite dilatory strategies from non-compliant
       controllers’andunderminetheauthorityoftheIESA,theCSAsandtheEDPB                    320.FortheNOSA,afailure

       to adopt the requested urgent binging decision in the present circumstances would entail serious risks
       that the Article 66 GDPR mechanism would turn in to a ‘paper tiger’        32.


178. The NO SA argues that an EDPB urgent binding decision would be a narrow and strictly limited
       exceptiontotheprimacyoftheLSAinensuringcompliancewithanArticle60GDPRdecisionandwould
                                                                                                               322
       not set a precedent for derogating from the standard one-stop-shop cooperation procedure                   as it
       would be issued after the completion of an Article 60 GDPR process, following the adoption by the IE
                                   323
       SA of the IE SA Decisions      and given the fact that the IE SA does not envisage to start a new Article
       60 GDPR procedure     32.


179. Further, the NO SA argues that final measures would not interfere with
                                                          commitment to change the legal basis for behavioural
                                325
       advertising to consent      . According to the NO SA, ‘if Meta [IE] would be ordered to stop all such
       processing activities based on Article 6(1)(b) [GDPR] and [Article 6(1)] (f) pending the identification of

       a valid legal basis, it would have an incentive to expeditiously identify adequate and lawful solutions to
       resume its processing activities as soon as possible’   326.


180.





       315
          NO SA Rejection of Meta IE and Facebook Norway’s Request for Deferred Implementation of the Order dated
       7 August 2023, p. 1.
       316NO SA Order, p. 12.
       317
          NO SA Request to the EDPB, p. 6.
       318NO SA Request to the EDPB, p. 6.
       319Letter of NO SA to IE SA of 11 October 2023, p. 11.
       320NO SA Order, p. 28; NO SA Request NO SA Request to the EDPB, p. 12.
       321
          NO SA Request to the EDPB, p. 12, referring to the opinion of Advocate General Bobek in Case C‑645/19,
       Facebook Ireland and Others, paragraph 119 and paragraph 122.
       322NO SA Request to the EDPB, p. 12.
       323
          NO SA Request to the EDPB, p. 10-11, referring to IE SA Information on Procedure (response to SE SA) of 4
       May 2023 where the IE SA had indicated via the IE SA IMI Informal Consultations that they would ‘not be
       preparing any further decision in this matter’.
       324NO SA Request to the EDPB, p. 11.
       325
          NO SA Request to the EDPB, p. 11-12.
       326NO SA Request to the EDPB, p. 11-12.




       Adopted                                                                                                      47                                                                                                                327
                                                                                                                ’  .

                                                                                                       328
                                                                                                         .

181. The NO SA also recalls that in any event, the Meta IE’s Consent Proposal does not eliminate the urgent
       need to adopt final measures     329.




             330.


                                                                                                      331. Therefore, in
       the NO SA’s view, final measures constitute ‘the only way’ to stop the harm to data subjects’

       fundamental rights    33.


       4.2.1.2    Summary of the position of the controller

182. According to Meta IE, the circumstances of the case do not justify an urgent decision of the EDPB
       pursuanttoArticle66(2)GDPR        333.Inparticular,MetaIE recallsapriordecisionoftheEDPBstatingthat

       ‘the urgency procedure under Article 66(2) GDPR is a derogation to the standard consistency and
       cooperation mechanisms, it must be interpreted restrictively. Therefore, the EDPB will request final

       measures underArticle66(2)[GDPR] onlyif theregularcooperationor consistencymechanismscannot
       be applied in their usual manner due to the urgency of the situation’       334.


183. In this respect, Meta IE notes that the comments received by the IE SA from the CSAs show that the
       cooperation and consistency mechanism being led by the IE SA (which incorporates the views of

       numerous CSAs in addition to the views of the NO SA), is clearly functioning in accordance with Article
       60 GDPR, and argues that there is no reason to derogate from that mechanism              335. For this reason, in

       Meta IE’s view, the NO SA’s invocation of Article 66(1) GDPR and the NO SA Request to the EDPB are
       improper   33.


184. According to Meta IE, the urgency procedure interferes with the regular cooperation mechanism that
       the IE SA has been following to implement the IE SA Decisions        337. Meta IE’s view is that the process of



       327LetterofNOSAtoIESAof11October2023,p.2.SeealsoNOSARejectionofMetaIE’sandFacebookNorway’s
       RequestforDeferredImplementationoftheCoerciveFineof7August2023,p.1-2,wheretheNOSAgivesseveral
       arguments related to the fact that Meta IE has ‘not implemented any measures that would warrant lifting the

       Orderorwaivingthecoercivefine,as                                                                     thepersonal
       data of data subjects in Norway continue to be unlawfully processed for behavioural advertising purposes [...],


                                                                                             .
       328NO SA Request to the EDPB, p. 11.
       329NO SA Request to the EDPB, p. 11.
       330NO SA Request to the EDPB, p. 8.
       331
          NO SA Request to the EDPB, p. 8.
       332NO SA Request to the EDPB, p. 12.
       333Letter from Meta IE to IE SA of 31 May 2023, p.5; Letter from Meta IE to IE SA regarding potential urgent

       334ceedings of 21 June 2023, p. 4.
          Letter from Meta IE to IE SA dated 31 May 2023, p. 5, referring to EDPB Urgent Binding Decision 01/2021,
       paragraphs 195-196.
       335Meta IE’s Submissions of 16 October 2023, p. 4.
       336
          Meta IE’s Submissions of 16 October 2023, p. 4.
       337Meta IE’s Submissions of 26 September 2023, p. 12-13.




       Adopted                                                                                                        48       engagement between Meta IE and the IE SA pursuant to Articles 56(6) GDPR and Article 60(10) GDPR

       remains ongoing, and that there are no exceptional circumstances that would allow the NO SA to
       bypass such process    338.


185.    In addition, according to Meta IE, ‘the NO SA’s action directly conflicts with and undermines (i) the
       authority of the LSA, (ii) the role of other supervisory authorities across the EU/EEA who are
                                                                                                                 339
       appropriately engaging via the LSA-led process and (iii) the GDPR’s one-stop-shop mechanism’                 .

186. Meta IE also states that the existence of a disagreement between a LSA and a CSA does not, in itself,
       create a situation of urgency as such    340. In this respect, it states that ‘the fact that the [NO SA] appears

       to disagree with                          the [IE SA] cannot justify it resorting to the use of Article 66(2)
       [GDPR]’  341. Meta IE also states that there is no precedent for a SA using Article 66(2) GDPR to seek to

       ‘overrule and dictate the process that a LSA has put in place to assess compliance with the LSA’s own
       orders’ 342.


187. Regarding the nature of the infringements, Meta IE is of the view that the NO SA does not provide
       evidence of their alleged seriousness, and states that behavioural advertising is a common practice,
       widespread beyond Meta’s services       343.


188. Meta IE also argues that the fact that the behavioural advertising processing has been ongoing for
       manyyearsdoesnotjustifyanyurgencybut,rather,provesthatthereisnonewelementofurgency                             344.

       Meta IE highlights that the processing at stake in this case is the same processing as the one that has
       been ‘thesubject of detailed consideration by the[IE SA] (...)for over 4 years and by the EDPB, with the
                                         345
       awareness of SAs throughout’         . In this respect, Meta IE also recalls that in the EDPB Urgent Binding
       Decision 01/2021, the EDPB has established that ‘the mere continuation of processing, cannot, on its
                                              346
       own, justify an urgent need to act’      .

189. Meta IE considers that the EDPB Binding Decisions did not mandate it to rely on Article 6(1)(a) GDPR
       forbehaviouraladvertising processinganddidnotconcludeeither thatArticle6(1)(f)GDPRwasnotan


       338
          Letter from Meta IE to IE SA of 31 May 2023, p. 5; Letter from Meta IE to IE SA regarding potential urgent
       proceedings of 21 June 2023, p. 4.




                             .
       339Letter from Meta IE to the IE SA                                             of 10 August 2023, p. 2.
       340Meta IE’s Submissions of 26 September 2023, p. 1-2, 8. See also Meta IE’s Submissions of 16 October 2023, p.

       5.
       341Meta IE’s Submissions of 26 September 2023, p. 12.
       342Meta IE’s Submissions of 26 September 2023, p. 2.
       343MetaIE’sSubmissionsof26September2023,p.9.Morespecifically,MetaIEhighlightsthattheminimumage

       for using Facebook and Instagram is 13 andfor users agedbetween 13 and 17 only theage and locationare used
       to display ads.
       344Meta IE’s Submissions of 26 September 2023, p. 8-9. Meta IE also reiterated that the ‘alleged “urgency”
       claimed by the [NO SA] cannot be premised on the relevant processing (i.e. [Meta IE]’s use of on-platform data

       for behavioural advertising purposes), given this processing has been ongoing for years with the full knowledge
       of regulators, and the only recent development is that [Meta IE] has increased the level of data subjects’ control
       over this processing’, see Meta IE’s Submissions of 16 October 2023, p. 5.
       345See also Letter from Meta IE to IE SA of 31 May 2023, p. 5. Also see Letter from Meta IE to IE SA regarding

       potential urgent proceedings of 21 June 2023, p. 3.
       346Letter from Meta IE to IE SA of 31 May 2023, p. 5, referring to the EDPB Urgent Binding Decision 01/2021,
       paragraphs 195-196.




       Adopted                                                                                                         49       appropriate legal basis for the processing of personal data collected on Meta’s products for the
                                              347
       purpose of behavioural advertising        . Meta IE argues that it was only with the IE SA Final Position
       Paper that it became clear to it that its reliance on Article 6(1)(f) GDPR for such processing did not
                                          348
       comply with the IE SA Decisions      .

190. Meta IE also argues that the IE SA is not refraining from enforcing the GDPR against it, given that the

       IE SA shared a timeline with the CSAs and issued the IE SA Provisional Position Paper and then the IE
       SAFinalPositionPaper     34.


                         35.

191. Meta IE states further that any urgent binding decision would be counterproductive

                                                                        , and ultimately harm the interests of data
       subjects while generating administrative work for the EDPB, the IE SA, the CSAs and Meta IE          35. In this

       respect, it also highlights that the measures requested by the NO SA through the urgency proceedings
       had already been considered as objections during the previous Article 65 GDPR process, and rejected
                                                      352
       by the EDPB in the EDPB Binding Decisions         .

                353
                   .

       4.2.1.3    Analysis of the EDPB

192. Article 66(2) GDPR requires the SA requesting an urgent binding decision to provide reasons for

       requesting such opinion. This includes the need for the requesting SA to demonstrate an urgent need
       to act.


193. Therefore, the EDPB analyses, whether, on the basis of the views of the NO SA and of the controller,
       as well as on the basis of the elements in the file, the condition of urgency is met.

194. In this respect, the EDPB considered in a past decision that the nature, gravity and duration of an

       infringement, as well as the number of data subjects affected and the level of damage suffered by
       them, may play an important part when deciding whether or not there is an urgent need to act in a
                       354
       particular case    .

195. In relation to the nature and gravity of the infringements, the EDPB notes that its findings that Meta

       IE still relies inappropriately on Article 6(1)(b) GDPR to process personal data, including location data
       and advertisement interaction data collected on its products for the purpose of behavioural
                   355
       advertising     and on Article 6(1)(f) GDPR to process personal data collected on its products for the


       347Meta IE’s Submissions of 26 September 2023, p. 10.
       348Meta IE’s Submissions of 26 September 2023, p. 10 (Meta IE refers to national courts in the EU holding, prior

       totheIESADecisions,thatArt.6(1)(b)GDPRisanappropriatelegalbasis,andtothefactthat previousdecisions
       from the IE SA initially confirmed the possibility to rely on Art. 6 (1) (b) GDPR). See also Meta IE’s Submissions of
       16 October 2023, p. 5.
       349Meta IE’s Submissions of 26 September 2023, p. 7 and 9.
       350
          Meta IE’s Submissions of 26 September 2023, p. 11.
       351Meta IE’s Submissions of 26 September 2023, p. 3; see also Meta IE’s Submissions of 25 August 2023,
       paragraphs 46-48.
       352Meta IE’s Submissions of 26 September 2023, p. 7-8.
       353
          Meta IE’s Submissions of 26 September 2023, p. 9.
       354EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 169.
       355See paragraphs 98-995 and 152 above.




       Adopted                                                                                                     50                                             356
       purpose of behavioural advertising        relate to the same processing activities as those referred to in
       the IE SA Decisions adopted on the basis of EDPB Binding Decisions.

196. In this respect, the EDPB recalls its finding from the EDPB Binding Decisions, i.e. that the nature and

       gravity of the infringement of Article 6(1) GDPR are such that a risk of damage caused to data subjects
       is consubstantial with the finding of the infringement itself  357. In relation to Meta IE’s infringements of

       Article 6(1) GDPR with respect to behavioural advertisement practices, the EDPB found that they
       constituted a very serious situation of non-compliance with the GDPR, in relation to processing of

       extensive amounts of data    358, which is essential to the controller’s business model, and harming the
       rights and freedoms of millions of data subjects in the EEA    359.


197. The EDPB also already highlighted in its EDPB Binding Decisions the ‘complexity, massive scale and
       intrusiveness of the behavioural advertising practice that [Meta IE] conducts’          36. This view is still

       currently shared by the NO SA, which finds that Meta IE’s users’ online activities are ‘constantly,
       intrusively and opaquely monitored and profiled’ by Meta IE, which ‘may give rise to the feeling that
                                                            361
       their private life is being continuously surveilled’    . This view is also still shared by the NL SA, which
       expressed greatconcerns withrespect to the processingactivities atstakeinlightof‘thelargeamount

       of personal data being processed, the number of data subjects involved as well as the nature of the
       data that is being processed – including video, audio and mouse movement’         362.


198. The EDPB also clarified that at the time of the adoption of the EDPB Binding Decisions, bringing the
       processingintocompliancewiththeGDPRwouldallowtominimisethepotentialharmtodatasubjects
                                                 363
       created by the violations of the GDPR       . In the EDPB Binding Decisions, the elements of the ‘nature
       and gravity of the infringement’    364and the ‘number of data subjects affected’ - which were and still
                      365
       aresignificant    -ledtheEDPBtoconcludethat‘itisparticularlyimportantthatappropriatecorrective
       measuresbeimposed[...]inorderto ensurethat[MetaIE]complieswiththisprovisionoftheGDPR’                      366.


