EDPB - Urgent Binding Decision 01/2023
From GDPRhub
| EDPB - Urgent Binding Decision 01/2023 | |
|---|---|
 | |
| Authority: | EDPB |
| Jurisdiction: | European Union |
| Relevant Law: | Article 6(1)(f) GDPR Article 6(1)(b) GDPR Article 58(2)(f) GDPR Article 60 GDPR Article 61 GDPR Article 66 GDPR Article 66(2) GDPR Article 41 CFREU |
| Type: | Other |
| Outcome: | n/a |
| Started: | 26.09.2023 |
| Decided: | 27.10.2023 |
| Published: | 07.12.2023 |
| Fine: | n/a |
| Parties: | Meta Platfroms Ireland Ltd |
| National Case Number/Name: | Urgent Binding Decision 01/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | co |
The EDPB issued an urgent binding decision pursuant to Article 66(2) GDPR ordering a ban on Meta Platforms Ireland’s processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR .
English Summary
Facts
On 31 December 2022, the Irish DPC as Lead Supervisory Authority in a cross-border case, issued two final decisions concerning, respectively Meta’s Facebook and Instagram services as controllers. These were adopted on the basis of two binding decisions by the EDPB, Binding Decisions 3/2022 and 4/2022 adopted by the EDPB on 5 December 2022 pursuant to Article 65(1)(a) GDPR.
On 5 April 2023, the DPC communicated to the concerned supervisory authorities via the IMI system Meta’s compliance reports showing their efforts to comply with the decisions by the DPC. In these reports, Meta stated that it changed its legal basis for behavioural advertising from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR, backed by a Legitimate Interest assessments. These documents were submitted to the CSAs so that they could assess whether the measures adopted by Meta could be considered effective in guaranteeing compliance with the orders in the DPC decision.
The Norwegian DPA (Datatilsynet) communicated to the DPC that it had doubts regarding the legitimacy of Meta’s choice of Article 6(1)(f) GDPR as a legal basis. Thereafter, the DPC shared two other letters from Meta to the CSAs substantiating its compliance efforts and the CSAs submitted their opinion to the DPC which were then sent back to Meta for feedback. On 5 May 2023, the Norwegian DPA transmitted a mutual assistance request to the DPC under Article 61(1) GDPR, asking the DPC to order a temporary ban on Meta’s processing for purposes of behavioural advertising based on Article 6(1)(f) GDPR and requesting the DPC to specify how it will ensure that Meta complies with Article 6(1) GDPR. On 30 May 2023, the Dutch DPA also asked the Irish DPC to provide its conclusions on the compliance efforts undertaken by Meta in a mutual assistance request under Article 61 GDPR. The DPC stated that it would be able to respond to the mutual assistance requests and draw its conclusion on the compliance reports only at the end of June 2023. The DPC also replied to the Norwegian DPA request for mutual assistance stating that it could not comply with it and the Norwegian DPA asked the DPC to at least inform it as to whether it would follow the Norwegian DPA’s mutual assistance request.
On 13 June 2023, the DPC stated that it would do so only after the delivery of CJEU judgment in case C-252/21 Meta Platforms and Others v Bundeskartellamt in July. Following the publication of judgment, the Irish DPC issued a provisional position paper with its preliminary conclusion on 11 July 2023, stating that Meta failed to comply with the orders of its decisions. The DPC’s provisional position paper was then submitted to the CSAs for feedback.
On 14 July 2023, the Norwegian DPA imposed a temporary ban on Meta and Facebook Norway on the processing of personal data of Norwegian data subjects for purposes of behavioural advertising based on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. After a further set of exchanges between Meta and the Norwegian DPA, and Meta’s statement that it would shift to Article 6(1)(a) GDPR as a legal basis, the Norwegian DPA imposed a coercive fine on Meta and Facebook Norway for non-compliance with its order.
On 18 August 2023, the DPC communicated to the CSAs its final position on Meta’s compliance with tis decisions and concluded that Meta failed to demonstrate compliance but that it is reasonable to give Meta a chance to rely on consent as a legal basis. On 21 September 2023, the Norwegian DPA submitted to the DPC its view on the state of the proceedings and argued that it still considered the adoption of urgent measures necessary, asking the DPC to reconsider its position.
Given the negative response of the DPC, on 26 September 2023 the Norwegian DPA made a request to the EDPB to issue an urgent binding decision under Article 66(2) GDPR, asking that final measures be adopted.
Holding
First of all, the EDPB Secretariat assessed the request and asked the Norwegian DPA to submit further documentation paying particular attention to scrutinize the right to good administration under Article 41 CFREU. On 17 October, the EDPB assessed the completeness of the file and established its competence to deal with the request to issue an urgent binding decision.
1. Competence of the EDPB
For the EDPB to be competent to issue an urgent binding decision, two conditions must be given, namely: that a DPA has taken provisional measures under Article 66(1) GDPR and the same DPA made a request to issue a binding decision under Article 66(2) GDPR. In this case, the Norwegian DPA followed these two steps, hence the EDPB considered itself competent to deal with the request.
2. The right to good administration
In the second place, the EDPB made sure to act in accordance with the right to good administration under Article 41 of the Chartere of Fundamental Rights of the European Union (CFREU) and Article 11(1) of the EDPB Rules of Procedure. It also considered Meta’s position and ascertained that all the documents it received were also known to Meta, so that the procedure would respect Meta’s right to be heard. The EDPB concluded that Meta did not have an opportunity to make its views known on the procedure and asked Meta to provide written submissions.
3. On the need to request final measures
Further, the EDPB considered whether the adoption of urgent final measures was necessary, which is the case when one or several infringements exist and when an urgency situation justifies derogation from the ordinary procedure.
3.1.Infringments of the GDPR
First, as regards the existence of GDPR infringement(s) by Meta, the EDPB considered both the position of the Norwegian DPA and of the DPC in relation to the reliance of Meta on Article 6(1)(b) GDPR for behavioural advertising. The EDPB concluded that Meta was still processing location data and advertisement interaction data for purposes of behavioural advertising relying on Article 6(1)(b) GDPR, although it was previously declared unlawful by the DPC. Hence the EDPB held that Meta was still acting in violation of Article 6(1) GDPR.
Secondly, the EDPB assessed whether Meta was still processing personal data for purposes of behavioural advertising on the basis of Article 6(1)(f) GDPR. The EDPB considered that in line with the DPC’s decision, Meta was supposed to bring its processing into compliance with Article 6(1) GDPR, specifying that it may include but is “not limited to the identification of an appropriate alternative legal basis”.
The EDPB assessed the existence of the three cumulative conditions needed to satisfy the requirements of Article 6(1)(f) GDPR and concluded that Meta unlawfully relied on Article 6(1)(f) GDPR as a legal basis, since:
“the interests and fundamental rights of data subjects override the legitimate interests put forward by Meta IE for the processing of personal data collected on Meta’s products for the purposes of behavioural advertising”
In light of these findings, the EDPB concluded that there was an ongoing infringement of Article 6(1) GDPR by Meta.
Thirdly, the EDPB considered Meta’s infringement of the duty to comply with decisions by supervisory authorities, against Article 60(10) GDPR, which constitutes an independent violation of the GDPR. On he basis of the positions of the Irish and Norwgian DPAs, the EDPB held that:
“Meta IE did not achieve compliance with the IE SA Decisions within the deadline for compliance and is therefore currently in breach of its duty to comply with decisions by supervisory authorities.”
3.2. Urgency
The EDPB reiterated in its decision that the issuing of an urgent binding decision is an exceptional circumstance and it can only be granted if the regular consistency mechanism cannot be applied due to such urgency, as per Article 66(2) GDPR.
First, the EDPB assessed the existence of urgency on the basis of the position of the Norwegian DPA, the elements in the file and the circumstances of the infringement, that is the nature, gravity, duration and number of data subjects affected by the infringement. In this regard, the EDPB held, as it also previously stated in its binding decisions that the nature and gravity of the infringements were significant. Also the duration of the infringement was considered that:
“the fact that the processing activities are still performed without reliance on an appropriate legal basis represents an element in favour of concluding that there is an urgent need for final measures to be adopted”.
Hence the EDPB concluded that “failing to put an end to the processing activities at stake and to enforce the IE SA Decisions exposes data subjects to a risk of serious and irreparable harm”.
Secondly, the EDPB addressed the necessity to derogate from the standard cooperation and consistency mechanism, and it concluded that the fact that the DPC did not adopt any final measures to put an end to Meta’s GDPR infringements despite the risk of serious and irreparable harm for data subjects “shows that the regular cooperation and consistency mechanism is not providing satisfactory results”.
Thirdly, the EDPB examined whether the legal presumption of urgency provided in Article 61(8) GDPR was given in the case in question. Under Article 61(8) GDPR, if a DPA does not provide the information requested in a mutual assistance request within one month, urgency will be presumed. In this case, the Norwegian DPA had made such a request but received an unmotivated negative answer from the Irish DPC. The EDPB reiterated the importance of the cooperation mechanism and the fact that mutual assistance is at the core of such cooperation. Further, the authorities receiving a mutual assistance request have a series of procedural and substantive obligations under Article 61 GDPR to respond to such request. The EDPB also stressed that the mutual assistance request is a one-to-one procedure between the requesting and requested authorities. From a procedural point of view, the EDPB considered that the Irish DPC fulfilled its duty to respond to the request within the established time limit. As regards the substance of the reply by the DPC, however, the EDPB held that even though the DPC later explained that its answer that it could not comply with the request was a mistake, the DPC
“does not state it tried to amend its answer – for instance to provide the reasons for any refusal to comply with the request - or sought assistance to do so within the one-month deadline.”
Under Article 61(4) GDPR, the DPC might have refused to comply with the request but it also needed to give reasons explaining that compliance would infringe the GDPR or Member state law. Hence, the EDPB concluded that the DPC failed to provide a substantive reasoned response to the Norwegian DPA’s mutual assistance request within one month, thus the urgency could be presumed in accordance with Article 61(8) GDPR.
4. On the appropriate final measures
In its last point, the EDPB considered all the elements brought forward by the DPAs and the nature, gravity and duration of the infringements by Meta in order to assess the appropriateness of a ban on processing as a final measure. In particular, the seriousness of the infringement and the fact that the deadline for compliance had expired three months before, “provide arguments in favour of considering that the imposition of a ban would be appropriate, necessary and proportionate today”.
As a consequence, the EDPB ordered a ban on processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR, pursuant to Article 58(2)(f) GDPR, to be effective one week after notification to Meta. The EDPB added that the geographical scope of the measures should extend to the entire EEA.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Urgent Binding Decision 01/2023 requested by the
Norwegian SA for the ordering of final measures regarding
Meta Platforms Ireland Ltd (Art. 66(2) GDPR)
Adopted on 27 October 2023
Adopted 1Table of contents
1 Summary of facts............................................................................................................................. 4
1.1 Summary of the relevant events............................................................................................. 4
1.2 Submission of the request to the EDPB and related events ................................................. 14
2 Competence of the EDPB to adopt an urgent binding decision under Article 66(2) GDPR.......... 15
2.1 The SA has taken provisional measures under Article 66(1) GDPR....................................... 15
2.2 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the EEA.......... 16
2.3 Conclusion............................................................................................................................. 16
3 The right to good administration.................................................................................................. 16
4 On the need to request final measures......................................................................................... 17
4.1 On the existence of infringements........................................................................................ 17
4.1.1 On the infringement of Article 6(1) GDPR..................................................................... 18
4.1.2 On the infringement of the duty to comply with decisions by supervisory authorities42
4.2 On the existence of urgency to adopt final measures by way of derogation from the
cooperation and consistency mechanisms ....................................................................................... 45
4.2.1 On the existence of urgency and the need to derogate from the cooperation and
consistency mechanisms............................................................................................................... 46
4.2.2 On the application of a legal presumption of urgency justifying the need to derogate
from the cooperation and consistency mechanisms.................................................................... 56
4.2.3 Conclusion as to the existence of urgency.................................................................... 65
5 On the appropriate final measures............................................................................................... 65
5.1 Content of the final measures............................................................................................... 65
5.1.1 Summary of the position of the NO SA ......................................................................... 65
5.1.2 Summary of the position of Meta IE and Facebook Norway ........................................ 66
5.1.3 Analysis of the EDPB...................................................................................................... 69
5.1.4 Conclusion..................................................................................................................... 76
5.2 Adoption of the final measures and notification to the controller....................................... 76
6 Urgent Binding Decision................................................................................................................ 77
7 Final remarks................................................................................................................................. 78
Adopted 2The European Data Protection Board
Having regard to Article 66 of Regulation 2016/679/EU of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) (hereinafter ‘GDPR’) ,
HavingregardtotheEEAAgreementandinparticulartoAnnexXIandProtocol37thereof,asamended
by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 , 2
Having regard to Articles 11, 13, 23 and 39 of the EDPB Rules of Procedure 3, hereinafter the ‘EDPB
RoP’.
Whereas:
(1) The main role of the European Data Protection Board (hereinafter the ‘EDPB’ or the ‘Board’) is to
ensurethe consistentapplicationoftheGDPRthroughoutthe EEA.Tothiseffect,itcanadopt opinions
and binding decisions under different circumstances described under Articles 63 to 66 GDPR, within
the consistency mechanism. The GDPR also established a cooperation mechanism, as it follows from
Article 60 GDPR that the lead supervisory authority (hereinafter ‘LSA’) shall cooperate with the other
supervisory authorities concerned (hereinafter ‘CSAs’) in an endeavour to reach consensus.
(2) Pursuant to Article 66(1) GDPR, in exceptional circumstances, where a supervisory authority (‘SA’)
considers that there is an urgent need to act in order to protect the rights and freedoms of data
subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64
and65GDPRortheprocedurereferredtoinArticle 60GDPR,immediatelyadoptprovisionalmeasures
intended to produce legal effects on its own territory with a specified period of validity which shall not
exceed three months.
(3)InaccordancewithArticle66(2)GDPR,whereasupervisoryauthorityhastakenameasurepursuant
to Article 66(1) GDPR and considers that final measures need urgently be adopted, it may request an
urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such
opinion or decision.
(4) In accordance with Article 13(2) EDPB RoP, the supervisory authority requesting an urgent binding
decision shall submit any relevant document. When necessary, the documents submitted by the
competent supervisory authority shall be translated into English by the EDPB Secretariat. Once the
Chair and the competent supervisory authority have decided that the file is complete, it is
communicated via the EDPB Secretariat to the members of the Board without undue delay.
(5)Pursuant to Article 66(4)GDPR and Article 13(1) EDPB RoP, the urgent binding decision of the EDPB
shall be adopted by simple majority of the members of the EDPB within two weeks following the
decision by the Chair and the competent supervisory authority that the file is complete.
1
2OJ L 119, 4.5.2016, p. 1.
References to ‘Member States’ made throughout this decision should be understood as references to ‘EEA
Member States’. References to ‘EU’ should be understood, where relevant, as references to ‘EEA’.
3EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 6 April 2022.
Adopted 3 1 SUMMARY OF FACTS
1. This document contains an urgent binding decision adopted by the EDPB pursuant to Article 66(2)
GDPR, following a request made by the Norwegian supervisory authority - ‘Datatilsynet’ (hereinafter,
the ‘NO SA’) within the framework of the urgency procedure under Article 66 GDPR.
1.1 Summary of the relevant events
2. On 31 December 2022, the Irish supervisory authority (‘Data Protection Commission’, hereinafter the
‘IE SA’) issued a final decision concerning the inquiry IN-18-5-5 (hereinafter, the ‘IE SA FB Decision’,
related to the Facebook Service)and a final decision concerning the inquiry IN-18-5-7 (hereinafter, the
‘IE SA IG Decision’, related to the Instagram Service) in which it found that Meta Platforms Ireland Ltd
(hereinafter, ‘Meta IE’) did not rely on a valid legal basis for processing personal data for behavioural
4
advertising purposes . These two decisions (hereinafter, collectively, the ‘IE SA Decisions’) were
adopted on the basis of EDPB Binding Decisions 3/2022 and 4/2022, adopted by the EDPB pursuant to
5
Article 65(1) (a) GDPR on 5 December 2022 (hereinafter, the ‘EDPB Binding Decisions’) .
3. Each of the IE SA Decisions concluded that Meta IE was not entitled to rely on Article 6(1)(b) GDPR to
carry out processing of personal data for the purpose of behavioural advertising in the context of the
Facebook Terms of Service / Instagram Terms of Use and included an order, addressed to Meta IE, to
bring its processing of personal data for behavioural advertising purposes into compliance with Article
7
6(1) GDPR within three months .
4. On 5 April 2023, the IE SA shared with the CSAs , using the Internal Market Information system
9
(hereinafter, ‘IMI’) , Meta IE’s compliance reports regarding the Facebook Service (IN-18-5-5) and the
Instagram Service (IN-18-5-7) (hereinafter collectively, the ‘Meta IE Compliance Reports’ or the
10
‘Compliance Reports’) and supporting material that Meta IE submitted to the IE SA on 3 April 2023
4 Decision of the Irish Data Protection Commission of 31 December 2022, DPC Inquiry Reference: IN-18-5-5,
concerning a complaint directed against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in
respect of the Facebook Service (the ‘IE SA FB Decision’); Decision of the Irish Data Protection Commission of 31
December 2022, DPC Inquiry Reference: IN-18-5-7, concerning a complaint directed against Meta Platforms
Ireland Limited (formerly Facebook Ireland Limited) in respect of the Instagram Service (the ‘IE SA IG Decision’).
5 EDPB Binding Decision 3/2022, adopted on 05 December 2022 (hereinafter ‘EDPB Binding Decision 3/2022’);
EDPB Binding Decision 4/2022 adopted on 05 December 2022 (hereinafter ‘EDPB Binding Decision 4/2022’). In
each of these binding decisions the EDPB instructed the IE SA to alter its Finding 2 of its Draft Decision, which
concluded that Meta IE may rely on Art. 6(1)(b) GDPR in the context of its offering of the Facebook Terms of
Service or the Instagram Terms of Use and to include an infringement of Art. 6(1) GDPR based on the
shortcomings that the EDPB has identified in the EDPB Binding Decisions. The reasoning of the EDPB is available
in paragraphs 94-133 and 484 of EDPB Binding Decision 3/2022 and in paragraphs 97-137 and 451 of EDPB
Binding Decision 4/2022.
6IE SA FB Decision, Finding 2, p. 49; IE SA IG Decision, Finding 2, p. 49.
7 IE SA FB Decision, paragraphs 8.8, 10.44; IE SA IG Decision, paragraphs 212, 417. The deadline for compliance
8ith the orders in the IE SA Decisions fell on 5 April 2023.
In the cases leading to the adoption of the IE SA Decisions, all EEA SAs were CSAs pursuant to the GDPR (IE SA
FB Decision, Schedule 1, paragraph 1.10; IE SA IG Decision, Appendix 1 - Schedule 1, paragraph 6).
9More specifically, the IE SA shared on 5 April 2023 the Meta IE Compliance Reports via two IMI workflows, one
for the IE SA FB Decision and one for the IE SA IG Decision respectively (hereinafter, collectively, the ‘IE SA IMI
Informal Consultations’ or the ‘IMI Informal Consultations’).
10Meta IE’s Compliance Report regarding the Facebook Service (IN-18-5-5) of 3 April 2023 (hereinafter, ‘Meta
IE Compliance Report on IE SA FB Decision’), paragraphs 2.1 and 2.3 and Meta IE’s Compliance Report
Adopted 4 with the aim of showing compliance with the IE SA Decisions. In its Compliance Reports, Meta IE
indicated that it changed its legal basis for the majority 11of its processing of personal data for
behavioural advertising purposes from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR as of 5 April 2023,
which was the deadline for compliance with the IE SA Decisions . Specifically for reliance on Article
13
6(1)(f) GDPR, Meta IE provided legitimateinterests assessmentsas supporting materials (hereinafter
collectively, the ‘Meta IE Legitimate Interests Assessments’). Without providing its own analysis on
the Compliance Reports, the IE SA invited all the CSAs to assess the extent to which the measures
implemented by Meta IE achieved compliance with the orders in the IE SA Decisions and welcomed
feedback from the CSAs by 5 May 2023. The deadline was later on extended to 15 May 2023 . 14
5. Onthesameday,theNOSAemailedtheIESAinrespectofMetaIE’schangeoflegalbasistolegitimate
interest, expressing strong doubts as to whether this legal basis could be validly relied on and asking
for the IE SA’s preliminary view on this.
6. On 6 April 2023, upon request of the IE SA, the EDPB Secretariat circulated a message from the IE SA
to the members of the Enforcement expert subgroup within the EDPB. Such message aimed to attract
15
allCSAs’attentiontotheIESAIMIInformalConsultationscirculatedbytheIESAviaIMI .Onthesame
day, the IE SA replied to the NO SA’s email of 5 April 2023, pointing to the message from the IE SA to
the CSAs circulated by the EDPB Secretariat.
7. On 13 April 2023, the IE SA shared with the CSAs via IMI two further letters from Meta IE (one on the
IE SA FB Decision and one on the IE SA IG Decision) dated 12 April 2023, providing further information
on its compliance efforts in relation to the IE SA Decisions.
8. On 14 April 2023, the NO SA responded negatively to a meeting request from Meta IE dated 28 March
2023, pointing out that the case is handled by the IE SA as the LSA.
9. Some CSAs asked for clarifications on the procedure being followed, for example on the reasons why
the IE SA did not at that point share its assessment of Meta IE’s compliance with the orders in the IE
SA Decisions. The IE SA clarified, first, that the assessment of compliance with the orders in the IE SA
Decisions would be carried out on a joint basis, more specifically by way of an assessment carried out
by the CSAs at the same time as the LSA, and that this sequencing of the process was aimed to ensure
a timely and consistent approach, in line with the deadline for compliance determined by the EDPB,
regarding the Instagram Service (IN-18-5-7) of 3 April 2023 (hereinafter, ‘Meta IE Compliance Report on IE SA
11 Decision’), paragraphs 2.1 and 2.3.
According to the Compliance Reports, Meta IE continued to process limited categories of non-behavioural
information toshow advertising onFacebook or Instagrambased onArt. 6(1)(b) GDPR. See Meta IE Compliance
Report on IE SA FB Decision, paragraphs 3.1.3 and 5.8.2, and Meta IE Compliance Report on IE SA IG Decision,
paragraphs 3.1.3 and 5.8.2.
12
Meta IE Compliance Report on IE SA FB Decision, paragraph 2.1; Meta IE Compliance Report on IE SA IG
Decision, paragraph 2.1.
13Meta IE’s Legitimate Interests Assessments Behavioural Advertising Processing of 3 April 2023, Annex 4 to
Meta IE Compliance Report on IE SA FBDecision and Annex 4 toMeta IE ComplianceReport on IE SA IG Decision.
14Following requests from two of the CSAs, the deadline to share feedback was extended until 15 May 2023. In
15ct, the IE SA waited for a few more days, giving the opportunity to further CSAs to share their views.
In the same message, the IE SA also specified: ‘As you will also recall, IE SA confirmed, during the Article 65
[GDPR] discussions, that any assessment of compliance with the orders made [in the IE SA Decisions] would be
carried out on a joint basis, the same as in previous cases, whereby the IE SA together with all CSAs would jointly
assess the extent to which any action taken has achieved compliance with the terms of the order’.
Adopted 5 formulated on the basis that urgent action was required to be taken by Meta IE to address the
16 17
infringement . The IE SA also clarified that it would not issue a new draft decision .
10. Several CSAs provided their feedback on the way in which Meta IE complied with the IE SA Decisions.
• The Österreichische Datenschutzbehörde (Austrian supervisory authority - hereinafter, the ‘AT
SA’) shared its views that processing operations in connection with behavioural advertising
could not be based on Article 6(1) (f) GDPR . 18
• The Integritetsskyddsmyndigheten (Swedish supervisory authority - hereinafter, the ‘SE SA’)
stressed the importance of adhering to any applicable EDPB guidelines 19.
• The Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (hereinafter, the ‘DE
Hamburg SA’) shared its views stating that ‘at this stage, consent would be the only possible
legal basis to comply with’ the orders in the IE SA Decisions, and expressing concerns regarding
the indications that sensitive data are processed without consent and regarding the processing
activities for which Meta IE continued to rely upon Article 6(1)(b) GDPR . 20
• The Autoriteit Persoonsgegevens (Dutch supervisory authority - hereinafter the ‘NL SA’) shared
its views that ‘the interests listed by [Meta IE] in the/its Legitimate Interest Assessment cannot
be considered as “legitimate interests” in the sense of Article 6(1) (f) GDPR’, the processing of
personal data is not ‘necessary’ for the purpose of the declared interests, and the ‘fundamental
rights and freedoms of the data subject override the interest of [Meta IE] and the third parties
21
involved’ .
• The NO SA transmitted on 5 May 2023 a formal mutual assistance request under Article 61 (1)
22
GDPR (hereinafter, the ‘NO SA Mutual Assistance Request’) to the LSA using the dedicated
16
These clarifications were made by the IE SA on 26 April 2023 as a reply to a question of the FR SA of 25 April
2023 made in the IE SA IMI Informal Consultations.
17The SE SA asked for clarification on the procedure being followed on 4 May 2023 via the IMI Informal
Consultations. The IE SA replied on 5 May 2023.
18
TheseviewsweresharedasareplytotheIESAIMIinformalconsultationconcerningonlytheIESAFBDecision
(Comment of the AT SA of 18 April 2023), see footnote 9. The AT SA also indicated that a balancing test was also
difficult because the term ‘Behavioural Advertising Processing’ was not defined in the Privacy Policy and what
this actually entailed was not entirely clear. The AT SA also made reference to the reasoning in its relevant and
reasonedobjectiontotheIESA’sdraftdecision intheprocedureleading totheadoptionoftheIESA FBDecision.
19
Comment of the SE SA of 4 May 2023 as a reply to the IE SA IMI Informal Consultations, see footnote 9.
20Commentofthe DE Hamburg SAof4May2023as areply to the IE SA IMI InformalConsultations,see footnote
9. In its comments, the DE Hamburg SA stated that there ‘are strong indications that sensitive data stemming
from different sources are processed without consent against the Art. 9 (1) GDPR’ and that ‘consent [is] the only
possible legal basis for that kind of processing’ and made further remarks on this issue. The DE Hamburg SA also
stated that the ‘processing described or indicated in the updated Terms of Use and [Meta IE] Privacy Notice
cannot be based on Art. 6 (1) (b) GDPR’.
21CommentoftheNLSAof4May2023,paragraph3-attachedasareplytotheIESAIMIInformalConsultations,
see footnote 9. The NL SA, in its comments, also ‘urgently asks the [IE SA] to swiftly undertake adequate actions
in order to cease the continuous illegality of the invasive processing of personal data of millions of users’
(paragraph 4). In addition to providing detailed views on the applicability of Art. 6(1)(f) GDPR (paragraphs 8-63),
theNLSAalsostresseditsconcernsabouttheprocessingofspecialcategoriesofdataandaboutthecompatibility
of the processing of the amount of data at stake with the principles of data minimisation and purpose limitation
(paragraphs 6-7).
22Comment of the NO SA of 5 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote 9),
attaching a copy of the NO SA Mutual Assistance Request introduced on 5 May 2023.
Adopted 6 IMI flow 23. The NO SA requested the IE SA to (1) issue a temporary ban on Meta IE’s processing
ofpersonaldataforbehaviouraladvertisingpurposesbasedonArticle6(1)(f)GDPRand(2)share
a timeline with the NO SA and the CSAs specifying how the IE SA will ensure in an expedient
manner that Meta IE complies with Article 6(1) GDPR.
• The Agencia Española de Protección de Datos (Spanish supervisory authority - hereinafter the
‘ES SA’) shared its views stating that ‘the submitted Legitimate Interest Assessment does not
demonstrate that the processing carried out by [Meta IE] with the purpose of behavioural
advertisement be based on Article 6(1)(f) GDPR since it does not meet the requirements of this
Article’ .
• The Tietosuojavaltuutetun toimisto (Finnish supervisory authority - hereinafter the ‘FI SA’)
shared its views on 15 May 2023 that ‘based on the information available, it does not seem that
[Meta IE] would have brought all its processing activities into compliance with the GDPR and
25
would meet the requirements of the GDPR’ .
• In addition, the Garante per la protezione dei dati personali (Italian supervisory authority -
hereinafter, the ‘IT SA’) shared its views on 23 May 2023 saying that ‘[Meta IE’s] proposal is not
such as to adequately implement the order to bring the processing into compliance insofar as it
misclassifies part of the user-related information and thereby applies the legal basis of
23The formal NO SA Mutual Assistance Request contained two requests labelled as follows: ‘Pursuant to Art.
61(1) GDPR,thefollowingrequestsaremade:i.Wekindly requestthattheIESAissuesatemporarybanon[Meta
IE]’s processing of personal data for behavioural advertising purposes on Facebook and Instagram based on Art.
6(1)(f) GDPR, in accordance with Art. 58(2)(f) GDPR. The ban should last until the lead and concerned supervisory
authorities are satisfied that [Meta IE] has provided adequate and sufficient commitments to ensure compliance
withArt.6(1)GDPRandArt.21GDPR,inlinewithArt.31GDPR.Thiswillgiveustheopportunitytofurtherengage
with [Meta IE] and make sure that it commits to fully respect its obligations under the GDPR, while preventing
any further risks for data subjects stemming from [Meta IE]’s non-compliant behavioural advertising practices.
Please note that in our view, behavioural advertising includes any activities where advertising is targeted on the
basis of a data subject’s behaviour or movements, including advertising based on perceived location’. ii. ‘We
kindly requestthat the IE SA shares a timeline specifying how it will ensure in an expedient manner that [Meta IE]
complies with Art. 6(1) GDPR. We should be grateful if the IE SA, by 5 June 2023, would share the timeline and
confirm that a temporary ban will be issued. If the IE SA is not in a position to comply with our request regarding
[Meta IE], we may need to consider our options in relation to the adoption of provisional measures in Norway
pursuant to Art. 66 GDPR. We hope that this will not be necessary and look forward to cooperating further with
the IE SA within the framework of the cooperation mechanisms set out in Chapter VII GDPR’.
24These views were shared as a reply in the IESA IMI informal consultation concerning only the IE SA IG Decision
(Comment of the ES SA of 12 May 2023). More specifically, the ES SA argued that the interests listed by Meta IE
are ‘purely economic or commercial interests’ of Meta IE or third parties, and that in respect of the condition of
necessity of the processing ‘the direct link between the processing and the legitimate interest should be
established and prove that there are no less intrusive alternatives for the data subjects that could serve the
interest equally effectively’ (p. 4). The ES SA also noted some shortcomings in the balancing test carried out by
25ta IE (Comment of the ES SA of 12 May 2023, p. 5).
Comment of the FI SA of15 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote9). More
specifically, the FI SA expressed doubts about legitimate interest being the most suitable legal basis in the case
at hand and argued that the Legitimate Interests Assessment carried out by Meta IE ‘seems to be rather one-
sided and superficial and fails to convince why the interests of [Meta IE] or third parties should override the
interests and fundamental rights of the data subjects’ (Comment of the FI SA of 15 May 2023, p. 2) and ‘fails to
take duly into consideration the volume of the processing and the high number of users of the said services’
(CommentoftheFISAof15May2023,p.2-3).TheFISAalsonotedthatcertaincategoriesofpersonaldataseem
to still be unlawfully collected for behavioural advertising purposes under Art. 6(1)(b) GDPR (Comment of the FI
SA of 15 May 2023, p. 2).
Adopted 7 contractual performance under Article 6(1)(b) GDPR to the serving of ads which, actually, are
behavioural in nature’ 26; the IT SA also highlighted some concerns concerning the switch to
27
legitimate interest for the other processing activities for behavioural advertising purposes .
11. The IE SA shared with Meta IE the feedback received from the CSAs and invited Meta IE to provide
28
submissions on these views by 2 June 2023 .
12. On 30 May 2023, the NL SA sent the IE SA a request for mutual assistance under Article 61 GDPR
(hereinafter, the ‘NL SA Mutual Assistance Request’) asking the IE SA to provide its conclusion as to
whether Meta IE could rely on Article 6 (1) (f) GDPR, its conclusion as to whether Meta IE complies
with the IE SA Decisions and as to a timeframe, which appropriate and expedient action will be taken
to ensure that Meta IE acts in compliance with Article 6 GDPR . 29
13. On 31 May 2023, the IE SA provided an update to all CSAs via the IE SA IMI Informal Consultations
(hereinafter, the ‘IE SA Update to CSAs of 31 May 2023’, informing them about the NL SA Mutual
Assistance Request and highlighting that it will be in a position to complete its own assessment of the
Meta IE Compliance Reports and share its assessment with the NO SA and NL SA (who lodged Article
61 GDPR requests) and all other CSAs by the end of June 2023. In particular, the IE SA indicated that
theyhad‘receivedalloftheassessmentsfromCSAs’and‘forwardedthemto[MetaIE]forittoconsider
the views expressed and to detail any changes that it proposes to implement on foot of the CSA
assessments’. Furthermore, the IE SA stated that it will ‘complete its own assessment of [Meta IE]’s
compliance reports’ after receiving Meta IE’s response. The IE SA also stated ‘it will be in a position to
complete its own assessment of [Meta IE]’s compliance reports and to share its assessment with the
Norwegian and Dutch supervisory authorities (both of which have lodged Article 61 requests for
mutual assistance) and with all other CSAs by the end of June 2023’.
14. Also, on 31 May 2023, Meta IE sent a letter to the IE SA providing its views and comments on the
process that was being followed by the IE SA and asking for an extension of its deadline to provide a
reply. In this context, it also provided some comments to the IE SA on the CSAs' feedback and some
preliminary comments on the requests for urgent enforcement action from some CSAs.
26
Comment of the IT SA of 23 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote 9). As
indicated in footnote 11, Meta IE indicated in its Compliance Reports the fact that it continued to process some
data under Art. 6(1)(b) GDPR. The IT SA argued in this respect that ‘[Meta IE]’s distinction between non-
behavioural and behavioural advertising can be said to be artificial and based merely on language’ (Comment of
the IT SA of 23 May 2023, p. 1)
27
Comment of the IT SA of23May2023 as areply to the IESA IMI Informal Consultations(see footnote 9). More
specifically, according to the IT SA, ‘it is as if the controller was shifting the burden of proof regarding legitimate
interest as the legal basis of processing on the data subjects – who conversely should be called into play as key
actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the necessity of the
processing and performing the required balancing exercise’ (Comment of the IT SA of 23 May 2023, p. 2). The IT
SAalsounderlinedthat‘theprocessingoperationsunderpinningtheuseofOnlineBehaviouralAdvertisingshould
more appropriately be grounded in consent as a legal basis within the meaning of Art. 6(1) (a) GDPR’ (p.3).
28On12May2023and16May2023,theIESAsenttwoletterstoMetaIE,providing MetaIE with thefirstreplies
received from CSAs informing Meta IE that some CSAs requested an extension of time to provide a response. On
25 May 2023, the IE SA transmitted to Meta IE the latest comments from CSAs with respect to the way in which
Meta IE complied with the IE SA Decisions. The IE SA invited Meta IE to provide submissions by 2 June COB. On
26 May 2023, the IE SA shared an update with all CSAs, informing them that their responses were forwarded to
Meta IE, whose response was awaited by 2 June 2023.
29The IE SA provided a reply on 31 May 2023. On the same day, the IE SA provided an update to CSAs in the IMI
Informal Consultations, described in the following paragraph.
Adopted 815. On 2 June 2023, the IE SA provided a reply to the NO SA Mutual Assistance Request. In the notification
formused,theIESAstatedthatitcould notcomplywiththerequest(bycheckingapre-codetextbox),
andinvitedtheNOSAtolookatthe‘detailedresponseuploadedbythe[IESA]’intheIESAIMIInformal
Consultations (see above, paragraph 13).
16. On 9 June 2023, the NO SA further replied to the IE SA, via the IE SA IMI flow relating to the NO SA
Mutual Assistance Request, asking whether the IE SA could ‘share their preliminary thoughts or non-
bindingly indicate whether [it] may potentially be inclined to follow [the NO SA Mutual Assistance
Request]’.InthesamemessagetheNOSAindicatedthatitwouldinanycaseawaittheIESA’sresponse
towards the end of June.
17. On 13 June 2023, the IE SA informed all CSAs via the IE SA IMI Informal Consultations that it would
await the judgment of the Court of Justice of the European Union in Case C-252/21 (Meta Platforms
Inc. v Bundeskartellamt) (hereinafter, the ‘CJEU Bundeskartellamt Judgment’) before sharing its
assessment of the Meta IE Compliance Reports . The IE SA, noting the NO SA Mutual Assistance
Request and the NL SA Mutual Assistance Request, indicated their intention to finalise their
assessment as soon as possible after the CJEU Bundeskartellamt Judgment expected on 4 July 2023.
18. On 14 June 2023, the IE SA sent a letter to Meta IE replying to its letter of 31 May 2023. The IE SA
explained its intention to wait for the CJEU Bundeskartellamt Judgment before circulating its
provisional assessment of the steps taken by Meta IE in purported compliance with the orders in the
IE SA Decisions, as well as the expected next steps leading to the issuance of the final outcome of the
assessment of compliance. In the same letter, the IE SA informed Meta IE that it no longer required it
to make submissions in reply to the CSAs’ initial observations.
19. On 21 June 2023, Meta IE shared with the IE SA its views on the concerns raised by some of the CSAs
and regarding potential urgent proceedings. On 23 June 2023, the IE SA shared via the IMI Informal
Consultations the communication received from Meta IE on 21 June 2023. The IE SA stated that Meta
IE specified that this communication is without prejudice to Meta IE’s position that it brought its
processing into compliance with the orders in the IE SA Decisions.
20. On 30 June 2023, Meta IE shared by letter additional information with the IE SA regarding the IE SA’s
proposed compliance assessment. In this letter, Meta IEoutlined its views on the next steps envisaged
by the IE SA and provided information and arguments on what it considered to be misunderstandings
underpinning the views provided by the CSAs on the Meta IE Compliance Reports . 31
21. On 4 July 2023, the Court of Justice of the European Union delivered the CJEU Bundeskartellamt
32
Judgment . On 6 July 2023, the IE SA indicated to all the CSAs via the IE SA IMI Informal Consultations
30
31The CJEUhad just announcedthat it would deliver the judgment beforethe IE SAgave this update to theCSAs.
Letter from Meta IE to the IE SA of 30 June 2023. Meta IE’s comments on the next steps envisaged by the IE SA
are available in paragraphs 1-3 of this letter. Meta IE also provided clarifications, information and arguments on
what it considered to be misunderstandings underpinning the views provided by the CSAs on the Meta IE
Compliance Reports in paragraph 7. By way of example, Meta IE stated that it ‘does not engage in a “balancing”
exercise on receipt of a valid objection’, that the IE SA Decisions only apply to processing for behavioural
advertising purposes (and not to processing of non-behavioural information for advertising purposes), and that
the assessment of ‘Behavioural Advertising Processing’ only concerns data relating to activity on Facebook and
Instagram (on-platform data). Meta IE also clarified that it relies on Art. 6(1)(a) GDPR to process information
provided to Meta IE by third party advertising partners (‘off-platform data‘) for the purposes of showing
personalised advertisements.
32JudgmentoftheCourtofJusticeoftheEuropeanUnionof4July2023,MetaPlatformsInc.vBundeskartellamt,
C-252/21, EU:C:2023:537.
Adopted 9 thatitwasconsideringsuchjudgmentinthecontextoffinalisingitsprovisionalassessmentofthesteps
taken by Meta IE in purported compliance with the IE SA Decisions 3.
22. On 11 July 2023, the IE SA issued a provisional position paper (‘IE SA Provisional Position Paper’) in
which it preliminarily concluded that Meta IE had not complied with the orders in the IE SA Decisions,
34
and shared it with the CSAs alongside a letter dated 30 June 2023 received from Meta IE . The IE SA
invited the CSAs to share their views on the IE SA Provisional Position Paper by 21 July 2023 . 35
23. Between 20 July 2023 and 21 July 2023, two CSAs shared their views on the IE SA Provisional Position
36
Paper via the IE SA IMI Informal Consultations . The IE SA shared these CSAs’ views with Meta IE on
21 July 2023.
24. On14 July2023,the NO SA imposed a temporaryban onMeta IE andFacebook NorwayAS (‘Facebook
Norway’) regarding the processing of personal data of data subjects in Norway for behavioural
advertising for which Meta IE relies on Article 6(1)(b) GDPR or Article 6(1)(f) GDPR (the ‘NO SA Order’
or the ‘Provisional Measures’). On the same day, the NO SA informed by email the IE SA of the
Provisional Measures being taken on the basis of Article 66(1) GDPR. On 7 August 2023, the NO SA
rejected Meta IE’s and Facebook Norway’s request for deferred implementation of the NO SA Order.
25. On 20 July 2023, the IE SA shared an update to the CSAs via the IE SA IMI Informal Consultations,
informing the CSAs of its views on the NO SA Order. It also stated that it did not mean to refuse to
comply with the NO SA Mutual Assistance Request as this was a result of ‘incorrectly (and
inadvertently)’checking a boxand that, inits view,itscommunicationto the NO SAof2 June2023was
referring to two documents shared with all CSAs on 31 May 2023 , which ‘directed to the subject
matter of the NO SA [Mutual Assistance Request]’ and were ‘clearly engaging with the substance of
the NO SA [Mutual Assistance Request] [...]’.
26. On 24 July 2023, the NO SA answered to questions from a politician in the Irish national parliament on
the NO SA Mutual Assistance Request. In its reply, the NO SA describes the reply provided by the IE SA
to the NO SA Mutual Assistance Request and explains the reasons behind the issuance of the
ProvisionalMeasures,expressingitsconcernsthat‘whileitisvery clearthat[MetaIE]doesnotcomply
with the GDPR,failing to takespecific andresolute enforcementactionwould leadtoa cat-and-mouse
game whereby [Meta IE] is able to evade compliance indefinitely’ and that ‘simply stating that [Meta
IE] does not comply with the GDPR [...] without imposing any specific order spelling out what [Meta
IE] must potentially do to comply with the law and by which date, will allow [Meta IE] to further delay
compliance’.
33In the same communication, the IE SA also indicated they expected to be in a position to circulate their
provisional assessment the following week, and that they would then give the CSAs a period of ten days to
respond. While the NO SA and the IE SA indicated that this update occurred on 5 July 2023, according to the IMI
34ports relating to the IE SA IMI Informal Consultations, this update seems to have been sent on 6 July 2023.
This letter was already mentioned above in paragraph 20.
This update was shared by the IE SA via the IE SA IMI Informal Consultations. Together with the IE SA Provisional
Position Paper and the Letter from Meta IE to the IE SA of 30 June 2023, the IE SA also shared again the Meta IE
Compliance Reports (already shared on 5 April 2023 with the CSAs).
35
In the same communication, the IE SA also indicated that it would then provide the CSAs’ views on the IE SA
Provisional Position Paper to Meta IE inviting it to make its submissions by 4 August 2023.
36The NL SA shared its views via a document attached on 20 July 2023 and the DE Hamburg SA via a document
attached on 21 July 2023.
37See paragraph 13 above.
Adopted 1027. On 27 July 2023, Meta IE sent a letter to the IE SA stating that it intends to ground its processing for
behavioural advertising purposes 38on consent (Article 6(1)(a) GDPR) (by way of “Meta IE’s Consent
Proposal”Meta IE’s Consent Proposal)
39
. The IE SA
shared this letter with the CSAs via the IE SA IMI Informal Consultations.
28. On the same day, Meta IE sent a letter to the NO SA, making reference to the letter sent to the IE SA
andrequesting the NO SA to lift the ProvisionalMeasuresin lightof Meta IE’s commitments tothe LSA
to ensure compliance by way of relying upon consent.
29. On 1 August 2023, the IE SA replied to Meta IE taking note of Meta IE’s intention to implement the
necessary measures to enable it to rely on Article 6(1)(a) GDPR
4.
30. Meanwhile, on 1 August 2023, Meta IE and Facebook Norway lodged a complaint with the NO SA
requesting that it lifts the NO SA Order. On 3 August 2023, the NO SA rejected this complaint and on
the following day the NO SA sent a letter to Meta IE and Facebook Norway requesting confirmation as
to whether the NO SA Order would be complied with.
31. On 4 August 2023, Meta IE provided its response to the IE SA Provisional Position Paper. On the same
date, Meta IE and Facebook Norway replied to the NO SA that they have, in their view, complied with
the NO SA Order, and requested the Oslo District Court to grant a preliminary injunction against the
NO SA Order.
32. On 7 August 2023, the NO SA decided to impose a coercive fine on Meta IE and Facebook Norway for
the non-compliance with the NO SA Order. On 14 August 2023, Meta IE requested the deferred
implementation of the coercive fine imposed on Meta IE and Facebook Norway, at least until the Oslo
District Court has ruled on Meta IE’s and Facebook Norway’s applications for a preliminary injunction.
On 25 August 2023, the NO SA rejected Meta IE’s and Facebook Norway’s request for deferred
implementation of the coercive fine.
33. On 8 August 2023, Meta IE and Facebook Norway sent a letter to the Ministry of Local Government
and Regional Development of Norway, asking it to consider Meta IE’s and Facebook Norway’s
complaints against the NO SA Order submitted to the NO SA on 1 August 2023 . The Ministry of Local
38
39
40 This letter was shared by the IE SA with the CSAs via the IE SA IMI Informal Consultations. The IE SA also
highlighted that all the correspondence from Meta IE should be treated as confidential.
41 Meta IE sustained that the Ministry should have declared the complaint valid and the decision should have
been repealed, indicating that ‘the audit did not give [Meta IE] necessary notice of its proposed actions and did
not give [Meta IE] the necessary opportunity to be heard’. In addition, Facebook Norway was of the opinion that
the NO SA wrongfully indicated Facebook Norway as an addressee of the decision.
Adopted 11 Government and Regional Development of Norway responded on 10 August 2023, refusing to
accommodate the request and indicating that it did not have the authority to handle complaints
against the NO SA Order.
34. On 10 August 2023, Meta IE sent a letter to the IE SA
highlighted its concerns arising from the Article 66 GDPR
proceedings arising from the Provisional Measures and running in parallel to the process led by the IE
SA.
35. The IE SA responded on 11 August 2023. In its letter, the IE SA
highlighted that it considered it is not for it to second-guess the decision of the NO SA to
trigger the application of the urgency procedure and that the Article 66 GDPR procedure would take
its own course.
36. The proceedings concerning the request for preliminary injunction lodged with the Oslo District Court
further developed and the parties submitted written pleadings . 42
37.
43
.
38. On 18 August 2023, the IE SA shared with all CSAs its final position paper (‘IE SA Final Position Paper’),
in which the IE SA concluded that Meta IE failed to demonstrate compliance with the orders in the IE
44
SA Decisions . The IE SA also indicated its view that in light of the Meta IE’s Consent Proposal, it is fair
42On 10 August 2023 and 11 August 2023, respectively, Meta IE and Facebook Norway and the NO SA submitted
their written pleadings to the Oslo District Court. Meta IE requested provisional injunctions to avoid damage
following an alleged invalid administrative decision and Facebook Norway claimed that the NO SA’s justification
was inadequate. The NO SA responded to the request for a preliminary injunction claiming, inter alia, that there
was no case processing error that may have affected the content of the decision, the conditions for urgent
measures for adopting its decision were met, the decision did not violate Article 84 GDPR (proportionality) and
that an injunction by the Oslo District Court would have been in a manifest disparity with the damages or
inconveniences Norway would have been inflicted. Meta IE then submitted further written pleadings to the Oslo
District Court on 14 August 2023. On 15 August 2023, Meta IE and Facebook Norway complained against the NO
SAabouttheNOSA’srejectionoftheircomplaint.MetaIEandFacebookNorwayreiteratethattheappealbefore
the Ministry should be admissible and that they have the right to appeal the decision of the Ministry (contrary
to the Ministry’s declaration) according to administrative law. On 16 August 2023, the NO SA submitted further
written pleadings to the Oslo District Court, while Meta IE and Facebook Norway submitted their additional
43itten pleadings on 18 August 2023.
44Together with the IE SA Final Position Paper, the IE SA shared with the CSAs the same supporting materials as
shared together with the IE SA Provisional Position Paper. See above paragraph 22.
Also, on 17 August 2023, the IE SA provided an update to all CSAs via the IE SA IMI Informal Consultations,
informing them mainly of the fact that the copies of the relevant communications to which the IE SA was party
were transmitted to the NO SA and Meta IE to ensure that both the NO SA and Meta IE were in a position to put
the full suite of communications before the Oslo District Court.
Adopted 12 and reasonable to give Meta IE an opportunity to demonstrate that it can rely on consent as its lawful
45
basis rather than engaging in enforcement measures .
39. On 25 August 2023, Meta IE and Facebook Norway submitted, each, to the NO SA their comments on
the NO SA’s intended request for an urgent binding decision from the EDPB pursuant to Article 66 (2)
GDPR, which was specified in the NO SA Order.
40. On 28 August 2023, Meta IE and Facebook Norway complained against the NO SA regarding the
coercive fine it had imposed. Meta IE and Facebook Norway asked the NO SA to revoke the
enforcement decision or, at least, to lower the amount.
41. On 6 September 2023, the Oslo District Court decided not to grant the petitions from Meta IE and
Facebook Norway for a preliminary injunction against the NO SA Order.
42.
46.
.
43.
47.
44. On 21 September 2023, the NO SA sent a letter to the IE SA outlining their views on the current state
of play. More specifically, the NO SA stated that it considered there is still an urgent need for a ban of
the unlawful processing of personal data carried out by Meta IE despite the Meta IE’s Consent
48
Proposal , and that such a ban would
representanincentiveforMetaIEtoswiftlybringprocessingintocompliance .Thus,theNOSAasked
the IE SA to reconsider their position, outlined in the IE SA Final Position Paper that enforcement
45
IE SA Final Position Paper, paragraph 9.2.
46
47
48
Letter of the NO SA to the IE SA of 21 September 2023, p. 2.
49Letter of the NO SA to the IE SA of 21 September 2023, p. 3.
Adopted 13 measuresarenotnecessaryatthispointintime 50.TheletteralsomentionedthattheNOSArequested
submissions from Meta IE about its intention to ask the EDPB for an urgent binding decision, but may
consider not making such request should the IE SA decide to adopt enforcement measures . 51
45. On 26 September 2023, Meta IE and Facebook Norway made submissions in relation to the request of
the NO SA for an urgent binding decision of the EDPB and the NO SA lodged its request to the EDPB on
IMI. Further details on this are available below .2
46. On 27 September 2023, the IE SA replied to the letter of the NO SA of 21 September 2023, outlining
its views on the NO SA’s position and course of action. More specifically, the IE SA recalled that the
EDPB explicitly declined to instruct the IE SA to impose a temporary ban in the EDPB Binding Decisions
and explained that each of the IE SA Decisions ‘made provision for enforcement measures, namely,
the orders for compliance, under which [Meta IE]’s proposals for the adoption of one or more
alternative legal bases for the [processing operations at stake] would be assessed, and ruled on, on
their respective merits’ . The IE SA also expressed the view that ‘it is inaccurate to suggest that the [IE
SA] could impose an immediate ban on processing, whilst continuing to progress its assessment of
[Meta IE]’s proposed consent-based model, in conjunction with its CSA colleagues’ . 54
47. On 11 October 2023, the NO SA replied to the letter of the IE SA of 27 September 2023. In this letter,
the NO SA expressed its concern that despite the LSA and CSAs ‘agreeing that [Meta IE] cannot base
processing of personal data for behavioural advertising on Article 6(1)(b) GDPR or Article 6(1)(f) GDPR,
[Meta IE] continues to violate Article 6(1) GDPRand the [IE SA Decisions], and such violation continues
to be tolerated’ . The NO SA reiterated its view that ‘corrective measures can and should be imposed
56
on [Meta IE] as soon as possible to stop [Meta IE]’s current illegal processing activities’ .
48. The IE SA further replied on 13 October 2023. In its letter, the IE SA argued that the request of the NO
SA to the EDPB amounts, in substance, to a demand for enforcement action against the IE SA for its
(alleged) failure to implement the IE SA Decisions and to an attempt to use the Article 66 GDPR
procedure as a means to procure an order from the EDPB to compel the IE SA to impose an EEA-wide
ban on Meta IE’s processing of personal data for behavioural advertising purposes 57. The IE SA also
expressed its view that it did put in place an enforcement procedure following the IE SA Decisions,
consistent with the EDPB Binding Decisions 58.
49. On16October2023,Meta IEandFacebookNorwayinitiatedlegalproceedingsbeforetheOsloDistrict
Court to demand the invalidation of the NO SA Order.
1.2 Submission of the request to the EDPB and related events
50Letter of the NO SA to the IE SA of 21 September 2023, p. 3.
51Letter of the NO SA to the IE SA of 21 September 2023, p. 3.
52See paragraph 67 below.
53
Letter of the IE SA to the NO SA of 27 September 2023, p. 3.
54Letter of the IE SA to the NO SA of 27 September 2023, p. 4.
55Letter of the NO SA to the IE SA of 11 October 2023, p. 1.
56Letter of the NO SA to the IE SA of 11 October 2023, p. 1.
57
Letter of the IE SA to the NO SA of 13 October 2023, p. 2-3, in which the IE SA also states that: ‘while, subject
to ongoing litigation in Norway, [Meta IE]’s Norwegian subsidiary is accruing liabilities on a daily basis by
reference to the fine recently applied by NO SA, [Meta IE]’s processing operations as they relate to behavioural
advertising remain unchanged at this point’.
58
Letter of the IE SA to the NO SA of 13 October 2023, p. 3-6.
Adopted 1450. As mentioned above, on 26 September 2023, the NO SA used IMI to request the EDPB to adopt an
urgentbindingdecisionpursuanttoArticle66(2)GDPR,withtheeffectoforderingtheimplementation
of final measures (hereinafter, the ‘NO SA Request to the EDPB’ or ‘Request to the EDPB’).
51. Following the submission of the NO SA Request to the EDPB, the EDPB Secretariat assessed the
completeness of the file on behalf of the Chair of the EDPB.
52. In the context of the assessment of the completeness of the file, the EDPB Secretariat contacted the
NO SA on 4 October 2023 and 11 October 2023 requesting further documents and clarifications. In
both cases, the NO SA responded on the same day by providing clarifications and uploading additional
documents on IMI.
53. The EDPB Secretariat also contacted the IE SA on 5 October 2023, requesting additional documents
andclarifications.FollowingarequestsentbytheIESAtoextendthedeadlineinitiallyseton6October,
the EDPB Secretariat extended the deadline to 9 October 2023. On 9 October, the IE SA replied by
attaching some of the additional documents and providing some clarifications. On the basis of the
reply, the EDPB Secretariat requested on the same day some further information and provided
clarifications onthequestionsithadpreviouslyasked.On10October2023,theIESArespondedto the
EDPB Secretariat’s email of 9 October 2023, highlighting the need for appropriate time to carry out
verifications. On 11 October 2023, the EDPB Secretariat responded to the IE SA’s email identifying
certainitemsasmattersofpriority.On12October2023,theIESArespondedtotheEDPBSecretariat’s
request providing several documents and clarifications.
54. A matter of particular importance that was scrutinised by the EDPB Secretariat was the right to good
administration, as required by Article 41 of the Charter of Fundamental Rights of the European Union
(hereinafter,the‘Charter’).FurtherdetailsonthistopicareprovidedinSection3ofthisurgentbinding
decision.
55. On 12 October 2023, the decision on the completeness of the file was then taken by the Chair of the
EDPB and on 13 October 2023 by the NO SA in line with Article 13(2) of the EDPB RoP. The file was
circulated by the EDPB Secretariat to all the members of the EDPB on 13 October 2023.
56. On 17 October 2023, following a request of the IE SA to include an additional letter sent by the IE SA
totheNOSAon13October2023,theEDPBdecided toincludeitinthefile,onthebasisofArticle11(2)
EDPB RoP.
2 COMPETENCE OF THE EDPB TO ADOPT AN URGENT BINDING
DECISION UNDER ARTICLE 66(2) GDPR
57. The EDPB is competent to issue an urgent binding decision under Article 66(2) GDPR to the extent that
thefollowingconditionsaremet:anSAhastakenprovisionalmeasurespursuanttoArticle66(1)GDPR,
59
and there is a request from this SA pursuant to Article 66(2) GDPR.
2.1 The SA has taken provisional measures under Article 66(1) GDPR
58. On 14 July 2023, the NO SA adopted provisional measures pursuant to Article 66(1) GDPR, prohibiting
Meta IE from processing the personal data of data subjects residing in Norway for targeting
59See Art. 66(2) GDPR and EDPB Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from
the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook
Ireland Limited (hereinafter ‘EDPB Urgent Binding Decision 01/2021’), adopted on 12 July 2021, section 2.
Adopted 15 advertisements on the basis of observed behaviour for which Meta IE relies on Article 6(1)(b) GDPR or
Article 6(1)(f) GDPR.
59. The EDPB therefore considers that this condition is satisfied.
2.2 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the
EEA
60. On 26 September 2023, the NO SA requested the EDPB to adopt an urgent binding decision pursuant
to Article 66(2) GDPR, by introducing a formal request in the IMI system (Article 17 of the EDPB RoP).
61. The EDPB therefore considers that this condition is satisfied.
2.3 Conclusion
62. The EDPB concludes it is competent to adopt an urgent binding decision under Article 66(2) GDPR.
3 THE RIGHT TO GOOD ADMINISTRATION
63. The EDPB is subject to Article 41 of the Charter (right to good administration). This is also reflected in
Article 11(1) EDPB RoP.
64. Similarly to what is provided under Article 65(2) GDPR, an urgent binding decision of the EDPB is
addressed to the lead supervisory authority and all the supervisory authorities concerned, and is
60
binding on them . It is not aimed to address directly any third party.
65. Nevertheless, the EDPB assessed whether all the documents it received to be used in order to take its
decision were known by Meta IE and Facebook Norway, and whether Meta IE and Facebook Norway
were offered the opportunity to exercise their right to be heard on all the elements of fact and law to
be used by the EDPB to take its decision.
66. In this respect, the NO SA informed the EDPB Secretariat that it made available all the documents it
submitted to the EDPB to Meta IE and Facebook Norway. The other documents (submitted by the IE
SA), if not already known to the companies, were made available to them by the EDPB Secretariat by
way of letters of 13 October 2023 and 18 October 2023 . 62
67. On 17 September 2023, the NO SA sent a letter to Meta IE and Facebook Norway asking for their
submissions on its draft request for an Article 66(2) GDPR urgent binding decision from the EDPB.
Following extensions of the deadline initially set, these submissions were provided on 26 September
2023 (hereinafter, ‘Meta IE’s Submissions of 26 September 2023’ and ‘Facebook Norway’s
Submissions of 26 September 2023’). These submissions also attached Meta IE’s and Facebook
Norway’sprevioussubmissionsof25August2023 concerning the intentionof theNO SA to request an
urgent binding decision of the EDPB (‘Meta IE’s Submissions of 25 August 2023’ and ‘Facebook
Norway’s Submissions of 25 August 2023’). In addition to these submissions, the file submitted to the
EDPB also included multiple documents produced by Meta IE and/or Facebook Norway in the context
oftheassessmentofcompliancewiththeIESADecisionsand/orinthecontextofthelegalproceedings
60Art. 65(2) GDPR. According to Art. 66(4) GDPR, this provision is derogated in respect of the deadline for
61option; therefore, the last sentence of Art. 65(2) GDPR fully applies.
Letter of the EDPB Chair to Meta IE and Facebook Norway of 13 October 2023.
62Letter of the EDPB Chair to Meta IE and Facebook Norway of 18 October 2023.
Adopted 16 63
concerning the NO SA Order , where Meta IE’s and Facebook Norway’s positions in respect of the
elements being considered by the EDPB were clarified.
68. On the basis ofthe assessment performed by the EDPBSecretariat,Meta IE andFacebook Norwayhad
not yet had an opportunity to make their views known on some elements of fact and law included in
some documents of the file to be used by the EDPB to take its decision. The Chair of the EDPB invited
bywayofherletterof13October2023 MetaIEandFacebookNorwaytoprovidewrittensubmissions
to the EDPB on these elements. These submissions, together with annexes, were provided by Meta IE
and Facebook Norway on 16 October 2023 (‘Meta IE’s Submissions of 16 October 2023” and
65
“Facebook Norway’s Submissions of 16 October 2023’) and were subsequently added to the file.
69. On 18 October 2023, the Chair of the EDPB sent a new letter to Meta IE and Facebook Norway
informing them of the document added to the file on 17 October 2023 and providing them with an
opportunity to make written submissions on it. Meta IE and Facebook Norway made written
submissionson19October2023(‘Meta IEandFacebookNorway’sSubmissionsof19October2023’),
which were added to the file.
70. The EDPB notes that Meta IE and Facebook Norway received the opportunity to make their views
regarding all the legal and factual elements used by the EDPB to take this decision. Therefore, in case
Meta IE and Facebook Norway would be found to be entitled to a right to be heard in this procedure,
it would be in any case fully respected.
4 ON THE NEED TO REQUEST FINAL MEASURES
71. TheEDPBconsidersthatinorderforanurgentbindingdecisionadoptedpursuanttoArticle66(2)GDPR
toorderfinalmeasurestwocumulativeconditionsneedtobefulfilled:theexistenceofone(orseveral)
infringement(s) and the existence of an urgency situation justifying a derogation from the regular
cooperation procedure.
72. Consequently, the sections below assess first the existence of infringements (Section 4.1), then the
existence of an urgency situation (Section 4.2).
4.1 On the existence of infringements
63By way of example, these documents included the Letter from Meta IE to the IE SA of 31 May 2023, the letter
from Meta IE to the IE SA of 21 June 2023, the Letter from Meta IE to the IE SA of 30 June 2023, Meta IE’s
Response to the IE SA Provisional Position Paper of 4 August 2023, Letter from Meta IE to the IE SA of 27 July
6423, Letter from Meta IE to the NO SA of 27 July 2023.
Letter of the Chair of the EDPB to Meta IE and Facebook Norway of 13 October 2023, replying to their letter of
28 September 2023 where they requested that Meta IE and Facebook Norway be granted access to any
documents in the administrative file, and tobe afforded an opportunitytomake submissions afterreviewing the
file in advance of the EDPB reaching a final decision.
65On 18 October 2023, Meta IE and Facebook Norway provided new versions of two of their annexes. In these
letters of 16 October 2023, Meta IE and Facebook Norway also informed the EDPB that they filed a complaint
before the Oslo District Court challenging and seeking to invalidate the NO SA Order on the merits.