199.    When determining the transition period for bringing Meta IE’s processing into compliance with the
       GDPR, the EDPB requested that the IE SA gives ‘due regard to the harm caused to the data subjects by
                                                                                                 367
       the continuation of [Meta IE]’s infringement of Article 6(1) GDPR during this period’        .

200. The need for urgent action was fully acknowledged and clearly indicated in the IE SA Decisions          368.


       356
          See paragraphs 148 and 153 above.
       357EDPB Binding Decision 3/2022, paragraph 446 and EDPB Binding Decision 4/2022, paragraph 415.
       358EDPB Binding Decision 3/2022, paragraph 444 and EDPB Binding Decision 4/2022, paragraph 413.
       359
          EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284.
       360EDPB Binding Decision 3/2022, paragraph 96 and EDPB Binding Decision 4/2022, paragraph 99.
       361NO SA Request to the EDPB, p. 10, referring to CJEU Bundeskartellamt Judgment, paragraph 118.
       362NL SA Mutual Assistance Request, p. 2.
       363
          EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284.
       364EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281.
       365EDPB Binding Decision 3/2022, paragraph 445 and EDPB Binding Decision 4/2022, paragraph 414.
       366
       367EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281.
          EDPB Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288.
       368IESAFBDecision,paragraph8.10(‘[...]IdonotagreewithFacebook’ssubmissionthatthe[IESA]hasdiscretion

       to delay the activation of the timeline for compliance [...]. It is clear, from paragraph 286 of the Article 65 [GDPR]
       Decision, that the EDPB considered it necessary for Facebook to take the remedial action required to address the
       relevant infringements “within three months”. While Facebook has correctly identified that the EDPB has not
       expressly identified the starting point of this compliance period, the [IE SA]’s view is that it goes without saying

       that the starting point has to be the adoption and notification of the [IE SA]’s final decision, given that this is the
       earliest time from which the applicable timeline for compliance can start to run. Any contrary suggestion would




       Adopted                                                                                                     51201. In relation to the duration of the infringement and considering the above findings that Meta IE still

       relies inappropriately on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR to process personal data
       collected on its products for the purpose of behavioural advertising          369 despite the fact that the

       deadline for complying with the IE SA Decisions was 5 April 2023, the EDPB finds that data subjects are
       still faced with data processing activities that are unlawful   37. In relation to Meta’s argument that it is

       only on 18 August 2023 that the IE SA concluded that Meta IE’s reliance on Article 6(1)(f) GDPR for
       behaviouraladvertisingpurposewasinsufficienttocomplywiththeIESADecisions                 371,theEDPBshares

       the view of the NL SA expressed already on 30 May 2023 that ‘the controller could not have been
       unaware of already established guidance from the EDPB, nor of the position of several CSAs on the
                                                                                      372
       matter, but chose to explore the path of Article 6(1)(f) [GDPR] regardless’       .

202.    In this respect, the EDPB can only note that every additional day during which the processing activity

       at stake takes place without reliance on an appropriate legal basis causes supplementary harm to the
       data subjects and allows Meta to continue to collect significant amounts of personal data of millions

       of European individuals on a daily basis and to generate significant revenue from the unlawful
       processing of the personal data of millions of data subject in the EEA      37. It also observes, in line with

       the position of the NO SA, that there are no measures that could be applied retroactively to repair the
       violation of the rights and freedoms of data subjects    374.


203. Therefore, while in some cases the fact that an infringement has been continuing for a long time may
       serve to demonstrate that an urgent need to act does not arise       37, as recalled by Meta IE 376, the EDPB

       considers in this case that the situation is different. To the contrary, in this case, the fact that the
       processing activities are still performed without reliance on an appropriate legal basis represents an

       element in favour of concluding that there is an urgent need for final measures to be adopted, since
       despite the orders given in the IE SA Decisions and the different discussions regarding their

       implementations, Meta IE still processes unlawfully personal data and still does not comply with the
       IE SA decisions 377This is not dispelled by Meta IE’s arguments on the fact that more transparency and
       an opt-out mechanism were implemented         378, as these elements do not solve the underlying issue of

       the lawfulness of the processing   379and the related harm caused on data subjects.





       be inconsistent with the need for urgent action that was clearly indicated to be required in paragraphs 286, 288

       and 290 of the Article 65 Decision. It would further render meaningless the EDPB’s consideration of the
       compliance period in terms of a fixed number of months (in this case, three)’). An analogous wording is present
       in paragraph 214 of the IE SA IG Decision.
       369See paragraphs 152 and 153 above.
       370
          EDPB Binding Decision 3/2022, paragraph 446 and EDPB Binding Decision 4/2022, paragraph 415.
       371Meta IE’s Submissions of 26 September 2023, p. 11 and Meta IE’s Submissions of 16 October 2023, p.5.
       372NL SA Mutual Assistance Request, p. 2.
       373In this respect, Meta IE states that ‘any suspension of behavioural advertising in Norway for nearly a three

       month period would irreparably damage [Meta IE] as it would suffer (i) many millions of Euros in lost advertising
       revenue during this period’, see Meta IE’s Letter to the NO SA of 14 August 2023, p.9.
       374NOSARejectionofMetaIE’sandFacebookNorway’sRequestforDeferredImplementationoftheOrderdated
       7 August 2023, p. 1.
       375
          See, for instance, EDPB Urgent Binding Decision 01/2021, paragraphs 195-196.
       376Letter from Meta IE to IE SA of 31 May 2023, p. 5, referring to the EDPB Urgent Binding Decision 01/2021,
       paragraphs 195-196.
       377See sections 4.1.1.4 and 4.1.2.4 above.
       378
          Meta IE’s Submissions of 26 September 2023, p. 9.
       379See paragraphs 152 and 153 above.




       Adopted                                                                                                     52204. The EDPB recalls in this respect the NO SA’s argument that the failure to firmly and expediently react

       to non-compliance with the IE SA Decisions deprives data subjects of the protection that they are
       entitled to 380.


205. The EDPB finds, in light of the above and in line with the view of the NO SA, that failing to put an end
       tothe processingactivities atstakeand toenforcetheIESADecisionsexposes datasubjects toarisk
                                            381
       of serious and irreparable harm         . The NO SA, alongside other CSAs, have also expressed the view
       that further measures are urgently needed in this case not only to address the situation of non-

       compliance with the GDPR but also put an end to the harm to data subjects.

206. The SE SA expressed the need for further action after the circulation of Meta IE Compliance Reports
                                                                                            382
       and asked ‘the [IE] SA what procedure [the SE SA] can expect going forward’             .

207. The NL SA
                         ”383, echoing its previous call to the IE SA “to swiftly undertake adequate actions in

       order to cease the continuous illegality of the invasive processing of personal data of millions of
       users’ 38. It is also important to recall the NL SA Mutual Assistance Request           38, according to which

       ‘appropriate and expedient action is required to protect the fundamental rights of millions of data
       subjects in the Netherlands as well as throughout the European Economic Area’           386 and that SAs should

       be ‘acting together’ on this ‘as cooperating European supervisory authorities under the lead of the [IE
       SA]’ 38.


208. Similarly, already after the circulation of the IE SA Provisional Position Paper to the CSAs, the DE
       Hamburg SA requested the IE SA ‘to swiftly reach a consolidated position that [Meta IE] has not

       demonstrated the legal basis and suspend the processing, which is based on Art[icle] 6 (1) [(b) GDPR]
       and [Article 6 (1)] (f) GDPR for behavioural advertising’    388.

209. In the EDPB Binding Decisions, the EDPB made clear that urgent action was already required in

       December 2022 and decided that, at that time, the order for compliance to be imposed on Meta IE
       should require Meta IE to restore compliance within a short period of time           389. In doing so, the EDPB


       380
       381NO SA Request to the EDPB, p. 6.
          See paragraph 175 above, and NO SA Request to the EDPB, p. 10.
       382SE SA comment in IE SA IMI Informal Consultations of 4 May 2023.
       383                                                                                                     .
       384
          Views of the NL SA on the Compliance Reports of 4 May 2023, in IMI informal consultation on FB case and in
       IMI informal consultation on IG case, paragraph 4.
       385The NL SA made the NO SA Mutual Assistance Request on 30 May 2023 and requested the IE SA to inform
       them by 30 June 2023:

       (i) ‘Of its conclusion as to whether [Meta IE] can or canno invoke Article 6(1)(f) GDPR for the processing of the
       personal data of its users for the purposes of behavioural advertising, more specifically for a large part of the
       processing operations for which [Meta IE] previously relied on Article 6(1)(b) [GDPR];’ and
       (ii) ‘Of its conclusion as to whether [Meta IE] does or does not comply with the [IE SA]’s final decision of 31

       December 2022, ordering [Meta IE] to bring these processing operations in line with Article 6 GDPR;’ and
       (iii) ‘Of a timeframe in which appropriate and expedient action will be taken to ensure that [Meta IE] acts in
       compliance with Article 6 GDPR, to protect the fundamental rights of millions of data subjects affected by this
       processingoperation,intheNetherlandsaswellasthroughouttheEuropeanEconomicArea(EEA).Inthisrespect,

       the [NL SA] attaches significant weight to the connection between the controller’s non-compliance with Article 6
       GDPR and its failure to comply with the [IE SA]’s order. In our view, this warrants prompt intervention’
       386NL SA Mutual Assistance Request, p. 1.
       387NL SA Mutual Assistance Request, p. 2.
       388
          Views of the DE Hamburg SA on IE SA Provisional Position Paper of 21 July 2023, p. 2.
       389Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288.




       Adopted                                                                                                        53       recalled the IE SA’s reasoning on the three-month deadline already provided by the IE SA its draft
               390
       decision   forcomplianceforthetransparencyinfringements,whichitconsideredtobenecessaryand
       proportionate in light of: (1) the potential for harms to the data subjects’ rights that such a measure
       entails, considering that the interim period for compliance ‘will involve a serious ongoing deprivation

       of their rights’, (2) the significant financial, technological, and human resources and (3) the clear
       instructions provided to Meta IE to comply with GDPR     39. The EDPB therefore instructed the IE SA to

       include in itsfinaldecision anorder for Meta IE tobringitsprocessingof personaldata forthepurpose
       of behavioural advertising in the context of the Facebook service into compliance with Article 6(1)
                                   392
       GDPR within three months       .

210.   Importantly, the understanding that the timeframe to be left to Meta IE to achieve compliance with
       the GDPR needed to be a fixed one was also shared by the IE SA in the IE SA Decisions, where the IE SA

       referredto theEDPBBindingDecisions andexplainedthatclearly ‘theEDPBconsidereditnecessary for
       [Meta IE] to take the remedial action required to address the relevant infringements ‘within three
                                                                                                393
       months’ and indicated a ‘need for urgent action’, and with ‘a fixed number of months’      .

211. The EDPB previously established that urgency procedures under Article 66 GDPR are derogations from
       the standard consistency and cooperation mechanism and that the requirements of Article 66 GDPR
                                         394
       must be interpreted restrictively   . Therefore, the EDPB considers that it may request final measures
       underArticle 66(2)GDPRonlyiftheregularcooperationorconsistency mechanismscannotbeapplied
                                                                     395
       in their usual manner due to the urgency of the situation        . Therefore, the EDPB assesses in this
       section whether there is a need to derogate from the regular cooperation and consistency

       mechanisms in this case.

212. In this particular case, the IE SA already adopted the IE SA Final Decisions under the one-stop-shop
       procedure on the basis of the EDPB Binding Decisions, containing an order for compliance with Article

       6(1) GDPR. Pursuant to Article 60(10) GDPR, the controller shall notify the measures taken for
       complying with a decision taken in the cooperation mechanism with the LSA, which shall inform the

       CSAs.

213. The EDPB Guidelines on the application of Article 60 GDPR highlight that the ‘obligation [of the
       controllertonotifytotheLSAthemeasurestakentocomplywiththedecision]ensurestheeffectiveness

       of the enforcement. It is also the basis of possible necessary follow-up actions to be commenced by the
       LSA, also in cooperation with the other CSAs’ 396.

214. These guidelines further point out that if the LSA concludes that the measures taken are insufficient,

       the LSA should, as part of its legal duty to inform the CSAs, consider providing the other CSAs with its
       assessmentofthemeasuresadoptedbythecontroller,inparticularinordertodecidewhetherfurther






       390
         IE SA draft decision relating to Facebook, paragraph 8.4, IE SA draft decision relating to Instagram, paragraph
       202.
       39Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288.
       39Binding Decision 3/2022, paragraph 288 and Binding Decision 4/2022, paragraph 290.
       39IE SA FB Decision, paragraph 8.10; IE SA IG Decision, paragraph 214.
       394
         EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraphs 165-167.
       395EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 167. Also see paragraph 169
       above.
       39EDPB Guidelines 02/2022 on the application of Article 60 GDPR, adopted on 14 March 2022, paragraph 248.




       Adopted                                                                                                54       actions are necessary     397.This indicates that where the measures adopted by the controller are

       considered to be insufficient, there may be a need for the LSA to take further actions.

215. In the case at hand, the IE SA concluded in the IE SA Final Position Paper, also relying upon the

       comments shared and views expressed by the CSAs, that Meta IE failed to demonstrate compliance
       with the IE SA Decisions    398. However, it also considered that it was ‘fair’ and ‘reasonable’ to provide

       Meta IE with an opportunity to demonstrate that it can rely on consent as a lawful basis rather than
       engaging in enforcement measures        399.


216. The IE SA has also reiterated its position, as LSA, that no further urgent actions are necessary in this
       case, as the course of action already being taken, consisting in ‘an enforcement procedure[...] in which

       adefinedsetofproposals,bywhich[MetaIE]proposestoachievecompliancewithitsobligationsunder
       Article 6 GDPR (and the terms of the [IE SA] Decisions), is the subject of ongoing assessment by the [IE
                                                                       400
       SA] and the CSAs’, is adequately addressing the situation          .

217. In this respect, the EDPB acknowledges the need to evaluate the proposal being made by the
       controller, and that this entails the ‘examination of a number of particularly complex (and novel)

       issues’ 401. The EDPB also fully acknowledges that a ‘regulatory process’ is ‘being conducted under the
       GDPR’s cooperation and consistency framework’, led by the IE SA,




                                                                     402.

218.
                                     403
                                        .

                                      404
                                        .






                                        he EDPB therefore finds that the existence of the Meta IE’s Consent

       Proposal does not undermine the need to take actions to ensure that the unlawful processing comes
       to an end.


219. In this context, the EDPB notes that the IE SA acknowledged in its Final Position Paper - more than four
       monthsafter the deadlineforcompliance-that Meta IEstill infringesthe GDPR                405.The EDPBfindsthat

       the fact that the IE SA did not take supervisory measures to put an end to Meta IE’s inappropriate
       reliance on 6(1)(b) and 6(1)(f) GDPR and to enforce the IE SA Decisions, despite the risk of serious and



       397
          EDPB Guidelines 02/2022 on the application of Article 60 GDPR, adopted on 14 March 2022, paragraph 249.
       398IE SA Final Position Paper, paragraph 9.2.
       399IE SA Final Position Paper, paragraph 9.2.
       400Letter of IE SA to NO SA of 13 October 2023, p. 4.
       401
          Letter of IE SA to NO SA of 13 October 2023, p. 4-5.
       402Letter of IE SA to NO SA of 13 October 2023, p. 6.
       403Letter of IE SA to NO SA of 13 October 2023, p. 4-5.
       404IE SA’s Response to Meta IE of 11 August 2023 p. 2. The


       405IE SA Final Position Paper, paragraph 8.1.




       Adopted                                                                                                         55       irreparable harm caused to data subjects     406, shows that the regular cooperation and consistency

       mechanismisnotprovidingsatisfactoryresults,andthatthereisaneedtorequesttheIESAtourgently
       order final measures due to the urgency of the situation. In this respect, the EDPB notes that while

       now six months after the deadline for compliance have passed, there is still no clear indication that
       compliancewillbereached soonnoristhereaclearindicationthatthe IESA -asLSA-intendstoadopt
                                                                         407
       corrective measures in order to end the ongoing infringements       .

220. In conclusion, the EDPB finds, in light of the circumstances described above, that the regular
       cooperation or consistency mechanisms cannot be applied in their usual manner, and that due to

       the risk of serious and irreparable harm without urgent final measures, there is a need to derogate
       from the regular cooperation and consistency mechanisms to order final measures due to the urgency

       of the situation.

221. Lastly, the EDPB considers it relevant to recall the SAs’ duty to monitor the application of the GDPR in
       order to protect the fundamental rights and freedoms of natural persons in relation to processing and
                                                                    408
       to facilitate the free flow of personal data within the EU     . In particular, the EDPB has stated that
       when a violation of the GDPRhas been established, competent supervisory authorities are required to
                                                         409
       react appropriately to remedy this infringement     . The powers afforded to SAs by Article 58 GDPRare
       aimed to fulfilling this goal. Similarly, the Court of Justice of the European Union held that ‘(...)

       [a]lthough the supervisory authority must determine which action is appropriate and necessary (...),
       the supervisory authority is nevertheless required to execute its responsibility for ensuring that the
                                                     410
       GDPR is fully enforced with all due diligence’   .

       4.2.2 On the application of a legal presumption of urgency justifying the need to derogate

               from the cooperation and consistency mechanisms

222. Intheprecedentsection,theEDPBfoundthatthereisaneedtoderogatefromtheregularcooperation
                                                                                                       411
       and consistency mechanisms to order final measures due to the urgency of the situation            . In this
       section, the EDPB assesses whether such urgency and need to derogate from the regular cooperation
       and consistency mechanisms may also be presumed on the basis of Article 61(8) GDPR.

                                         412
223. Considering the facts of the case     , the EDPB will assess whether this case falls within the description
       provided by Article 61(8) GDPR, which refers to the situation where an SA does not provide the

       information referred to in Article 61(5) GDPR within one month of receiving a mutual assistance
       request from another SA. Article 61(8) GDPR provides that the ‘urgent need to act under Article 66(1)

       [GDPR] shall be presumed to be met and require an urgent binding decision from the Board pursuant
       to Article 66(2) [GDPR]’. If such a presumption applies, the urgent nature of an Article 66(2) request
                                                                                                   413
       for an urgent binding decision can be presumed and does not need to be demonstrated           .





       406See paragraph 205 above.
       407
       408See paragraphs 215-216 above
          Article 51(1) GDPR and Recital 123 GDPR.
       40EDPBBindingDecision3/2022,paragraph278 and EDPB Binding Decision 4/2022, paragraph 280 (referring to
       CJEU Judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, ECLI:EU:C:2020:559, paragraph 111).
       410
       411Judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, ECLI:EU:C:2020:559, paragraph 112.
          See EDPB analysis under 4.2.1.3
       412See Section 1 of this urgent binding decision.
       413EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 170.




       Adopted                                                                                                 56224. As mentioned, the NO SA Mutual Assistance Request was made on 5 May 2023 - see paragraphs 10,

       13, and 15 above describing the NO SA Mutual Assistance Request and the response provided by the
       IE SA.


       4.2.2.1    Summary of the position of the NO SA

225. The NO SA considers that Article 61(8) GDPR is applicable in this case       414 because the IE SA replied ‘No,

       I cannot comply with the request’ to the NO SA Mutual Assistance Request ‘without providing any
       specific justification other than referring to another letter it sent to all of the CSAs on 31 May 2023’    415.

       The NO SA also argues that the ‘IE SA did not provide a reasoned refusal’ as per Article 61(4) GDPR,
       ‘nor did it inform [the NO SA] of results or progress of any measures taken in order to respond to [their]
       request to ban the unlawful processing of personal data and to enforce compliance with Article 6(1)

       [GDPR]’  41. According to the NO SA, the content of the letter of 31 May 2023 was a simple
       announcement of when the IE SA would finalise its review of the Meta IE Compliance Reports, but it

       ‘didnotprovideanyinformationonthespecific enforcementplan[they]requested,nordiditannounce
       any specific or envisaged enforcement action with respect to Meta IE, despite [their] request to that
              417
       effect’   .

226. In view of the NO SA there ‘were no measures taken in order to respond to the request’, and within a

       month from the NO SA Mutual Assistance request, ‘the IE SA had complied with neither of [their]
       demands’   41. The NO SA also indicates that their demands remain unfulfilled due to the fact that the

       IE SA considers it fair and reasonable not to engage in enforcement measures despite its conclusion
       that Meta IE is currently failing to rely on a valid lawful basis for behavioural advertising   419.

227. To support the view that Article 61(8) GDPR is applicable to the present case, the NO SA refers to an

       opinion of Advocate General Bobek stating that where a LSA fails to address a CSA mutual assistance
       request, the latter may adopt provisional measures in circumstances in which ‘the urgent need to act
                                               420
       ispresumed andneednotbeproven’            .TheNOSAalsomentionsthe existenceofprecedentdecisions
       applying the Article 61(8) GDPR presumption, in particular a decision from the IT SA related to Meta IE

       where the SA similarly considered that a failure from the LSA to address their request legitimately
       allowed for a derogation to the cooperation mechanism and the triggering of an Article 66 GDPR
                            421
       urgency procedure      .

228. The NO SA underlines that - contrary to the factual circumstances that led the EDPB to conclude that
                                                                422
       Article 61(8) was not applicable in a previous case          - ‘the communications regarding the present
       matter between the NO SA and the IE SA were made using the procedure for MA [Mutual Assistance]



       414NO SA Request to the EDPB, p. 7-8.
       415NO SA Request to the EDPB, p. 8.
       416NO SA Request to the EDPB, p. 8.
       417
          NO SA Request to the EDPB, p. 8.
       418NO SA Request to the EDPB, p. 8;
       419NO SA Request to the EDPB, p. 8, referring to the IE SA Final Position Paper. It may be useful to also note that
       the NO SA, in its Letter to the IE SA of 21 September 2023 (p.1), states they understand the IE SA has chosen not

       to follow the NO SA Mutual Assistance Request because in spite of preliminarily concluding that Meta IE is still
       notoperatingincompliancewithArt.6(1)GDPRtheydidnotindicateanycorrespondingenforcementmeasures.
       420NO SA Request to theEDPB,p. 9, referring to Opinion of Advocate General Bobek in Case C‑645/19, Facebook
       Ireland and Others, paragraph 119 and paragraph 135.
       421
          NO SA Request to the EDPB, p. 9, referring to Italian SA’s decision of 21 December 2022 [9853406], available
       at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9853406#english.
       422NO SA Request to the EDPB, p.9 referring to EDPB Urgent Binding Decision 01/2021, paragraphs. 171-181.




       Adopted                                                                                                     57       requests pursuant to Article 61(1) GDPR, and not the procedure for Voluntary Mutual Assistance
                            423
       (“VM[A]”) requests’    .

       4.2.2.2   Summary of the position of the controller

                                                                                                         424
229. Meta IE argues that, in this case, no ‘presumption of urgency arises under Article 61(8) GDPR’         . Meta
       IE indicates that in order to rely on Article 61(8) GDPR presumption of urgency, the NO SA ‘must show

       that the [IE SA] failed to respond to the [NO SA’s Mutual Assistance Request]’ but considers that the
       NO SA ‘cannot show this’   425. Meta IE states that the NO SA’s ‘attempt to rely on the presumption of

       urgency in Article 61(8) GDPR is misconceived as a matter of law and contradicts the factual record of
       communications’ between the IE SA and the NO SA         426. According to Meta IE, the IE SA ‘adequately
       addressed the [NO SA Mutual Assistance Request] by providing the information the [NO SA]requested’

       and the NO SA ‘distort[s] and mischaracterize[s] the substance and nature of the correspondence’ with
       the IE SA427.


230. In MetaIE’sview,the NO SA MutualAssistance Requestdid not ‘request the[IE SA] to detail a “specific
       enforcement plan” or “specific or envisaged enforcement action” that it would “impose on [Meta IE] in

       the event of non-compliance”, as this is not what is entailed by the request of the NO SA to the IE SA
       to share “a timeline specifying how it will ensure in an expedient manner that Meta [IE] complies with
                            428
       Article 6(1) GDPR”’    . Rather, according to Meta IE, this wording referred to a request to share a
       timeline, which the IE SA provided ‘on numerous occasions’      429and this demonstrates that there was

       ‘noinactionorfailuretocommunicatebythe[IESA]whichthe[NOSA]cannowrelyontoinvokeArticle
       61(8) [GDPR]’ 430.

231. According to Meta IE, ‘the [IE SA]’s decision not to immediately implement the[NOSA]’s own preferred

       enforcement measures did not amount to a failure to adequately respond to the [NO SA Mutual
       AssistanceRequest].NothinginArticle61(1)GDPRrequiressuchblindobediencebyanLSAtowhatever

       actions a CSA might request it to take. [...] The [IE SA] adequately addressed the [NO SA Mutual
       Assistance Request] by providing the information the [NO SA] requested’      431. It also states that ‘Article

       61(5) GDPR [...] does not require an LSA to commit in advance to impose any specific corrective
       measures within any specific timeframe’     43. Meta IE further elaborates that while ‘Article 61 GDPR

       cannot be used by a single SA to demand that an LSA adopt corrective measures with respect to
       processing that is subject to an ongoing LSA-led compliance proceeding’, the IE SA later provided
                                                                            433
       reasons ‘for declining to issue an immediate ban on processing’         . In this regard, Meta IE is of the
       opinion that corrective measures cannot be requested ‘with respect to processing that is subject to an

       ongoing LSA-led compliance proceeding’ as this could ‘undermine the one-stop shop mechanism and


       423NO SA Request to the EDPB, p.9-10.
       424Meta IE’s Submissions of 25 August 2023, p. 18-21; Meta IE’s Submissions of 16 October 2023, p. 5-8;
       Annexure 1 to Meta IE’s 16 October 2023 Letter, p.17; Annexure 12 to Meta IE’s 16 October 2023 Letter, p.49-

       53.
       425Meta IE’s Submissions of 25 August 2023, p. 19; Meta IE’s Submissions of 16 October 2023, p. 5.
       426Meta IE’s Submissions of 26 September 2023, p. 5.
       427Meta IE’s Submissions of 16 October 2023, p. 5.
       428
          Meta IE’s Submissions of 26 September 2023, p. 5, referring to the NO SA Mutual Assistance Request.
       429Meta IE’s Submissions of 25 August 2023, p. 19.
       430Meta IE’s Submissions of 26 September 2023, p. 7.
       431Meta IE’s Submissions of 26 September 2023, p. 2; Meta IE’s Submissions of 16 October 2023, p. 5.
       432
          Meta IE’s Submissions of 16 October 2023, p. 5.
       433Meta IE’s Submissions of 16 October 2023, p. 6, referring to (i) Meta IE’s Merit Complaint submitted to the
       OsloDistrictCourtannexedtoMetaIE’sSubmissionsof16October2023,andto(ii)theIESAFinalPositionPaper.




       Adopted                                                                                                  58       the LSA’s duty to consider all CSAs views in connection with that mechanism’         434. In addition, Meta IE

       argues that the request ban on processing had already been ‘considered and rejected by the EDPB in a
       prior Article 65 GDPR binding decision’   435.


232. In Meta IE’s view, the IE SA addressed the NO SA’s Mutual Assistance Request via the IE SA Update to
       CSAs of 31 May 2023as it contained ‘relevant information’ and allowed to inform the NO SA of ‘the
                                                                                436
       progress of the measures taken in order to’ address the request            . Considering that the IE SA did
       address the request on 31 May 2023, it therefore did not refuse to do so when it provided its negative
       response on IMI on 2 June 2023 because this response was accompanied with a reference to the IE SA

       Update to CSAs of 31 May 2023        437. Meta IE further details that the IE SA had explained that the
       negativeresponseonIMIwastheresultofa‘mistake’andthattheNOSA’smessagetotheIESAshows

       that the NO SA ‘did not believe [...] that the [IE SA] had failed to respond’ to the request    438. In support
       of this, Meta IE mentions a message from the NO SA to the IE SA stating: ‘Thank you for your message

       of 2 June 2023. We understand that you will revert towards the end of June’ and ‘we will await your
       response towards the end of June’    439.


233. Meta IE considers that the NO SA did not object to the IE SA Provisional Position Paper and did not
       mention any alleged failure by the IE SA to respond to the NO SA Mutual Assistance Request, ‘despite

       invoking Article 61(8) GDPR in the [NO SA] Order to attempt to argue that urgency may be presumed
       due to an alleged failure to respond by the [IE SA]’  440. Furthermore, Meta IE argues that the NO SA ‘did

       not raise any complaints about the[IE SA]’s proposed timetable prior to issuing theOrder, even though
       that is what it would have been expected to do first if it had genuine concerns about urgency’        44.