Adopted 17 4.1.1 On the infringement of Article 6(1) GDPR
4.1.1.1 Summary of the overall position of the NO SA
73. TheNOSArequestedtheEDPBtoadoptanurgentbindingdecisionorderingfinalmeasurestobetaken
across the EEA to ensure that ‘personal data shall not be processed for behavioural advertising based
on Article 6(1)(b) [GDPR] or Article 6(1)(f) GDPR in the context of the Services’ . In the NO SA Request
to the EDPB, the NO SA defines ‘behavioural advertising’ as ‘targeting ads on the basis of observed
behaviour’ . In the view of the NO SA, this includes ‘targeting ads on the basis of inferences drawn
from observed behaviour as well as on the basis of data subjects’ movements, estimated location and
how data subjects interact with ads and user-generated content’ . This definition is in line with their
69
understanding of the scope of the IE SA Decisions .
74. In the NO SA Request to the EDPB, the NO SA states that ‘[Meta IE] has failed to ensure compliance
70
with(...)[theIESADecisions]’ .According to the NOSA,thereisconsensusamong theCSAsthat Meta
IE’s processing of personal data for behavioural advertising purposes is currently infringing the GDPR,
and in particular Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, and the duty to comply with the decisions
of the SAs .1
75. The NO SA’s analysis is based on the following elements:
• Despite the IE SA Decisions, Meta IE still relies on Article 6(1)(b) GDPR to process (1) location
information, including GPS location, data subjects’ activity on Meta products and the places
data subjects like to go and the businesses and people data subjects are near; and (2)
information about ads that Meta IE shows and how data subjects engage with those ads; for
the purpose of behavioural advertising . 72
• Meta IE relies on Article 6(1)(f) GDPR to process some personal data for the purpose of
behavioural advertising, while Article 6(1)(f) GDPR is not an appropriate legal basis for this
processing .73
• The IE SA also considers thatMeta IE failed to demonstrate that it has a lawful basis to process
platform behavioural data for behavioural advertising , and did not provide any
documentation confirming that it stopped processing personal data for the purpose of
75
behavioural advertising on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR .
66NO SA Request to the EDPB, p. 12.
67NO SA Request to the EDPB, p. 12.
68NO SA Request to the EDPB, p. 3-4, referring to the NO SA Order.
69
NO SA Order, p. 3.
70NO SA Request to the EDPB, p. 6.
71NO SA Request to the EDPB, p. 5-7.
72NO SA Request to the EDPB, p. 4 which refers to the NO SA Order. See also NO SA Order, section 7.2.1.1.
73
NO SA Request to the EDPB, p. 4. The NO SA Request to the EDPB only mentions that Meta IE changed its legal
basis for ‘some of its processing’ of personal data. Meta IE clarifies in its Letter to the IE SA of 30 June 2023 that
these changes relate to the personal data collected on its products (paragraph 7c). A description of this data is
provided in section 2.3 of the Meta IE Compliance Reports.
74
NO SA Request to the EDPB, p. 5.
75NO SA’s Decision to Impose a Coercive Fine on Meta IE and Facebook Norway of 7 August 2023, p. 4.
Adopted 1876. The NO SA states that Meta IE has already been given enough time to bring its processing into
compliance with Article 6(1) GDPR, and takes the view that ‘[Meta IE] is making use of dilatory
76
strategies’ .
77. The NO SA considers that there is sufficient information to allow the EDPB to conclude that
infringements are taking place . 77
4.1.1.2 Inappropriate reliance on Article 6(1)(b) GDPR
4.1.1.2.1 Summary of the position of the NO SA
78. The NO SA takes the view that Meta IE’s infringement of Article 6(1)(b) GDPR in the context of its
behavioural advertising processing activities was confirmed by the EDPB Binding Decisions and the IE
SADecisionswhichconcluded,inlinewiththeviewsexpressedinpreviousEDPBguidelines,thatArticle
6(1)(b) GDPR is an unsuitable legal basis for behavioural advertising processing activities, both
generally and in the case at issue . 78
79. The NO SA finds that Meta IE has incorrectly understood what constitutes ‘processing of personal data
for the purposes of behavioural advertising’ in the IE SA Decisions . It states that Meta IE’s processing
80 81
of data subjects’ location data and engagement with ads is part of Meta IE’s processing of personal
data for the purpose of behavioural advertising concerned by the IE SA Decisions 82, and that, pursuant
83
to those decisions, such processing which is based on Article 6(1)(b)GDPR, is unlawful .
4.1.1.2.2 Summary of the position of the controller
80. MetaIEstatesthat,priortotheIE SADecisions,itreliedonArticle 6(1)(b)GDPR inagoodfaithmanner
and its ‘bona fide belief that it was lawful for it to do so’ , considering that different national courts
found that Meta IE may validly rely on Article 6(1)(b) GDPR to process personal data for the purposes
of behavioural advertising . 85
76
NO SA Request to the EDPB, p. 6.
77NO SA Request to the EDPB, p. 7.
78NO SA Request to the EDPB, footnotes 4 and 10, referring to EDPB Guidelines 8/2020 on the targeting of social
media users, paragraphs 49 and 71.
79
NO SA Order, section 7.2.1.1, p. 14 (referring to the IE SA FB Decision paragraph 10.44(b) and the IE SA IG
Decision paragraph 417(b), respectively).
80According to the NO SA, ‘[Meta IE]’s use of location data to inform which ads are displayed to data subjects
clearly constitutesBehaviouralAdvertising.Itisuncleartouswhatthislocationisestimatedonthebasisof,ifnot
the data subject’s behaviour’. NO SA Order, section. 7.2.1.1, p. 15.
81According to the NO SA, ‘For information about data subjects’ engagement with ads, we understand that data
subjects may click on “Hide Ad” and that one effect of this would be that the particular ad is not shown to that
data subject again. We agree with [Meta IE]’s assertion set out in its letter of 30 June 2023 that this in itself does
not constitute processing for Behavioural Advertising. However, to the extent that this or any other engagement
with an ad is used to inform which other ads a data subject should see, we find that the processing of personal
82ta does take place for Behavioural Advertising’, NO SA Order, section. 7.2.1.1, p. 15.
NO SA Order, section. 7.2.1.1, p. 15. The NO SA also states this in the NO SA Mutual Assistance Request, p. 5.
83NO SA Order, p. 15.
84Meta IE’s Submissions of 25 August 2023, paragraph 65.
85
Meta IE’s Submissions of 25 August 2023, paragraph 65; Written Pleading of 18 August 2023 from Meta IE to
Oslo District Court, p. 6.
Adopted 19 86
81. Meta IE acknowledges that the IE SA Decisions concluded differently to these cases , and argues that
it took since then substantial steps to bring its processing activities into ‘what it believes was
87
compliance with those decisions’ . Meta IE states that it changed its legal basis from Article 6(1)(b)
GDPR to Article 6(1)(f) GDPR for the processing of personal data collected on Meta’s products for the
88
purposes of behavioural advertising to comply with the IE SA Decisions . It states further that it relies
on Article 6(1)(a) GDPR to process personal data obtained from third party advertising partners 8.
82. In relation to the definition of what behavioural advertising encompasses, Meta IE states that its
processing of personal data for the purpose of behavioural advertising comprises the use of
‘information collected on Meta’s products about a user’s behaviour over time in order to assess and
understand users’ interests and preferences’. According to Meta IE, this includes signals such as ‘a
user’s activity across Meta’s products, engagement with content such as other users’ posts or which
pages they visit, the individuals and groups they communicate with, and/or what the user searches
90
for’ . Meta IE states that it processes this personal data to assess and understand users’ interests and
preferences, and to provide them with behavioural advertisements . 91
83. However, Meta IE takes the view that its processing of a) demographic data (including location data),
b) In-use app, browser and device data c) advertisement shown and d) advertisement interaction
data does not constitute behavioural advertising, and therefore falls beyond the scope of the IE SA
Decisions 93.Inthisrespect,MetaIEarguesthatitsprocessingofsuchdataonthebasisofArticle6(1)(b)
GDPR is valid .4
84.
95
.
4.1.1.2.3 Analysis of the EDPB
85. The EDPBBindingDecisionsinstructed, inter alia, the IESA to findaninfringementofArticle 6(1)GDPR
on the ground that Meta IE inappropriately relied upon Article 6(1)(b) GDPR to process personal data
for the purposes of behavioural advertising, and therefore lacked a legal basis to process this data for
this purpose . In relation to this, the EDPB also instructed the IE SA to include in each of its final
86Written Pleading of 18 August 2023 from Meta IE to Oslo District Court, p. 6.
87Meta IE’s Submissions of 25 August 2023, paragraph 65; Written Pleading of 18 August 2023 from Meta IE to
Oslo District Court, p. 6.
88
Meta IE Compliance Report on IE SA FB Decision, paragraphs 2.1 and 2.3 and Meta IE Compliance Report on IE
SA IG Decision, paragraphs 2.1 and 2.3.
89 Such data includes information from third party websites, apps and certain offline interactions (such as
purchases). See Meta IE Letter to the IE SA of 30 June 2023, paragraph 7c and footnote 150 below.
90Meta IE Compliance Report on IE SA FB Decision, paragraph 2.2; Meta IE Compliance Report on IE SA IG
Decision, paragraph 2.2
91Meta IE Compliance Report on IE SA FB Decision, paragraph 2.2; Meta IE Compliance Report on IE SA IG
Decision, paragraph 2.2.
92As described in section 5.8.2 of the Meta IE Compliance Reports.
93Meta IE’s Request for preliminary injunction of 4 August 2023, p. 27.
94
95Meta IE’s Request for preliminary injunction of 4 August 2023, p. 27.
96
EDPB Binding Decision 3/2022, paragraphs 133 and 484; EDPB Binding Decision 4/2022, paragraphs 137 and
451.
Adopted 20 decisions an order for Meta IE to bring it processing of personal data for the purpose of behavioural
advertising in the context of the Facebook and Instagram services into compliance with Article 6(1)
GDPR within three months 97.
86. On the basis of the EDPB Binding Decisions, the IE SA Decisions ordered Meta IE to bring its processing
into compliance with Article 6(1) GDPR , the IE SA ordered Meta IE to take the necessary actions to
bring into compliance with Article 6(1) GDPR and to address the finding that Meta IE is not entitled to
processpersonaldataforthepurposeofbehaviouraladvertisingonthebasisofArticle6(1)(b)GDPR . 99
The EDPB notes that the IE SA made clear that such action may include, but is not limited to, the
identification of an appropriate alternative legal basis in Article 6(1) GDPR 100.
87. In the Compliance Reports, Meta IE indicated that it changed the legal basis it relies on for the
processingof personaldata collectedon itsproductsforbehavioural advertising purposesfromArticle
6(1)(b)GDPR to Article6(1)(f)GDPRasof 5April2023, which wasthedeadlineforcompliance withthe
101
IE SA Decisions . Meta IE also states that it still relies on Article 6(1)(b) GDPR to process what it
considers to be ‘limited categories of non-behavioural information’ to show advertising on Facebook
102
and Instagram .
88. In the IE SA Final Position Paper assessing Meta IE’s compliance with the IE SA Decisions and taking
into consideration the comments received by the CSAs on such compliance, the IE SA addressed two
key questions relevant for the purpose of this section of this urgent binding decision: the definition of
behavioural advertising and whether the processing of Meta IE for advertising purposes relying upon
103
Article 6(1)(b) GDPR falls within such definition .
89. As to the definition of behavioural advertising, the IE SA referred to the definition provided by the
104
Article 29 Working Party in its Opinion 2/2010 being referred to by Meta IE in the Compliance
Reports 10:
‘Behavioural advertising is advertising that is based on the observation of the behaviour of
individuals over time. Behavioural advertising seeks to study the characteristics of this
behaviour through their actions (repeated site visits, interactions, keywords, online content) in
order to develop a specific profile and thus provide data subjects with advertisements tailored
to match their inferred interests’ 106.
97
EDPB Binding Decision 3/2022, paragraphs 288 and 493; EDPB Binding Decision 4/2022, paragraphs 290 and
459.
98See IE SA FB Decision, paragraph 10.44b; IE SA IG Decision, paragraph 212. See also IE SA Final Position Paper,
paragraph 2.1.
99
IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 212.
100IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 212.
101Meta IE Compliance Report on IE SA FB Decision, paragraph 2.1; Meta IE Compliance Report on IE SA IG
Decision, paragraph 2.1.
102
Meta IE Compliance Report on IE SA FB Decision, paragraph 3.1.3; Meta IE Compliance Report on IE SA IG
Decision, paragraph 3.1.3.
103IE SA Final Position Paper, paragraphs 7.3 - 7.22.
104IE SA Final Position Paper, paragraph 7.5, referring to Article 29 Working Party Opinion 2/2010 adopted on 22
June 2010, p. 5.
105Meta IE Compliance Report on IE SA FB Decision, p. 4; Meta IE Compliance Report on IE SA IG Decision, p.4.
106Article 29 Working Party Opinion 2/2010 adopted on 22 June 2010, p. 5.
Adopted 2190. TodefinewhethertheprocessingofMetaIEforadvertisingpurposesrelyinguponArticle6(1)(b)GDPR
falls within such definition, the IE SA also referred to the description of Meta IE’s processing for
107
behavioural advertising purposes provided by the EDPB in the EDPB Binding Decisions :
‘[Meta IE] collects data on its individual users and their activities on and off its Facebook social
networkservicevianumerousmeanssuchastheserviceitself,otherservicesoftheMetagroup
including Instagram, WhatsApp and Oculus, third party websites and apps via integrated
programming interfaces such as Facebook Business Tools or via cookies, social plug-ins, pixels
and comparable technologies placed on the internet user’s computer or mobile device.
According to the descriptions provided, [Meta IE] links these data with the user’s Facebook
accounttoenableadvertiserstotailortheiradvertisingtoFacebook’sindividualusersbasedon
their consumer behaviour, interests, purchasing power and personal situation. This may also
include the user’s physical location to display content relevant to the user’s location’10.
91. The IE SA noted that Meta IE relies on Article 6(1)(b) GDPR for a more limited set of personal data for
109
advertising purposes in the Facebook and Instagram services . The EDPB notes that Meta IE argues
that it is relying on Article 6(1)(b) GDPR for the processing of ‘limited non-behavioural information’ to
show advertisements, as described in its Compliance Reports 110:
‘a) Demographic data. This consists of age users provide, gender users provide, and estimated
general location. The use of demographic data is required to ensure advertising is appropriate
in accordance with the Terms of Use/Service. For example, (...) (c) relying on location is
necessary to ensure advertisements that [Meta IE] show users are in an appropriate language
and relate to an appropriately located company or service (e.g., [Meta IE] does not show users
advertisements for products which are not available in their country);
b) In-use app, browser and device data. (...) This includes the type of device being used, the
language chosen on the device at that time and the version of the Facebook/Instagram app
being used. These data points are necessary to deliver advertisements appropriately. For
example,toproperlyformattheadvertisementtomeettheviewingrequirementsofthedevice,
to avoid users being shown advertisements for apps which are not supported by the operating
systemontheirdevice,andensurethattheadvertisementisinthechosenlanguageoftheuser;
c) Advertisements shown. This consists of information on whether the advertisement is
rendered and delivered to a user. This information is a basic metric which [Meta IE] needs in
order, for example, to ensure the number of advertisements that [Meta IE] shows to users is at
an appropriate level and to ensure that the same advertisements are not being directed to the
user repeatedly. The information does not indicate whether the user has actually noticed the
advertisement;
d) Advertisement interaction data. This consists of two forms of information provided by users
if they choose to interact with advertisements: (a) to provide negative feedback on their
advertising experience, for example by selecting to “hide” or report an advertisement; and (b)
107IE SA Final Position Paper, paragraph 7.4, referring to EDPB Binding Decision 3/2022, paragraphs 95-96 and
EDPB Binding Decision 4/2022, paragraphs 98-99.
10EDPB Binding Decision 3/2022, paragraphs 95-96 and EDPB Binding Decision 4/2022, paragraphs 98-99.
10IE SA Final Position Paper, paragraphs 2.2, 4.5 and 7.6.
110
As referred to in the IE SA Final Position Paper, paragraph 7.6.
Adopted 22 to provide positive feedback on their advertising experience, for example by clicking
advertisements they find relevant’. 111
92. The EDPB notes the IE SA’s following findings:
• In relation to location data, the IE SA took the view that Meta IE did not provide sufficient
information to allow the IE SA to understand why location data would fall outside the
112
definition of behavioural data . According to the IE SA, Meta IE did not explain whether it is
processing the user’s physical location or the location that they proactively provide to Meta IE
to target ads to them.
• In relation to device data, the IE SA indicated that device information could also be used to
identify different market segments, which in turn could be processed for behavioural
advertising purposes 113.
• In relation to advertisements shown, the IE SA indicated that more clarity from Meta IE would
be required as to whether Meta IE only analyses records of ads shown (which, according to
the IE SA, are not amounting to behavioural data) or also behavioural ads presented by other
tools through a shared interface screen, which would also add to the behavioural processing
by Meta IE 114.
• In relation to advertisement interaction data, the IE SA underlined that ‘interaction data’ was
listed in the definition of behavioural advertising in the Article 29 Working Party Opinion,
115
which was incorporated by Meta IE into its Compliance Reports . The IE SA therefore
underlined the lack of clarity on how Meta IE would then distinguish ‘advertisement
interaction data’, listed in point d) above from ‘interaction data’ included in the Article 29
Working Party Opinion 2/2010. The IE SA raised concerns as to the fact that Meta IE stated
that it relies on Article 6(1)(b) GDPR in circumstances where the user provides positive
advertising feedback 116. According to the IE SA, this falls within the definition of behavioural
111
Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2; Meta IE Compliance Report on IE SA IG
Decision, paragraph 5.8.2.
112In particular,the IE SAstatedthat‘[Meta IE]hasexplainedthe usesof this data, but notwhy theseusesdo not
amount to behavioural processing. For example, it is unclear if location data is used by [Meta IE] to tailor ads to
users on the basis of visits to certain types of shops, their travel to business hubs or holiday destinations, or the
times of year at which they travel. If [Meta IE] use location data in these ways, then this would be processing
personal data for the purposes of behavioural advertising, both by reference to the EDPB’s description of such
advertising, as set out at paragraph 7.4 above, and by reference to the Article 29 Working Party Opinion relied
on by [Meta IE]’, IE SA Final Position Paper, paragraph 7.11.
113The IE SA stated that ‘it is unclear whether [Meta IE] identifies device information as a different market
segment. While the processing of device information to serve ads may not amount to behavioural advertising, it
ispossiblethat[MetaIE]identifiescertaindevicesasadifferentmarketsegment.Thetypeofdevicecouldindicate
spending power or history, which could be processed for behavioural purposes’, IE SA Final Position Paper,
paragraph 7.12.
114
115IE SA Final Position Paper, paragraph 7.13.
Article 29 Working Party Opinion 2/2010 adopted on 22 June 2010, p. 5 referred to in Meta IE Compliance
Report on IE SA FB Decision, p. 4 and Meta IE Compliance Report on IE SA IG Decision, p. 4.
116The IE SA’s concerns relate in particular to Meta IE’s statement that when ‘the user provides positive
advertising feedback (e.g., actively choosing to click on a specific ad they find relevant and want to see), [Meta
IE] similarly needs to use that information to ensure it is providing the user with an appropriate and relevant
personalised advertising experience pursuant to the Terms of Service’, see IE SA Final Position Paper, paragraph
7.14, referring to Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2 and Meta IE Compliance
Report on IE SA IG Decision, paragraph 5.8.2.
Adopted 23 advertising provided by the Article 29 Working Party Opinion 2/2010 as it involves Meta IE
’117
‘inferringconclusionsaboutuserpreferencesfromusers’interactionwithanadvertisement .
Following further information provided by Meta IE on 30 June 2023 to the IE SA on negative
advertisingfeedback 11,theIESAindicatedthat,totheextentthatMetaIE‘processespersonal
data solely to prevent a specific hidden ad being shown to a user, then the [IE SA] agrees that
this does not amount to behavioural advertising. However, to the extent that [Meta IE] infers
a user’s advertising preferences from the fact that they have hidden an ad, then this does fall
withinthedefinitionofbehaviouraladvertising’ 119.TheIESAaddedthat‘[MetaIE]submissions
are too vague to determine whether it processes personal data just to hide the specific ad, or
whether it draws inferences from the choice to hide an ad. The reference in the justification of
this processing to a user’s “personal advertising experience” indicates that the decision to hide
120
onead could beused toinferpreferencesabout theadsthat a user receives moregenerally’ .
TheEDPBnotesthatthisappreciationisinlinewiththeobservationsmadebytheDEHamburg
121
SA .The IE SA thereforeprovidedthat‘it appearsfrom theinformationprovidedby[MetaIE]
that it uses data about hidden ads to engage in behavioural advertising’. The IE SA also
provided similar conclusions for the positive feedback, raising that ‘Using information about
click-throughs to determine what types of ads a user wants to see in the future falls plainly
within the definition of behavioural advertising provided by [Meta IE] to the [IE SA]’ 12.
93. In light of the above, the EDPB notes that the IE SA found that Meta IE still conducts some processing
for the purposes of behavioural advertising in reliance on Article 6(1)(b) GDPR 123.
94. In addition, the IE SA also indicated the lack of sufficient information to explain why categories (a) to
(d) were not behavioural data 124. The EDPB also notes that on this basis, the IE SA found that Meta IE
had not demonstrated compliance with the IE SA Decisions as regards reliance on Article 6(1)(b) GDPR
for behavioural advertising 12.
95. The EDPB notes that this view was also expressed by certain CSAs replying to the IE SA IMI Informal
Consultations. More specifically, the FI SA stated that ‘the following personal data seems to be still
unlawfully collected for behavioural advertising purposes under Article 6(1)(b) [GDPR]: “Information
117
IE SA Final Position Paper, paragraph 7.15.
118Meta IE said that ‘with respect to negative advertising feedback, if a user selects the option that is available
to “Hide Ad – never see this ad again,” then [Meta IE] needs to use that information to ensure that choice
regarding the user’s personal advertising experience (i.e., what advertisements they do not want to see) is
respected’, IE SA Final Position Paper, paragraph 7.16.
119IE SA Final Position Paper, paragraph 7.16, referring to the comments of the DE Hamburg SA on the IE SA
Provisional Position Paper.
120IE SA Final Position Paper, paragraph 7.16.
121
‘Allowing[MetaIE]tofurtherjustifywhetheritprocessespersonaldataonlytohideaparticularad,orwhether
it draws inferences from the decision to hide an ad, is nothing more than leaving a choice not to describe the
actual purpose of the processing, to formally fall short of the definition of behavioural advertising. In doing so,
hiding certain ads without anything deriving from that decision would contradict [Meta IE]´s business model. To
the extent that this or other engagement with an ad is used to learn what other ads a data subject should see,
Hamburg SA notes that the processing of personal data serves purposes of behavioural advertising’, Views of DE
Hamburg SA of 4 May 2023; as referred to in the IE SA Final Position Paper, paragraph 7.17.
122IE SA Final Position Paper, paragraph 7.19.
123
IE SA Final Position Paper, paragraph 6.2 and paragraph 8.1.
124IE SA Final Position Paper, paragraph 7.22.
125IE SA Final Position Paper, paragraphs 7.1, 7.22 and 8.1.
Adopted 24 about ads we show you and how you engage with those ads” and “Location information”’. 126The IT SA
also stated that ‘[Meta IE]’s proposal is not such as to adequately implement the order to bring the
processing into compliance insofar as it misclassifies part of the user-related information and thereby
applies the legal basis of contractual performance under Article 6(1)(b) GDPR to the serving of ads
which, actually, are behavioural in nature’ 12.
96. The EDPB observes that if any of the data listed in paragraph 91 of this urgent binding decision may be
considered as falling within the scope of the definition of behavioural advertising, there are grounds
forfinding thatMetaIEisinfringingArticle6(1)GDPR.Thisis becauseMetaIE wouldstill beprocessing
personal data for the purpose of behavioural advertising on the basis of Article 6(1)(b)GDPR, although
it was considered unlawful by the IE SA Decisions 12.
97. Inthisrespect,theEDPBsharestheIESA’sviewthatMetaIEstillconductssomeprocessingofpersonal
data for the purposes of behavioural advertising in reliance on Article 6(1)(b) GDPR 12, at least for the
following categories of data:
• Location data - the EDPB finds, in line with the view of the IE SA, that Meta IE failed to
demonstrate that its processing of location data does not constitute processing for the
130
purpose of behavioural advertising . It is unclear to the EDPB, as it is to the NO SA and the IE
SA, on which basis the location is estimated, if not the data subject’s behaviour. The EDPB
consequently finds, in line with the view of the NO SA, that Meta IE’s processing of location
131
data to inform which ads are displayed to data subjects constitutes behavioural advertising .
• Advertisement interaction data - the EDPB finds, in line with the view of the IE SA, that Meta
IE failed to demonstrate that its processing of advertisement interaction data does not
constitute processing for the purpose of behavioural advertising. The EDPB shares the view of
the IE SA that ‘[Meta IE] is recording the behaviour of the users when they are presented with
adsandusethattotailorfuturepresentationofads’ 132.TheEDPBconsequentlyfindsthatMeta
IE’s processing of advertisement interaction data constitutes behavioural advertising for the
following reasons:
o As rightly pointed out by the IE SA, the EDPB recalls that interaction is listed among
the data types in the definition of behavioural advertising in the Article 29 Working
Party Opinion 2/2010 13.
o The EDPB observes that irrespective of whether the data subject provides negative or
positivefeedbackon theadstheysee, MetaIEstatesthattheinteractionswill beused
134
toprovidean‘appropriateandrelevantadvertisingexperience’ whichindicatesthat
Meta IE is inferring conclusions about user preferences from such interaction.
126Views of the FI SA of 15 May 2023, p. 2.
127Views of IT SA on IE SA FB Decision of 23 May 2023, p. 2, and views of IT SA in IE SA IG Decision of 23 May
2023, p. 2.
128
In this respect, the IE SA Decisions implemented the findings described in the EDPB Binding Decision 3/2022,
paragraphs 94-133 and the EDPB Binding Decision 4/2022, paragraphs 97-137.
129See paragraphs 92-93 above.
130IE SA Final Position Paper, paragraph 7.11.
131
132IE SA Final Position Paper, paragraph 7.11.
IE SA Final Position Paper, paragraph 7.14.
133IE SA Final Position Paper, paragraph 7.14.
134Meta IE Compliance Report on IE SA FB Decision, p. 16.
Adopted 25 o With respect to negative feedback (i.e., where the data subject clicks to hide/report
an ad), the EDPB observes that Meta IE states that it needs to use this information ‘to
ensure that choice regarding the user’s personal advertising experience (i.e., what
135
advertisements they do not want to see) is respected’ . The EDPB also observes that
MetaIEstatesthat theoptions‘HideAd’and‘Report Ad’areusedto‘directlyinfluence
the ads [users] see’ 13. The EDPB shares the view of the IE SA that ‘the reference in the
justification of this processing to a user’s “personal advertising experience” indicates
that the decision to hide one ad could be used to infer preferences about the ads that
137
a user receives more generally’ and therefore that ‘it appears from the information
provided by [Meta IE] that it uses data about hidden ads to engage in behavioural
138
advertising’ .
o With respect to positive feedback, the EDPB observes that Meta IE states that when
‘the user provides positive advertising feedback (e.g., actively choosing to click on a
specific ad they find relevant and want to see), [Meta IE] similarly needs to use that
information to ensure it is providing the user with an appropriate and relevant
139
personalised advertising experience pursuant to the Terms of Service’ .
Consequently, the EDPB also shares the view of the IE SA that this practice falls within
the definition of behavioural advertising provided by the WP29 Opinion as it involves
Meta IE ‘inferring conclusions about user preferences from users’ interaction with an
’140
advertisement .
98. In conclusion, the EDPB finds that Meta IE is inappropriately relying on Article 6(1)(b) GDPR to process
location data and advertisement interaction data collected on its products for the purpose of
behavioural advertising.
99. In addition, the EDPB shares the view of the IE SA that Meta IE did not provide sufficient information
to explain whyother categoriesofdata processed by Meta IEdo notamount to behaviouraldata,such
141
as device data and advertisements shown . In this respect, the EDPB finds, in line with the view of
the IE SA, that in relation to device data, if Meta IE would use device data to identify different market
segments, this would constitute a processing for behavioural advertising for which it would rely
inappropriately on Article 6(1)(b), infringing Article 6(1) GDPR 142.
135Letter from Meta IE to the IE SA of 30 June 2023, p. 5.
136Meta IE’s submissions of 16 October 2023 to the Oslo District Court. For Instagram specifically, also see the
screenshots included in p. 35 of the Annex 3 to the Compliance Report on IE SA IG Decision.
137IE SA Final Position Paper, paragraph 7.16.
138IE SA Final Position Paper, paragraph 7.18.
139Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2 and Meta IE Compliance Report on IE SA IG
140ision, paragraph 5.8.2.
IE SA Final Position Paper, paragraph 7.15.
141See paragraph 89 above.
142The IE SA stated that ‘it is unclear whether [Meta IE] identifies device information as a different market
segment. While the processing of device information to serve ads may not amount to behavioural advertising, it
ispossiblethat[MetaIE]identifiescertaindevicesasadifferentmarketsegment.Thetypeofdevicecouldindicate
spending power or history, which could be processed for behavioural purposes’, IE SA Final Position Paper,
paragraph 7.12.
Adopted 26 4.1.1.3 Inappropriate reliance on Article 6(1)(f) GDPR
4.1.1.3.1 Summary of the position of the NO SA
100. The NO SA considers that Article 6(1)(f) GDPR does not constitute an appropriate legal basis under
143
Article 6(1) GDPR for Meta IE’s behavioural advertising processing .
101. The NO SA refers to the IE SA Final Position Paper, in which the IE SA concluded that Meta IE continues
to fail to rely onavalidlegalbasis toprocesspersonaldata for behaviouraladvertising purposesunder
Article 6(1) GDPR, despite Meta IE’s switch to Article 6(1)(f) GDPR as a legal basis for its behavioural
advertising processing on 5 April 2023 14. The NO SA outlines that this conclusion was supported by
145
several CSAs explicitly, without any objection being raised by the other CSAs .
102. Further, the NO SA states that paragraph 117 of the CJEU Bundeskartellamt Judgment validates the
conclusion that Article 6(1)(f) GDPR does not constitute an appropriate legal basis for Meta IE’s
behavioural advertising processing 146. In this respect, the NO SA acknowledges Meta IE’s view that the
judgment is irrelevant and relates to a different aspect of Meta IE’s processing for behavioural
advertising 147. However, the NO SA argues that the ruling does apply to Meta IE’s behavioural
148
advertising practices in general and, therefore, that it cannot be disregarded .
4.1.1.3.2 Summary of the position of the controller
103. In its Compliance Reports, Meta IE states that it has changed its legal basis from Article 6(1)(b) GDPR
to Article 6(1)(f) GDPR for ‘Behavioural Advertising Processing’ - solely for personal data collected on
Meta’s products 149- to comply with the IE SA Decisions 150.
104. Asmentionedinparagraph81above,MetaIEdefinesthescopeofthisprocessingoperationprocessed
on the basis of Article 6(1)(f) GDPR as follows:
‘Behavioural Advertising Processing comprises the use by [Meta IE] of information collected on
[Meta’s] products about a user’s behaviour over time in order to assess and understand users’
143NO SA Request to the EDPB, p. 4.