234. Concerning the NO SA’s reference to the opinion of Advocate General Bobek in Case C-645/19, Meta

       IE indicates that ‘considering the lengthy procedural history, which includes the [IE SA] imposing the
       NOYB Decisions and properly conducting an ongoing compliance procedure, the NO SA cannot

       reasonably argue that the[IE SA] has failed to act. The [IE SA] is acting, and also fully cooperating with,
       the other SAs’ 442.


       4.2.2.3    Analysis of the EDPB

235. The cooperation mechanism in the GDPR provides for different tools for the SAs to exchange among

       themselves and perform their tasks. One of such tools is mutual assistance pursuant to Article 61
       GDPR. Under this provision, SAs ‘shall provide each other with relevant information and mutual

       assistance in order to implement and apply [the GDPR] in a consistent manner, and shall put in place


       434
          Meta IE’s Merits Complaint submitted to the Oslo District Court annexed to Meta IE’s Submissions of 16
       October 2023, p. 52.
       435Meta IE’s Merits Complaint submitted to the Oslo District Court annexed to Meta IE’s Submissions of 16
       October 2023, p. 52, referring to (i) EDPB Binding Decision 3/2022, paragraph 285 and to (ii) EDPB Binding

       Decision 4/2022, paragraph 287.
       436Meta IE’s Submissions of 16 October 2023, p. 5, referring to the IE SA Update to CSAs of 31 May 2023.
       437Meta IE’s Submissions of 16 October 2023, p. 6.
       438Meta IE’s Submissions of 16 October 2023, p. 6.
       439
          Meta IE’s Submissions of 16 October 2023, p. 6, referring to the message sent by the NO SA to the IE SA via
       the IMI flow relating to the NO SA Mutual Assistance Request on 9 June 2023.
       440Meta IE’s Submissions of 25 August 2023, p.9, referring to an email dated 14 July 2023 from the NO SA to the
       IE SA informing of the Provisional Measures being taken.
       441
          Meta IE’s Submissions of 26 September 2023, under footnote 41 p. 12.
       442Meta IE’s Complaint to the NO SA regarding the NO SA Order, 1 August 2023, p. 17; Meta IE’s Submissions of
       25 August 2023, p.21.




       Adopted                                                                                                     59                                                             443
       measuresfor effective cooperationwith oneanother’        .Thesame provisionalsoexplains that mutual
       assistance ‘shall cover, in particular, information requests and supervisory measures, such as requests
                                                                                            444
       to carry out prior authorisations and consultations, inspections and investigations’   .

236. The EDPB recalls that Article 61 GDPR on mutual assistance belongs to Section 1 of Chapter VII of the
       GDPR related to cooperation. In this regard, the EDPB considers Article 61 GDPR to be one of the

       mechanismsforsupervisoryauthorities toensure properand efficient cooperation.Consequently, the
       concept of mutual assistance rooted in the GDPR entails ‘sincere and effective cooperation’      445and
       requires concrete actions from a supervisory authority receiving a mutual assistance request

       (hereinafter, ‘Requested SA’). More specifically, the obligations of a Requested SA can be listed in a
       logical sequence as follows:

           •   Article 61(2) GDPR: ‘each SA shall take all appropriate measures required to reply to a request

               of another SA’;
           •   Article 61(2) GDPR: the Requested SA shall reply within a specific timeframe (‘without undue

               delay and no later than one month after receiving the request’);
           •   Article61(4) GDPR:the Requested SAmust‘complywiththerequest’inallcases exceptforthe

               situations mentioned in Article 61(4) (a) and (b);
           •   Article61(5)GDPR,firstsentence:‘therequestedSAshallinformtherequestingSAoftheresult

               or, as the case may be, of the progress of the measures taken in order to respond to the
               request’;

           •   Article 61(5) GDPR,secondsentence: ‘therequested SAshall providereasonsforany refusal to
               comply with a request pursuant to paragraph 4’;

           •   Article 61(6) GDPR: the Requested SA shall, as a rule, supply the information by electronic
               means, using a standardised format.


237. Article 61(9) GDPR provides the possibility for the European Commission (hereinafter the ‘EC’) to
       specify, by means of implementing acts, the format and procedures for mutual assistance and the

       arrangementsfortheexchangeofinformationbyelectronicmeansbetweenSAs.On16May2018,the
       EC adopted an implementing act relating to the use of the EC Internal Market Information system for
       GDPR consistency and cooperation procedures, including for Article 61 GDPR mutual assistance

       requests (IMI) (hereinafter, the ‘IMI Implementing Act’) 446.

238. The IMI procedure dedicated to Article 61 GDPR mutual assistance requests is a one-to-one workflow.
       This entails that the request can only be addressed to, and received by, the Requested SA. Similarly,

       the reply will only be addressed to, and received by, the SA that made the mutual assistance request
       (hereinafter, the ‘Requesting SA’). Pursuant to Article 3(3) of the IMI Implementing Act, this dedicated

       workflow is to be used for the different exchanges between authorities in the framework of an Article


       44Article 61(1) GDPR.
       44Article 61(1) GDPR.
       44Onhow a ‘lead supervisory authority cannot, in the exercise of its competences, [...]eschew essential dialogue

       with and sincere and effective cooperation with the other supervisory authorities concerned’, see Judgment of
       the Court of Justice (Grand Chamber) of 15 June 2021, in case Facebook Ireland Ltd and Others v
       Gegevensbeschermingsautoriteit, C-645/19, ECLI:EU:C: 2021:483, paragraph 63.
       44EC Implementing Decision (EU) 2018/743 of 16 May 2018 on a pilot project to implement the administrative
       cooperation provisions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council by
       means of the Internal Market Information System C/2018/2814, https://eur-lex.europa.eu/legal-

       content/EN/TXT/?uri=uriserv%3AOJ.L .2018.123.01.0115.01.ENG&toc=OJ%3AL%3A2018%3A123%3ATOC.



       Adopted                                                                                              60       61 GDPR mutual assistance request. This includes, in particular, ‘requesting mutual assistance from
       another supervisory authority in the form of information and/or supervisory measures’, ‘responding to
       a mutual assistance request including acceptance or in exceptional cases refusals to comply with the

       request’, and ‘communication of the progress and the result of measures taken in order to respond to
       the request’44. The use of this dedicated IMI workflow also allows for the automatic monitoring of the

       one-month deadline to reply to a request pursuant to Article 61(2) GDPR.

239. Being a one-to-one workflow in the IMI, an Article 61 GDPR mutual assistance procedure is a type of
       bilateral communication to be distinguished from other bilateral or multilateral communication

       channels that are made available in IMI for other types of GDPR cooperation mechanisms. While a
       mutual assistance request can be connected to developments occurring within multilateral
       communication channels, the initiation of a mutual assistance request by a supervisory authority

       opens a dedicated workflow for exchanges between the Requesting and Requested SAs only.

240. Pursuant to Article 61 GDPR, a Requested SA is under a legal obligation to address a mutual assistance
       request. The only possibility for a Requested SA to refuse to address a request is where it provides
                                                                                                     448
       reasons for refusing to comply, in line with the two limited exceptions of Article 61(4) GDPR    and as
       provided in the last sentence of Article 61(5) GDPR 44. While the possibility to provide information on
       the results or progress of the measures taken within the one-month timeframe gives some discretion

       to the Requested SA, the duty to cooperate also implies that the Requested SA must always take
       certain concrete steps to address the given request, or duly justify why it does not do so. In an
       exceptional situation where a Requested SA does not provide appropriate information on the

       measurestaken,theprogressmade,oronthedulyreasonedgroundswhyitcannotsatisfytherequest,
       within one month of receiving the request, the Requesting SA may consider that the conditions of

       Article 61(8) GDPR are met.

241. In light of the above developments, the EDPB considers that the obligation for the Requested SA to
       address a mutual assistance request implies the need to fulfil procedural and substantive criteria.

242. The need to fulfil the procedural criteria mainly derives from Article 61, paragraphs 6 and 9 GDPR,

       togetherwithArticle3(3)oftheIMIImplementingAct.Theproceduralcriteriarelateto theprocedural
       formalities that need to be respected to address a mutual assistance request.

243. For what concerns, on the other hand, the obligation to fulfil substantive criteria, the EDPB considers
       thatthisarisesfromtheprovisionsmentionedabove,namely (i)thewordingofArticle61(4)GDPRand

       Article61(5)GDPR,providingforapossibilitytorefusetocomplywithmutualassistancerequestsonly
       based on the limited grounds listed in the GDPR, and providing reasons for any refusal, and (ii) the

       qualification of mutual assistance as a tool for cooperation. This imposes the need to examine the
       content of the reply and the actions taken by a Requested SA to evaluate whether or not a given
       request has been addressed.

244. The list provided by Article 61(1) GDPR is not exhaustive (‘in particular’). As such, it does not list or

       excludespecificallytheimpositionofcorrectivemeasures.However,theEDPBconsidersthat thisdoes



       44EC Implementing Decision (EU) 2018/743 of 16 May 2018, Article 3(3).
       44Art. 61(4) GDPR states ‘The requested supervisory authority shall not refuse to comply with the request unless:
       (a) it is not competent for the subject-matter of the request or for the measures it is requested to execute; or (b)

       compliance with the request would infringe this Regulation or Union or Member State law to which the
       supervisory authority receiving the request is subject.’
       44‘The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant
       to paragraph 4’.


       Adopted                                                                                              61       not, in any event, remove the duty of the Requested SA, pursuant to Article 61 (4) and 61 (5) GDPR
       and the general duty of cooperation, to provide reasons for any refusal to comply with a request.


245. Moving on to the case at hand, the EDPB notes that on 5 May 2023 a formal Article 61 GDPR mutual
       assistance request was initiated by the NO SA via the creation of a dedicated IMI workflow. The NO SA
       Mutual Assistance Request contained two different requests:


               (i) ‘that the IE SA issues a temporary ban on Meta IE’s processing of personal data for
               behavioural advertising purposes on Facebook and Instagram based on Article 6(1)(f) GDPR, in
               accordance with Article 58(2)(f) GDPR’    45;


               (ii) ‘that the IE SA shares a timeline specifying how it will ensure in an expedient manner that
               [Meta IE] complies with Article 6(1) GDPR’.

246. In the NO SA Mutual Assistance Request, the NO SA also specified that they would ‘be grateful if the

       IE SA, by 5 June 2023, would share the timeline and confirm that a temporary ban will be issued’ and
       that ‘If the IE SA is not in a position to comply with our request regarding [Meta IE], we may need to
       consider our options in relation to the adoption of provisional measures in Norway pursuant to Article

       66 of the GDPR. We hope that this will not be necessary and look forward to cooperating further with
       the IE SA within the framework of the cooperation mechanisms set out in Chapter VII of the GDPR’.

247. The NO SA Mutual Assistance Request was also uploaded by the NO SA as a comment on the Meta IE

       Compliance Reports, shared with the LSA and all CSAs within the IE SA IMI Informal Consultations.
       Other CSAs shared their feedback on the Compliance Reports in the same period, as described above
                                                                                                          451
       in paragraph 10, and some of them also addressed concerns on actions taken by the IE SA              . In this
       context, on 30 May 2023, the NL SA also made a mutual assistance request, as described above in
       paragraph 12. Analysing, first of all, whether the procedural criteria were met by the IE SA’s response

       to the NO SA Mutual Assistance Request, the EDPB notes that it is on 2 June 2023 that the first


       450The wording of the NO SA Mutual Assistance Request then goes on as follows: ‘The ban should last until the
       lead and concerned supervisory authorities are satisfied that [Meta IE] has provided adequate and sufficient

       commitments to ensure compliance with Articles 6(1) and 21 GDPR, in line with Article 31 GDPR. This will give us
       the opportunity to further engage with Meta and make sure that it commits to fully respect its obligations under
       the GDPR, while preventing any further risks for data subjects stemming from [Meta IE]’s non-compliant
       behavioural advertising practices. Please note that in our view, behavioural advertising includes any activities
       where advertising is targeted on the basis of a data subject’s behaviour or movements, including advertising

       451ed on perceived location’.
          Several CSAs expressed concerns about:
       (i) The IE SA not sharing its own legal assessment (e.g. FR SA on 25 April 2023; DE Hamburg SA on 4 May 2023).
       In response, the IE SA invited the CSAs to ‘carry out their own assessments of the compliance material’ and
       outlined that ‘the finding of infringement of Article 6(1) [GDPR] and the requirement for a corresponding order
       to be imposed, were determined by the EDPB’ which ’overturned the views originally expressed by the IE SA in its

       draft decision‘ (IE SA request for CSAs views circulated via the IMI on 26 April 2023);
       (ii) The measures suggested by the controller to comply with the IE SA decisions - in particular the reliance on
       Article 6(1)(b) GDPR and Article 6 (1)(f) GDPR for behavioural advertising - which raised concerns and criticisms
       forwhichseveralCSAsrequestedimmediateactionsfromtheIESA (e.g.viewsofDEHamburgSAon4May2023;
       views of NL SA on 4 May 2023; comment of the SE SA on 4 May 2023).

       Similarly, theNO SAhadpreviouslycontacted theIE SAviaemail on 5 April to express their ‘strongdoubts’about
       Meta using Article 6(1)(f) in the context of behavioural advertising, as well as their fear of a ‘real risk to data
       subject's rights’, and asking the IE SA for their assessment and intentions for regulatory action. On 4 May 2023,
       the IE SA had indicated via the IE SA IMI Informal Consultations that they would ‘not be preparing any further
       decision in this matter’ and that they would rely on their assessment of compliance, carried out jointly together

       with all CSAs, IE SA Information on Procedure (response to SE SA), dated 4 May 2023.



       Adopted                                                                                                    62       procedural development from the IE SA occurred within the Art. 61 IMI workflow initiated by the NO

       SA. This is when the IE SA specified they ‘cannot comply with the request’ (by way of checking a pre-
       filled text box on IMI), and indicated in a comment they had further detailed their response under
                                                                                    452
       previous communications located in the IMI Informal Consultations               . The IE SA made reference to
       the IE SA Update to CSAs of 31 May 2023 (see above paragraph 13). Therefore, the EDPB considers

       that the IE SA addressed the NO SA Mutual Assistance Request from a procedural standpoint.

248. The EDPB also analyses the substance of the reply provided by the IE SA to assess whether the NO SA
       Mutual Assistance Request was addressed within the one-month deadline set by the legislator. It is in

       particular relevant to assess whether the IE SA, refusing to comply with the NO SA Mutual Assistance
       Request,providedthereasonsforsuch refusalinaccordancewith Article61(5)GDPR.Whilespecifying

       they‘cannotcomplywiththerequest’,theIESAindicatedinacommenttheyhadfurtherdetailedtheir
       response under previous communications located in the IE SA IMI Informal Consultations              453. The IE SA
                                                                                                        454
       made reference to the IE SA Update to CSAs of 31 May 2023 (see above paragraph 13)                  .

249. AccordingtotheIESA,the IESAUpdate toCSAsof31 May2023whichitsreplyof2June2023referred

       to was ‘directed to the subject matter of the NO SA [Mutual Assistance Request]’ and was ‘clearly
       engaging with the substance of the NO SA [Mutual Assistance Request] [...] directly, and in a fulsome
                 455
       manner’     . Consequently, the IE SA considers it did not refuse to engage with the NO SA’s request for
       mutual assistance by means of its communication of 2 June 2023           456.

250. The content of the IE SA Update to CSAs of 31 May 2023 relates to the information about the
                                                                                                                      457
       continuation oftheassessmentof the Meta IECompliance Reportspursuant to Article60(10)GDPR                         .
       In fact, it was a mere confirmation of the approach already suggested to all CSAs prior to the NO SA
                                      458
       Mutual Assistance Request        .



       452NO SA mutual assistance request IMI dedicated flow.    453More specifically the message from the IE SA stated:
       ‘Dear Colleagues, Please see detailed response uploaded by the [IE SA] under [the IMI Informal Consultations]

       453 further information. Best regards, IE SA’.
          Morespecifically themessage from the IE SA stated:‘DearColleagues, Please seedetailed responseuploaded
       by the [IE SA] under [the IMI Informal Consultations] for further information. Best regards, IE SA’.
       Such response was the IE SA Update to CSAs of 31 May 2023 (see paragraph 13 above). The LSA referred to two

       454ferent communications issued to all CSAs via the IMI Informal Consultations.
          The IE SA indicated that they had ‘received all of the assessments from CSAs’ and ‘forwarded them to [Meta
       IE] for it to consider the views expressed and to detail any changes that it proposes to implement on foot of the
       CSA assessments’. Furthermore, the IE SA stated that it will ‘complete its own assessment of [Meta IE]’s

       compliance reports’ ‘once the IE SA receives [Meta IE]’s response’. The IE SA also stated ‘it will be in a position to
       completeitsownassessmentof[MetaIE]’s[ComplianceReports]andtoshareitsassessmentwiththeNorwegian
       and Dutch supervisory authorities (both of which have lodged Article 61 requests for mutual assistance) and with
       all other CSAs by the end of June 2023‘.
       455
       456Views of IE SA on NO SA Order, p.2.
          Views of IE SA on NO SA Order, p.2, referring to IE SA’s Response to the NO SA Mutual Assistance Request.
       457The LSA indicated that they had ‘received all of the assessments from CSAs’ and ‘forwarded them to [Meta IE]
       for it to consider the views expressed and to detail any changes that it proposes to implement on foot of the CSA

       assessments’. Furthermore, the LSA stated that it will ‘complete its own assessment of Meta [IE]’s [C]ompliance
       [R]eports’ ‘once the IE SA receives Meta IE’s response’. The LSA also stated ‘it will be in a position to complete its
       own assessment of Meta’s compliance reports and to share its assessment with the Norwegian and Dutch
       supervisory authorities (both of which have lodged Article 61 requests for mutual assistance) and with all other
       CSAs by the end of June 2023’.
       458
          IE SA Information on Procedure (response to SE SA), dated 4 May 2023 (prior to the NO SA Mutual Assistance
       Request). In this communication, the LSA indicated to all CSAs - via the IMI Informal Consultations - that the ‘IE
       SA will not be preparing any further decision in this matter’ and that they would rely on their assessment of
       compliance, carried out jointly together with all CSAs.



       Adopted                                                                                                         63251. The EDPB notes that the IE SA Update to CSAs of 31 May 2023 makes reference to the NO SA Mutual
      Assistance Request, by saying: ‘The IE SA anticipates that it will be in a position to complete its own
      assessment of Meta IE Compliance Reports and to share its assessment with the [NO SA] and [NL SA]

      (both of which have lodged Article 61 requests for mutual assistance) and with all other CSAs by the
      end of June 2023’.

252. However, the EDPB considers that:

          •   the second request in the NO SA Mutual Assistance Request was a request for ‘a timeline

              specifying how [the IE SA] will ensure in an expedient manner that [Meta IE] complies with
              Article 6(1) GDPR’. The IE SA Update to CSAs of 31 May 2023 does provide a timeline of the

              next steps in the process envisaged by the IE SA for the assessment of the Meta IE Compliance
              Reports (with the last step being the completion of the IE SA’s own assessment and its sharing

              with the CSAs by the end of June 2023). However, there are no details as to how the IE SA
              considered that the completion of the assessment of the Compliance Reports would ‘ensure
              in an expedient manner that [Meta IE] complies with Article 6(1) GDPR’. While there is an

              implicit (and, in any event, only partial) connection, further motivation in this regard would
              have been necessary.

          •   the first request in the NO SA Mutual Assistance Request was a request for the imposition of
              a “temporary ban on Meta’s processing of personal data for behavioural advertising purposes

              on Facebook and Instagram based on Article 6(1)(f) GDPR, in accordance with Article 58(2)(f)
              GDPR’. The IE SA Update to CSAs of 31 May 2023 does not include any reasoning as to the IE

              SA’s acknowledgement or consideration of this request.

253. The EDPB notes that while the IE SA explained after the expiry of the one-month deadline that the
      negative answer to the NO SA Mutual Assistance Request was the result of a mistake (a text box
                                                459
      ‘incorrectly (and inadvertently) checked’)  , the IE SA does not state it tried to amend its answer - for
      instance to provide the reasons for any refusal to comply with the request - or sought assistance to do

      so within the one-month deadline.

254.   The EDPB also takes note of the IE SA’s view shared on 27 September 2023 that the part of the NO SA
      Mutual Assistance Request pertaining to a ban was not ‘validly made by reference to the provisions of
      Article 61 GDPR’ and that it was not ‘open to the [NO SA] to demand, by way of mutual assistance
                                                                                              460
      request, that the [IE SA] impose a temporary ban on the Processing Operations’ at stake    .

255. However, Article 61(4), letter (b) GDPR envisages the possibility for the Requested SA to refuse to
      complywithamutualassistancerequestinasituationwhereitconsidersthatcompliancewithitwould

      infringe the GDPR or EU or Member State law to which the Requested SA is subject. Nevertheless, in
      thiscircumstance,asalreadyunderlinedunderparagraph240,theRequestedSAthatwishestoinvoke
      thisgroundforrefusalneedstomotivateitsresponsepursuanttoArticle61(5)GDPR.TheIESAUpdate

      to CSAs of 31 May 2023 or the message in the MA Request workflow of 2 June 2023 do not provide
      any justification for not addressing the request under the limited exceptions of Article 61(4) GDPR. In
      addition, the views shared on 27 September 2023 were way beyond the expiration of the one month



      459
      460Communication of IE SA to all CSAs dated 20 July 2023, p. 2.
         Letter from the IE SA to the NO SA dated 27 September 2023, p. 3. In this regard the IE SA further argued that
      the EDPB Binding Decisions ‘explicitly declined to impose a temporary ban’ (p. 3) and that ‘Putting in place an
      immediatebanonprocessingwhichisisolatedanddivorcedfromanyunderlyinglegalprocedurewouldinevitably
      expose the [IE SA] to significant legal risk and lead to litigation’ (p. 4).


      Adopted                                                                                             64       deadline. Therefore, the EDPB considers that, within one month of receiving the request, the LSA did
       not provide the reasons for refusal to comply with the request pursuant to Article 61(5) GDPR.


256. In light of the above, the EDPB considers that the IE SA failed to provide a substantive reply the NO SA
       Mutual Assistance Request.

257. ConsideringthefactthatArticle61(8)GDPRprovidesexplicitlythatthepresumptionofurgencyapplies

       in case the [Requested SA] does not provide the information in [Article 61(5)] within the one month of
       receiving the request, the EDPB therefore considers that the presumption set by Article 61(8) GDPR
       is applicable in this specific case. Consequently, the EDPB finds that urgency may be presumed on

       the basis of Article 61(8) GDPR, which further corroborates the need to derogate from the regular
       cooperation and consistency mechanisms      46.


       4.2.3 Conclusion as to the existence of urgency

258. The EDPB considers that the elements analysed above justify the urgency for the EDPB to request the
       IE SA to order final measures under Article 66(2) GDPR. The EDPB considers that the urgent need to

       order final measures is clear in light of the risks that the infringements represent for the rights and
       freedoms of the data subjects without the adoption of final measures       462. Furthermore, the EDPB
                                                                                       463
       considers that such urgency may be presumed pursuant to Article 61(8) GDPR        . The EDPB therefore
       considers that there is urgency for the IE SA to order final measures in this case.



       5 ON THE APPROPRIATE FINAL MEASURES

259. On the basis of the analysis above (see sections 4.1 and 4.2), the conditions relating to the existence

       of infringements and to an urgent need to act in this case are met. The EDPB therefore proceeds with
       the analysis of which final measures, if any, it should order in this specific case. A request from a SA

       under Article 66(2) GDPR is aimed to address a situation where such SA, after adopting provisional
       measures under Article 66(1) GDPR, ‘considers that final measures need urgently be adopted’.


       5.1 Content of the final measures

       5.1.1 Summary of the position of the NO SA


260. In the NO SA Request to the EDPB, the NO SA requests that ‘final measures, in line with the provisional
       measures [the NO SA] imposed in Norway, be imminently adopted’      464. In the NO SA Order, the NO SA
       prohibited for three months Meta IE and Facebook Norway from processing personal data of data

       subjects residing in Norway for behavioural advertising on the basis of Article 6(1)(b) GDPR or Article
       6(1)(f) GDPR from 4 August 2023 to 3 November 2023      465. The NO SA provides that the NO SA Order

       will be lifted before that date if remedial measures are implemented so that adequate and sufficient
       commitments to ensure compliance with Article 6(1) GDPR and Article 21 GDPR can be provided       466. In
       casetheorderisnot compliedwith,theNOSAannounces,intheNOSAOrderitself,thatit maydecide

       to impose a coercive fine of up to NOK 1 000 000 per day of non-compliance on Meta IE and/or

       461
       462lso see the EDPB Urgent Binding Decision 01/2021, paragraph 181.
         As demonstrated in section 4.2.2.3 above.
       46As demonstrated in section 4.2.1.3 above.
       46NO SA Request to the EDPB, p. 12.
       46NO SA Order, p. 3.
       466
         NO SA Order, p. 3.



       Adopted                                                                                              65       FacebookNorway,individuallyorcollectively        467.AsMetaIEandFacebookNorwaydidnotcomplywith

       the NO SA Order, the NO SA imposed a daily coercive fine, which started to accrue on 14 August
       2023  46.


261. The NO SA also points out that, with respect to the objective that the final measures should seek to
       achieve, ‘it is necessary to ensure that “[p]ersonal data shall not be processed for Behavioural
                                                                                                                    469
       Advertising based on Article 6(1)(b) [GDPR] or [Article] 6(1)(f) GDPR in the context of the Services”’         .
       TheNOSArequeststhatanyfinalmeasureshoulddemand“swiftcompliance”withoutfurtherdelay                           47.


262. With respect to the geographical scope of the final measures requested, the NO SA asked that ‘the
       measures should be applied EEA-wide, to avoid derogating from the harmonisation and consistency
                                        471
       that the GDPR aims to ensure’       .

263. The NO SA considers that Meta IE has a ‘readily available procedure to terminate this processing
       rapidly’, as it already implemented an objection mechanism in the EEA in relation to its processing for

       behavioural advertising in reliance of Article 6(1)(f) GDPR. In other words, the NO SA argues that
       suspending this processing activity could be achieved through the use of a process similar to the one

       used by Meta IE in the context of the objection mechanism, and that nothing - from a technical
       perspective - prevents Meta IE from suspending the behavioural advertising processing in the EEA            472.


264. To support this request, the NO SA points out that (1) final measures should urgently be adopted
       because the processing of personal data violates the rights and freedoms of data subjects in all EEA

       states, (2) the IE SA Decisions are applicable for users in all EEA states, and (3) there is consensus at
       European level between the IE SA and the CSAs that the processing continues to be unlawful            473.


       5.1.2 Summary of the position of Meta IE and Facebook Norway

265. Meta IE points out that in its view ‘it is not clear which final measures the [NO SA] is seeking to request
                         474
       from the EDPB’      . According to Meta IE, the NO SA Order ‘comprises three core elements: (i) the
       imposition of a temporary ban [...]; (ii) the imposition of daily administrative fines [...]; and (iii) the
                                                                                              475
       lifting of that ban subject to receiving adequate commitments from [Meta IE]’            . Meta IE alleges it is
       not clear whether the NO SA intends to pursue each of these elements, or others, as part of its
                476
       request    .

266. Meta IE considers that the NO SA Request to the EDPB constitutes partly ‘an attempt to re-litigate
       objections that the [NO SA] has already raised in the NOYB Inquiries at the Article 65 GDPR stage and

       which have already been rejected by the EDPB’       477. According to Meta IE, the NO SA’s actions ‘appear
       to be motivated by (unwarranted) dissatisfaction with the [IE SA]’s handling of the enforcement of the




       467NO SA Order, p. 4.
       468NO SA’s Decision to impose a coercive fine on Meta IE and Facebook Norway of 7 August 2023, p. 3.
       469
          NO SA Request to the EDPB, p. 12.
       470NO SA Request to the EDPB, p. 12.
       471NO SA Request to the EDPB, p. 12.
       472NO SA Request to the EDPB, p. 12-13.
       473
          NO SA Request to the EDPB, p. 12.
       474Meta IE’s Submissions of 26 September 2023, p. 13.
       475Meta IE’s Submissions of 26 September 2023, p. 13.
       476Meta IE’s Submissions of 26 September 2023, p. 13.
       477
          Meta IE’s Submissions of 26 September 2023, p. 3, 13. See also Meta IE’s Submissions of 16 October 2023, p.
       8.