144NO SA Request to the EDPB, p. 5. As specified in paragraph 104 below, Meta IE defines the scope of this
processing operation processed on the basis of Art. 6(1)(f) GDPR as relating to personal data collected on Meta’s
products.
145NO SA Request to the EDPB, p. 5.
146NO SA Request to the EDPB, p. 5.
147NO SA Request to the EDPB, p. 6. As specified in paragraphs 109 and 142 below, in paragraph 1.5 (A) of Meta
IE’s Response to the IE SA’s Provisional Position Paper of 4 August 2023, Meta IE considers that the
Bundeskartellamt Judgment ‘does not rule out Article 6(1)(f) [GDPR] “as a matter of principle” as a valid legal
basis for [Meta IE]’s Behavioral Advertising Processing. The judgment assessed Article 6(1)(f) [GDPR] (and the
element of “necessity”) in the context of different processing than is at-issue here (i.e., data collected off-[Meta],
and to a limited extent cross-product data processing, as opposed to data collected on-[Meta] products). (...)
Further,theCJEUdidnot(andcouldnotasamatteroflaw)issueablanketfindingthatusers’interestswillalways
outweigh [Meta IE]’s and third parties’ legitimate interests in the context of personalised advertising (...).’
148NO SA Request to the EDPB, p. 6.
149
Meta IE indicates to rely on Art. 6(1)(a) GDPR to process personal data about users’ activity off-Meta’s
products (such as on third-party websites, apps and certain offline interactions (e.g., purchases)), obtained by
MetaIEfromthirdpartyadvertisingpartnersforthepurposesofshowingpersonalisedadvertisingtotheseusers
onFacebookorInstagram(seeMetaIEComplianceReportonIESAFBDecision,p.12,paragraph3.1.2,andMeta
IE Compliance Report on IE SA IG Decision, p. 13, paragraph 3.1.2).
150Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision, p.
4.
Adopted 27 interests and preferences. This includes signals such as a user’s activity across [Meta’s]
products, engagement with content such as other users’ posts or which pages they visit, the
individuals and groups they communicate with, and/or what the user searches for. [Meta IE]
uses all of these signals to assess and understand users’ interests and preferences and to
provide them with behavioural advertisements.’ (emphasis added in bold) 151
105. With respect to the above, the EDPB notes that the personal data processed for behavioural
advertising purposes on the basis of Article 6(1)(f) GDPR is collected ‘on’ and ‘across’ Meta’s products
and that these terms are used interchangeably by Meta IE.
106. Meta IE also refers to its updated privacy policies for Facebook and Instagram, which provide the list
of categories of personal data processed for this purpose 152.
107. In Meta IE’s view, it was entitled to consider that it could switch to Article 6(1)(f) GDPR for its
behaviouraladvertisingprocessingtocomplywiththeIESADecisions 153.AccordingtoMetaIE,neither
the EDPB Binding Decisions nor the IE SA Decisions ordered Meta IE to rely on a specific legal basis
under Article 6(1) GDPR, such as Article 6(1)(a) GDPR 154. Meta IE argues that it is only once the IE SA
adopted the IE SA Final Position Paper on 18 August 2023 that an authority concluded that Meta IE’s
reliance on Article 6(1)(f) GDPR was insufficient to comply with the IE SA Decisions 155. Meta IE argues
that prior to this date ‘[s]ome SA submissions are inconsistent with one another and cannot be
reconciled (for example (...) certain SAs appear to consider that consent is the only viable basis possible
156
whereas others accept Article 6(1)(f) GDPR is viable)’ .
157
108. Meta IE carried out Legitimate Interests Assessments annexed to its Compliance Reports , in which
it concludes that Article 6(1)(f) GDPR constitutes an appropriate legal basis for behavioural
158
advertising . Meta IE reiterates this conclusion on 4 August 2023, after having made a commitment
to switch to Article 6(1)(a) GDPR through the Meta IE’s Consent Proposal 15. In addition, Meta IE
highlighted that it ‘expended significant resources’ and implemented ‘very substantial steps’ to switch
from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR to comply with the deadline of 5 April 2023 16.
109. With respect to the CJEU Bundeskartellamt Judgment, Meta IE takes the view that this case ‘does not
rule out Article 6(1)(f) [GDPR] as a matter of principle as a valid legal basis’ for Meta IE’s behavioural
151
Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision, p.
4.
152Meta IE Compliance Report on IE SA FB Decision, p. 4-5, and Meta IE Compliance Report on IE SA IG Decision,
p. 4-5.
153
Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 22. See
also Meta IE’s letter to the IE SA of 27 July 2023, p. 1-2.
154Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 4 and
16.
155
Meta IE’s Submissions of 26 September 2023, p. 11 and Meta IE’s Submissions of 16 October 2023, p.5.
156Letter from Meta IE to the IE SA regarding process and urgency of 31 May 2023, p. 3.
157Meta IE’s Legitimate Interests Assessments Behavioural Advertising Processing of 3 April 2023, Annex 4 to
Meta IE Compliance Report on IE SA FBDecision and Annex 4 toMeta IE ComplianceReport on IE SA IG Decision.
158
Annex 4 to the Meta IE Compliance Report on IE SA FB Decision and to Meta IE Compliance Report on IE SA
IG Decision, p. 4, and Meta IE Compliance Report on IE SA FB Decision, p. 11, Meta IE Compliance Report on IE
SA IG Decision, p. 12.
159Meta IE’s Request for preliminary injunction, 4 August 2023, p. 27.
160
Meta IE’s Submissions of 26 September 2023, p. 10 and Meta IE’s Submissions of 16 October 2023, p.5. See
also Meta IE’s Submissions of 25 August 2023, p. 33.
Adopted 28 advertising processing activities, given that the CJEU ‘did not (and could not as a matter of law) issue
a blanket finding that users’ interests will always outweigh [Meta IE]’s and third parties’ legitimate
interests in the context of personalised advertising’ 161. It argues that the CJEU Bundeskartellamt
Judgment relates to a different processing than the processing covered by the EDPB Binding Decisions
and the IE SA Decisions. More specifically, Meta IE points out that this judgment relates to personal
data collected off-Meta, as opposed to data collected on-Meta products. Notably, Meta IE states that
the scope of the case, ‘excludes processing for behavioural advertising purposes when using personal
data collected across different [Meta IE]’s products’, while acknowledging that the case focuses ‘to a
lesser extent’ on ‘the processing of personal data collected across various [Meta IE]’s products’ 16.
110. Lastly, despite considering that it can lawfully rely on Article 6(1)(f) GDPR, Meta IE announced that,
taking into account the ‘different views’ of the IE SA both in the IE SA Provisional Position Paper and
regarding the interpretation of the CJEU Bundeskartellamt Judgment, it was willing to switch to
163
consent for the processing at stake .
164
.
165
.
166.
167.
4.1.1.3.3 Analysis of the EDPB
111. In the IE SA Decisions, Meta IE was directed to take the necessary action to address the finding that
Meta IE is not entitled to carry out the processing operations at stake on the basis of Article 6(1)(b)
GDPR,wasordered tobringits processingof personaldatafor the purposesofbehaviouraladvertising
into compliance with Article 6(1) GDPR and it was specified that such action is ‘not limited to the
161
Meta IE’s Response to IE SA’s Provisional Position Paper, 4 August 2023, section 1.5 (A) and also section 2 for
a more detailed analysis.
162 Meta IE’s Request for preliminary injunction, 4 August 2023, p. 27.
163 Meta IE’s letter to the IE SA of 27 July 2023, p. 1-2.
164 Meta IE’s letter to the IE SA of 27 July 2023, p. 2.
165 Meta IE’s letter to the IE SA of 27 July 2023, p. 2.
166
IE SA’s letter to Meta IE of 11 August 2023, p. 2.
167 IE SA’s letter to Meta IE of 11 August 2023, p. 2.
Adopted 29 identification of an appropriate alternative legal basis’, but may include the implementation of ‘any
necessary measures required to satisfy the conditionality associated with that/those alternative legal
basis/bases’ 16.
112. TheEDPBnotesthat,accordingtoMetaIEComplianceReportsandtheIESAFinalPositionPaper,Meta
169
IE relies on Article 6(1)(f) GDPR to process personal data collected on Meta’s products for the
purposes of behavioural advertising since 5 April 2023 170.
113. Pursuant to Article 6(1)(f) GDPR, Recital 47 GDPR and the CJEU’s settled case-law 171, three cumulative
conditions must be met to be able to rely on Article 6(1)(f) GDPR, ‘namely, first, the pursuit of a
legitimate interest by the data controller or by a third party; second, the need to process personal data
for the purposes of the legitimate interests pursued; and third, [according to a balancing test] that the
interests or fundamental freedoms and rights of the person concerned by the data protection do not
172
take precedence over the legitimate interest of the controller or of a third party’ .
114. More specifically, the first condition relates to the existence of legitimate interests pursued by the
controller or a third party.
115. Meta IE has identified different interests that it considers legitimate and on which it relies for the
processing at stake. These interests are pursued either by Meta IE or third parties, namely businesses
that use Facebook/Instagram and other users of Meta’s products 173. More specifically, Meta IE
identified the four following legitimate interests:
• (1)Meta IE’s‘interest and theinterestsofother userstoprovidea positiveuserexperiencethat
users will want to engage with, and which is tailored to users - providing quality targeted and
personalised ads is a core element of the wider user experience across Meta Products’,
• (2) Meta IE’s ‘interest and the interests of other users to enable [Meta IE] to generate revenue
and continue to innovate, improve and develop the Meta Products and new technologies’,
• (3) Meta IE’s and third parties’ (e.g. advertisers) interests ‘to provide businesses, both big and
small, the opportunity to connect with the users who are most likely to be interested in their
products and services’, and
• (4) Meta IE’s ‘interests and the interests of third parties (e.g. advertisers) and other users, for
businesses, both big and small, to be able to promote their products and services to users’ 17.
168
IE SA FB Decision, paragraph 8; and IE SA IG Decision, paragraph 212.
169IE SA Final Position Paper, paragraph 7.23, p. 11-12, referring to Meta IE’s Letter to the IE SA of 30 June 2023,
and Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision,
p. 4.
170
IE SA Final Position Paper, paragraph 7.25, p. 12, and Meta IE Compliance Report on IE SA FB Decision, p. 4,
and Meta IE Compliance Report on IE SA IG Decision, p. 4.
171As recently recalled in the CJEU Bundeskartellamt Judgment, paragraph 106, which refers to previous case-
law. The IE SA Final Position Paper also recalls and applies this test in paragraphs 7.27 and seq., p. 12-21.
172See paragraph 106 of the CJEU Bundeskartellamt Judgment.
173
Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p.
6.
174Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p.
6.
Adopted 30116. These four categories of interests are further broken down in several sub-interests in Meta IE
Legitimate Interests Assessments 17. For example, the first and the second legitimate interests also
include the following sub-interest: ‘[For other Facebook and Instagram users:] The enjoyment of
Facebook and Instagram services free of charge’. 176
117. As recalled by the IE SA, the given legitimate interests must be ‘sufficiently clearly articulated and [be]
real and present, corresponding to current activities or to benefits that are expected in the near
future’ 177.
118. The EDPB notes that the IE SA concluded that the interests listed by Meta IE in its Compliance Reports
can meet these criteria 178.
119. The second condition relates to the necessity of the processing for the pursuit of those interests (or
‘necessity test’).
120. In its Compliance Reports, Meta IE considers that: (1) the processing at stake is necessary to pursue
and achieve the legitimate interests identified by Meta IE 179, (2) this processing is reasonable and
180
proportionate to achieve the legitimate interests pursued and (3) no viable alternatives exist that
would allow the legitimate interests to be achieved 181.
121. In that regard, the IE SA considers that Meta IE failed to demonstrate in its Compliance Reports that
its behavioural advertising processing was necessary to the different legitimate interests it
identified 182. More specifically, the IE SA points out that Meta IE’s explanations regarding the impact
of the processing at stake are ‘too vague’ and therefore they do not allow the IE SA to determine that
there is a less intrusive alternative that Meta IE could pursue 183. In addition, the IE SA considers that
Meta IE Legitimate Interests Assessments do not apply the necessity test for each of the legitimate
interest on which it relies 184.
122. More specifically, regarding the first interest set out by Meta IE, the IE SA refers to the EDPB Binding
Decision 3/2022 and concludes that behavioural advertising is not in the interest of all Meta IE’s users,
185
but only of some users . Therefore, according to the IE SA, Meta IE has not explained the need to
175
MetaIELegitimateInterestsAssessmentsBehaviouralAdvertisingProcessingof3April2023,Annex4toMeta
IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 9-
13.
176MetaIELegitimateInterestsAssessmentsBehaviouralAdvertisingProcessingof3April2023,Annex4toMeta
IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 9.
This sub-interest is further detailed on p. 12 of Meta’s Legitimate Interests Assessments.
177IE SA Final Position Paper, paragraph 7.33, referring to the EDPB Binding Decision 02/2022, paragraph 110.
178
IE SA Final Position Paper, paragraph 7.33, p. 13-14.
179Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision,
p.6, both referring to sections 2.b, 2.c., and 3.a of Meta IE Legitimate Interests Assessments.
180Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision, p.
7, both referring to section 3.b of Meta IE Legitimate Interests Assessments.
181Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision, p.
7, both referring to sections 3.c, 3.d, and 3.e of Meta IE Legitimate Interests Assessments.
182
183IE SA Final Position Paper, paragraph 7.50, p. 18.
IE SA Final Position Paper, paragraph 6.3, p. 5.
184IE SA Final Position Paper, paragraph 7.41, referring to Meta IE Legitimate Interests Assessments Behavioural
Advertising Processing of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB Decision and Annex 4
to Meta IE Compliance Report on IE SA IG Decision.
185IE SA Final Position Paper, paragraphs 7.43-7.44, p. 16.
Adopted 31 process the personal data of all of its users ‘for the purposes of realising the interests of those users
186
who want to receive behavioural advertising’ .
123. Further, regarding the second, third and fourth interests put forward by Meta IE in its Compliance
187
Reports , the IE SA concludes that Meta IE’s arguments are not sufficiently substantiated because of
the vagueness and the lack of specificity of the analysis 188. In particular, Meta IE has not explained
which specific categories of personal data Meta IE needs to process or which processing operations
need to take place to achieve the above interests 189.
124. When conducting the ‘necessity test’ in the Meta IE Legitimate Interests Assessments, Meta IE claims
that ‘Without the Processing, which as explained above is essential in order to monetise Facebook and
Instagram, [Meta IE] would not be able to provide the services to users free of charge in the same
manner as it does currently. This in turn would jeopardise the attainment of the legitimate interests
identified above’ 190. According to Meta IE, if it did not carry out the processing of personal data
collected on its products for the purpose of behavioural advertising and if it only carried out the
‘limited’ processing it engages in when data subjects object, it ‘would significantly impact the user
experienceonFacebook andInstagram (in part, duetolessinnovation happeningon theplatformsdue
to reduced revenue) and it would also impact [Meta IE]’s ability to provide Facebook and Instagram
free of charge (regardless of the financial means of the user) to users as this is largely due to the
revenues that [Meta IE] makes from enabling advertisers to effectively advertise to Instagram and
191
Facebook users’ .
125. However, the IE SA points out that Meta IE’s privacy policy states that Meta IE is pursuing a legitimate
interest ‘to generate revenue’, which is different than providing services for free 19. According to the
IE SA, given that other types of advertising may also generate revenue, it cannot be concluded that
behavioural advertising is necessary to generate ‘any revenue at all’ 193.
126. The IE SA also highlights that ‘there is no explanation as to why it is necessary to process all the data
categories that [Meta IE] uses for behavioural advertising in order to provide the services for free’ 19.
Against this background, the IE SA concludes that Meta IE’s claim that it is necessary to carry out
behavioural advertising to provide Meta IE’s services is not sufficiently granular 195. In particular, it is
unclear whether, through this argument, Meta IE is saying that (1) Meta IE is unable to provide
FacebookandInstagramforfreeunlessitprocessesthepersonaldataofallofitsusersforthepurpose
186
IE SA Final Position Paper, paragraph 7.44, p. 16.
187Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p.
6.
188IE SA Final Position Paper, paragraphs 7.45 and 7.50, p. 16 and 18.
189
IE SA Final Position Paper, paragraph 7.45, p. 16.
190MetaIELegitimateInterestsAssessments BehaviouralAdvertisingProcessingof3April2023,Annex4toMeta
IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p.
21, section 3a.
191
MetaIELegitimateInterestsAssessments BehaviouralAdvertisingProcessingof3April2023,Annex4toMeta
IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p.
24, section 3d.
192IE SA Final Position Paper, paragraph 7.46, p. 17.
193
IE SA Final Position Paper, paragraph 7.46, p. 17.
194IE SA Final Position Paper, paragraph 7.47, p. 17.
195IE SA Final Position Paper, paragraph 7.47, p. 17.
Adopted 32 of behavioural advertising, or (2) Meta IE is still able to provide Facebook and Instagram for free by
196
processing the personal data of some of its users who do not object to behavioural advertising .
127. The IE SA’s conclusion for the second condition was shared by a number of CSAs in their comments
and reactions on the Compliance Reports:
• On 4 May 2023, the NL SA outlined that ‘[t]he massive processing of users’ (special) personal
data for the purpose of behavioural advertising is not ‘necessary’ for the purposes of the
197
declared interests’ .
• On 23 May 2023, the IT SA notes in relation to Meta IE Legitimate Interests Assessments that
‘it is as if the controller were shifting the burden of proof regarding legitimate interest as the
legal basis of processing on the data subjects – who conversely should be called into play as
key actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the
necessity of the processing and performing the required balancing exercise’ 19.
• In the NO SA Order, the NO SA argues that Meta IE fails to show that it fulfils the ‘necessity
test’ based on (1) the absence of assessment of the necessity of each interest put forward by
Meta IE, (2) the absence of a substantiated assessment regarding alternative advertising
models that could be viable, (3) the incorrect finding in Meta IE Legitimate Interests
Assessments that its behavioural advertising processing is unlikely to have an adverse impact
ondata subjects,and (4)theinappropriatereference to the fact thatother businessesarealso
carrying out behavioural advertising, which does not have an impact on the lawfulness of such
processing 19.
128. According to the settled case-law of the CJEU, when applying the necessity test, ‘it should be borne in
mind that derogations and limitations in relation to the protection of personal data must apply only in
200
so far as is strictly necessary’ .
129. In its Bundeskartellamt Judgment, the CJEU also recalled that this second condition requires ‘to
ascertain that the legitimate data processing interests pursued cannot reasonably be achieved just as
effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, in
particular the rights to respect for private life and to the protection of personal data guaranteed by
201
Articles 7 and 8 of the Charter’ . This condition must also be examined in conjunction with the
principle of data minimisation under Article 5(1)(c) GDPR 202.
196IE SA Final Position Paper, paragraph 7.47, p. 17.
197Views of the NL SA of 4 May 2023 on Meta IE’s choice of a new legal basis for the processing of personal data
198Meta IE in the framework of Behavioural Advertising on its platforms Facebook and Instagram, paragraph 3.
Views of IT SA on the IE SA FB Decision of 23 May 2023, p. 2, and views of IT SA on the IE SA IG Decision of 23
May 2023, p. 2.
199NO SA Order, p. 17-18.
200Judgment of 4 May 2017, Rīgas satiksme, C-13/16, ECLI:EU:C:2017:43, paragraph 30 and cited case-law;
Judgment of 11 December 2014, Ryneš, C-212/13, ECLI:EU:C:2014:2428, paragraph 28; Judgment of 11
December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, paragraph 46.
201CJEU Bundeskartellamt Judgment, paragraph 108.
202CJEU Bundeskartellamt Judgment, paragraph 109.
Adopted 33130. In the EDPB Binding Decisions, the EDPB considered that there are realistic, less intrusive alternatives
203
to behavioural advertising, making the processing at stake not ‘necessary’ .
131. Inlight ofthe above,the EDPBconsidersthat therearegrounds forconcluding, asthe IE SA did 204,that
Meta IE failed to fulfil the second condition of the ‘necessity test’ to be able to rely on Article 6(1)(f)
GDPR for the processing of personal data collected on Meta’s products for purposes of behavioural
205
advertising, in particular whether there are no other means that are less intrusive alternatives and
regarding compliance with the principle of data minimisation under Article 5(1)(c) GDPR 20.
132. The third condition relates to the ‘balancing test’.
133. In its Compliance Reports referring to the Meta IE Legitimate Interests Assessments, Meta IE has
concluded that, in light of the ‘extensive measures and safeguards’ it implemented, the potential risks
207
to data subjects identified are ‘appropriately mitigated’ .
134. More specifically, Meta IE refers inter alia to the following safeguards: the measures implemented to
ensure transparency towards data subjects (e.g. through privacy policies and ‘Help center’ articles),
the publication of advertising policies for users, the existence of restrictions on targeting criteria, the
existence of control tools (in relation to advertising in general or to specific ads that are displayed to
users) 208,thepossibilitytoobjecttotheprocessing 209andthepossibilitytoexercisedatasubjects’data
210
protectionrights .Metaalsoarguesthatthelanguage introducedtoexplainthechangeoflegalbasis
and the impact on users, including their ability to object to the behavioural advertising processing at
stake, ‘have been implemented to ensure that users have a reasonable expectation of Behavioural
Advertising Processing and are aware of their right to object to this processing 211’. In Meta IE’s
Legitimate Interests Assessments, Meta further claims that ‘Users reasonably expect the processing of
Platform Behavioural Information for behavioural advertising, taking into account the robust
203EDPB Binding Decision 3/2022, paragraph 121 and the EDPB Binding Decision 4/2022, paragraph 124. As
eluded to in the EDPB Binding Decisions, the AT SA, PL SA (only for EDPB Binding Decision 3/2022) and SE SAs
mention as examples contextual advertising based on geography, language and content, which do not involve
intrusivemeasuressuch asprofiling andtracking ofusers.Thisanalysiswasmadeinthecontextofthelegalbasis
of Art. 6(1)(b) GDPR.
204
205IE SA Final Position Paper, paragraph 7.50, p. 18 and paragraph 6.3., p. 5.
IE SA Final Position Paper, paragraphs 7.46-7.48, p. 17.
206IE SA Final Position Paper, paragraph 7.45, p. 16, and an analysis of the principle of data minimisation is
included in paragraph 7.59, p. 19, with respect to the balancing test.
207
Meta IE Compliance Report on IE SA FB Decision, p. 10 and Meta IE Compliance Report on IE SA IG Decision,
p. 11, both referring to sections 4 and in particular sections 4.2.b and 4.2.c of Meta IE Legitimate Interests
Assessments.
208Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB
Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.c. on the implemented
safeguards.SomesafeguardsarereiteratedinMetaIEComplianceReportonIESA FBDecision,p.7-10andMeta
IE Compliance Report on IE SA IG Decision, p. 7-12.
209Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA
FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.e. on the opt-out tools.
210Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA
FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.f. on data protection
rights.
211
Meta IE Compliance Report on IE SA FB Decision, p. 7 and Meta IE Compliance Report on IE SA IG Decision,
p. 7.
Adopted 34 transparency [Meta] has implemented (...), which contributes to managing user expectations around
212
the Processing and personalised advertising more broadly’ .
135. In that regard, the EDPB notes that the IE SA concluded that, due to the failure to facilitate the right to
213
object under Article 21 GDPR , the lack of any consideration of the right to private life (as enshrined
in Article 7 of the Charter) 214 or data minimisation 21, and the insufficient consideration of the impact
216
of the processing on the purpose limitation principle , Meta IE has not demonstrated that its
legitimate interests in processing for behavioural advertising outweigh the fundamental rights and
217
freedoms of data subjects . In particular regarding the right to object, the IE SA pointed out inter alia
that ‘there is no ability in these [objection] tools to turn off processing of data collected directly by
[Meta IE] for advertising purposes, including content, audio, metadata about content, apps and
features used, transactions, hashtag and the time, frequency and duration of activities on [Meta IE]
products’ as these categories of data would still be used for the purpose of behavioural advertising
according to Meta IE’s privacy policy 21.
136. The IE SA also refers to a previous CJEUjudgment of 24 September 2019, where the CJEU held that the
data subjects’ fundamental rights under Articles 7 and 8 of the Charter ‘override, as a rule (...) the
219
economic interest’ of a private operator .
137. The conclusion of the IE SA regarding the third condition was shared by a number of CSAs in their
comments and reactions on the Meta IE Compliance Reports:
• On 4 May 2023, the NL SA concluded that ‘[t]he fundamental rights and freedoms of the data
subject override the interest of [Meta IE] and the third parties involved’ 22. The NL SA raised
the following considerations:
o ‘some of the data processed by [Meta IE] for the purpose of behavioural advertising
are special, sensitive kinds of personal data, which increase the weight attached to
221
the interests of data subjects in the balancing act ’
o ‘Not only the type but also the sheer amount of data that is processed by a company
with the size of [Meta IE] should be taken into account in the balancing act. For the
purposes of behavioural advertisement, [Meta IE] processes a broad spectrum of
(special) personal data from millions of users. These data are analysed and possibly
222
stored, adjusted, and reused on a daily basis. ’
212Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA
FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 7.
213
IE SA Final Position Paper, paragraphs 7.60.-7.66., p. 19-21.
214IE SA Final Position Paper, paragraphs 7.57, p. 19.
215IE SA Final Position Paper, paragraph 7.59, p. 19.
216IE SA Final Position Paper, paragraph 7.58, p. 19.
217
IE SA Final Position Paper, paragraph 7.67, p. 21, and paragraph 6.3., p. 5.
218IE SA Final Position Paper, paragraph 7.65., p. 20-21, referring in footnote 29 to p. 54-55 of Meta IE’s privacy
policy.
219IESAFinalPositionPaper,paragraph7.57.,p.19,referringtoJudgmentoftheCourtofJusticeoftheEuropean
Union of 24 September 2019, GC and Others, C-136/17; ECLI:EU:C:2019:773, paragraph 53. In this case, the
private operator was a search engine. Also see case-law cited.
220Views of the NL SA of 4 May 2023 on Meta IE’s choice of a new legal basis for the processing of personal data
by Meta IE in the framework of Behavioural Advertising on its platforms Facebook and Instagram, paragraph 3.
221
Views of the NL SA of 14 May 2023, paragraph 43.
222Views of the NL SA of 14 May 2023, paragraph 44.
Adopted 35 o ‘With regard to user expectations, the NL SA points out that, in line with the principle
of accountability, the assessment of user expectations should take place before the
processing is initiated under Art. 6(1)(f) GDPR. Controllers cannot simply "retroactively
adjust" the expectations of existing users and bring processing in line with Art. 6(1)(f)
GDPR, simply by providing them with some information – especially not when the
essence of this information is hard to grasp. 22’
o ‘Furthermore,asalsoconcludedbytheEDPBinitsdecision3/2022,20theNLSAagrees
withtheEDPBthatusersdonotsignupto[MetaIE]’sservicestobeservedpersonalized
content but for the sake of connecting with friends and family. Even in its changed
Terms of Service, [Meta IE] presents its services as “services that enable people to
connect with each other, build communities…”. The connection to
people/friends/family is therefore still theservicewith which [Meta IE] seeks to attract
newusers.Eventhough“buildingbusinesses”isinsertedasathird“goa”oftheservices
of [Meta IE], this does not create the reasonable expectation that users’ personal data
224
will be processed for the purpose of behavioural advertising’ .
o ‘NL SA therefore concludes that users do not expect or should reasonably expect that
their data are processed for the sake of behavioural advertising as done by [Meta
IE].25’
o ‘Consideringthegravityoftherisksidentified,NLSAfindsthat[MetaIE]indeedtreads
very lightly on these risks and their mitigation.26’
o ‘The NL SA therefore finds that the right to object as provided for in the GDPR, a core
right when processing is undertaking on the basis of Art. 6(1)(f) GDPR, is therefore not
227
properly respected by [Meta IE]’ .
• On 12 May 2023, the ES SA identified the following shortcoming in Meta IE’s assessment of
the balancing test:
o ‘Regarding the impact on data subjects, it is not established that it does not concern
sensitive data.
o As regards the way in which data is processed, data is processed massively,
comprehensively and in combination with all types of data obtained from other
sources, without taking into account the principle of data minimization.
o As regards the data subject’s reasonable expectations, the data typology reflected in
the privacy policy is not easily understandableto the average user, who does not know
exactlywhatdataisbeingprocessedandwhattheextentofsuchprocessingis.Inorder
for the user to know what type of data is being processed and how they are being
processed, the user must also look up several documents.
o As regards the position of the controller and the data subject, there is no balance of
power, Meta [IE] is a large company which imposes its conditions on its users without
they have the possibility of choosing or not certain processing operations and which of
223Views of the NL SA of 14 May 2023, paragraph 45.
224Views of the NL SA of 14 May 2023, paragraph 46.
225
226Views of the NL SA of 14 May 2023, paragraph 49.
Views of the NL SA of 14 May 2023, paragraph 51.
227Views of the NL SA of 14 May 2023, paragraph 63.
Adopted 36 their data are processed. There is also no analysis of how the [processing] affects
vulnerable sectors, and how to mitigate possible negative effects.
o Finally, with regard to the additional safeguards included to prevent undue impact on
data subjects, as already stated, the principle of data minimization is not taken into
account, there is no indication of what actions [Meta IE] takes to prevent the
processing of sensitive data indirectly and, as explained below, the GDPR is not
228
complied with regard to the right to object.’ [emphasis added in bold]
• On 15 May 2023, the FI SA stated that ‘[Meta IE]´s legal interests assessment (...) seems to be
rather one-sided and superficial and fails to convince why the interests of [Meta IE] or third
parties should override the interests and fundamental rights of the data subjects’ 229.
• On 23 May 2023, the IT SA notes in relation to Meta IE Legitimate Interests Assessments that
‘it is as if the controller were shifting the burden of proof regarding legitimate interest as the
legal basis of processing on the data subjects – who conversely should be called into play as
key actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the
230
necessity of the processing and performing the required balancing exercise’ .
• In the NO SA Order, the NO SA rejects Meta IE’s assumption that the data subjects
undisputedly want and expect behavioural advertising based on monitoring and profiling of
their behaviour 231. Therefore, according to the NO SA, Meta IE’s assessment of the elements
of Article 6(1)(f) GDPR has been skewed 23. In addition, the NO SA refers to the paragraph 117
of the CJEU Bundeskartellamt Judgment, which held that ‘data subjects cannot reasonably
expect that the operator of the social network will process that user’s personal data, without
his or her consent, for the purposes of personalised advertising’ 233. Further, the NO SA
considers that informing data subjects about behavioural advertising processing does not
mean that it falls within their reasonable expectations and in any case, data subjects are not
realistically able to read the privacy policies of every service used, including Meta IE’s privacy
234
policies . The NO SA also argues that Meta IE fails to show that Meta IE’s interests outweigh
the rights and freedoms of data subjects 23.
236
138. The IE SA made an overall conclusion on the three-step test that Meta IE has not demonstrated
compliance with Article 6(1)(f) GDPR for the processing at stake 237. The IE SA highlighted, both in the
IE SA Provisional Position Paper and IE SA Final Position Paper that this conclusion stems from the
following reasons: (1) ‘[Meta IE] has not made out that the processing is necessary for legitimate
interests. Its explanations of the impact of the processing on its business are too vague to allow the [IE
228Views of the ES SA of 12 May 2023, p. 5.