       Adopted                                                                                                      66       NOYB Decisions’. The controller states then that it ‘cannot be sanctioned based on factors that are
       outside its sphere of influence’  47.


267. In addition, Meta IE provided arguments in respect of the possible content of the final measures to be
       ordered by the EDPB, setting out elements for each possible measure identified. Meta IE also argues

       that, in general, only the provisional measures adopted by the requesting SA can be adopted as final
       measures under the Article 66(2) GDPR procedure         47. In Meta IE’s view, it is unclear whether the EDPB

       is competent to order final measures on an EEA-wide basis, or whether it is limited to only ordering
       measures with respect to the country of the requesting CSA, and it is unclear whether the EDPB is
                                                              480
       competent to adopt final measures permanently             . On this matter, Meta IE also made reference to
       the fact that the EDPB has itself requested the EU legislator to clarify this    481.


268. Regarding a possible deletion order for data already unlawfully collected
                                           whiletheNOSA has notexplicitlyrequestedsuchfinal measure,Meta
                                                                                         482
       IE clarified its view that such request would be unlawful and unnecessary            . More specifically, Meta
       IE argues that the NO SA Order did not issue a deletion order as part of its Provisional Measures
                                               483
       adopted under Article 66(1) GDPR          . Further, Meta IE highlights that the EDPB Binding Decisions
       rejected objections from the NO SA that aimed to impose a deletion order on Meta IE            484.


                                     485.


                                486.


                                487. In any event, Meta IE notes that the personal data previously collected for

       behavioural advertising is also processed for other purposes that are not related to advertising, such
                                        488
       as security, fraud and safety      . Meta IE considers that ‘a controller cannot be compelled to delete
       personal data where it is validly collected and processed for different purposes pursuant to valid legal

       bases, even in cases where its legal basis for one distinct set of processing is subsequently held to be
       invalid’489.




       478Meta IE’s Submissions of 26 September 2023, p. 17.
       479
       480Meta IE’s Submissions of 26 September 2023, p. 13-14.
          Meta IE’s Submissions of 26 September 2023, p. 13, footnote 44.
       481Meta IE’s Submissions of 26 September 2023, p. 13, footnote 44, referring to section 6.2 of EDPB-EDPS Joint
       Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down

       additionalprocedural rules relating tothe enforcementof Regulation(EU) 2016/679, atparagraphs 113-116 and
       121. In this Joint Opinion, the EDPB and the EDPS provided their views on the proposed regulation made by the
       EuropeanCommissionwhich,accordingtotheEDPBandtheEDPS,undulyrestrictstheapplicationoftheurgency

       procedure under Article 66(2) GDPR.
       482Meta IE’s Submissions of 26 September 2023, p. 14-15.
       483Meta IE’s Submissions of 26 September 2023, p. 14.
       484Meta IE’s Submissions of 26 September 2023, p. 14. This argument relates to the objections made by the NO

       SAtothedraftdecisionsoftheIESAintheFacebookandInstagramcases,requestinganordertodeletepersonal
       dataprocessedunderArt.6(1)(b)GDPR,whichtheEDPBconsiderednottomeetthethresholdofArt.4(24)GDPR
       (in EDPB Binding Decision 3/2022, paragraph 483 and EDPB Binding Decision 4/2022, paragraph 450).
       485
          Meta IE’s Submissions of 26 September 2023, p. 14.
       486Meta IE’s Submissions of 26 September 2023, p. 14.
       487Meta IE’s Submissions of 26 September 2023, p. 14.
       488
       489Meta IE’s Submissions of 26 September 2023, p. 14-15.
          Meta IE’s Submissions of 26 September 2023, p. 15.




       Adopted                                                                                                       67269. Regarding a possible suspension order or ban applicable to all EEA users, Meta IE considers that the
                                                                                                         490
       NOSA’srequestforashortimplementationdeadlineisallegedly‘flawedandnotfeasible’                        .According
       to Meta IE, building the supporting infrastructure and rolling out the objection mechanism entailed

       ‘hundreds of thousands of hours of work’ on Meta IE’s side by multi-disciplinary teams including
       product, machinelearning andinfrastructure engineers,userexperience designers,operations,policy,

       marketing and legal to design, build and implement the systems, processes and user experience
       required to enable Meta IE to meet the different requirements of Article 6(1)(f) GDPR           49. In Meta IE’s

       view, the NO SA’s assertion that implementing a process similar to the objection mechanism could
       form some ‘sort of instant compliance solution’ is ‘flawed’      49.


                                                                                                          493. In other

       words, Meta IE argues that a change of legal basis for its behavioural advertising processing before
                          would simply not be feasible.


270. Meta IE also quotes the arguments put forward by the IE SA in that regard: ‘Putting in place an
       immediate ban on processing which is isolated and divorced from any underlying legal procedure (...),

       would inevitably expose the [IE SA] to significant legal risk and lead to litigation. In the context of such
       litigation,the[IESA]wouldbecalledontojustifyitsdecisiontodepartfromthecourseofactionrooted

       in [IE SA Decisions] (uncontested by the EDPB and/or the CSAs), in favour of an alternative, summary
       procedure involving the immediate imposition of a ban on processing’         494.


271. Regarding fines specifically, Meta IE argues that the NO SA is not entitled to ask for a fine as a final
       measure   49, since the NO SA Order did not include fines as a provisional measure under Article 66(1)

       GDPR. More generally, Meta IE also claims that fines are not an appropriate form of final measures
       underArticle 66(2)GDPR      49,andthattheEDPBisnotcompetenttoadoptsuchadecisionunderArticle
                     497
       66(2) GDPR      . As the Article 66(2) GDPR procedure constitutes a derogation to the standard
       cooperation procedure, Meta IE, highlighting the need for a restrictive interpretation of Article 66
       GDPR, is of the opinion that any final measures ‘can only be those that are urgently needed to bring

       the infringement to an end’    498. According to Meta IE, all the final measures that do not achieve this
       objective must be adopted within the framework of the one-stop-shop and the consistency

       mechanism    499. Lastly, in Meta IE’s view, fines are not appropriate to ensure the immediate protection
       of data subjects  50. Meta IE also argues that fines would be inappropriate in the circumstances of this

       case, where high fines have already been imposed by the IE SA in the IE SA Decisions and where Meta
       IE                                                                    engagedingoodfaithwiththeIESA          501.






       490Meta IE’s Submissions of 26 September 2023, p. 15.
       491Meta IE’s Submissions of 26 September 2023, p. 15.
       492Meta IE’s Submissions of 26 September 2023, p. 15.
       493
          Meta IE’s Submissions of 25 August 2023, p. 23-24.
       494Meta IE’s Merits Complaint submitted to the Oslo District Court, p. 26, referring to the Letter of the IE SA to
       the NO SA of 27 September 2023.
       495Meta IE’s Submissions of 26 September 2023, p. 3.
       496
          Meta IE’s Submissions of 26 September 2023, p. 16.
       497Meta IE’s Submissions of 26 September 2023, p. 16.
       498Meta IE’s Submissions of 26 September 2023, p. 16.
       499Meta IE’s Submissions of 26 September 2023, p. 16.
       500
          Meta IE’s Submissions of 26 September 2023, p. 16.
       501Meta IE’s Submissions of 26 September 2023, p. 16.




       Adopted                                                                                                       68                                                                                        According to Meta IE, the
       NO SA Request to the EDPB ‘already has, and will continue to, generate a huge amount of

       administrative work for the EDPB, the CSAs, the LSA and Meta [IE],

                    502
                       . Meta IE considers that, in light of the fact that a potential urgent binding decision may
       extend beyond Norway, ‘any attempt to perpetuatetheprovisions of the [NO SA] Order by way of such

       a decision only serves to exacerbate this misuse of the urgency procedure and the violation of [Meta
       IE]’s rights’0.


272. Facebook Norway highlights that it is not, and has never been, a party to the inquiries leading to the
       adoptionoftheIESADecisions       504.ItalsohighlightsthattheIESADecisionsareonlyaddressedtoMeta

       IE, in its capacity of sole data controller for the purpose of behavioural advertising on Facebook and
       Instagram. Facebook Norway points out that it is a separate and independent legal entity that does

       not offer Facebook or Instagram either in Norway or elsewhere, and is not the data controller for the
       concerned behavioural advertising processing       50. Furthermore, Facebook Norway maintains that it
                                                                    506
       should not have been the addressee of the NO SA Order          .

273. Meta IE and Facebook Norway have also expressed the view that the IE SA has already exercised

       corrective powers against Meta IE in the IE SA Decisions, and that anyways the enforcement of
       corrective orders is a matter for the LSA and governed by the applicable national law      507.


       5.1.3 Analysis of the EDPB

274. In addition to the elements enshrined in the NO SA Request to the EDPB, the EDPB takes into

       consideration the elements and arguments put forward by the IE SA. The IE SA considers that the NO
       SA Request to the EDPB seeks to obtain an urgent binding decision from the EDPB, ‘the net effect of
                                                                                        508
       which would be to compel the [IE SA], as LSA, to impose an EEA-wide ban’            . However, according to
       the IE SA, it is already leading an ongoing ‘enforcement procedure’, whereby it is, along with the CSAs,
       assessing ‘a defined set of proposals, by which [Meta IE] proposes to achieve compliance’ with Article

       6(1) GDPR and the IE SA Decisions     50. This process is happening by involving the CSAs in accordance
       withtheGDPR’scooperationand consistencyframework             510.Morespecifically,the IESAhighlightsthat

       it ‘is currently engaged in a cooperative process to give effect to these orders in a manner that permits
       all CSAs to make observations on [Meta IE]’s proposed course of action’      51.




       502Meta IE’s Submissions of 16 October 2023, p. 9.
       503
          Meta IE’s Submissions of 25 August 2023, p. 28.
       504Facebook Norway’s Submissions of 25 August 2023, p. 13. See also Facebook Norway’s Submissions of 16
       October 2023, p. 4.
       505Facebook Norway’s Submissions of 25 August 2023, p. 13; Facebook Norway’s Submissions of 16 October

       2023, p. 4; see also Letter from Facebook Norway to Ministry of Local Government and Regional Development
       of 8 August 2023, p. 2.
       506Facebook Norway’s Submissions of 26 September 2023, p. 1. See also Facebook Norway’s Submissions of 16
       October 2023, p. 4.
       507
          Meta IE’s and Facebook Norway’s Submissions of 19 October 2023, p. 1-2.
       508Letter from the IE SA to the NO SA of 13 October 2023, p. 3.
       509Letter from the IE SA to the NO SA of 13 October 2023, p. 4.
       510CommunicationofIESAtoCSAsof20July2023,p.1.SeealsoLetterfromtheIESAtotheNOSAof13October

       2023, p. 4-6.
       511Letter from the IE SA to the NO SA of 27 September 2023, p. 3




       Adopted                                                                                                    69275.   AccordingtotheIESA,nofinalmeasuresorderedbytheEDPBwouldbeappropriate,asitwoulddivert
       resources from the IE SA-led process under the GDPR’s cooperation and consistency framework       512. In

       addition, according to the IE SA, the NO SA’s legal justifications to suggest immediate enforcement
       action by the LSA are ‘rooted in hypothetical arguments’ 513.


276. In this regard, the EDPB acknowledges that, since the moment the IE SA shared with the CSAs the
       Compliance Reports on 5 April 2023, there has been an ongoing process consisting in the assessment
       of the compliance efforts by Meta IE represented by the switch on 3 April 2023 to Article 6(1)(f) GDPR

       as legal basis for most of the personal data collected on Meta’s products for behavioural advertising
       purposes and later on, by the Meta IE’s Consent Proposal, and that this process was led by the IE SA in

       its role as LSA in cooperation with the CSAs, which were invited to submit their views on multiple
       occasions.

277. However, in light of the elements described above, namely the existence of ongoing infringements of
                                                                                                            514
       Article6(1)GDPR-thattheEDPBhasalreadylabelledasa‘veryserioussituationofnon-compliance’                 ,
       and of the duty to comply with decisions of SAs, and the existence of an urgent need to act despite the

       ongoing process led by the IE SA, as motivated above in Section 4.2 of this urgent binding decision, the
       EDPB considers that, at this point of time, there is a need to order final measures as further
       enforcement measures are necessary.


278. With respect to the possible content of the specific final measures, the EDPB considers that it can
       order final measures other than the provisional measures adopted under Article 66(1) GDPR or than

       those referred to in the request made pursuant to Article 66(2) GDPR. The GDPR does not indeed
       provide such limitations on the final measures, and the EDPB, while taking into consideration the
       request made pursuant to Article 66(2) GDPR as well the other elements of the file, is entrusted to

       ensure the correct and consistent application of GDPR when performing activities under the
       consistency mechanism   515. Therefore, the EDPB is competent under Article 66(2) GDPR to order the

       final measures that are appropriate on the basis of the circumstances of the case.

279. Inthecaseathand,theEDPBconsidersitappropriatetoanalysewhetherabanonprocessingshould
       beimposed, bearing in mind that the NOSA Request to the EDPB asksthat ‘finalmeasures, inlinewith
                                                                                           516
       the provisional measures [the NO SA] imposed in Norway, be imminently adopted’        , and that the NO
       SA Order included a prohibition from processing personal data of data subjects residing in Norway for

       behavioural advertising on the basis of Article 6(1)(b) GDPR or Article 6(1)(f) GDPR.

280. Inrespect of thepossible impositionof aban onprocessing,theIE SAconsiders that ‘the formoforder
       sought by the [NO SA] is not one that could lawfully be delivered by the [IE SA] in the manner now
                  517
       demanded’     . Thisis,first, because the EDPBdeclined toinstruct theIESA to imposeatemporaryban




       512
       513etter from the IE SA to the NO SA of 13 October 2023, p. 5.
         Letter from the IE SA to the NO SA of 27 September 2023, p. 4.




       514
         EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284.
       51Art. 63 GDPR, Art. 65 GDPR, Art. 70(1) GDPR, Art. 70(1)(a) GDPR, and Art. 70(1)(t) GDPR.
       51NO SA Request to the EDPB, p. 12.
       51Letter from the IE SA to the NO SA of 27 September 2023, p. 3.