229ViewsoftheFISAof15May2023,preliminary remarksonMeta´snewlegalbasisinrelationtotheprocessing
of personal data for the purposes of behavioural advertising in Facebook and Instagram services, p. 2.
230ViewsofITSAonthelegalbasisorderandtransparency orderrelatingtotheIE SAFBDecision,p.2,and views
of IT SA on the legal basis order and transparency order relating to the IE SA IG Decision of 23 May 2023, p. 2.
231NO SA Order, p. 15-16.
232
NO SA Order, p. 15-16.
233NO SA Order, p. 17.
234NO SA Order, p. 16.
235NO SA Order, p. 17-23.
236
IE SA Final Position Paper, paragraphs 7.27-7.28, p. 12-13, referring to the CJEU Bundeskartellamt Judgment,
paragraph 126.
237IE SA Final Position Paper, paragraph 7.30, p. 13.
Adopted 37 SA] to determine that there is no less intrusive alternative that can be pursued’, (2) ‘[Meta IE] has not
demonstrated that the balancing favours its processing. In particular, the opt-out mechanism provided
does not comply with the GDPR’ 238. The conclusions of the IE SA regarding the results of the three-step
testwassharedbyanumberofCSAs,whichalsoraisedtheinappropriaterelianceby Meta IEtoArticle
6(1)(f) GDPR:
• On 18 April 2023, the AT SA stated that processing operations in connection with ‘behavioural
239
advertising processing’ cannot be based on Article 6(1)(f) GDPR .
• On 12 May 2023, the ES SA indicated that Meta IE Legitimate Interests Assessments ‘did not
demonstrate that the processing carried out by Meta IE with the purpose of behavioural
advertisement can be based on [A]rticle 6(1)(f) [GDPR] since it does not meet the requirements
of this article’0.
• In the NL SA Mutual Assistance Request sent on 30 May 2023, the NL SA expressed concerns
as to Meta IE’s reliance on Article 6(1)(f) GDPR, taking into account ‘thefact that thecontroller
could not have been unaware of already established guidance from the EDPB, nor of the
position of several CSAs on the matter, but chose to explore the path of Article 6(1)(f) [GDPR]
241
regardless’ . The NL SA states that ‘Meta [IE] cannot invoke Article 6(1)(f) [GDPR] as a valid
legalbasistoprocessthepersonaldataofitsusersforthepurposesofbehaviouraladvertising’,
and that this conclusion is ‘in line with several EDPB and WP29 Guidance documents, which
underpin that the appropriateness of using Article 6(1)(f) [GDPR] as a legal basis for the
242
processing concerned is highly questionable’ .
139. In previous judgments, the CJEU clarified that when carrying out the ‘balancing test’, the data
controller ‘must take account of the significance of the data subject’s rights arising from Articles 7 and
8 of the Charter’ 24.
140. In its Bundeskartellamt Judgment, the CJEU held the following obiter dictum:
‘as can be seen from recital 47 of the GDPR, the interests and fundamental rights of the data
subject may in particular override the interest of the data controller where personal data are
244
processed in circumstances where data subjects do not reasonably expect such processing .’
‘(...) such processing must also be necessary in order to achieve that interest and the interests
or fundamental freedoms and rights of the data subject must not override that interest. In the
contextofthatbalancing oftheopposingrightsatissue,namely,thoseofthecontroller,onthe
one hand, and those of the data subject, on the other, account must be taken, as has been
noted (...) above, in particular of the reasonable expectations of the data subject as well as the
scale of the processing at issue and its impact on that person. 24’
238IE SA Final Position Paper, paragraph 6.3, p. 5 ; IE SA Provisional Position Paper, paragraph 5.3, p. 4 (in
239ghtly different terms).
IMI report on Compliance in the Facebook case.
240Views of the ES SA, 12 May 2023, p. 6.
241NL SA Mutual Assistance Request, p. 2.
242NL SA Mutual Assistance Request, p. 1, where a reference is made to the EDPB Guidelines 8/2020 on the
targeting of social media users.
244CJEU Bundeskartellamt Judgment, paragraph 112.
244CJEU Bundeskartellamt Judgment, paragraph 112.
245CJEU Bundeskartellamt Judgment, paragraph 116.
Adopted 38 ‘In this regard, it is important to note that, despite the fact that the services of an online social
network such as Facebook are free of charge, the user of that network cannot reasonably
expectthattheoperatorofthesocialnetworkwillprocessthatuser’spersonaldata,without
his or her consent, for the purposes of personalised advertising. In those circumstances, it
must be held that the interests and fundamental rights of such a user override the interest of
thatoperatorinsuchpersonalisedadvertisingbywhichitfinancesitsactivity,withtheresult
that the processing by that operator for such purposes cannot fall within the scope of point
246
(f) of the first subparagraph of Article 6(1) of the GDPR.’ [emphasis added]
141. In the IE SA Provisional Position Paper issued before the CJEU Bundeskartellamt Judgment, the IE SA
provisionallyfoundthatMetaIEhadnotdemonstratedcompliancewithArticle6(1)(f)GDPR 247asMeta
IE had not demonstrated that it could rely on Article 6(1)(f) GDPR 248. The IE SA then confirmed that
Meta IE has not demonstrated compliance with Article 6(1)(f) GDPR following the analysis of the CJEU
Bundeskartellamt Judgment as it states in its Final Position Paper that ‘Prior to the date of [the
Bundeskartellamt]judgment,the[IESA]hadanalysed[MetaIE]’srelianceonArticle6(1)(f)[GDPR]and
had come to the provisional conclusion that [Meta IE] had not demonstrated compliance with that
provision’ and that‘theCJEUindicated that there aresignificant barriers to [Meta IE] seeking to rely on
249
Article 6(1)(f) [GDPR] for the behavioural advertising processing at issue in that judgment’ .
142. The EDPB notes Meta IE’s arguments regarding the alleged irrelevance of the CJEU Bundeskartellamt
250
Judgment . Meta considers that this judgment ‘does not rule out Article 6(1)(f) [GDPR] “as a matter
of principle” as a valid legal basis for [Meta IE]’s Behavioral Advertising Processing. The judgment
assessed Article 6(1)(f) [GDPR] (and the element of “necessity”) in the context of different processing
than is at-issue here (i.e., data collected off-[Meta] 25, and to a limited extent cross-product data
processing, as opposed to data collected on-[Meta] products). (...) Further, the CJEU did not (and could
not as a matter of law) issue a blanket finding that users’ interests will always outweigh [Meta IE]’s
and third parties’ legitimate interests in the context of personalised advertising (...) 252.’
143. As regards the scope of the CJEU Bundeskartellamt Judgment, the EDPB notes the references made to
data collection from other services of the group to which an operator belongs 25.
246
CJEU Bundeskartellamt Judgment, paragraph 117.
247IE SA Provisional Position Paper, paragraph 6.26, p. 11.
248IE SA Provisional Position Paper, paragraph 5.3, p. 4.
249IE SA Final Position Paper, paragraph 7.26, p. 12.
250
MetaIE’sResponsetoIESA’sProvisionalPositionPaperof4August2023,section1.5(A).SeealsoENGVersion
of Meta IE Merits Complaint submitted to the Oslo District Court of 16 October 2023 (corrected), p. 38 and Meta
IE’s Submissions of 26 September 2023, p. 10-11.
251Data collected ‘off’-Meta products refers data collected outside of Meta’s products, such as on third-party
websites, apps and certain offline interactions (e.g., purchases).
252Meta IE’s Response to IE SA’s Provisional Position Paper of 4 August 2023, section 1.5 (A) and section 2 for a
more detailed analysis of the CJEU Bundeskartellamt Judgment.
253In that regard, paragraph 86 of the CJEU Bundeskartellamt Judgment states: ‘By Questions 3 and 4, which it is
appropriate to examine together, the referring court asks, in essence, whether and under what conditions points
(b)and(f)ofthefirstsubparagraphofArticle6(1)oftheGDPRmustbeinterpretedasmeaningthattheprocessing
of personal data by the operator of an online social network, which entails the collection of data of the users of
such a network from other services of the group to which that operator belongs or from visits by those users to
third-party websites or apps, the linking of those data with the social network account of those users and the use
of such data, may be considered to be necessary for theperformance of a contract to which the data subjects are
party, within the meaning of point (b), or for the purposes of the legitimate interests pursued by the controller or
Adopted 39144. The EDPB acknowledges that the behavioural advertising processing that Meta carries out in reliance
254
ofArticle6(1)(f)GDPRandthatisexaminedforthepurposeofthissection4.1.1.3 relatestopersonal
data collected on Meta’s products while, according to Meta IE, the CJEU Bundeskartellamt Judgment
mostly relates to personal data obtained from third party advertising partners outside of Meta’s
products. However, the EDPB considers that this Judgment, addressed to Meta IE, Meta Platforms Inc.
255
and Facebook Deutschland GmbH , outlines the way the balancing exercise may be carried out for
the purpose of behavioural advertising, which is also relevant for personal data collected on Meta’s
products.
145. The EDPB recalls its previous guidelines where it highlighted that ‘it would be difficult for controllers to
justify using legitimate interests as a lawful basis for intrusive profiling and tracking practices for
marketing or advertising purposes, for example those that involve tracking individuals across multiple
websites, locations, devices, services or data-brokering. 256’
146. The EDPB considers that this guidance is relevant for the processing at stake carried out by Meta IE,
which,asprovidedintheEDPBBindingDecisions,isintrusivegivenitsscaleandtheextensiveamounts
of data that is processed by Meta IE 257. In those decisions, the EDPB outlined ‘the complexity, massive
scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the
Facebook [or Instagram] service’ 25. In other words, ‘[b]ehavioural advertising, as briefly described in
[paragraph 95 of the EDPB Binding Decision 3/2022 and paragraph 98 of the Binding Decision
4/2022 259] is a set of processing operations of personal data of great technical complexity, which has a
by a third party, within the meaning of point (f). That court asks, in particular, whether, to that end, certain
interests which it explicitly lists constitute ‘legitimate interests’ within the meaning of the latter provision.’
254
Meta IE indicates to rely on Art. 6(1)(a) GDPR to process personal data obtained by Meta IE from third party
advertising partners. Such data is about users’ activity off-Meta’s products. See footnotes 89 and 149 above in
that regard.
255The request for a preliminary ruling in the CJEU Bundeskartellamt Judgment has been made in proceedings
betweenMetaPlatformsInc.,formerlyFacebookInc.,MetaPlatformsIrelandLtd,formerlyFacebookIrelandLtd,
andFacebookDeutschlandGmbH,ontheonehand,andtheBundeskartellamt.MetaIEoperatestheonlinesocial
network Facebook in the EU. See CJEU Bundeskartellamt Judgment, paragraphs 2 and 26.
256Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes
of Regulation 2016/679, adopted on 3 October 2017, as last Revised and Adopted on 6 February 2018, endorsed
by the EDPB on 25 May 2018, p. 15. This was referred to by the NO SA in the NO SA Order, p. 9. This same
statement wasreiterated by the EDPB in theEDPB Guidelines on the targeting of social media users, Version 2.0,
adopted on 13 April 2021, paragraph 56.
257EDPB Binding Decision 3/2022, paragraph 444 and EDPB Binding Decision 4/2022, paragraph 413.
258
EDPB Binding Decision 3/2022, paragraph 96 and the EDPB Binding Decision 4/2022, paragraph 99.
259Paragraph 95 of EDPB Binding Decision 3/2022 states: ‘These requests for preliminary rulings mention that
[Meta IE] collects data on its individual users and their activities on and off its Facebook social network service
via numerous means such as the service itself, other services of the Meta group including Instagram, WhatsApp
and Oculus, third party websites and apps via integrated programming interfaces such as Facebook Business
Tools or via cookies, social plug-ins, pixels and comparable technologies placed on the internet user’s computer
or mobile device. According to the descriptions provided, [Meta IE] links these data with the user’s Facebook
account to enable advertisers to tailor their advertising to Facebook’s individual users based on their consumer
behaviour, interests, purchasing power and personal situation. This may also include the user’s physical location
to display content relevant to the user’s location. Meta IE offers its services to its users free of charge and
generates revenue through this personalised advertising that targets them, in addition to static advertising that
is displayed to every user in the same way.’
Paragraph 98 of EDPB Binding Decision 4/2022 states: ‘These requests for preliminary rulings mention that Meta
IE collects data on its individual users and their activities on and off its Facebook service via numerous means
suchastheserviceitself,otherservicesoftheMetagroupincludingInstagram,WhatsAppandOculus,thirdparty
websites and apps via integrated programming interfaces such as Facebook Business Tools or via cookies, social
Adopted 40 particularlymassiveandintrusivenature” 260.TheIESAreiteratedthisconclusionintheIESADecisions:
‘ItisthereforeclearthattheBoardconsiders(...)thenatureandscopeoftheprocessingtobeextensive,
complex, intrusive and on a massive scale’ 261.
147. In light of the above and taking into account the legal analysis provided by the IE SA (see for example
in paragraphs 135 and 138 above, as supported by the assessment performed by the of the CSAs), the
EDPB considers that the interests and fundamental rights of data subjects override the legitimate
interests put forward by Meta IE for the processing of personal data collected on Meta’s products for
the purposes of behavioural advertising, with the result that Meta IE did not fulfil the third condition
of Article 6(1)(f) GDPR.
148. In light of the above analysis of the EDPB from paragraph 111 to 147, the EDPB considers that Meta IE
inappropriately relies on Article 6(1)(f) GDPRto process personal data collected on its products for the
purpose of behavioural advertising.
4.1.1.3.4 Conclusion as to the infringement of Article 6(1) GDPR
149. The compliance approach adopted by Meta IE has been assessed in the IE SA Final Position Paper as
follows:
• Meta IE seeks to still rely on Article 6(1)(b) GDPR to process some specific categories of
personal data 262, for advertising purposes 263;
• Meta IE seeks to rely on Article 6(1)(f) GDPR to process other personal data for the purposes
of behavioural advertising 264- solely for personal data collected on Meta’s products 265;
• Meta IE relies on Article 6(1)(a) GDPR to process personal data provided to Meta IE by third
party advertising partners 266.
150. Meta IE is willing to rely on Article 6(1)(a)
GDPR as its legal basis
267
through the Meta IE’s Consent Proposal .
151. The EDPB highlights the need to assess the compliance of the processing activities within the scope of
the IE SA Decisions with Article 6(1) GDPR at this point in time.
plug-ins, pixels and comparable technologies placed on the internet user’s computer or mobile device164.
According to the descriptions provided, Meta IE links these data with the user’s Facebook account to enable
advertiserstotailortheiradvertisingtoFacebook’sindividualusersbasedontheirconsumerbehaviour,interests,
purchasing power and personal situation. This may also include the user’s physical location to display content
relevanttotheuser’slocation.MetaIEoffersitsservicestoitsusersfreeofchargeandgeneratesrevenuethrough
this personalised advertising that targets them, in addition to static advertising that is displayed to every user in
the same way.’
260
261EDPB Binding Decision 3/2022, paragraph 123 and the EDPB Binding Decision 4/2022, paragraph 126.
IE SA FB Decision, paragraph 9.23 and IE SA IG Decision, paragraph 243.
262See paragraph 91 above.
263IE Final Position Paper, paragraphs 6.2 and 7.1-7.22.
264
265IE Final Position Paper, paragraphs 6.3 and 7.23-7.67.
IE Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to the IE SA of 30 June 2023.
266IE SA Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to the IE SA of 30 June 2023.
267Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2.
Adopted 41 268. For the sake of clarity, the EDPB specifies that Meta IE’s Consent Proposal
was not assessed in its merits for the purposes of this urgent binding decision. In this regard, the EDPB
may only take note of the existence of an ongoing evaluation of the Meta IE’s Consent Proposal by the
IE SA and the CSAs.
152. According to the EDPB, there is an ongoing infringement of Article 6(1) GDPR arising from
inappropriate reliance on Article 6(1)(b) GDPR for processing of personal data, including location data
and advertisement interaction data collected, on Meta’s products for behavioural advertising
269
purposes .
153. Inaddition,theEDPBconcludes thatthereisanongoinginfringementofArticle6(1)GDPRarisingfrom
inappropriate reliance on Article 6(1)(f) GDPR for processing personal data collected on Meta’s
products for behavioural advertising purposes 27.
4.1.2 On the infringement of the duty to comply with decisions by supervisory authorities
4.1.2.1 Summary of the overall position of the NO SA
154. According to the NO SA, since the deadline for complying with the IE SA Decisions was 5 April 2023 but
the infringement of Article 6(1) GDPR still persists more than six months later, Meta IE failed to ensure
271
compliance with the IE SA Decisions, and hence infringed its duty to comply with the SAs’ decisions .
The NO states further that there is consensus on the European level between the IE SA and the CSAs
272
that the processing continues to be unlawful , and that ‘as acknowledged by the IE SA itself, Meta IE
has failed to ensure compliance with [the IE SA Decisions]’ 273. The NO SA stated that this non-
274
compliance constitutes in itself an independent violation of the GDPR for which Article 83(5)(e)
GDPRenvisagesafinewhichmaybeimposedinadditiontothefinesimposedbytheIESADecisions 275.
4.1.2.2 Summary of the position of the controller
155. MetaIEstatedthat,priortotheIESADecisions,itreliedonArticle6(1)(b)GDPRinagoodfaithmanner
276
and its ‘bona fide belief that it was lawful for it to do so’ .
156. Following to the IE SA Decisions, Meta IE argued that it took substantial steps to bring its processing
277
activities into ‘what it believes was compliance with [the IE SA] decisions’ , including by changing its
legal basis from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR for the processing of personal data
278
collected on its products for the purposes of behavioural advertising .
268
269See the analysis carried out above in Section 4.1.1.2.3 and paragraphs 98-99.
270See the analysis carried out above in Section 4.1.1.3.3 and paragraph 148.
271NO SA Request to the EDPB, p. 6.
272
NO SA Request to the EDPB, p.12.
273NO SA Request to the EDPB, p. 6.
274NO SA Request to the EDPB, p. 6 and Letter from the NO SA to the IE SA dated 11 October 2023, p. 2.
275NO SA Request to the EDPB, p. 6.
276
Letter from Meta IE to NO SA of 4 August 2023, in relation to right to be heard, paragraph 65.
277Letter from Meta IE to NO SA of 4 August 2023, in relation to the right to be heard, dated paragraph 65.
278 Meta IE’s Compliance Report regarding the Facebook Service (IN-18-5-5) of 3 April 2023 (hereinafter,
‘Compliance Report on IE SA FB Decision’), paragraph 2.1 and Meta IE’s Compliance Report regarding the
Instagram Service (IN-18-5-7) of 3 April 2023 (hereinafter, ‘Compliance Report on IE SA IG Decision’), paragraph
2.1 (together, the ‘Compliance Reports’).
Adopted 42157. Meta IE takes the view that neither the EDPB Binding Decisions nor the IE SA Decisions ordered Meta
IE to rely on a specific legal basis for the processing of personal data collected on its products for
behavioural advertising purpose under Article 6(1) GDPR, such as Article 6(1)(a) GDPR 27. As a result,
Meta IE still currently seeks to rely on Article 6(1)(b) GDPR to process some specific categories of
personaldatathatitdoesnotconsidertobebehaviouraldata 28,andonArticle6(1)(f)GDPRtoprocess
281
other personal data for the purposes of behavioural advertising - solely for personal data collected
on its products 282.
158. After considering the IE SA Provisional Position Paper (including the IE SA’s interpretation of the CJEU
Bundeskartellamt Judgment), Meta IE stated that it was willing to implement the necessary measures
to rely on Article 6(1)(a) GDPR as its legal basis for processing for the purpose of behavioural
advertising through the Meta IE’s Consent Proposal 28.
159. After considering the IE SA’s Final Position Paper, Meta IE stated that it considered itself as compliant
with the IE SA Decisions
284
.
285
.
4.1.2.3 Analysis of the EDPB
160. TheEDPBrecallsthatArticle60(10)GDPRprovidesforthedutyforthecontrollerto‘takethenecessary
measures to ensure compliance with the decision [taken in the context of the cooperation mechanism]
as regards processing activities in the context of all its establishments in the Union’ 28.
161. The EDPB also recalls that non-compliance with an order of an SA pursuant to Article 58(2) GDPR
constitutes an infringement that may be sanctioned by way of an administrative fine pursuant to
287
Article 83(5)(e) GDPR and Article 83(6) GDPR .
279Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 4 and
280
See paragraph 91 above and the IE SA Final Position Paper, paragraphs 6.2 and 7.1-7.22.
281IE SA Final Position Paper, paragraphs 6.3 and 7.23-7.67.
282See paragraph 104 above and the IE SA Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to
the IE SA of 30 June 2023.
283Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2.
284Meta IE’ Submissions of 25 August 2023, paragraph 61.
285Meta IE’s Submissions of 25 August 2023, paragraph 64.
286
Article 60 GDPR.
287According to Art. 83(5)(e) GDPR, ‘non-compliance with an order or a temporary or definitive limitation on
processingorthesuspensionofdataflowsbythesupervisory authoritypursuanttoArticle 58(2)[GDPR]orfailure
to provide access in violation of Article 58(1) [GDPR]’ is an infringement that ‘shall, in accordance with
paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 %
of the total worldwide annual turnover of the preceding financial year, whichever is higher’. Art. 83(6) GDPR
provides: ‘Non-compliance with an order by the supervisory authority as referred to in Article 58(2) [GDPR] shall,
in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the
case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher’.
Adopted 43162. The EDPB confirms, in line with the view of the NO SA 288, that non-compliance with decisions of
289
supervisory authorities is in itself an independent violation of the GDPR .
163. As already noted above, the IE SA Decisions required Meta IE to, inter alia, take the necessary action
to address the finding that Meta IE is not entitled to process personal data for behavioural advertising
on the basis of Article 6(1)(b) GDPR and to bring its processing of personal data for behavioural
290
advertising purposes into compliance with Article 6(1) GDPR. Also, the IE SA made clear that the
actions Meta IE should take to comply with the IE SA Decisions may include, but were not limited to,
291
the identification of an appropriate alternative legal basis in Article 6(1) GDPR and may include the
implementation of any necessary measures required to satisfy the conditionality associated with
292
that/those alternative legal basis/bases . The deadline for compliance with the IE SA Decisions was
5 April 2023.
The EDPB notes that in the IE SA Final Position Paper, the IE SA found that Meta IE failed to
demonstrate compliance with the IE SA Decisions, and states that Meta IE ‘failed to demonstrate that
it no longer relies on Article 6(1)(b) GDPR to process personal data for behavioural advertising’ and
‘failed to demonstrate that it has a lawful basis to process Platform behavioural Data for behavioural
293
advertising’ .
164. The EDPB notes that the NL SA also stated that ‘As Meta [IE] has publicly stated that it already makes
useofArticle6(1)(f)[GDPR]asalegalbasis,thisconclusionmeansthat-atthemoment-personaldata
of millions of European data subjects are being processed without there being a valid legal basis. This
moreovermeansthat Meta[IE]doesnotcomplywiththe[IESA]’s orderinthe[IESADecisions]tobring
294
these processing operations in line with Article 6 GDPR’.
165. The EDPB notes the view of the IE SA that neither the GDPR nor Irish national law prescribes the
mannerinwhichtheassessmentofthestepstakenby thecontrollerinpurportedcompliance withthe
orders of an SA should be carried out 295. In this respect, the EDPB notes that Meta IE does not contest
that the IE SA’s findings made subsequently to the IE SA Decisions are made ‘to implement the existing
[IE SA] decisions pursuant to Article 60(10) GDPR’. 296
166. In respect of Meta IE’s argument that it fully complied with the IE SA Decisions by taking, first,
substantial steps to bring its processing activities into compliance by 5 April 2023 297and, secondly,
steps in the direction of theMeta IE’s Consent Proposal 29, the EDPB highlights that these elements do
288
Letter from the NO SA to the IE SA of 17 September 2023 in relation to the right to be heard, p. 7.
289‘Non-compliance with a corrective power previously ordered may be considered either as an aggravating
factor, or as a different infringement in itself, pursuant to Art. 83(5)(e) and Art. 83(6) GDPR. Therefore, due note
should be taken that the same non-compliant behaviour cannot lead to a situation where it is punished twice’,
EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1, paragraph 103.
290See IE SA FB Decision, paragraph 10.44b; IE SA IG Decision, paragraph 212.
291IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 10.
292
IE SA FB Decision, paragraph 8; and IE SA IG Decision, paragraph 212.
293IE SA Final Position Paper, section 8, p. 25. In relation to Meta IE’s reliance on Article 6(1)(b) GDPR, also see
paragraphs 96-99 above. In relation to Meta IE’s reliance on Art. 6(1)(f) GDPR, also see paragraphs 121, 135, 138
above.
294
NL SA Mutual Assistance Request, p. 2.
295Letter of the IE SA to Meta IE of 14 June 2023, p. 1-2.
296Meta IE’s Submissions of 26 September 2023, p. 12 and 13.
297Meta IE’s Submissions of 26 September 2023, p. 10 and Meta IE’s Submissions of 16 October 2023, p. 5. See
also Meta IE’s Submissions of 25 August 2023, p. 33.
298Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2.
Adopted 44 notinthemselvescontradicttheconclusionthatatthispointintimecompliancewithArticle6(1)GDPR
for the processing activities within the scope of the IE SA Decisions has not yet been achieved while
the deadline to implement the IE SA Decisions was 5 April 2023.
4.1.2.4 Conclusion as to the infringement of the duty to comply with decisions by supervisory
authorities
167. InlightofitsfindingsthatMetaIEstillreliesinappropriatelyonArticle6(1)(b)GDPRtoprocesspersonal
data, including location data and advertisement interaction data, collected on its products for the
purpose of behavioural advertising 300and on Article 6(1)(f) GDPR to process personal data collected
onitsproductsforthepurposeofbehaviouraladvertising 301theEDPBfinds,inlinewiththeconclusions
302 303 304
drawn by the IE SA and with the views expressed in particular by the NO SA in the
courseof the proceedings, that Meta IE did not achievecompliancewith the IE SADecisions within the
deadline for compliance and is therefore currently in breach of its duty to comply with decisions by
supervisory authorities.
4.2 On the existence of urgency to adopt final measures by way of derogation
from the cooperation and consistency mechanisms
168. The second element to assess pursuant to Article 66(2) GDPR is the existence of an urgency situation
justifying a derogation from the regular cooperation procedure.
169. TheurgentinterventionoftheEDPBpursuanttoArticle66(2)GDPRisexceptional,andderogatesfrom
the general rules applicable to the regular consistency and cooperation mechanisms.
170. Considering the fact that the urgency procedure under Article 66(2) GDPR is a derogation to the
standardconsistencyand cooperationmechanisms,itmustbeinterpretedrestrictively.Therefore,the
EDPB may request final measures under Article 66(2) GDPR only if the regular cooperation or
consistency mechanisms cannot be applied in their usual manner, due to the urgency of the
situation30.
171. In addition, Article 61(8) GDPR provides that, where an SA does not provide the information referred
to in Article 61(5) GDPR within one month of receiving a mutual assistance request from another SA,
the ‘urgent need to act under Article 66(1) [GDPR] shall be presumed to be met and require an urgent
binding decision from the Board pursuant to Article 66(2) [GDPR]’. If such a presumption applies, the
urgent natureofan Article 66(2)requestforan urgentbinding decisioncan be presumed and doesnot
306
need to be demonstrated .
299
LetterfromNO SAtoMetaIE andFacebookNorway of17September2023 in relationtotherighttobeheard,
p. 9.
30See paragraphs 98-99, and 152 above.
30See paragraphs 148 and 153 above.
30IE SA Final Position Paper, section 8, p. 25.
303
NO SA Request to the EDPB, p. 6.
304
30EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 167.
30EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 170.
Adopted 45172. In the present procedure, the NO SA requested the EDPB to adopt a decision pursuant to Article 66(2)
GDPR, in order to urgently request the IE SA to impose final measures on Meta IE. The request has
been made following to the adoption of provisional measures pursuant to Article 66(1) GDPR 307which
are only applicable in Norway, and are only valid for three months.
173. In the sections below, the EDPB analyses first whether the circumstances of the present case
demonstrate theexistence ofurgencyandtheneedtoderogatefromthecooperationandconsistency
mechanisms(section4.2.1below)beforeanalysingwhetherthepresumptiondescribedinArticle61(8)
GDPR is applicable to the circumstances of the case (section 4.2.2).
4.2.1 On the existence of urgency and the need to derogate from the cooperation and
consistency mechanisms
4.2.1.1 Summary of the position of the NO SA
174. The NO SA considers that ‘Regardless of the applicability of the Article 61(8) presumption, in the
present case there is an urgent need for a binding decision from the EDPB in accordance with Article
66(2) GDPR, in order to protect the rights and freedoms of data subjects’ 30.
175. According to the NO SA, the processing in question is detrimental to individuals’ fundamental rights,
and failing to put an end to this processing would thus expose these data subjects to a risk of serious
and irreparable harm 309. In more details, the NO SA takes the view that:
• Theinfringementshavebeenoccurringforasignificantamountoftimeandareofanespecially
serious nature, as they have a considerable impact on the users of Meta’s products whose
online activities are ‘constantly, intrusively and opaquely monitored and profiled by Meta’,
which ‘may give rise to the feeling that their private life is being continuously surveilled’.10
• The infringements affect over 250 million average monthly active users in the EU, including
vulnerable data subjects in need of particular protection, such as minors, elderly people and
311
people with cognitive disabilities .
• The filtering of the specific ads that are displayed on Facebook or Instagram has an adverse
312
effect on data subjects’ freedom of information and on political participation while creating
‘a potential for reinforcement of existing stereotypes, and it can leave data subjects open to
discrimination’ 313.
• Not taking urgent action to ensure compliance with the IE SA Decisions would deprive data
subjects of the right to seek an effective remedy against a data controller from SAs under
314
Article 77 GDPR .
307
Art. 66(4) GDPR; as described in Section 2.1 above.
308NO SA Request to the EDPB, p. 10.
309NO SA Request to the EDPB, p. 10.
310NO SA Request to the EDPB, p. 10, referring to CJEU Bundeskartellamt Judgment, paragraph 118.
311
NO SA Request to the EDPB, p. 10.
312NO SA Order, p. 22.
313NO SA Request to the EDPB, p. 10; NO SA Order, p. 22.
314NO SA Order, p. 28.
Adopted 46 • The NO SA is of the view that there is no measure that could be applied retroactively to repair
the violation of the rights and freedoms of data subjects 315.
176. In addition, the NO SA states that there has been a ‘continued refrainment from enforcement’ on the
part of the IE SA 31. The NO SA takes the view that despite the fact that infringements are taking place
appears uncontroversial among supervisory authorities, ‘the IE SA appears to be unwilling to demand
that such infringements be ceased without any further delays’ 31. In this respect, the NO SA states that
thefailuretofirmlyandexpedientlyreacttonon-compliancewiththeIESADecisionsnotonlydeprives
datasubjectsoftheprotectiontheyareentitledto,butisalsocontrarytosupervisoryauthorities’duty
to ensure that the GDPR is respected in practice 318.
177. More generally, in the view of the NO SA, not reacting to Meta IE’s prolonged state of non-compliance
319
would set a dangerous precedent as it would ‘invite dilatory strategies from non-compliant
controllers’andunderminetheauthorityoftheIESA,theCSAsandtheEDPB 320.FortheNOSA,afailure
to adopt the requested urgent binging decision in the present circumstances would entail serious risks
that the Article 66 GDPR mechanism would turn in to a ‘paper tiger’ 32.
178. The NO SA argues that an EDPB urgent binding decision would be a narrow and strictly limited
exceptiontotheprimacyoftheLSAinensuringcompliancewithanArticle60GDPRdecisionandwould
322
not set a precedent for derogating from the standard one-stop-shop cooperation procedure as it
would be issued after the completion of an Article 60 GDPR process, following the adoption by the IE
323
SA of the IE SA Decisions and given the fact that the IE SA does not envisage to start a new Article
60 GDPR procedure 32.
179. Further, the NO SA argues that final measures would not interfere with
commitment to change the legal basis for behavioural
325
advertising to consent . According to the NO SA, ‘if Meta [IE] would be ordered to stop all such
processing activities based on Article 6(1)(b) [GDPR] and [Article 6(1)] (f) pending the identification of
a valid legal basis, it would have an incentive to expeditiously identify adequate and lawful solutions to
resume its processing activities as soon as possible’ 326.
180.
315
NO SA Rejection of Meta IE and Facebook Norway’s Request for Deferred Implementation of the Order dated
7 August 2023, p. 1.
316NO SA Order, p. 12.
317
NO SA Request to the EDPB, p. 6.
318NO SA Request to the EDPB, p. 6.
319Letter of NO SA to IE SA of 11 October 2023, p. 11.
320NO SA Order, p. 28; NO SA Request NO SA Request to the EDPB, p. 12.
321
NO SA Request to the EDPB, p. 12, referring to the opinion of Advocate General Bobek in Case C‑645/19,
Facebook Ireland and Others, paragraph 119 and paragraph 122.
322NO SA Request to the EDPB, p. 12.
323
NO SA Request to the EDPB, p. 10-11, referring to IE SA Information on Procedure (response to SE SA) of 4
May 2023 where the IE SA had indicated via the IE SA IMI Informal Consultations that they would ‘not be
preparing any further decision in this matter’.
324NO SA Request to the EDPB, p. 11.
325
NO SA Request to the EDPB, p. 11-12.
326NO SA Request to the EDPB, p. 11-12.
Adopted 47 327
’ .
328
.
181. The NO SA also recalls that in any event, the Meta IE’s Consent Proposal does not eliminate the urgent
need to adopt final measures 329.
330.
331. Therefore, in
the NO SA’s view, final measures constitute ‘the only way’ to stop the harm to data subjects’
fundamental rights 33.
4.2.1.2 Summary of the position of the controller
182. According to Meta IE, the circumstances of the case do not justify an urgent decision of the EDPB
pursuanttoArticle66(2)GDPR 333.Inparticular,MetaIE recallsapriordecisionoftheEDPBstatingthat
‘the urgency procedure under Article 66(2) GDPR is a derogation to the standard consistency and
cooperation mechanisms, it must be interpreted restrictively. Therefore, the EDPB will request final
measures underArticle66(2)[GDPR] onlyif theregularcooperationor consistencymechanismscannot
be applied in their usual manner due to the urgency of the situation’ 334.
183. In this respect, Meta IE notes that the comments received by the IE SA from the CSAs show that the
cooperation and consistency mechanism being led by the IE SA (which incorporates the views of
numerous CSAs in addition to the views of the NO SA), is clearly functioning in accordance with Article
60 GDPR, and argues that there is no reason to derogate from that mechanism 335. For this reason, in
Meta IE’s view, the NO SA’s invocation of Article 66(1) GDPR and the NO SA Request to the EDPB are
improper 33.
184. According to Meta IE, the urgency procedure interferes with the regular cooperation mechanism that
the IE SA has been following to implement the IE SA Decisions 337. Meta IE’s view is that the process of
327LetterofNOSAtoIESAof11October2023,p.2.SeealsoNOSARejectionofMetaIE’sandFacebookNorway’s
RequestforDeferredImplementationoftheCoerciveFineof7August2023,p.1-2,wheretheNOSAgivesseveral
arguments related to the fact that Meta IE has ‘not implemented any measures that would warrant lifting the
Orderorwaivingthecoercivefine,as thepersonal
data of data subjects in Norway continue to be unlawfully processed for behavioural advertising purposes [...],
.
328NO SA Request to the EDPB, p. 11.
329NO SA Request to the EDPB, p. 11.
330NO SA Request to the EDPB, p. 8.
331
NO SA Request to the EDPB, p. 8.
332NO SA Request to the EDPB, p. 12.
333Letter from Meta IE to IE SA of 31 May 2023, p.5; Letter from Meta IE to IE SA regarding potential urgent
334ceedings of 21 June 2023, p. 4.
Letter from Meta IE to IE SA dated 31 May 2023, p. 5, referring to EDPB Urgent Binding Decision 01/2021,
paragraphs 195-196.
335Meta IE’s Submissions of 16 October 2023, p. 4.
336
Meta IE’s Submissions of 16 October 2023, p. 4.
337Meta IE’s Submissions of 26 September 2023, p. 12-13.
Adopted 48 engagement between Meta IE and the IE SA pursuant to Articles 56(6) GDPR and Article 60(10) GDPR
remains ongoing, and that there are no exceptional circumstances that would allow the NO SA to
bypass such process 338.
185. In addition, according to Meta IE, ‘the NO SA’s action directly conflicts with and undermines (i) the
authority of the LSA, (ii) the role of other supervisory authorities across the EU/EEA who are
339
appropriately engaging via the LSA-led process and (iii) the GDPR’s one-stop-shop mechanism’ .
186. Meta IE also states that the existence of a disagreement between a LSA and a CSA does not, in itself,
create a situation of urgency as such 340. In this respect, it states that ‘the fact that the [NO SA] appears
to disagree with the [IE SA] cannot justify it resorting to the use of Article 66(2)
[GDPR]’ 341. Meta IE also states that there is no precedent for a SA using Article 66(2) GDPR to seek to
‘overrule and dictate the process that a LSA has put in place to assess compliance with the LSA’s own
orders’ 342.
187. Regarding the nature of the infringements, Meta IE is of the view that the NO SA does not provide
evidence of their alleged seriousness, and states that behavioural advertising is a common practice,
widespread beyond Meta’s services 343.
188. Meta IE also argues that the fact that the behavioural advertising processing has been ongoing for
manyyearsdoesnotjustifyanyurgencybut,rather,provesthatthereisnonewelementofurgency 344.
Meta IE highlights that the processing at stake in this case is the same processing as the one that has
been ‘thesubject of detailed consideration by the[IE SA] (...)for over 4 years and by the EDPB, with the
345
awareness of SAs throughout’ . In this respect, Meta IE also recalls that in the EDPB Urgent Binding
Decision 01/2021, the EDPB has established that ‘the mere continuation of processing, cannot, on its
346
own, justify an urgent need to act’ .
189. Meta IE considers that the EDPB Binding Decisions did not mandate it to rely on Article 6(1)(a) GDPR
forbehaviouraladvertising processinganddidnotconcludeeither thatArticle6(1)(f)GDPRwasnotan
338
Letter from Meta IE to IE SA of 31 May 2023, p. 5; Letter from Meta IE to IE SA regarding potential urgent
proceedings of 21 June 2023, p. 4.
.
339Letter from Meta IE to the IE SA of 10 August 2023, p. 2.
340Meta IE’s Submissions of 26 September 2023, p. 1-2, 8. See also Meta IE’s Submissions of 16 October 2023, p.
5.
341Meta IE’s Submissions of 26 September 2023, p. 12.
342Meta IE’s Submissions of 26 September 2023, p. 2.
343MetaIE’sSubmissionsof26September2023,p.9.Morespecifically,MetaIEhighlightsthattheminimumage
for using Facebook and Instagram is 13 andfor users agedbetween 13 and 17 only theage and locationare used
to display ads.
344Meta IE’s Submissions of 26 September 2023, p. 8-9. Meta IE also reiterated that the ‘alleged “urgency”
claimed by the [NO SA] cannot be premised on the relevant processing (i.e. [Meta IE]’s use of on-platform data
for behavioural advertising purposes), given this processing has been ongoing for years with the full knowledge
of regulators, and the only recent development is that [Meta IE] has increased the level of data subjects’ control
over this processing’, see Meta IE’s Submissions of 16 October 2023, p. 5.
345See also Letter from Meta IE to IE SA of 31 May 2023, p. 5. Also see Letter from Meta IE to IE SA regarding
potential urgent proceedings of 21 June 2023, p. 3.
346Letter from Meta IE to IE SA of 31 May 2023, p. 5, referring to the EDPB Urgent Binding Decision 01/2021,
paragraphs 195-196.
Adopted 49 appropriate legal basis for the processing of personal data collected on Meta’s products for the
347
purpose of behavioural advertising . Meta IE argues that it was only with the IE SA Final Position
Paper that it became clear to it that its reliance on Article 6(1)(f) GDPR for such processing did not
348
comply with the IE SA Decisions .
190. Meta IE also argues that the IE SA is not refraining from enforcing the GDPR against it, given that the
IE SA shared a timeline with the CSAs and issued the IE SA Provisional Position Paper and then the IE
SAFinalPositionPaper 34.
35.
191. Meta IE states further that any urgent binding decision would be counterproductive
, and ultimately harm the interests of data
subjects while generating administrative work for the EDPB, the IE SA, the CSAs and Meta IE 35. In this
respect, it also highlights that the measures requested by the NO SA through the urgency proceedings
had already been considered as objections during the previous Article 65 GDPR process, and rejected
352
by the EDPB in the EDPB Binding Decisions .
353
.
4.2.1.3 Analysis of the EDPB
192. Article 66(2) GDPR requires the SA requesting an urgent binding decision to provide reasons for
requesting such opinion. This includes the need for the requesting SA to demonstrate an urgent need
to act.
193. Therefore, the EDPB analyses, whether, on the basis of the views of the NO SA and of the controller,
as well as on the basis of the elements in the file, the condition of urgency is met.
194. In this respect, the EDPB considered in a past decision that the nature, gravity and duration of an
infringement, as well as the number of data subjects affected and the level of damage suffered by
them, may play an important part when deciding whether or not there is an urgent need to act in a
354
particular case .
195. In relation to the nature and gravity of the infringements, the EDPB notes that its findings that Meta
IE still relies inappropriately on Article 6(1)(b) GDPR to process personal data, including location data
and advertisement interaction data collected on its products for the purpose of behavioural
355
advertising and on Article 6(1)(f) GDPR to process personal data collected on its products for the
347Meta IE’s Submissions of 26 September 2023, p. 10.
348Meta IE’s Submissions of 26 September 2023, p. 10 (Meta IE refers to national courts in the EU holding, prior
totheIESADecisions,thatArt.6(1)(b)GDPRisanappropriatelegalbasis,andtothefactthat previousdecisions
from the IE SA initially confirmed the possibility to rely on Art. 6 (1) (b) GDPR). See also Meta IE’s Submissions of
16 October 2023, p. 5.
349Meta IE’s Submissions of 26 September 2023, p. 7 and 9.
350
Meta IE’s Submissions of 26 September 2023, p. 11.
351Meta IE’s Submissions of 26 September 2023, p. 3; see also Meta IE’s Submissions of 25 August 2023,
paragraphs 46-48.
352Meta IE’s Submissions of 26 September 2023, p. 7-8.
353
Meta IE’s Submissions of 26 September 2023, p. 9.
354EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 169.
355See paragraphs 98-995 and 152 above.
Adopted 50 356
purpose of behavioural advertising relate to the same processing activities as those referred to in
the IE SA Decisions adopted on the basis of EDPB Binding Decisions.
196. In this respect, the EDPB recalls its finding from the EDPB Binding Decisions, i.e. that the nature and
gravity of the infringement of Article 6(1) GDPR are such that a risk of damage caused to data subjects
is consubstantial with the finding of the infringement itself 357. In relation to Meta IE’s infringements of
Article 6(1) GDPR with respect to behavioural advertisement practices, the EDPB found that they
constituted a very serious situation of non-compliance with the GDPR, in relation to processing of
extensive amounts of data 358, which is essential to the controller’s business model, and harming the
rights and freedoms of millions of data subjects in the EEA 359.
197. The EDPB also already highlighted in its EDPB Binding Decisions the ‘complexity, massive scale and
intrusiveness of the behavioural advertising practice that [Meta IE] conducts’ 36. This view is still
currently shared by the NO SA, which finds that Meta IE’s users’ online activities are ‘constantly,
intrusively and opaquely monitored and profiled’ by Meta IE, which ‘may give rise to the feeling that
361
their private life is being continuously surveilled’ . This view is also still shared by the NL SA, which
expressed greatconcerns withrespect to the processingactivities atstakeinlightof‘thelargeamount
of personal data being processed, the number of data subjects involved as well as the nature of the
data that is being processed – including video, audio and mouse movement’ 362.
198. The EDPB also clarified that at the time of the adoption of the EDPB Binding Decisions, bringing the
processingintocompliancewiththeGDPRwouldallowtominimisethepotentialharmtodatasubjects
363
created by the violations of the GDPR . In the EDPB Binding Decisions, the elements of the ‘nature
and gravity of the infringement’ 364and the ‘number of data subjects affected’ - which were and still
365
aresignificant -ledtheEDPBtoconcludethat‘itisparticularlyimportantthatappropriatecorrective
measuresbeimposed[...]inorderto ensurethat[MetaIE]complieswiththisprovisionoftheGDPR’ 366.
199. When determining the transition period for bringing Meta IE’s processing into compliance with the
GDPR, the EDPB requested that the IE SA gives ‘due regard to the harm caused to the data subjects by
367
the continuation of [Meta IE]’s infringement of Article 6(1) GDPR during this period’ .
200. The need for urgent action was fully acknowledged and clearly indicated in the IE SA Decisions 368.
356
See paragraphs 148 and 153 above.
357EDPB Binding Decision 3/2022, paragraph 446 and EDPB Binding Decision 4/2022, paragraph 415.
358EDPB Binding Decision 3/2022, paragraph 444 and EDPB Binding Decision 4/2022, paragraph 413.
359
EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284.
360EDPB Binding Decision 3/2022, paragraph 96 and EDPB Binding Decision 4/2022, paragraph 99.
361NO SA Request to the EDPB, p. 10, referring to CJEU Bundeskartellamt Judgment, paragraph 118.
362NL SA Mutual Assistance Request, p. 2.
363
EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284.
364EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281.
365EDPB Binding Decision 3/2022, paragraph 445 and EDPB Binding Decision 4/2022, paragraph 414.
366
367EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281.
EDPB Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288.
368IESAFBDecision,paragraph8.10(‘[...]IdonotagreewithFacebook’ssubmissionthatthe[IESA]hasdiscretion
to delay the activation of the timeline for compliance [...]. It is clear, from paragraph 286 of the Article 65 [GDPR]
Decision, that the EDPB considered it necessary for Facebook to take the remedial action required to address the
relevant infringements “within three months”. While Facebook has correctly identified that the EDPB has not
expressly identified the starting point of this compliance period, the [IE SA]’s view is that it goes without saying
that the starting point has to be the adoption and notification of the [IE SA]’s final decision, given that this is the
earliest time from which the applicable timeline for compliance can start to run. Any contrary suggestion would
Adopted 51201. In relation to the duration of the infringement and considering the above findings that Meta IE still
relies inappropriately on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR to process personal data
collected on its products for the purpose of behavioural advertising 369 despite the fact that the
deadline for complying with the IE SA Decisions was 5 April 2023, the EDPB finds that data subjects are
still faced with data processing activities that are unlawful 37. In relation to Meta’s argument that it is
only on 18 August 2023 that the IE SA concluded that Meta IE’s reliance on Article 6(1)(f) GDPR for
behaviouraladvertisingpurposewasinsufficienttocomplywiththeIESADecisions 371,theEDPBshares
the view of the NL SA expressed already on 30 May 2023 that ‘the controller could not have been
unaware of already established guidance from the EDPB, nor of the position of several CSAs on the
372
matter, but chose to explore the path of Article 6(1)(f) [GDPR] regardless’ .
202. In this respect, the EDPB can only note that every additional day during which the processing activity
at stake takes place without reliance on an appropriate legal basis causes supplementary harm to the
data subjects and allows Meta to continue to collect significant amounts of personal data of millions
of European individuals on a daily basis and to generate significant revenue from the unlawful
processing of the personal data of millions of data subject in the EEA 37. It also observes, in line with
the position of the NO SA, that there are no measures that could be applied retroactively to repair the
violation of the rights and freedoms of data subjects 374.
203. Therefore, while in some cases the fact that an infringement has been continuing for a long time may
serve to demonstrate that an urgent need to act does not arise 37, as recalled by Meta IE 376, the EDPB
considers in this case that the situation is different. To the contrary, in this case, the fact that the
processing activities are still performed without reliance on an appropriate legal basis represents an
element in favour of concluding that there is an urgent need for final measures to be adopted, since
despite the orders given in the IE SA Decisions and the different discussions regarding their
implementations, Meta IE still processes unlawfully personal data and still does not comply with the
IE SA decisions 377This is not dispelled by Meta IE’s arguments on the fact that more transparency and
an opt-out mechanism were implemented 378, as these elements do not solve the underlying issue of
the lawfulness of the processing 379and the related harm caused on data subjects.
be inconsistent with the need for urgent action that was clearly indicated to be required in paragraphs 286, 288
and 290 of the Article 65 Decision. It would further render meaningless the EDPB’s consideration of the
compliance period in terms of a fixed number of months (in this case, three)’). An analogous wording is present
in paragraph 214 of the IE SA IG Decision.
369See paragraphs 152 and 153 above.
370
EDPB Binding Decision 3/2022, paragraph 446 and EDPB Binding Decision 4/2022, paragraph 415.
371Meta IE’s Submissions of 26 September 2023, p. 11 and Meta IE’s Submissions of 16 October 2023, p.5.
372NL SA Mutual Assistance Request, p. 2.
373In this respect, Meta IE states that ‘any suspension of behavioural advertising in Norway for nearly a three
month period would irreparably damage [Meta IE] as it would suffer (i) many millions of Euros in lost advertising
revenue during this period’, see Meta IE’s Letter to the NO SA of 14 August 2023, p.9.
374NOSARejectionofMetaIE’sandFacebookNorway’sRequestforDeferredImplementationoftheOrderdated
7 August 2023, p. 1.
375
See, for instance, EDPB Urgent Binding Decision 01/2021, paragraphs 195-196.
376Letter from Meta IE to IE SA of 31 May 2023, p. 5, referring to the EDPB Urgent Binding Decision 01/2021,
paragraphs 195-196.
377See sections 4.1.1.4 and 4.1.2.4 above.
378
Meta IE’s Submissions of 26 September 2023, p. 9.
379See paragraphs 152 and 153 above.
Adopted 52204. The EDPB recalls in this respect the NO SA’s argument that the failure to firmly and expediently react
to non-compliance with the IE SA Decisions deprives data subjects of the protection that they are
entitled to 380.
205. The EDPB finds, in light of the above and in line with the view of the NO SA, that failing to put an end
tothe processingactivities atstakeand toenforcetheIESADecisionsexposes datasubjects toarisk
381
of serious and irreparable harm . The NO SA, alongside other CSAs, have also expressed the view
that further measures are urgently needed in this case not only to address the situation of non-
compliance with the GDPR but also put an end to the harm to data subjects.
206. The SE SA expressed the need for further action after the circulation of Meta IE Compliance Reports
382
and asked ‘the [IE] SA what procedure [the SE SA] can expect going forward’ .
207. The NL SA
”383, echoing its previous call to the IE SA “to swiftly undertake adequate actions in
order to cease the continuous illegality of the invasive processing of personal data of millions of
users’ 38. It is also important to recall the NL SA Mutual Assistance Request 38, according to which
‘appropriate and expedient action is required to protect the fundamental rights of millions of data
subjects in the Netherlands as well as throughout the European Economic Area’ 386 and that SAs should
be ‘acting together’ on this ‘as cooperating European supervisory authorities under the lead of the [IE
SA]’ 38.
208. Similarly, already after the circulation of the IE SA Provisional Position Paper to the CSAs, the DE
Hamburg SA requested the IE SA ‘to swiftly reach a consolidated position that [Meta IE] has not
demonstrated the legal basis and suspend the processing, which is based on Art[icle] 6 (1) [(b) GDPR]
and [Article 6 (1)] (f) GDPR for behavioural advertising’ 388.
209. In the EDPB Binding Decisions, the EDPB made clear that urgent action was already required in
December 2022 and decided that, at that time, the order for compliance to be imposed on Meta IE
should require Meta IE to restore compliance within a short period of time 389. In doing so, the EDPB
380
381NO SA Request to the EDPB, p. 6.
See paragraph 175 above, and NO SA Request to the EDPB, p. 10.
382SE SA comment in IE SA IMI Informal Consultations of 4 May 2023.
383 .
384
Views of the NL SA on the Compliance Reports of 4 May 2023, in IMI informal consultation on FB case and in
IMI informal consultation on IG case, paragraph 4.
385The NL SA made the NO SA Mutual Assistance Request on 30 May 2023 and requested the IE SA to inform
them by 30 June 2023:
(i) ‘Of its conclusion as to whether [Meta IE] can or canno invoke Article 6(1)(f) GDPR for the processing of the
personal data of its users for the purposes of behavioural advertising, more specifically for a large part of the
processing operations for which [Meta IE] previously relied on Article 6(1)(b) [GDPR];’ and
(ii) ‘Of its conclusion as to whether [Meta IE] does or does not comply with the [IE SA]’s final decision of 31
December 2022, ordering [Meta IE] to bring these processing operations in line with Article 6 GDPR;’ and
(iii) ‘Of a timeframe in which appropriate and expedient action will be taken to ensure that [Meta IE] acts in
compliance with Article 6 GDPR, to protect the fundamental rights of millions of data subjects affected by this
processingoperation,intheNetherlandsaswellasthroughouttheEuropeanEconomicArea(EEA).Inthisrespect,
the [NL SA] attaches significant weight to the connection between the controller’s non-compliance with Article 6
GDPR and its failure to comply with the [IE SA]’s order. In our view, this warrants prompt intervention’
386NL SA Mutual Assistance Request, p. 1.
387NL SA Mutual Assistance Request, p. 2.
388
Views of the DE Hamburg SA on IE SA Provisional Position Paper of 21 July 2023, p. 2.
389Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288.
Adopted 53 recalled the IE SA’s reasoning on the three-month deadline already provided by the IE SA its draft
390
decision forcomplianceforthetransparencyinfringements,whichitconsideredtobenecessaryand
proportionate in light of: (1) the potential for harms to the data subjects’ rights that such a measure
entails, considering that the interim period for compliance ‘will involve a serious ongoing deprivation
of their rights’, (2) the significant financial, technological, and human resources and (3) the clear
instructions provided to Meta IE to comply with GDPR 39. The EDPB therefore instructed the IE SA to
include in itsfinaldecision anorder for Meta IE tobringitsprocessingof personaldata forthepurpose
of behavioural advertising in the context of the Facebook service into compliance with Article 6(1)
392
GDPR within three months .
210. Importantly, the understanding that the timeframe to be left to Meta IE to achieve compliance with
the GDPR needed to be a fixed one was also shared by the IE SA in the IE SA Decisions, where the IE SA
referredto theEDPBBindingDecisions andexplainedthatclearly ‘theEDPBconsidereditnecessary for
[Meta IE] to take the remedial action required to address the relevant infringements ‘within three
393
months’ and indicated a ‘need for urgent action’, and with ‘a fixed number of months’ .
211. The EDPB previously established that urgency procedures under Article 66 GDPR are derogations from
the standard consistency and cooperation mechanism and that the requirements of Article 66 GDPR
394
must be interpreted restrictively . Therefore, the EDPB considers that it may request final measures
underArticle 66(2)GDPRonlyiftheregularcooperationorconsistency mechanismscannotbeapplied
395
in their usual manner due to the urgency of the situation . Therefore, the EDPB assesses in this
section whether there is a need to derogate from the regular cooperation and consistency
mechanisms in this case.
212. In this particular case, the IE SA already adopted the IE SA Final Decisions under the one-stop-shop
procedure on the basis of the EDPB Binding Decisions, containing an order for compliance with Article
6(1) GDPR. Pursuant to Article 60(10) GDPR, the controller shall notify the measures taken for
complying with a decision taken in the cooperation mechanism with the LSA, which shall inform the
CSAs.
213. The EDPB Guidelines on the application of Article 60 GDPR highlight that the ‘obligation [of the
controllertonotifytotheLSAthemeasurestakentocomplywiththedecision]ensurestheeffectiveness
of the enforcement. It is also the basis of possible necessary follow-up actions to be commenced by the
LSA, also in cooperation with the other CSAs’ 396.
214. These guidelines further point out that if the LSA concludes that the measures taken are insufficient,
the LSA should, as part of its legal duty to inform the CSAs, consider providing the other CSAs with its
assessmentofthemeasuresadoptedbythecontroller,inparticularinordertodecidewhetherfurther
390
IE SA draft decision relating to Facebook, paragraph 8.4, IE SA draft decision relating to Instagram, paragraph
202.
39Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288.
39Binding Decision 3/2022, paragraph 288 and Binding Decision 4/2022, paragraph 290.
39IE SA FB Decision, paragraph 8.10; IE SA IG Decision, paragraph 214.
394
EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraphs 165-167.
395EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 167. Also see paragraph 169
above.
39EDPB Guidelines 02/2022 on the application of Article 60 GDPR, adopted on 14 March 2022, paragraph 248.
Adopted 54 actions are necessary 397.This indicates that where the measures adopted by the controller are
considered to be insufficient, there may be a need for the LSA to take further actions.
215. In the case at hand, the IE SA concluded in the IE SA Final Position Paper, also relying upon the
comments shared and views expressed by the CSAs, that Meta IE failed to demonstrate compliance
with the IE SA Decisions 398. However, it also considered that it was ‘fair’ and ‘reasonable’ to provide
Meta IE with an opportunity to demonstrate that it can rely on consent as a lawful basis rather than
engaging in enforcement measures 399.
216. The IE SA has also reiterated its position, as LSA, that no further urgent actions are necessary in this
case, as the course of action already being taken, consisting in ‘an enforcement procedure[...] in which
adefinedsetofproposals,bywhich[MetaIE]proposestoachievecompliancewithitsobligationsunder
Article 6 GDPR (and the terms of the [IE SA] Decisions), is the subject of ongoing assessment by the [IE
400
SA] and the CSAs’, is adequately addressing the situation .
217. In this respect, the EDPB acknowledges the need to evaluate the proposal being made by the
controller, and that this entails the ‘examination of a number of particularly complex (and novel)
issues’ 401. The EDPB also fully acknowledges that a ‘regulatory process’ is ‘being conducted under the
GDPR’s cooperation and consistency framework’, led by the IE SA,
402.
218.
403
.
404
.
he EDPB therefore finds that the existence of the Meta IE’s Consent
Proposal does not undermine the need to take actions to ensure that the unlawful processing comes
to an end.
219. In this context, the EDPB notes that the IE SA acknowledged in its Final Position Paper - more than four
monthsafter the deadlineforcompliance-that Meta IEstill infringesthe GDPR 405.The EDPBfindsthat
the fact that the IE SA did not take supervisory measures to put an end to Meta IE’s inappropriate
reliance on 6(1)(b) and 6(1)(f) GDPR and to enforce the IE SA Decisions, despite the risk of serious and
397
EDPB Guidelines 02/2022 on the application of Article 60 GDPR, adopted on 14 March 2022, paragraph 249.
398IE SA Final Position Paper, paragraph 9.2.
399IE SA Final Position Paper, paragraph 9.2.
400Letter of IE SA to NO SA of 13 October 2023, p. 4.
401
Letter of IE SA to NO SA of 13 October 2023, p. 4-5.
402Letter of IE SA to NO SA of 13 October 2023, p. 6.
403Letter of IE SA to NO SA of 13 October 2023, p. 4-5.
404IE SA’s Response to Meta IE of 11 August 2023 p. 2. The
405IE SA Final Position Paper, paragraph 8.1.
Adopted 55 irreparable harm caused to data subjects 406, shows that the regular cooperation and consistency
mechanismisnotprovidingsatisfactoryresults,andthatthereisaneedtorequesttheIESAtourgently
order final measures due to the urgency of the situation. In this respect, the EDPB notes that while
now six months after the deadline for compliance have passed, there is still no clear indication that
compliancewillbereached soonnoristhereaclearindicationthatthe IESA -asLSA-intendstoadopt
407
corrective measures in order to end the ongoing infringements .
220. In conclusion, the EDPB finds, in light of the circumstances described above, that the regular
cooperation or consistency mechanisms cannot be applied in their usual manner, and that due to
the risk of serious and irreparable harm without urgent final measures, there is a need to derogate
from the regular cooperation and consistency mechanisms to order final measures due to the urgency
of the situation.
221. Lastly, the EDPB considers it relevant to recall the SAs’ duty to monitor the application of the GDPR in
order to protect the fundamental rights and freedoms of natural persons in relation to processing and
408
to facilitate the free flow of personal data within the EU . In particular, the EDPB has stated that
when a violation of the GDPRhas been established, competent supervisory authorities are required to
409
react appropriately to remedy this infringement . The powers afforded to SAs by Article 58 GDPRare
aimed to fulfilling this goal. Similarly, the Court of Justice of the European Union held that ‘(...)
[a]lthough the supervisory authority must determine which action is appropriate and necessary (...),
the supervisory authority is nevertheless required to execute its responsibility for ensuring that the
410
GDPR is fully enforced with all due diligence’ .
4.2.2 On the application of a legal presumption of urgency justifying the need to derogate
from the cooperation and consistency mechanisms
222. Intheprecedentsection,theEDPBfoundthatthereisaneedtoderogatefromtheregularcooperation
411
and consistency mechanisms to order final measures due to the urgency of the situation . In this
section, the EDPB assesses whether such urgency and need to derogate from the regular cooperation
and consistency mechanisms may also be presumed on the basis of Article 61(8) GDPR.
412
223. Considering the facts of the case , the EDPB will assess whether this case falls within the description
provided by Article 61(8) GDPR, which refers to the situation where an SA does not provide the
information referred to in Article 61(5) GDPR within one month of receiving a mutual assistance
request from another SA. Article 61(8) GDPR provides that the ‘urgent need to act under Article 66(1)
[GDPR] shall be presumed to be met and require an urgent binding decision from the Board pursuant
to Article 66(2) [GDPR]’. If such a presumption applies, the urgent nature of an Article 66(2) request
413
for an urgent binding decision can be presumed and does not need to be demonstrated .
406See paragraph 205 above.
407
408See paragraphs 215-216 above
Article 51(1) GDPR and Recital 123 GDPR.
40EDPBBindingDecision3/2022,paragraph278 and EDPB Binding Decision 4/2022, paragraph 280 (referring to
CJEU Judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, ECLI:EU:C:2020:559, paragraph 111).
410
411Judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, ECLI:EU:C:2020:559, paragraph 112.
See EDPB analysis under 4.2.1.3
412See Section 1 of this urgent binding decision.
413EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 170.
Adopted 56224. As mentioned, the NO SA Mutual Assistance Request was made on 5 May 2023 - see paragraphs 10,
13, and 15 above describing the NO SA Mutual Assistance Request and the response provided by the
IE SA.