       Adopted                                                                                              70       in the EDPB Binding Decisions    518, and secondly because the IE SA Decisions ‘made provision for
       enforcement measures, namely, the orders for compliance, under which [Meta IE]’s proposals for the

       adoption of one or more alternative legal bases for the Processing Operations would be assessed, and
       ruled on, on their respective merits’ 51. The IE SA concludes that ‘the EDPB recognised, explicitly, that

       a process would need to be put in place in which the Controller would identify the means by which it
       proposed to achieve compliance with its obligations, and, further, that, acting together in the context

       of the co-operation and consistency mechanism provided for at Chapter VII of the GDPR, the [IE SA]
       and the CSAs would in turn be required to test those proposals and assess whether or not they are
       sufficient to achieve compliance with the requirements of Article 6(1) [GDPR] and the [IE SA]
                 520
       Decisions’   .

281. According to the IE SA, the imposition of a ban on processing ‘which is isolated and divorced from any

       underlying legal procedure would inevitably expose the [IE SA] to significant legal risk and lead to
       litigation’,wheretheIESA‘wouldbecalledontojustifyitsdecisiontodepartfromthecourseofaction
       rooted in [the IE SA Decisions] (uncontested by the EDPB and/or the CSAs), in favour of an alternative,
                                                                                           521
       summary procedure involving the immediate imposition of a ban on processing’           . In this regard the
       IE SA also argues that ‘it is inaccurate to suggest that the [IE SA] could impose an immediate ban on

       processing, whilst continuing to progress its assessment of [Meta IE]’s proposed consent model, in
       conjunction with its CSA colleagues’  52.

282. In this respect, the EDPB highlights that the fact that it chose not to instruct the IE SA to impose a

       temporary ban in the EDPB Binding Decisions, considering at that time that the imposition of an order
       to bring processing into compliance within a short time frame would be appropriate, does not in itself

       rule out the possibility than a ban would be needed today. Likewise, the fact that the IE SA Decisions,
       adopted on the basis of the EDPB Binding Decisions, do not provide for a ban on processing does not
       prevent the EDPB from ordering final measures in the form of a ban on processing in the context of

       this urgent procedure, taking into account the facts that occurred following the adoption of the IE SA
       Decisions. In this regard, the EDPB also recalls that the IE SA acknowledged in the IE SA Final Position
                                                                                            523
       Paper that ‘enforcement measures may [...] have been necessary at this juncture’        .

283. In the next paragraphs, the EDPB will assess the appropriateness, necessity and proportionality of a
       ban on processing. Article 58(2)(f) GDPR provides supervisory authorities with the power to impose a

       temporary or definitive limitation including a ban on processing.

284. Recital 129 GDPR provides elements to assess whether a specific measure is appropriate. More
       specifically, consideration should be given to ensuring that the measure chosen does not create

       ‘superfluous costs’ and ‘excessive inconveniences’ for the persons concerned in light of the objective
       pursued. When choosing the appropriate corrective measure, there is a need to assess whether the

       chosen measure is necessary to enforce the GDPR and achieve protection of the data subjects with
       regard to the processing of their personal data, which is the objective being pursued. Compliance with




       518Letter from the IE SA to the NO SA of 27 September 2023, p. 3. See also Letter from the IE SA to the NO SA of
       13 October 2023, p. 3-4 (where the IE SA also states the EDPB did not instruct the IE SA to adopt an automatic
       ban or a ban to be imposed should Meta IE fail to achieve compliance within a defined date).
       519
       520Letter from the IE SA to the NO SA of 27 September 2023, p. 3.
          Letter from the IE SA to the NO SA of 13 October 2023, p. 4.
       521Letter from the IE SA to the NO SA of 27 September 2023, p. 4.
       522Letter from the IE SA to the NO SA of 27 September 2023, p. 4.
       523IE SA Final Position Paper, paragraph 9.2.




       Adopted                                                                                                 71       the principle of proportionality requires ensuring that the chosen measure does not create
       disproportionate disadvantages in relation to the aim pursued     52.


285. As a first element, the EDPB would like to recall its reasoning in the EDPB Binding Decisions. In such
       decisions, as pointed out by the IE SA and by Meta IE, the EDPB analysed at that point of time whether

       a ban constituted an appropriate corrective measure to be imposed in the IE SA Decisions, due to the
       presence of some relevant and reasoned objections putting forward this request          52. Several of the
       elements that the EDPB considered at the time are helpful to be considered in this urgent binding

       decision, too.

286. The EDPB highlighted in the EDPB Binding Decisions that the infringement of Article 6(1) GDPR found
       in the case at hand constituted a very serious situation of non-compliance with the GDPR, in relation

       to processing of extensive amounts of data, which is essential to the controller’s business model, thus
       harming the rights and freedoms of millions of data subjects in the EEA; therefore, the corrective

       measure chosen in the circumstances of this case should aim to bring the processing into compliance
       with the GDPR thus minimising the potential harm to data subjects created by the violations of the
             526
       GDPR    .

287. Therefore, according to the EDPB Binding Decisions, considering the nature and gravity of the
       infringementofArticle6(1)(b)GDPR,aswellasthenumberofdatasubjectsaffected,itwasparticularly

       important that appropriate corrective measures be imposed, in addition to a fine, in order to ensure
       that Meta IE complies with this provision of the GDPR    52.

288. It is also important to note that the EDPB considered that it is not necessary to establish an urgent

       necessity for imposing a temporary ban because nothing in the GDPR limits the application of Article
       58(2)(f) GDPR to exceptional circumstances    52.

289. While in the EDPB Binding Decisions the EDPB took note of the elements raised by the objections to

       justify the need for imposing a temporary ban, consisting in essence in the need to halt the processing
       activities that are being undertaken in violation of the GDPR until compliance is ensured in order to

       avoid further prejudicing data subject rights, it considered that the objective of ensuring compliance
       and bringing the harm to the data subjects to an end could be adequately met also by amending the

       order to bring processing into compliance envisaged in the IE SA draft decisions to reflect Meta IE’s


       524EDPB Binding Decision 3/2022, paragraph 284 and EDPB Binding Decision 4/2022, paragraph 286.
       525More specifically, in the dispute leading to the adoption of EDPB Binding Decision 3/2022, certain objections
       requestedtheimpositionofabanorlimitationonprocessingoranordertoabstainfromtheprocessingactivities

       intheabsenceofavalidlegalbasis(inparticular,theobjectionsoftheAT,NL,DEandNOSAs).TheEDPBanalysed
       the merits of the objections of the AT and NL SAs (found to be relevant and reasoned in paragraph 266 of EDPB
       Binding Decision 3/22) and did not take any position on the merits of the other objections on this matter that
       were found to be not relevant and reasoned, namely the objections of the DE and NO SAs (see paragraph 268 of
       Binding Decision 3/2022).

       Concerning, instead, the dispute leading to the adoption of EDPB Binding Decision 4/2022, certain objections
       requestedtheimpositionofabanorlimitationonprocessingoranordertoabstainfromtheprocessingactivities
       intheabsenceofavalidlegalbasis(inparticular,theobjectionsoftheAT,NL,DEandNOSAs).TheEDPBanalysed
       the merits of the objections of the AT and NL SAs (found to be relevant and reasoned in paragraph 269 of EDPB
       Binding Decision 4/2022) and did not take any position on the merits of the other objections on this matter that

       were found to be not relevant and reasoned, namely the objections of the DE and NO SAs (see paragraph 271 of
       Binding Decision 4/2022).
       526EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284.
       527EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281.
       528EDPB Binding Decision 3/2022, paragraph 283 and EDPB Binding Decision 4/2022, paragraph 285.




       Adopted                                                                                                 72       infringement of Article 6(1) GDPR   529. The EDPB noted in this regard that this measure would require

       Meta IE to put in place the necessary technical and operational measures to achieve compliance
       within a set timeframe    530. Such timeframe was established to be necessarily a ‘short period of
             531
       time’   .The EDPB Binding Decisions comprised, eventually, instructions to the IE SA to include in the
       IE SA Decisions orders for Meta IE to bring its processing of personal data for the purpose of

       behavioural advertising in the context of the Facebook service into compliance with Article 6(1) GDPR
       within three months    53. In this respect, the EDPB considered this deadline for compliance to be

       necessary and proportionate, considering that the interim period for compliance ‘will involve a
       serious ongoing deprivation of their rights’ and the significant financial, technological, and human
                                        533
       resources available to Meta IE      .

290. The fact that the three-month timeframe has expired several months ago is an important element to
       be considered, that marks a significant difference compared to the situation that the EDPB analysed in

       the EDPB Binding Decisions. Already the three-month interim period for compliance was considered
       by the EDPB to involve ‘a serious ongoing deprivation’ of data subjects’ rights: the need to ensure that

       this deprivation comes to an end is therefore even clearer now that three times the time initially
       envisaged has passed.


291. As a consequence, the reasoning of the EDPB in the EDPB Binding Decisions on whether a ban needed
       to be imposed in the IE SA Decisions provides arguments in favour of considering that the imposition

       of a ban would be appropriate, necessary and proportionate today, rather than against this.

292. The EDPB also takes note of the NO SA’s argument that Meta IE has a ‘readily available procedure to
       terminate this processing rapidly’, as it already implemented an objection mechanism in the EEA in

       relation to its processing for behavioural advertising in reliance of Article 6(1)(f) GDPR, which allows
       the suspension of the processing    53.


293. The EDPB also notes Meta IE’s argument that a short implementation deadline would not be
       feasible535, considering the need for a complex process for the implementation of a ban involving
                                                   536
       several teams and many hours of work          . More specifically, Meta contests that it can comply ‘(i)
       through blanket application of the [objection mechanism] to all users across the EEA, and then “as a

       next step” (ii) “expanding the [objection mechanism] to include categories of data processing covered
       by the [NO SA Order]”, since already the NO SA acknowledges for step (ii) that this “would require
                                                   537
       redesigning the [objection mechanism]”’       .


       529EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287. In reaching

       thisconclusion,theEDPBhighlightedthatcompliancewiththeprincipleofproportionalityrequiresensuringthat
       the chosen measure does not create disproportionate disadvantages in relation to the aim pursued, and Recital
       129 GDPR provides that consideration should be given to ensuring that the measure chosen does not create
       ‘superfluous costs’ and ‘excessive inconveniences’ for the persons concerned in light of the objective pursued.

       EDPB Binding Decision 3/2022, paragraph 284 and EDPB Binding Decision 4/2022, paragraph 286.
       530EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287.
       531EDPB Binding Decision 3/2022, paragraph 286 and EDPB Binding Decision 4/2022, paragraph 288.
       532EDPB Binding Decision 3/2022, paragraph 288 and EDPB Binding Decision 4/2022, paragraph 290.
       533
          EDPB Binding Decision 3/2022, paragraph 286 and EDPB Binding Decision 4/2022, paragraph 288.
       534NO SA Request to the EDPB, p. 12-13.
       535Meta IE’s Submissions of 26 September 2023, p. 15.
       536Meta IE’s Submissions of 26 September 2023, p. 15.
       537
          Meta IE’s Submissions of 26 September 2023, p. 15 (‘Ignoring [Meta IE]’s arguments, the [NO SA] claims that
       [Meta IE] can comply (i) through blanket application of the [objection mechanism] to all users across the EEA,
       and then “as a next step” (ii) expanding the [objection mechanism] to include categories of data processing




       Adopted                                                                                                   73294. According to the EDPB, the NO SA’s argument on the existence of the objection mechanism is

       reasonableatleastforwhatconcernstheprocessingcurrentlycarriedoutonthebasisofArticle6(1)(f)
       GDPR (i.e. the majority of the processing of personal data collected on Meta’s products currently
                                                                       538
       carried out for the purposes of behavioural advertising)           , also considering that Meta IE did not
       explain why for the processing based on Article 6(1)(f) GDPR a ‘redesigning’ of the mechanism would

       benecessary;also,MetaIEconfirmsthat‘allrelevantobjections’arehonouredleadingtothe‘theuser
       [being] “opted out” of this processing’   539.

295. Additionally, while certainly the imposition of a ban causes significant disadvantages to the
                  540
       controller    , the EDPB considers that such disadvantages are not at this point in time, per se,
       disproportionate compared to the harm caused to data subjects by the unlawful processing and

       continued non-compliance. In this regard, moreover, the EDPB notes that the controller was granted
       the opportunity to take remedies without facing these disadvantages. As highlighted above           541, several

       months have passed since the adoption of the IE SA Decisions and the expiry of the deadline for the
       orders to bring processing into compliance contained therein. At this stage, the controller has

       undertaken efforts to comply with the GDPR but compliance has not yet been achieved, as indicated
       in the IE SA Final Position Paper, and there is still no clear indication that compliance will be reached
       soon 542.The impositionofan orderto bringprocessing intocompliancewithin ashortdeadline didnot

       succeed in reaching the objective it pursued, consisting in ‘ensuring compliance and bringing the harm
       to the data subjects to an end’   54.



       covered by the [NO SA Order]. As the [NO SA]’s argument itself acknowledges in step (ii), compliance with the
       [NO SA Order] (or an urgent binding EDPB decision based on the [NO SA Order]) would require redesigning the

       [objection mechanism]. As a reminder, building the supporting infrastructure and rolling out the [objection
       mechanism] entailed hundreds of thousands of hours of work by multi-disciplinary teams including product,
       machine learning and infrastructure engineers, user experience designers, operations, policy, marketing and
       legal to design, build and implement the systems, processes and user experience required to enable [Meta IE] to

       meet the different requirements of Article 6(1)(f) GDPR. The [NO SA]’s speculative assertion that this could form
       some sort of instant compliance solution is fundamentally flawed’).
       538See Meta IE Compliance Report on IE SA FB Decision, paragraphs 3.1.3 and 5.8.2, and Meta IE Compliance
       Report on IE SA IG Decision, paragraphs 3.1.3 and 5.8.2. See also paragraphs 103-106 above.
       539
          Meta IE’s Merits Complaint submitted to the Oslo District Court on 16 October 2023, p. 14-15 (‘since the
       launch of the Objection Mechanism, Meta [IE] has honoured all relevant objections without qualification and
       without undertaking a balancing assessment to determine whether it has compelling legitimate grounds to
       override the user’s objection. All that is checked is that the objection (i) relates to behavioural advertising
       processing that Meta [IE] presentlyundertakes underArticle 6(1)(f) GDPR, and(ii) is submitted byagenuineuser

       based in the EU/EEA (to confirm Meta [IE] is the controller and the GDPR applies). As soon as Meta [IE]’s
       operations team have confirmed (i) and (ii) based on the limited information that the user is asked to provide,
       the user is “opted-out” of this processing’).
       This is without prejudice to the conclusion of the IE SA in the IE SA Final Position Paper whereby the compliance

       withtheGDPRoftheobjectionmechanismsetupbyMetaIEhasnotbeendemonstrated(paragraphs7.60-7.66).
       540In Meta IE’s Letter to the NO SA of 14 August 2023, Meta IE lists challenges possibly arising from ‘stopping’
       processingofpersonaldataofNorwegianusersforbehaviouraladvertisingpurposes,involvingtheneedtomake
       changestoMetaIE’scodeandrelatedinfrastructure,informusers,provideadvertiserswithappropriateadvance

       notice, waiting for users to update their apps. Meta IE also highlights the possible damage arising from a
       suspension of behavioural advertising in Norway, connected to lost revenue, reputational harm, and future
       revenue losses (p. 8-10).
       541See paragraph 290 above. See also Meta Ireland’s Submissions of 25 August 2023, p. 23-24; Letter from Meta

       542land to NO SA of 14 August 2023, p. 8-9.
         See also Meta IE’s Submissions of 25 August 2023, p. 23-24; Letter from Meta IE to NO SA of 14 August 2023,
       p. 8-9. .
       543EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287.