4.2.2.1 Summary of the position of the NO SA
225. The NO SA considers that Article 61(8) GDPR is applicable in this case 414 because the IE SA replied ‘No,
I cannot comply with the request’ to the NO SA Mutual Assistance Request ‘without providing any
specific justification other than referring to another letter it sent to all of the CSAs on 31 May 2023’ 415.
The NO SA also argues that the ‘IE SA did not provide a reasoned refusal’ as per Article 61(4) GDPR,
‘nor did it inform [the NO SA] of results or progress of any measures taken in order to respond to [their]
request to ban the unlawful processing of personal data and to enforce compliance with Article 6(1)
[GDPR]’ 41. According to the NO SA, the content of the letter of 31 May 2023 was a simple
announcement of when the IE SA would finalise its review of the Meta IE Compliance Reports, but it
‘didnotprovideanyinformationonthespecific enforcementplan[they]requested,nordiditannounce
any specific or envisaged enforcement action with respect to Meta IE, despite [their] request to that
417
effect’ .
226. In view of the NO SA there ‘were no measures taken in order to respond to the request’, and within a
month from the NO SA Mutual Assistance request, ‘the IE SA had complied with neither of [their]
demands’ 41. The NO SA also indicates that their demands remain unfulfilled due to the fact that the
IE SA considers it fair and reasonable not to engage in enforcement measures despite its conclusion
that Meta IE is currently failing to rely on a valid lawful basis for behavioural advertising 419.
227. To support the view that Article 61(8) GDPR is applicable to the present case, the NO SA refers to an
opinion of Advocate General Bobek stating that where a LSA fails to address a CSA mutual assistance
request, the latter may adopt provisional measures in circumstances in which ‘the urgent need to act
420
ispresumed andneednotbeproven’ .TheNOSAalsomentionsthe existenceofprecedentdecisions
applying the Article 61(8) GDPR presumption, in particular a decision from the IT SA related to Meta IE
where the SA similarly considered that a failure from the LSA to address their request legitimately
allowed for a derogation to the cooperation mechanism and the triggering of an Article 66 GDPR
421
urgency procedure .
228. The NO SA underlines that - contrary to the factual circumstances that led the EDPB to conclude that
422
Article 61(8) was not applicable in a previous case - ‘the communications regarding the present
matter between the NO SA and the IE SA were made using the procedure for MA [Mutual Assistance]
414NO SA Request to the EDPB, p. 7-8.
415NO SA Request to the EDPB, p. 8.
416NO SA Request to the EDPB, p. 8.
417
NO SA Request to the EDPB, p. 8.
418NO SA Request to the EDPB, p. 8;
419NO SA Request to the EDPB, p. 8, referring to the IE SA Final Position Paper. It may be useful to also note that
the NO SA, in its Letter to the IE SA of 21 September 2023 (p.1), states they understand the IE SA has chosen not
to follow the NO SA Mutual Assistance Request because in spite of preliminarily concluding that Meta IE is still
notoperatingincompliancewithArt.6(1)GDPRtheydidnotindicateanycorrespondingenforcementmeasures.
420NO SA Request to theEDPB,p. 9, referring to Opinion of Advocate General Bobek in Case C‑645/19, Facebook
Ireland and Others, paragraph 119 and paragraph 135.
421
NO SA Request to the EDPB, p. 9, referring to Italian SA’s decision of 21 December 2022 [9853406], available
at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9853406#english.
422NO SA Request to the EDPB, p.9 referring to EDPB Urgent Binding Decision 01/2021, paragraphs. 171-181.
Adopted 57 requests pursuant to Article 61(1) GDPR, and not the procedure for Voluntary Mutual Assistance
423
(“VM[A]”) requests’ .
4.2.2.2 Summary of the position of the controller
424
229. Meta IE argues that, in this case, no ‘presumption of urgency arises under Article 61(8) GDPR’ . Meta
IE indicates that in order to rely on Article 61(8) GDPR presumption of urgency, the NO SA ‘must show
that the [IE SA] failed to respond to the [NO SA’s Mutual Assistance Request]’ but considers that the
NO SA ‘cannot show this’ 425. Meta IE states that the NO SA’s ‘attempt to rely on the presumption of
urgency in Article 61(8) GDPR is misconceived as a matter of law and contradicts the factual record of
communications’ between the IE SA and the NO SA 426. According to Meta IE, the IE SA ‘adequately
addressed the [NO SA Mutual Assistance Request] by providing the information the [NO SA]requested’
and the NO SA ‘distort[s] and mischaracterize[s] the substance and nature of the correspondence’ with
the IE SA427.
230. In MetaIE’sview,the NO SA MutualAssistance Requestdid not ‘request the[IE SA] to detail a “specific
enforcement plan” or “specific or envisaged enforcement action” that it would “impose on [Meta IE] in
the event of non-compliance”, as this is not what is entailed by the request of the NO SA to the IE SA
to share “a timeline specifying how it will ensure in an expedient manner that Meta [IE] complies with
428
Article 6(1) GDPR”’ . Rather, according to Meta IE, this wording referred to a request to share a
timeline, which the IE SA provided ‘on numerous occasions’ 429and this demonstrates that there was
‘noinactionorfailuretocommunicatebythe[IESA]whichthe[NOSA]cannowrelyontoinvokeArticle
61(8) [GDPR]’ 430.
231. According to Meta IE, ‘the [IE SA]’s decision not to immediately implement the[NOSA]’s own preferred
enforcement measures did not amount to a failure to adequately respond to the [NO SA Mutual
AssistanceRequest].NothinginArticle61(1)GDPRrequiressuchblindobediencebyanLSAtowhatever
actions a CSA might request it to take. [...] The [IE SA] adequately addressed the [NO SA Mutual
Assistance Request] by providing the information the [NO SA] requested’ 431. It also states that ‘Article
61(5) GDPR [...] does not require an LSA to commit in advance to impose any specific corrective
measures within any specific timeframe’ 43. Meta IE further elaborates that while ‘Article 61 GDPR
cannot be used by a single SA to demand that an LSA adopt corrective measures with respect to
processing that is subject to an ongoing LSA-led compliance proceeding’, the IE SA later provided
433
reasons ‘for declining to issue an immediate ban on processing’ . In this regard, Meta IE is of the
opinion that corrective measures cannot be requested ‘with respect to processing that is subject to an
ongoing LSA-led compliance proceeding’ as this could ‘undermine the one-stop shop mechanism and
423NO SA Request to the EDPB, p.9-10.
424Meta IE’s Submissions of 25 August 2023, p. 18-21; Meta IE’s Submissions of 16 October 2023, p. 5-8;
Annexure 1 to Meta IE’s 16 October 2023 Letter, p.17; Annexure 12 to Meta IE’s 16 October 2023 Letter, p.49-
53.
425Meta IE’s Submissions of 25 August 2023, p. 19; Meta IE’s Submissions of 16 October 2023, p. 5.
426Meta IE’s Submissions of 26 September 2023, p. 5.
427Meta IE’s Submissions of 16 October 2023, p. 5.
428
Meta IE’s Submissions of 26 September 2023, p. 5, referring to the NO SA Mutual Assistance Request.
429Meta IE’s Submissions of 25 August 2023, p. 19.
430Meta IE’s Submissions of 26 September 2023, p. 7.
431Meta IE’s Submissions of 26 September 2023, p. 2; Meta IE’s Submissions of 16 October 2023, p. 5.
432
Meta IE’s Submissions of 16 October 2023, p. 5.
433Meta IE’s Submissions of 16 October 2023, p. 6, referring to (i) Meta IE’s Merit Complaint submitted to the
OsloDistrictCourtannexedtoMetaIE’sSubmissionsof16October2023,andto(ii)theIESAFinalPositionPaper.
Adopted 58 the LSA’s duty to consider all CSAs views in connection with that mechanism’ 434. In addition, Meta IE
argues that the request ban on processing had already been ‘considered and rejected by the EDPB in a
prior Article 65 GDPR binding decision’ 435.
232. In Meta IE’s view, the IE SA addressed the NO SA’s Mutual Assistance Request via the IE SA Update to
CSAs of 31 May 2023as it contained ‘relevant information’ and allowed to inform the NO SA of ‘the
436
progress of the measures taken in order to’ address the request . Considering that the IE SA did
address the request on 31 May 2023, it therefore did not refuse to do so when it provided its negative
response on IMI on 2 June 2023 because this response was accompanied with a reference to the IE SA
Update to CSAs of 31 May 2023 437. Meta IE further details that the IE SA had explained that the
negativeresponseonIMIwastheresultofa‘mistake’andthattheNOSA’smessagetotheIESAshows
that the NO SA ‘did not believe [...] that the [IE SA] had failed to respond’ to the request 438. In support
of this, Meta IE mentions a message from the NO SA to the IE SA stating: ‘Thank you for your message
of 2 June 2023. We understand that you will revert towards the end of June’ and ‘we will await your
response towards the end of June’ 439.
233. Meta IE considers that the NO SA did not object to the IE SA Provisional Position Paper and did not
mention any alleged failure by the IE SA to respond to the NO SA Mutual Assistance Request, ‘despite
invoking Article 61(8) GDPR in the [NO SA] Order to attempt to argue that urgency may be presumed
due to an alleged failure to respond by the [IE SA]’ 440. Furthermore, Meta IE argues that the NO SA ‘did
not raise any complaints about the[IE SA]’s proposed timetable prior to issuing theOrder, even though
that is what it would have been expected to do first if it had genuine concerns about urgency’ 44.
234. Concerning the NO SA’s reference to the opinion of Advocate General Bobek in Case C-645/19, Meta
IE indicates that ‘considering the lengthy procedural history, which includes the [IE SA] imposing the
NOYB Decisions and properly conducting an ongoing compliance procedure, the NO SA cannot
reasonably argue that the[IE SA] has failed to act. The [IE SA] is acting, and also fully cooperating with,
the other SAs’ 442.
4.2.2.3 Analysis of the EDPB
235. The cooperation mechanism in the GDPR provides for different tools for the SAs to exchange among
themselves and perform their tasks. One of such tools is mutual assistance pursuant to Article 61
GDPR. Under this provision, SAs ‘shall provide each other with relevant information and mutual
assistance in order to implement and apply [the GDPR] in a consistent manner, and shall put in place
434
Meta IE’s Merits Complaint submitted to the Oslo District Court annexed to Meta IE’s Submissions of 16
October 2023, p. 52.
435Meta IE’s Merits Complaint submitted to the Oslo District Court annexed to Meta IE’s Submissions of 16
October 2023, p. 52, referring to (i) EDPB Binding Decision 3/2022, paragraph 285 and to (ii) EDPB Binding
Decision 4/2022, paragraph 287.
436Meta IE’s Submissions of 16 October 2023, p. 5, referring to the IE SA Update to CSAs of 31 May 2023.
437Meta IE’s Submissions of 16 October 2023, p. 6.
438Meta IE’s Submissions of 16 October 2023, p. 6.
439
Meta IE’s Submissions of 16 October 2023, p. 6, referring to the message sent by the NO SA to the IE SA via
the IMI flow relating to the NO SA Mutual Assistance Request on 9 June 2023.
440Meta IE’s Submissions of 25 August 2023, p.9, referring to an email dated 14 July 2023 from the NO SA to the
IE SA informing of the Provisional Measures being taken.
441
Meta IE’s Submissions of 26 September 2023, under footnote 41 p. 12.
442Meta IE’s Complaint to the NO SA regarding the NO SA Order, 1 August 2023, p. 17; Meta IE’s Submissions of
25 August 2023, p.21.
Adopted 59 443
measuresfor effective cooperationwith oneanother’ .Thesame provisionalsoexplains that mutual
assistance ‘shall cover, in particular, information requests and supervisory measures, such as requests
444
to carry out prior authorisations and consultations, inspections and investigations’ .
236. The EDPB recalls that Article 61 GDPR on mutual assistance belongs to Section 1 of Chapter VII of the
GDPR related to cooperation. In this regard, the EDPB considers Article 61 GDPR to be one of the
mechanismsforsupervisoryauthorities toensure properand efficient cooperation.Consequently, the
concept of mutual assistance rooted in the GDPR entails ‘sincere and effective cooperation’ 445and
requires concrete actions from a supervisory authority receiving a mutual assistance request
(hereinafter, ‘Requested SA’). More specifically, the obligations of a Requested SA can be listed in a
logical sequence as follows:
• Article 61(2) GDPR: ‘each SA shall take all appropriate measures required to reply to a request
of another SA’;
• Article 61(2) GDPR: the Requested SA shall reply within a specific timeframe (‘without undue
delay and no later than one month after receiving the request’);
• Article61(4) GDPR:the Requested SAmust‘complywiththerequest’inallcases exceptforthe
situations mentioned in Article 61(4) (a) and (b);
• Article61(5)GDPR,firstsentence:‘therequestedSAshallinformtherequestingSAoftheresult
or, as the case may be, of the progress of the measures taken in order to respond to the
request’;
• Article 61(5) GDPR,secondsentence: ‘therequested SAshall providereasonsforany refusal to
comply with a request pursuant to paragraph 4’;
• Article 61(6) GDPR: the Requested SA shall, as a rule, supply the information by electronic
means, using a standardised format.
237. Article 61(9) GDPR provides the possibility for the European Commission (hereinafter the ‘EC’) to
specify, by means of implementing acts, the format and procedures for mutual assistance and the
arrangementsfortheexchangeofinformationbyelectronicmeansbetweenSAs.On16May2018,the
EC adopted an implementing act relating to the use of the EC Internal Market Information system for
GDPR consistency and cooperation procedures, including for Article 61 GDPR mutual assistance
requests (IMI) (hereinafter, the ‘IMI Implementing Act’) 446.
238. The IMI procedure dedicated to Article 61 GDPR mutual assistance requests is a one-to-one workflow.
This entails that the request can only be addressed to, and received by, the Requested SA. Similarly,
the reply will only be addressed to, and received by, the SA that made the mutual assistance request
(hereinafter, the ‘Requesting SA’). Pursuant to Article 3(3) of the IMI Implementing Act, this dedicated
workflow is to be used for the different exchanges between authorities in the framework of an Article
44Article 61(1) GDPR.
44Article 61(1) GDPR.
44Onhow a ‘lead supervisory authority cannot, in the exercise of its competences, [...]eschew essential dialogue
with and sincere and effective cooperation with the other supervisory authorities concerned’, see Judgment of
the Court of Justice (Grand Chamber) of 15 June 2021, in case Facebook Ireland Ltd and Others v
Gegevensbeschermingsautoriteit, C-645/19, ECLI:EU:C: 2021:483, paragraph 63.
44EC Implementing Decision (EU) 2018/743 of 16 May 2018 on a pilot project to implement the administrative
cooperation provisions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council by
means of the Internal Market Information System C/2018/2814, https://eur-lex.europa.eu/legal-
content/EN/TXT/?uri=uriserv%3AOJ.L .2018.123.01.0115.01.ENG&toc=OJ%3AL%3A2018%3A123%3ATOC.
Adopted 60 61 GDPR mutual assistance request. This includes, in particular, ‘requesting mutual assistance from
another supervisory authority in the form of information and/or supervisory measures’, ‘responding to
a mutual assistance request including acceptance or in exceptional cases refusals to comply with the
request’, and ‘communication of the progress and the result of measures taken in order to respond to
the request’44. The use of this dedicated IMI workflow also allows for the automatic monitoring of the
one-month deadline to reply to a request pursuant to Article 61(2) GDPR.
239. Being a one-to-one workflow in the IMI, an Article 61 GDPR mutual assistance procedure is a type of
bilateral communication to be distinguished from other bilateral or multilateral communication
channels that are made available in IMI for other types of GDPR cooperation mechanisms. While a
mutual assistance request can be connected to developments occurring within multilateral
communication channels, the initiation of a mutual assistance request by a supervisory authority
opens a dedicated workflow for exchanges between the Requesting and Requested SAs only.
240. Pursuant to Article 61 GDPR, a Requested SA is under a legal obligation to address a mutual assistance
request. The only possibility for a Requested SA to refuse to address a request is where it provides
448
reasons for refusing to comply, in line with the two limited exceptions of Article 61(4) GDPR and as
provided in the last sentence of Article 61(5) GDPR 44. While the possibility to provide information on
the results or progress of the measures taken within the one-month timeframe gives some discretion
to the Requested SA, the duty to cooperate also implies that the Requested SA must always take
certain concrete steps to address the given request, or duly justify why it does not do so. In an
exceptional situation where a Requested SA does not provide appropriate information on the
measurestaken,theprogressmade,oronthedulyreasonedgroundswhyitcannotsatisfytherequest,
within one month of receiving the request, the Requesting SA may consider that the conditions of
Article 61(8) GDPR are met.
241. In light of the above developments, the EDPB considers that the obligation for the Requested SA to
address a mutual assistance request implies the need to fulfil procedural and substantive criteria.
242. The need to fulfil the procedural criteria mainly derives from Article 61, paragraphs 6 and 9 GDPR,
togetherwithArticle3(3)oftheIMIImplementingAct.Theproceduralcriteriarelateto theprocedural
formalities that need to be respected to address a mutual assistance request.
243. For what concerns, on the other hand, the obligation to fulfil substantive criteria, the EDPB considers
thatthisarisesfromtheprovisionsmentionedabove,namely (i)thewordingofArticle61(4)GDPRand
Article61(5)GDPR,providingforapossibilitytorefusetocomplywithmutualassistancerequestsonly
based on the limited grounds listed in the GDPR, and providing reasons for any refusal, and (ii) the
qualification of mutual assistance as a tool for cooperation. This imposes the need to examine the
content of the reply and the actions taken by a Requested SA to evaluate whether or not a given
request has been addressed.
244. The list provided by Article 61(1) GDPR is not exhaustive (‘in particular’). As such, it does not list or
excludespecificallytheimpositionofcorrectivemeasures.However,theEDPBconsidersthat thisdoes
44EC Implementing Decision (EU) 2018/743 of 16 May 2018, Article 3(3).
44Art. 61(4) GDPR states ‘The requested supervisory authority shall not refuse to comply with the request unless:
(a) it is not competent for the subject-matter of the request or for the measures it is requested to execute; or (b)
compliance with the request would infringe this Regulation or Union or Member State law to which the
supervisory authority receiving the request is subject.’
44‘The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant
to paragraph 4’.
Adopted 61 not, in any event, remove the duty of the Requested SA, pursuant to Article 61 (4) and 61 (5) GDPR
and the general duty of cooperation, to provide reasons for any refusal to comply with a request.
245. Moving on to the case at hand, the EDPB notes that on 5 May 2023 a formal Article 61 GDPR mutual
assistance request was initiated by the NO SA via the creation of a dedicated IMI workflow. The NO SA
Mutual Assistance Request contained two different requests:
(i) ‘that the IE SA issues a temporary ban on Meta IE’s processing of personal data for
behavioural advertising purposes on Facebook and Instagram based on Article 6(1)(f) GDPR, in
accordance with Article 58(2)(f) GDPR’ 45;
(ii) ‘that the IE SA shares a timeline specifying how it will ensure in an expedient manner that
[Meta IE] complies with Article 6(1) GDPR’.
246. In the NO SA Mutual Assistance Request, the NO SA also specified that they would ‘be grateful if the
IE SA, by 5 June 2023, would share the timeline and confirm that a temporary ban will be issued’ and
that ‘If the IE SA is not in a position to comply with our request regarding [Meta IE], we may need to
consider our options in relation to the adoption of provisional measures in Norway pursuant to Article
66 of the GDPR. We hope that this will not be necessary and look forward to cooperating further with
the IE SA within the framework of the cooperation mechanisms set out in Chapter VII of the GDPR’.
247. The NO SA Mutual Assistance Request was also uploaded by the NO SA as a comment on the Meta IE
Compliance Reports, shared with the LSA and all CSAs within the IE SA IMI Informal Consultations.
Other CSAs shared their feedback on the Compliance Reports in the same period, as described above
451
in paragraph 10, and some of them also addressed concerns on actions taken by the IE SA . In this
context, on 30 May 2023, the NL SA also made a mutual assistance request, as described above in
paragraph 12. Analysing, first of all, whether the procedural criteria were met by the IE SA’s response
to the NO SA Mutual Assistance Request, the EDPB notes that it is on 2 June 2023 that the first
450The wording of the NO SA Mutual Assistance Request then goes on as follows: ‘The ban should last until the
lead and concerned supervisory authorities are satisfied that [Meta IE] has provided adequate and sufficient
commitments to ensure compliance with Articles 6(1) and 21 GDPR, in line with Article 31 GDPR. This will give us
the opportunity to further engage with Meta and make sure that it commits to fully respect its obligations under
the GDPR, while preventing any further risks for data subjects stemming from [Meta IE]’s non-compliant
behavioural advertising practices. Please note that in our view, behavioural advertising includes any activities
where advertising is targeted on the basis of a data subject’s behaviour or movements, including advertising
451ed on perceived location’.
Several CSAs expressed concerns about:
(i) The IE SA not sharing its own legal assessment (e.g. FR SA on 25 April 2023; DE Hamburg SA on 4 May 2023).
In response, the IE SA invited the CSAs to ‘carry out their own assessments of the compliance material’ and
outlined that ‘the finding of infringement of Article 6(1) [GDPR] and the requirement for a corresponding order
to be imposed, were determined by the EDPB’ which ’overturned the views originally expressed by the IE SA in its
draft decision‘ (IE SA request for CSAs views circulated via the IMI on 26 April 2023);
(ii) The measures suggested by the controller to comply with the IE SA decisions - in particular the reliance on
Article 6(1)(b) GDPR and Article 6 (1)(f) GDPR for behavioural advertising - which raised concerns and criticisms
forwhichseveralCSAsrequestedimmediateactionsfromtheIESA (e.g.viewsofDEHamburgSAon4May2023;
views of NL SA on 4 May 2023; comment of the SE SA on 4 May 2023).
Similarly, theNO SAhadpreviouslycontacted theIE SAviaemail on 5 April to express their ‘strongdoubts’about
Meta using Article 6(1)(f) in the context of behavioural advertising, as well as their fear of a ‘real risk to data
subject's rights’, and asking the IE SA for their assessment and intentions for regulatory action. On 4 May 2023,
the IE SA had indicated via the IE SA IMI Informal Consultations that they would ‘not be preparing any further
decision in this matter’ and that they would rely on their assessment of compliance, carried out jointly together
with all CSAs, IE SA Information on Procedure (response to SE SA), dated 4 May 2023.
Adopted 62 procedural development from the IE SA occurred within the Art. 61 IMI workflow initiated by the NO
SA. This is when the IE SA specified they ‘cannot comply with the request’ (by way of checking a pre-
filled text box on IMI), and indicated in a comment they had further detailed their response under
452
previous communications located in the IMI Informal Consultations . The IE SA made reference to
the IE SA Update to CSAs of 31 May 2023 (see above paragraph 13). Therefore, the EDPB considers
that the IE SA addressed the NO SA Mutual Assistance Request from a procedural standpoint.
248. The EDPB also analyses the substance of the reply provided by the IE SA to assess whether the NO SA
Mutual Assistance Request was addressed within the one-month deadline set by the legislator. It is in
particular relevant to assess whether the IE SA, refusing to comply with the NO SA Mutual Assistance
Request,providedthereasonsforsuch refusalinaccordancewith Article61(5)GDPR.Whilespecifying
they‘cannotcomplywiththerequest’,theIESAindicatedinacommenttheyhadfurtherdetailedtheir
response under previous communications located in the IE SA IMI Informal Consultations 453. The IE SA
454
made reference to the IE SA Update to CSAs of 31 May 2023 (see above paragraph 13) .
249. AccordingtotheIESA,the IESAUpdate toCSAsof31 May2023whichitsreplyof2June2023referred
to was ‘directed to the subject matter of the NO SA [Mutual Assistance Request]’ and was ‘clearly
engaging with the substance of the NO SA [Mutual Assistance Request] [...] directly, and in a fulsome
455
manner’ . Consequently, the IE SA considers it did not refuse to engage with the NO SA’s request for
mutual assistance by means of its communication of 2 June 2023 456.
250. The content of the IE SA Update to CSAs of 31 May 2023 relates to the information about the
457
continuation oftheassessmentof the Meta IECompliance Reportspursuant to Article60(10)GDPR .
In fact, it was a mere confirmation of the approach already suggested to all CSAs prior to the NO SA
458
Mutual Assistance Request .
452NO SA mutual assistance request IMI dedicated flow. 453More specifically the message from the IE SA stated:
‘Dear Colleagues, Please see detailed response uploaded by the [IE SA] under [the IMI Informal Consultations]
453 further information. Best regards, IE SA’.
Morespecifically themessage from the IE SA stated:‘DearColleagues, Please seedetailed responseuploaded
by the [IE SA] under [the IMI Informal Consultations] for further information. Best regards, IE SA’.
Such response was the IE SA Update to CSAs of 31 May 2023 (see paragraph 13 above). The LSA referred to two
454ferent communications issued to all CSAs via the IMI Informal Consultations.
The IE SA indicated that they had ‘received all of the assessments from CSAs’ and ‘forwarded them to [Meta
IE] for it to consider the views expressed and to detail any changes that it proposes to implement on foot of the
CSA assessments’. Furthermore, the IE SA stated that it will ‘complete its own assessment of [Meta IE]’s
compliance reports’ ‘once the IE SA receives [Meta IE]’s response’. The IE SA also stated ‘it will be in a position to
completeitsownassessmentof[MetaIE]’s[ComplianceReports]andtoshareitsassessmentwiththeNorwegian
and Dutch supervisory authorities (both of which have lodged Article 61 requests for mutual assistance) and with
all other CSAs by the end of June 2023‘.
455
456Views of IE SA on NO SA Order, p.2.
Views of IE SA on NO SA Order, p.2, referring to IE SA’s Response to the NO SA Mutual Assistance Request.
457The LSA indicated that they had ‘received all of the assessments from CSAs’ and ‘forwarded them to [Meta IE]
for it to consider the views expressed and to detail any changes that it proposes to implement on foot of the CSA
assessments’. Furthermore, the LSA stated that it will ‘complete its own assessment of Meta [IE]’s [C]ompliance
[R]eports’ ‘once the IE SA receives Meta IE’s response’. The LSA also stated ‘it will be in a position to complete its
own assessment of Meta’s compliance reports and to share its assessment with the Norwegian and Dutch
supervisory authorities (both of which have lodged Article 61 requests for mutual assistance) and with all other
CSAs by the end of June 2023’.
458
IE SA Information on Procedure (response to SE SA), dated 4 May 2023 (prior to the NO SA Mutual Assistance
Request). In this communication, the LSA indicated to all CSAs - via the IMI Informal Consultations - that the ‘IE
SA will not be preparing any further decision in this matter’ and that they would rely on their assessment of
compliance, carried out jointly together with all CSAs.
Adopted 63251. The EDPB notes that the IE SA Update to CSAs of 31 May 2023 makes reference to the NO SA Mutual
Assistance Request, by saying: ‘The IE SA anticipates that it will be in a position to complete its own
assessment of Meta IE Compliance Reports and to share its assessment with the [NO SA] and [NL SA]
(both of which have lodged Article 61 requests for mutual assistance) and with all other CSAs by the
end of June 2023’.
252. However, the EDPB considers that:
• the second request in the NO SA Mutual Assistance Request was a request for ‘a timeline
specifying how [the IE SA] will ensure in an expedient manner that [Meta IE] complies with
Article 6(1) GDPR’. The IE SA Update to CSAs of 31 May 2023 does provide a timeline of the
next steps in the process envisaged by the IE SA for the assessment of the Meta IE Compliance
Reports (with the last step being the completion of the IE SA’s own assessment and its sharing
with the CSAs by the end of June 2023). However, there are no details as to how the IE SA
considered that the completion of the assessment of the Compliance Reports would ‘ensure
in an expedient manner that [Meta IE] complies with Article 6(1) GDPR’. While there is an
implicit (and, in any event, only partial) connection, further motivation in this regard would
have been necessary.
• the first request in the NO SA Mutual Assistance Request was a request for the imposition of
a “temporary ban on Meta’s processing of personal data for behavioural advertising purposes
on Facebook and Instagram based on Article 6(1)(f) GDPR, in accordance with Article 58(2)(f)
GDPR’. The IE SA Update to CSAs of 31 May 2023 does not include any reasoning as to the IE
SA’s acknowledgement or consideration of this request.
253. The EDPB notes that while the IE SA explained after the expiry of the one-month deadline that the
negative answer to the NO SA Mutual Assistance Request was the result of a mistake (a text box
459
‘incorrectly (and inadvertently) checked’) , the IE SA does not state it tried to amend its answer - for
instance to provide the reasons for any refusal to comply with the request - or sought assistance to do
so within the one-month deadline.
254. The EDPB also takes note of the IE SA’s view shared on 27 September 2023 that the part of the NO SA
Mutual Assistance Request pertaining to a ban was not ‘validly made by reference to the provisions of
Article 61 GDPR’ and that it was not ‘open to the [NO SA] to demand, by way of mutual assistance
460
request, that the [IE SA] impose a temporary ban on the Processing Operations’ at stake .
255. However, Article 61(4), letter (b) GDPR envisages the possibility for the Requested SA to refuse to
complywithamutualassistancerequestinasituationwhereitconsidersthatcompliancewithitwould
infringe the GDPR or EU or Member State law to which the Requested SA is subject. Nevertheless, in
thiscircumstance,asalreadyunderlinedunderparagraph240,theRequestedSAthatwishestoinvoke
thisgroundforrefusalneedstomotivateitsresponsepursuanttoArticle61(5)GDPR.TheIESAUpdate
to CSAs of 31 May 2023 or the message in the MA Request workflow of 2 June 2023 do not provide
any justification for not addressing the request under the limited exceptions of Article 61(4) GDPR. In
addition, the views shared on 27 September 2023 were way beyond the expiration of the one month
459
460Communication of IE SA to all CSAs dated 20 July 2023, p. 2.
Letter from the IE SA to the NO SA dated 27 September 2023, p. 3. In this regard the IE SA further argued that
the EDPB Binding Decisions ‘explicitly declined to impose a temporary ban’ (p. 3) and that ‘Putting in place an
immediatebanonprocessingwhichisisolatedanddivorcedfromanyunderlyinglegalprocedurewouldinevitably
expose the [IE SA] to significant legal risk and lead to litigation’ (p. 4).
Adopted 64 deadline. Therefore, the EDPB considers that, within one month of receiving the request, the LSA did
not provide the reasons for refusal to comply with the request pursuant to Article 61(5) GDPR.
256. In light of the above, the EDPB considers that the IE SA failed to provide a substantive reply the NO SA
Mutual Assistance Request.
257. ConsideringthefactthatArticle61(8)GDPRprovidesexplicitlythatthepresumptionofurgencyapplies
in case the [Requested SA] does not provide the information in [Article 61(5)] within the one month of
receiving the request, the EDPB therefore considers that the presumption set by Article 61(8) GDPR
is applicable in this specific case. Consequently, the EDPB finds that urgency may be presumed on
the basis of Article 61(8) GDPR, which further corroborates the need to derogate from the regular
cooperation and consistency mechanisms 46.
4.2.3 Conclusion as to the existence of urgency
258. The EDPB considers that the elements analysed above justify the urgency for the EDPB to request the
IE SA to order final measures under Article 66(2) GDPR. The EDPB considers that the urgent need to
order final measures is clear in light of the risks that the infringements represent for the rights and
freedoms of the data subjects without the adoption of final measures 462. Furthermore, the EDPB
463
considers that such urgency may be presumed pursuant to Article 61(8) GDPR . The EDPB therefore
considers that there is urgency for the IE SA to order final measures in this case.