       Adopted                                                                                                      74296. In light of the elements above, the EDPB considers it appropriate, necessary and proportionate to
       order final measures consisting in a ban on processing, to be adopted on the basis of Article 58(2)(f)

       GDPR.

297. The EDPB considers that, in this particular case, it would be proportionate that a period of
       implementation be provided to enable Meta IE to implement it.

298. The EDPB seizes the occasion to specify that also the NO SA Order was issued on 14 July 2023 but
                                                                            544
       envisaged that it would only become applicable as of 4 August 2023      .

299. At the same time, the period of implementation should be a short one, in light of the urgency of the
       situationasdescribedextensivelyinthesectionsaboveofthisurgentbindingdecisionandinparticular

       of the urgent need to put an end to the unlawful processing being carried out to the detriment of data
       subjects.

300. AccordingtotheEDPB,inlightoftheelementsinthefile,theimplementationofabaninashortperiod

       of time should be technically and practically feasible for Meta IE. This is in particular the case
       considering that Meta IE already envisages the implementation of a consent mechanism
                       . Additionally, Meta IE has been aware of the need to bring the unlawful processing to

       an end since the notification of the IE SA Decisions adopted in December 2022.

301. Therefore, the EDPB considers that, in this particular case, it is proportionate for the ban on
       processing to be effective one week after the notification of the final measures to the controller.


302. Additionally, the EDPB clarifies that the ban should refer to Meta IE’s processing of personal data
       collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b)
       GDPRandArticle6(1)(f)GDPR.Theprocessingactivitiestowhich thebanrefersare:(i)theprocessing

       of personal data, including location data and advertisement interaction data, collected on Meta’s
       products for behavioural advertising purposes, having established in this respect the infringement of

       Article6(1)GDPRarisingfrominappropriaterelianceonArticle6(1)(b)GDPR;(ii)processingofpersonal
       data collected on Meta’s products for behavioural advertising purposes, having ascertained in this
       respect the infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(f)
            545
       GDPR    .

303. The EDPB considers that, in general, the geographical scope of the final measures ordered pursuant
       to Article 66(2)GDPR should be broader than the territory of the requesting SA. While it is provided by

       Article 66(1) GDPR that the urgent provisional measures adopted by a requesting SA only apply to the
       territory of that SA, the intervention of the EDPB aims to ensure a consistent application of the GDPR,
       in light of Articles 63 and 70 GDPR. The final measures should therefore have a broader geographical

       scope to ensure the protection of the rights and freedoms of all the data subjects affected; this scope
       can, depending on the matter, cover several Member States        546. The NO SA requested that final

       measures, if any, ‘should be applied EEA-wide, to avoid derogating from the harmonisation and
       consistency that the GDPR aims to ensure’   547. Since in this case the unlawful processing takes place
       and affect the rights and freedom of data subjects in the entire EEA, the EDPB agrees that the

       appropriate territorial scope is for the final measures to be applicable throughout the entire EEA, and


       54NO SA Order, p. 3-4.
       54A more thorough analysis can be found above in paragraphs 97-99, 103-104, 147-148 and 152-153.
       54EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the

       Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679,
       paragraph 114.
       54NO SA Request to the EDPB, p. 12.


       Adopted                                                                                              75       concurswiththeNOSAontheneedtoavoidfragmentationintheprotectionaffordedtodatasubjects.
       Limiting the scope of the final measures to the Norwegian territory would indeed lead to
       fragmentation in the protection as it would require each CSAs to adopt provisional measures on its

       own territory under Article 66(1) GDPR and to request an EDPB urgent binding decision under Article
       66(2) GDPR leading to the need to adopt final measures limited to their own territory. Such situation

       could also result in a patchwork of final measures and a fragmentation in countries where the SA has
       not acted 54.

304. The EDPB considers that the addressee of the final measures consisting of a ban on processing should

       beMetaIE,whichshalltakethenecessarymeasurestoensurecompliancewiththedecisionasregards
       processing activities in the context of all its establishments in the EEA. In line with this, and since
       Facebook Norway was subject to the NO SA Order alongside Meta IE and considering its submissions,

       Facebook Norway – which is the Norwegian establishment of Meta IE – should be informed of the
       outcome and receive a copy of the final measures and of the EDPB urgent binding decision.


       5.1.4 Conclusion

305. In light of all the elements above, the EDPB considers it necessary to order final measures, consisting
       in a ban on processing pursuant to Article 58(2)(f) GDPR.

306. This ban on processing should be addressed to Meta IE, and become effective one week after the
       notification of the final measures to them.


307. The EDPB considers that the ban should refer to Meta IE’s processing of personal data for behavioural
       advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR across the entire
       EEA, as described above in paragraphs 303-304.


       5.2   Adoption of the final measures and notification to the controller

308. The GDPR does not specify the procedural steps to be taken following the adoption of an urgent
       binding decision by the EDPB pursuant to Article 66(2) GDPR. It is however important to note that the

       two-weekdeadlineforadoptionisspecified‘byderogationfrom[...]Article65(2)[GDPR]’(Article66(4)
       GDPR). Consequently, the EDPB considers that, in addition to Article 65(2) GDPR, the procedure set by

       Article 65(5) GDPR and Article 65(6) GDPR represents a point of reference.

309. The EDPB’s urgent binding decision shall be addressed to the LSA and to all the CSAs and be binding
       on them  54. The Chair of the Board shall notify, without undue delay, the urgent binding decision to
                                                                                               550
       the supervisory authorities concerned, and inform the European Commission thereof         .

310. Taking into consideration that the final measures will have to be applicable throughout the entire EEA
       (as provided in the above sections 5.1.3 and 5.1.4), the EDPB considers that the IESA, in its role of LSA,
       will have to adopt a national decision imposing the measures that the EDPB has considered necessary



       548
          EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the
       Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679,
       paragraph 115.
       549Art. 65(2) GDPR. According to Art. 66(4) GDPR, this provision is derogated in respect of the deadline for
       adoption; therefore, the last sentence of Art. 65(2) GDPR fully applies.
       55See Art. 65(5) GDPR. Considering the fact that the NO SA was the SA making the request pursuant to Article

       66(2), the EDPB will also inform the EFTA Surveillance Authority, in light of Article 1, second paragraph, letter m
       of Decision of the EEA Joint Committee No. 154/2018.



       Adopted                                                                                               76                                                                   551
       to order as final measures pursuant to Article 66(2) GDPR      . This was already envisaged by the IE SA
       itself5.

311. While the procedure set by Article 65(5) GDPR and Article 65(6) GDPR represents a point of reference,

       as mentioned above, the EDPB considers that the deadline set in Article 65(6) for the SA to adopt its
       national decision (one month in Article 65 proceedings) may need to be shortened, on a case by case
       basis, in Article 66 proceedings. The urgency of the procedure is highlighted by the shortening of the

       deadline for the Board to adopt its urgent binding decision or opinion under Article 66(4) GDPR. It
       would therefore counterintuitive, and against the legislator’s will, to imagine that the deadline for the

       SA to adopt its national decision should remain unchanged in Article 66 proceedings. While the EDPB
       acknowledges the need for time allowing the SA to draft a national decision and possibly hear the
       company, in this particular case it is necessary to bear in mind the date of expiry of the Provisional

       Measures (3 November 2023) as well as the prolonged situation of non-compliance leading to the
       urgency of the situation as described above.

312. In this case, the EDPB considers that the national decision needs to be adopted by the IE SA without

       undue delay and at the latest by two weeks after the EDPB has notified its urgent binding decision
       totheIESAandtoalltheCSAs.TheEDPBhighlights,inthisregard,thatadoptingthenationaldecision
       prior to the expiry of the Provisional Measures on 3 November 2023 would be desirable as it would

       allow avoiding a gap in the legal situation for what concerns the Norwegian territory. Additionally, the
       IE SA will have to notify the national decision to Meta IE, attaching the urgent binding decision 553.

313. The EDPB also requests the NO SA to inform Facebook Norway about the outcome of these

       proceedings, by sharing a copy of the national decision of the IE SA and of the urgent binding decision,
       following the notification by the IE SA of its national decision to Meta IE.


       6 URGENT BINDING DECISION


314. In light of the above and in accordance with the tasks of the EDPB under Article 70(1)(t) GDPR to issue

       urgent binding decisions pursuant to Article 66 GDPR, the Board issues the following binding decision
       in accordance with Article 66(2) GDPR.

315. As regards the existence of infringements, based on the evidence provided, the EDPB concludes that
       there is an ongoing infringement of Article 6(1) GDPR arising from inappropriate reliance on Article

       6(1)(b) GDPR for processing of personal data, including location data and advertisement interaction
       data, collected on Meta’s products for behavioural advertising purposes.

316. The EDPB also concludes that there is an ongoing infringement of Article 6(1) GDPR arising from

       inappropriate reliance on Article 6(1)(f) GDPR for processing personal data collected on Meta’s
       products for behavioural advertising purposes.

317. In addition, the EDPB concludes that Meta IE is currently in breach of its duty to comply with decisions

       by supervisory authorities.


       55See Art. 65(6) GDPR.
       55The IE SA considers theNO SA Requestto the EDPB seeksto obtain an urgentbindingdecision from the EDPB,
       ‘the net effect of which would be to compel the [IE SA], as LSA, to impose an EEA-wide ban (...) (In that regard, it
       is ofcoursethecasethat itisnotopentotheEDPBtoexercise correctivepowersdirectly asagainst any controller

       553processor)’. Letter from the IE SA to the NO SA of 13 October 2023, p. 3.
         As described in Art. 65(6) GDPR and paragraph 308 above.



       Adopted                                                                                                77318.   On the existence of urgency, the EDPB considers that, the urgent need to order final measures is clear
       in light of the risks that the infringements represent for the rights and freedoms of the data subjects
                                                554
       without the adoption of final measures      . Because of such risks, the EDPB also finds that there is a
       need to derogate from the regular cooperation and consistency mechanisms to order final measures
       due to the urgency of the situation 555.


319. The EDPBalsoconsiders that the IE SA, bynot providing theinformation referredin Article 61(5) GDPR
       within the one-month deadline, failed to address the NO SA Mutual Assistance Request and that the
       presumption of urgency set by Article 61(8) GDPR is therefore applicable in this specific case, which

       further corroborates the need to derogate from the regular cooperation and consistency
       mechanisms   55.

320. ConsideringtheexistenceoftheaforementionedongoinginfringementsoftheGDPRandtheexistence

       of an urgent need to act despite the ongoing process led by the IE SA, the EDPB considers that, at this
       point of time, further enforcement measures are necessary.

321. Therefore,inlightoftheanalysiscarriedoutabove         557theEDPBconsidersitappropriate,proportionate

       and necessary to order final measures, consisting in a ban on processing pursuant to Article 58(2)(f)
       GDPR.

322. This ban on processing should be addressed to Meta IE, and become effective one week after the

       notification of the final measures to them.

323. The EDPB considers that the ban should refer to Meta IE’s processing of personal data collected on
       Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article

       6(1)(f) GDPR across the entire EEA. The processing activities to which the ban refers are: (i) the
       processing of personal data, including location data and advertisement interaction data, collected on
       Meta’s products for behavioural advertising purposes, having established in this respect the

       infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(b) GDPR; (ii)
       processing of personal data collected on Meta’s products for behavioural advertising purposes, having

       ascertained in this respect the infringement of Article 6(1) GDPR arising from inappropriate reliance
       on Article 6(1)(f) GDPR.

324. The EDPB instructs the IE SA to adopt a national decision containing the final measures ordered by the
       EDPBwithoutunduedelayandatthelatestbytwoweeksaftertheEDPBhasnotifieditsurgentbinding

       decision to the IE SA and to all the CSAs. The IE SA shall notify the national decision, attaching the
       urgent binding decision of the EDPB, to Meta IE without undue delay.

325. The EDPB instructs the NO SA to inform Facebook Norway about the outcome of these proceedings.



       7 FINAL REMARKS


326. This urgent binding decision is addressed to the IE SA, the NO SA and all the other CSAs.

327. TheEDPBconsidersthatitscurrentdecisioniswithoutanyprejudicetoanyassessmentstheEDPBmay
       be called upon to make in other cases, including with the same parties.



       55See section 4.2.1.3 above.
       555
       556ee paragraph 220 above.
         See section 4.2.2.3 above, including paragraph 257.
       55See Sections 5.1.3 and 5.1.4 above.


       Adopted                                                                                                78328. TheIESAshalladoptitsnationaldecisionnolaterthantwoweeksafternotificationoftheEDPBurgent

      binding decision.

329. The IE SA shall notify its national decision and this urgent binding decision to Meta IE without undue
      delay. The IE SA shall inform the EDPB of the date when the national decision is notified to the
      controller.

330. The NO SA shall inform Facebook Norway of the outcome of these proceedings without undue delay

      after the notification of the national decision to Meta IE.

331. The IE SA will communicate itsfinal decisionto the EDPB.Pursuant to Article 70(1)(y)GDPR, theIE SA’s
      final decision communicated to the EDPB will be included in the register of decisions that have been
      subject to the consistency mechanism.



      For the European Data Protection Board

      The Chair

      (Anu Talus)











































      Adopted                                                                                            79