5 ON THE APPROPRIATE FINAL MEASURES
259. On the basis of the analysis above (see sections 4.1 and 4.2), the conditions relating to the existence
of infringements and to an urgent need to act in this case are met. The EDPB therefore proceeds with
the analysis of which final measures, if any, it should order in this specific case. A request from a SA
under Article 66(2) GDPR is aimed to address a situation where such SA, after adopting provisional
measures under Article 66(1) GDPR, ‘considers that final measures need urgently be adopted’.
5.1 Content of the final measures
5.1.1 Summary of the position of the NO SA
260. In the NO SA Request to the EDPB, the NO SA requests that ‘final measures, in line with the provisional
measures [the NO SA] imposed in Norway, be imminently adopted’ 464. In the NO SA Order, the NO SA
prohibited for three months Meta IE and Facebook Norway from processing personal data of data
subjects residing in Norway for behavioural advertising on the basis of Article 6(1)(b) GDPR or Article
6(1)(f) GDPR from 4 August 2023 to 3 November 2023 465. The NO SA provides that the NO SA Order
will be lifted before that date if remedial measures are implemented so that adequate and sufficient
commitments to ensure compliance with Article 6(1) GDPR and Article 21 GDPR can be provided 466. In
casetheorderisnot compliedwith,theNOSAannounces,intheNOSAOrderitself,thatit maydecide
to impose a coercive fine of up to NOK 1 000 000 per day of non-compliance on Meta IE and/or
461
462lso see the EDPB Urgent Binding Decision 01/2021, paragraph 181.
As demonstrated in section 4.2.2.3 above.
46As demonstrated in section 4.2.1.3 above.
46NO SA Request to the EDPB, p. 12.
46NO SA Order, p. 3.
466
NO SA Order, p. 3.
Adopted 65 FacebookNorway,individuallyorcollectively 467.AsMetaIEandFacebookNorwaydidnotcomplywith
the NO SA Order, the NO SA imposed a daily coercive fine, which started to accrue on 14 August
2023 46.
261. The NO SA also points out that, with respect to the objective that the final measures should seek to
achieve, ‘it is necessary to ensure that “[p]ersonal data shall not be processed for Behavioural
469
Advertising based on Article 6(1)(b) [GDPR] or [Article] 6(1)(f) GDPR in the context of the Services”’ .
TheNOSArequeststhatanyfinalmeasureshoulddemand“swiftcompliance”withoutfurtherdelay 47.
262. With respect to the geographical scope of the final measures requested, the NO SA asked that ‘the
measures should be applied EEA-wide, to avoid derogating from the harmonisation and consistency
471
that the GDPR aims to ensure’ .
263. The NO SA considers that Meta IE has a ‘readily available procedure to terminate this processing
rapidly’, as it already implemented an objection mechanism in the EEA in relation to its processing for
behavioural advertising in reliance of Article 6(1)(f) GDPR. In other words, the NO SA argues that
suspending this processing activity could be achieved through the use of a process similar to the one
used by Meta IE in the context of the objection mechanism, and that nothing - from a technical
perspective - prevents Meta IE from suspending the behavioural advertising processing in the EEA 472.
264. To support this request, the NO SA points out that (1) final measures should urgently be adopted
because the processing of personal data violates the rights and freedoms of data subjects in all EEA
states, (2) the IE SA Decisions are applicable for users in all EEA states, and (3) there is consensus at
European level between the IE SA and the CSAs that the processing continues to be unlawful 473.
5.1.2 Summary of the position of Meta IE and Facebook Norway
265. Meta IE points out that in its view ‘it is not clear which final measures the [NO SA] is seeking to request
474
from the EDPB’ . According to Meta IE, the NO SA Order ‘comprises three core elements: (i) the
imposition of a temporary ban [...]; (ii) the imposition of daily administrative fines [...]; and (iii) the
475
lifting of that ban subject to receiving adequate commitments from [Meta IE]’ . Meta IE alleges it is
not clear whether the NO SA intends to pursue each of these elements, or others, as part of its
476
request .
266. Meta IE considers that the NO SA Request to the EDPB constitutes partly ‘an attempt to re-litigate
objections that the [NO SA] has already raised in the NOYB Inquiries at the Article 65 GDPR stage and
which have already been rejected by the EDPB’ 477. According to Meta IE, the NO SA’s actions ‘appear
to be motivated by (unwarranted) dissatisfaction with the [IE SA]’s handling of the enforcement of the
467NO SA Order, p. 4.
468NO SA’s Decision to impose a coercive fine on Meta IE and Facebook Norway of 7 August 2023, p. 3.
469
NO SA Request to the EDPB, p. 12.
470NO SA Request to the EDPB, p. 12.
471NO SA Request to the EDPB, p. 12.
472NO SA Request to the EDPB, p. 12-13.
473
NO SA Request to the EDPB, p. 12.
474Meta IE’s Submissions of 26 September 2023, p. 13.
475Meta IE’s Submissions of 26 September 2023, p. 13.
476Meta IE’s Submissions of 26 September 2023, p. 13.
477
Meta IE’s Submissions of 26 September 2023, p. 3, 13. See also Meta IE’s Submissions of 16 October 2023, p.
8.
Adopted 66 NOYB Decisions’. The controller states then that it ‘cannot be sanctioned based on factors that are
outside its sphere of influence’ 47.
267. In addition, Meta IE provided arguments in respect of the possible content of the final measures to be
ordered by the EDPB, setting out elements for each possible measure identified. Meta IE also argues
that, in general, only the provisional measures adopted by the requesting SA can be adopted as final
measures under the Article 66(2) GDPR procedure 47. In Meta IE’s view, it is unclear whether the EDPB
is competent to order final measures on an EEA-wide basis, or whether it is limited to only ordering
measures with respect to the country of the requesting CSA, and it is unclear whether the EDPB is
480
competent to adopt final measures permanently . On this matter, Meta IE also made reference to
the fact that the EDPB has itself requested the EU legislator to clarify this 481.
268. Regarding a possible deletion order for data already unlawfully collected
whiletheNOSA has notexplicitlyrequestedsuchfinal measure,Meta
482
IE clarified its view that such request would be unlawful and unnecessary . More specifically, Meta
IE argues that the NO SA Order did not issue a deletion order as part of its Provisional Measures
483
adopted under Article 66(1) GDPR . Further, Meta IE highlights that the EDPB Binding Decisions
rejected objections from the NO SA that aimed to impose a deletion order on Meta IE 484.
485.
486.
487. In any event, Meta IE notes that the personal data previously collected for
behavioural advertising is also processed for other purposes that are not related to advertising, such
488
as security, fraud and safety . Meta IE considers that ‘a controller cannot be compelled to delete
personal data where it is validly collected and processed for different purposes pursuant to valid legal
bases, even in cases where its legal basis for one distinct set of processing is subsequently held to be
invalid’489.
478Meta IE’s Submissions of 26 September 2023, p. 17.
479
480Meta IE’s Submissions of 26 September 2023, p. 13-14.
Meta IE’s Submissions of 26 September 2023, p. 13, footnote 44.
481Meta IE’s Submissions of 26 September 2023, p. 13, footnote 44, referring to section 6.2 of EDPB-EDPS Joint
Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down
additionalprocedural rules relating tothe enforcementof Regulation(EU) 2016/679, atparagraphs 113-116 and
121. In this Joint Opinion, the EDPB and the EDPS provided their views on the proposed regulation made by the
EuropeanCommissionwhich,accordingtotheEDPBandtheEDPS,undulyrestrictstheapplicationoftheurgency
procedure under Article 66(2) GDPR.
482Meta IE’s Submissions of 26 September 2023, p. 14-15.
483Meta IE’s Submissions of 26 September 2023, p. 14.
484Meta IE’s Submissions of 26 September 2023, p. 14. This argument relates to the objections made by the NO
SAtothedraftdecisionsoftheIESAintheFacebookandInstagramcases,requestinganordertodeletepersonal
dataprocessedunderArt.6(1)(b)GDPR,whichtheEDPBconsiderednottomeetthethresholdofArt.4(24)GDPR
(in EDPB Binding Decision 3/2022, paragraph 483 and EDPB Binding Decision 4/2022, paragraph 450).
485
Meta IE’s Submissions of 26 September 2023, p. 14.
486Meta IE’s Submissions of 26 September 2023, p. 14.
487Meta IE’s Submissions of 26 September 2023, p. 14.
488
489Meta IE’s Submissions of 26 September 2023, p. 14-15.
Meta IE’s Submissions of 26 September 2023, p. 15.
Adopted 67269. Regarding a possible suspension order or ban applicable to all EEA users, Meta IE considers that the
490
NOSA’srequestforashortimplementationdeadlineisallegedly‘flawedandnotfeasible’ .According
to Meta IE, building the supporting infrastructure and rolling out the objection mechanism entailed
‘hundreds of thousands of hours of work’ on Meta IE’s side by multi-disciplinary teams including
product, machinelearning andinfrastructure engineers,userexperience designers,operations,policy,
marketing and legal to design, build and implement the systems, processes and user experience
required to enable Meta IE to meet the different requirements of Article 6(1)(f) GDPR 49. In Meta IE’s
view, the NO SA’s assertion that implementing a process similar to the objection mechanism could
form some ‘sort of instant compliance solution’ is ‘flawed’ 49.
493. In other
words, Meta IE argues that a change of legal basis for its behavioural advertising processing before
would simply not be feasible.
270. Meta IE also quotes the arguments put forward by the IE SA in that regard: ‘Putting in place an
immediate ban on processing which is isolated and divorced from any underlying legal procedure (...),
would inevitably expose the [IE SA] to significant legal risk and lead to litigation. In the context of such
litigation,the[IESA]wouldbecalledontojustifyitsdecisiontodepartfromthecourseofactionrooted
in [IE SA Decisions] (uncontested by the EDPB and/or the CSAs), in favour of an alternative, summary
procedure involving the immediate imposition of a ban on processing’ 494.
271. Regarding fines specifically, Meta IE argues that the NO SA is not entitled to ask for a fine as a final
measure 49, since the NO SA Order did not include fines as a provisional measure under Article 66(1)
GDPR. More generally, Meta IE also claims that fines are not an appropriate form of final measures
underArticle 66(2)GDPR 49,andthattheEDPBisnotcompetenttoadoptsuchadecisionunderArticle
497
66(2) GDPR . As the Article 66(2) GDPR procedure constitutes a derogation to the standard
cooperation procedure, Meta IE, highlighting the need for a restrictive interpretation of Article 66
GDPR, is of the opinion that any final measures ‘can only be those that are urgently needed to bring
the infringement to an end’ 498. According to Meta IE, all the final measures that do not achieve this
objective must be adopted within the framework of the one-stop-shop and the consistency
mechanism 499. Lastly, in Meta IE’s view, fines are not appropriate to ensure the immediate protection
of data subjects 50. Meta IE also argues that fines would be inappropriate in the circumstances of this
case, where high fines have already been imposed by the IE SA in the IE SA Decisions and where Meta
IE engagedingoodfaithwiththeIESA 501.
490Meta IE’s Submissions of 26 September 2023, p. 15.
491Meta IE’s Submissions of 26 September 2023, p. 15.
492Meta IE’s Submissions of 26 September 2023, p. 15.
493
Meta IE’s Submissions of 25 August 2023, p. 23-24.
494Meta IE’s Merits Complaint submitted to the Oslo District Court, p. 26, referring to the Letter of the IE SA to
the NO SA of 27 September 2023.
495Meta IE’s Submissions of 26 September 2023, p. 3.
496
Meta IE’s Submissions of 26 September 2023, p. 16.
497Meta IE’s Submissions of 26 September 2023, p. 16.
498Meta IE’s Submissions of 26 September 2023, p. 16.
499Meta IE’s Submissions of 26 September 2023, p. 16.
500
Meta IE’s Submissions of 26 September 2023, p. 16.
501Meta IE’s Submissions of 26 September 2023, p. 16.
Adopted 68 According to Meta IE, the
NO SA Request to the EDPB ‘already has, and will continue to, generate a huge amount of
administrative work for the EDPB, the CSAs, the LSA and Meta [IE],
502
. Meta IE considers that, in light of the fact that a potential urgent binding decision may
extend beyond Norway, ‘any attempt to perpetuatetheprovisions of the [NO SA] Order by way of such
a decision only serves to exacerbate this misuse of the urgency procedure and the violation of [Meta
IE]’s rights’0.
272. Facebook Norway highlights that it is not, and has never been, a party to the inquiries leading to the
adoptionoftheIESADecisions 504.ItalsohighlightsthattheIESADecisionsareonlyaddressedtoMeta
IE, in its capacity of sole data controller for the purpose of behavioural advertising on Facebook and
Instagram. Facebook Norway points out that it is a separate and independent legal entity that does
not offer Facebook or Instagram either in Norway or elsewhere, and is not the data controller for the
concerned behavioural advertising processing 50. Furthermore, Facebook Norway maintains that it
506
should not have been the addressee of the NO SA Order .
273. Meta IE and Facebook Norway have also expressed the view that the IE SA has already exercised
corrective powers against Meta IE in the IE SA Decisions, and that anyways the enforcement of
corrective orders is a matter for the LSA and governed by the applicable national law 507.
5.1.3 Analysis of the EDPB
274. In addition to the elements enshrined in the NO SA Request to the EDPB, the EDPB takes into
consideration the elements and arguments put forward by the IE SA. The IE SA considers that the NO
SA Request to the EDPB seeks to obtain an urgent binding decision from the EDPB, ‘the net effect of
508
which would be to compel the [IE SA], as LSA, to impose an EEA-wide ban’ . However, according to
the IE SA, it is already leading an ongoing ‘enforcement procedure’, whereby it is, along with the CSAs,
assessing ‘a defined set of proposals, by which [Meta IE] proposes to achieve compliance’ with Article
6(1) GDPR and the IE SA Decisions 50. This process is happening by involving the CSAs in accordance
withtheGDPR’scooperationand consistencyframework 510.Morespecifically,the IESAhighlightsthat
it ‘is currently engaged in a cooperative process to give effect to these orders in a manner that permits
all CSAs to make observations on [Meta IE]’s proposed course of action’ 51.
502Meta IE’s Submissions of 16 October 2023, p. 9.
503
Meta IE’s Submissions of 25 August 2023, p. 28.
504Facebook Norway’s Submissions of 25 August 2023, p. 13. See also Facebook Norway’s Submissions of 16
October 2023, p. 4.
505Facebook Norway’s Submissions of 25 August 2023, p. 13; Facebook Norway’s Submissions of 16 October
2023, p. 4; see also Letter from Facebook Norway to Ministry of Local Government and Regional Development
of 8 August 2023, p. 2.
506Facebook Norway’s Submissions of 26 September 2023, p. 1. See also Facebook Norway’s Submissions of 16
October 2023, p. 4.
507
Meta IE’s and Facebook Norway’s Submissions of 19 October 2023, p. 1-2.
508Letter from the IE SA to the NO SA of 13 October 2023, p. 3.
509Letter from the IE SA to the NO SA of 13 October 2023, p. 4.
510CommunicationofIESAtoCSAsof20July2023,p.1.SeealsoLetterfromtheIESAtotheNOSAof13October
2023, p. 4-6.
511Letter from the IE SA to the NO SA of 27 September 2023, p. 3
Adopted 69275. AccordingtotheIESA,nofinalmeasuresorderedbytheEDPBwouldbeappropriate,asitwoulddivert
resources from the IE SA-led process under the GDPR’s cooperation and consistency framework 512. In
addition, according to the IE SA, the NO SA’s legal justifications to suggest immediate enforcement
action by the LSA are ‘rooted in hypothetical arguments’ 513.
276. In this regard, the EDPB acknowledges that, since the moment the IE SA shared with the CSAs the
Compliance Reports on 5 April 2023, there has been an ongoing process consisting in the assessment
of the compliance efforts by Meta IE represented by the switch on 3 April 2023 to Article 6(1)(f) GDPR
as legal basis for most of the personal data collected on Meta’s products for behavioural advertising
purposes and later on, by the Meta IE’s Consent Proposal, and that this process was led by the IE SA in
its role as LSA in cooperation with the CSAs, which were invited to submit their views on multiple
occasions.
277. However, in light of the elements described above, namely the existence of ongoing infringements of
514
Article6(1)GDPR-thattheEDPBhasalreadylabelledasa‘veryserioussituationofnon-compliance’ ,
and of the duty to comply with decisions of SAs, and the existence of an urgent need to act despite the
ongoing process led by the IE SA, as motivated above in Section 4.2 of this urgent binding decision, the
EDPB considers that, at this point of time, there is a need to order final measures as further
enforcement measures are necessary.
278. With respect to the possible content of the specific final measures, the EDPB considers that it can
order final measures other than the provisional measures adopted under Article 66(1) GDPR or than
those referred to in the request made pursuant to Article 66(2) GDPR. The GDPR does not indeed
provide such limitations on the final measures, and the EDPB, while taking into consideration the
request made pursuant to Article 66(2) GDPR as well the other elements of the file, is entrusted to
ensure the correct and consistent application of GDPR when performing activities under the
consistency mechanism 515. Therefore, the EDPB is competent under Article 66(2) GDPR to order the
final measures that are appropriate on the basis of the circumstances of the case.
279. Inthecaseathand,theEDPBconsidersitappropriatetoanalysewhetherabanonprocessingshould
beimposed, bearing in mind that the NOSA Request to the EDPB asksthat ‘finalmeasures, inlinewith
516
the provisional measures [the NO SA] imposed in Norway, be imminently adopted’ , and that the NO
SA Order included a prohibition from processing personal data of data subjects residing in Norway for
behavioural advertising on the basis of Article 6(1)(b) GDPR or Article 6(1)(f) GDPR.
280. Inrespect of thepossible impositionof aban onprocessing,theIE SAconsiders that ‘the formoforder
sought by the [NO SA] is not one that could lawfully be delivered by the [IE SA] in the manner now
517
demanded’ . Thisis,first, because the EDPBdeclined toinstruct theIESA to imposeatemporaryban
512
513etter from the IE SA to the NO SA of 13 October 2023, p. 5.
Letter from the IE SA to the NO SA of 27 September 2023, p. 4.
514
EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284.
51Art. 63 GDPR, Art. 65 GDPR, Art. 70(1) GDPR, Art. 70(1)(a) GDPR, and Art. 70(1)(t) GDPR.
51NO SA Request to the EDPB, p. 12.
51Letter from the IE SA to the NO SA of 27 September 2023, p. 3.
Adopted 70 in the EDPB Binding Decisions 518, and secondly because the IE SA Decisions ‘made provision for
enforcement measures, namely, the orders for compliance, under which [Meta IE]’s proposals for the
adoption of one or more alternative legal bases for the Processing Operations would be assessed, and
ruled on, on their respective merits’ 51. The IE SA concludes that ‘the EDPB recognised, explicitly, that
a process would need to be put in place in which the Controller would identify the means by which it
proposed to achieve compliance with its obligations, and, further, that, acting together in the context
of the co-operation and consistency mechanism provided for at Chapter VII of the GDPR, the [IE SA]
and the CSAs would in turn be required to test those proposals and assess whether or not they are
sufficient to achieve compliance with the requirements of Article 6(1) [GDPR] and the [IE SA]
520
Decisions’ .
281. According to the IE SA, the imposition of a ban on processing ‘which is isolated and divorced from any
underlying legal procedure would inevitably expose the [IE SA] to significant legal risk and lead to
litigation’,wheretheIESA‘wouldbecalledontojustifyitsdecisiontodepartfromthecourseofaction
rooted in [the IE SA Decisions] (uncontested by the EDPB and/or the CSAs), in favour of an alternative,
521
summary procedure involving the immediate imposition of a ban on processing’ . In this regard the
IE SA also argues that ‘it is inaccurate to suggest that the [IE SA] could impose an immediate ban on
processing, whilst continuing to progress its assessment of [Meta IE]’s proposed consent model, in
conjunction with its CSA colleagues’ 52.
282. In this respect, the EDPB highlights that the fact that it chose not to instruct the IE SA to impose a
temporary ban in the EDPB Binding Decisions, considering at that time that the imposition of an order
to bring processing into compliance within a short time frame would be appropriate, does not in itself
rule out the possibility than a ban would be needed today. Likewise, the fact that the IE SA Decisions,
adopted on the basis of the EDPB Binding Decisions, do not provide for a ban on processing does not
prevent the EDPB from ordering final measures in the form of a ban on processing in the context of
this urgent procedure, taking into account the facts that occurred following the adoption of the IE SA
Decisions. In this regard, the EDPB also recalls that the IE SA acknowledged in the IE SA Final Position
523
Paper that ‘enforcement measures may [...] have been necessary at this juncture’ .
283. In the next paragraphs, the EDPB will assess the appropriateness, necessity and proportionality of a
ban on processing. Article 58(2)(f) GDPR provides supervisory authorities with the power to impose a
temporary or definitive limitation including a ban on processing.
284. Recital 129 GDPR provides elements to assess whether a specific measure is appropriate. More
specifically, consideration should be given to ensuring that the measure chosen does not create
‘superfluous costs’ and ‘excessive inconveniences’ for the persons concerned in light of the objective
pursued. When choosing the appropriate corrective measure, there is a need to assess whether the
chosen measure is necessary to enforce the GDPR and achieve protection of the data subjects with
regard to the processing of their personal data, which is the objective being pursued. Compliance with
518Letter from the IE SA to the NO SA of 27 September 2023, p. 3. See also Letter from the IE SA to the NO SA of
13 October 2023, p. 3-4 (where the IE SA also states the EDPB did not instruct the IE SA to adopt an automatic
ban or a ban to be imposed should Meta IE fail to achieve compliance within a defined date).
519
520Letter from the IE SA to the NO SA of 27 September 2023, p. 3.
Letter from the IE SA to the NO SA of 13 October 2023, p. 4.
521Letter from the IE SA to the NO SA of 27 September 2023, p. 4.
522Letter from the IE SA to the NO SA of 27 September 2023, p. 4.
523IE SA Final Position Paper, paragraph 9.2.
Adopted 71 the principle of proportionality requires ensuring that the chosen measure does not create
disproportionate disadvantages in relation to the aim pursued 52.
285. As a first element, the EDPB would like to recall its reasoning in the EDPB Binding Decisions. In such
decisions, as pointed out by the IE SA and by Meta IE, the EDPB analysed at that point of time whether
a ban constituted an appropriate corrective measure to be imposed in the IE SA Decisions, due to the
presence of some relevant and reasoned objections putting forward this request 52. Several of the
elements that the EDPB considered at the time are helpful to be considered in this urgent binding
decision, too.
286. The EDPB highlighted in the EDPB Binding Decisions that the infringement of Article 6(1) GDPR found
in the case at hand constituted a very serious situation of non-compliance with the GDPR, in relation
to processing of extensive amounts of data, which is essential to the controller’s business model, thus
harming the rights and freedoms of millions of data subjects in the EEA; therefore, the corrective
measure chosen in the circumstances of this case should aim to bring the processing into compliance
with the GDPR thus minimising the potential harm to data subjects created by the violations of the
526
GDPR .
287. Therefore, according to the EDPB Binding Decisions, considering the nature and gravity of the
infringementofArticle6(1)(b)GDPR,aswellasthenumberofdatasubjectsaffected,itwasparticularly
important that appropriate corrective measures be imposed, in addition to a fine, in order to ensure
that Meta IE complies with this provision of the GDPR 52.
288. It is also important to note that the EDPB considered that it is not necessary to establish an urgent
necessity for imposing a temporary ban because nothing in the GDPR limits the application of Article
58(2)(f) GDPR to exceptional circumstances 52.
289. While in the EDPB Binding Decisions the EDPB took note of the elements raised by the objections to
justify the need for imposing a temporary ban, consisting in essence in the need to halt the processing
activities that are being undertaken in violation of the GDPR until compliance is ensured in order to
avoid further prejudicing data subject rights, it considered that the objective of ensuring compliance
and bringing the harm to the data subjects to an end could be adequately met also by amending the
order to bring processing into compliance envisaged in the IE SA draft decisions to reflect Meta IE’s
524EDPB Binding Decision 3/2022, paragraph 284 and EDPB Binding Decision 4/2022, paragraph 286.
525More specifically, in the dispute leading to the adoption of EDPB Binding Decision 3/2022, certain objections
requestedtheimpositionofabanorlimitationonprocessingoranordertoabstainfromtheprocessingactivities
intheabsenceofavalidlegalbasis(inparticular,theobjectionsoftheAT,NL,DEandNOSAs).TheEDPBanalysed
the merits of the objections of the AT and NL SAs (found to be relevant and reasoned in paragraph 266 of EDPB
Binding Decision 3/22) and did not take any position on the merits of the other objections on this matter that
were found to be not relevant and reasoned, namely the objections of the DE and NO SAs (see paragraph 268 of
Binding Decision 3/2022).
Concerning, instead, the dispute leading to the adoption of EDPB Binding Decision 4/2022, certain objections
requestedtheimpositionofabanorlimitationonprocessingoranordertoabstainfromtheprocessingactivities
intheabsenceofavalidlegalbasis(inparticular,theobjectionsoftheAT,NL,DEandNOSAs).TheEDPBanalysed
the merits of the objections of the AT and NL SAs (found to be relevant and reasoned in paragraph 269 of EDPB
Binding Decision 4/2022) and did not take any position on the merits of the other objections on this matter that
were found to be not relevant and reasoned, namely the objections of the DE and NO SAs (see paragraph 271 of
Binding Decision 4/2022).
526EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284.
527EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281.
528EDPB Binding Decision 3/2022, paragraph 283 and EDPB Binding Decision 4/2022, paragraph 285.
Adopted 72 infringement of Article 6(1) GDPR 529. The EDPB noted in this regard that this measure would require
Meta IE to put in place the necessary technical and operational measures to achieve compliance
within a set timeframe 530. Such timeframe was established to be necessarily a ‘short period of
531
time’ .The EDPB Binding Decisions comprised, eventually, instructions to the IE SA to include in the
IE SA Decisions orders for Meta IE to bring its processing of personal data for the purpose of
behavioural advertising in the context of the Facebook service into compliance with Article 6(1) GDPR
within three months 53. In this respect, the EDPB considered this deadline for compliance to be
necessary and proportionate, considering that the interim period for compliance ‘will involve a
serious ongoing deprivation of their rights’ and the significant financial, technological, and human
533
resources available to Meta IE .
290. The fact that the three-month timeframe has expired several months ago is an important element to
be considered, that marks a significant difference compared to the situation that the EDPB analysed in
the EDPB Binding Decisions. Already the three-month interim period for compliance was considered
by the EDPB to involve ‘a serious ongoing deprivation’ of data subjects’ rights: the need to ensure that
this deprivation comes to an end is therefore even clearer now that three times the time initially
envisaged has passed.
291. As a consequence, the reasoning of the EDPB in the EDPB Binding Decisions on whether a ban needed
to be imposed in the IE SA Decisions provides arguments in favour of considering that the imposition
of a ban would be appropriate, necessary and proportionate today, rather than against this.
292. The EDPB also takes note of the NO SA’s argument that Meta IE has a ‘readily available procedure to
terminate this processing rapidly’, as it already implemented an objection mechanism in the EEA in
relation to its processing for behavioural advertising in reliance of Article 6(1)(f) GDPR, which allows
the suspension of the processing 53.
293. The EDPB also notes Meta IE’s argument that a short implementation deadline would not be
feasible535, considering the need for a complex process for the implementation of a ban involving
536
several teams and many hours of work . More specifically, Meta contests that it can comply ‘(i)
through blanket application of the [objection mechanism] to all users across the EEA, and then “as a
next step” (ii) “expanding the [objection mechanism] to include categories of data processing covered
by the [NO SA Order]”, since already the NO SA acknowledges for step (ii) that this “would require
537
redesigning the [objection mechanism]”’ .
529EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287. In reaching
thisconclusion,theEDPBhighlightedthatcompliancewiththeprincipleofproportionalityrequiresensuringthat
the chosen measure does not create disproportionate disadvantages in relation to the aim pursued, and Recital
129 GDPR provides that consideration should be given to ensuring that the measure chosen does not create
‘superfluous costs’ and ‘excessive inconveniences’ for the persons concerned in light of the objective pursued.
EDPB Binding Decision 3/2022, paragraph 284 and EDPB Binding Decision 4/2022, paragraph 286.
530EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287.
531EDPB Binding Decision 3/2022, paragraph 286 and EDPB Binding Decision 4/2022, paragraph 288.
532EDPB Binding Decision 3/2022, paragraph 288 and EDPB Binding Decision 4/2022, paragraph 290.
533
EDPB Binding Decision 3/2022, paragraph 286 and EDPB Binding Decision 4/2022, paragraph 288.
534NO SA Request to the EDPB, p. 12-13.
535Meta IE’s Submissions of 26 September 2023, p. 15.
536Meta IE’s Submissions of 26 September 2023, p. 15.
537
Meta IE’s Submissions of 26 September 2023, p. 15 (‘Ignoring [Meta IE]’s arguments, the [NO SA] claims that
[Meta IE] can comply (i) through blanket application of the [objection mechanism] to all users across the EEA,
and then “as a next step” (ii) expanding the [objection mechanism] to include categories of data processing
Adopted 73294. According to the EDPB, the NO SA’s argument on the existence of the objection mechanism is
reasonableatleastforwhatconcernstheprocessingcurrentlycarriedoutonthebasisofArticle6(1)(f)
GDPR (i.e. the majority of the processing of personal data collected on Meta’s products currently
538
carried out for the purposes of behavioural advertising) , also considering that Meta IE did not
explain why for the processing based on Article 6(1)(f) GDPR a ‘redesigning’ of the mechanism would
benecessary;also,MetaIEconfirmsthat‘allrelevantobjections’arehonouredleadingtothe‘theuser
[being] “opted out” of this processing’ 539.
295. Additionally, while certainly the imposition of a ban causes significant disadvantages to the
540
controller , the EDPB considers that such disadvantages are not at this point in time, per se,
disproportionate compared to the harm caused to data subjects by the unlawful processing and
continued non-compliance. In this regard, moreover, the EDPB notes that the controller was granted
the opportunity to take remedies without facing these disadvantages. As highlighted above 541, several
months have passed since the adoption of the IE SA Decisions and the expiry of the deadline for the
orders to bring processing into compliance contained therein. At this stage, the controller has
undertaken efforts to comply with the GDPR but compliance has not yet been achieved, as indicated
in the IE SA Final Position Paper, and there is still no clear indication that compliance will be reached
soon 542.The impositionofan orderto bringprocessing intocompliancewithin ashortdeadline didnot
succeed in reaching the objective it pursued, consisting in ‘ensuring compliance and bringing the harm
to the data subjects to an end’ 54.
covered by the [NO SA Order]. As the [NO SA]’s argument itself acknowledges in step (ii), compliance with the
[NO SA Order] (or an urgent binding EDPB decision based on the [NO SA Order]) would require redesigning the
[objection mechanism]. As a reminder, building the supporting infrastructure and rolling out the [objection
mechanism] entailed hundreds of thousands of hours of work by multi-disciplinary teams including product,
machine learning and infrastructure engineers, user experience designers, operations, policy, marketing and
legal to design, build and implement the systems, processes and user experience required to enable [Meta IE] to
meet the different requirements of Article 6(1)(f) GDPR. The [NO SA]’s speculative assertion that this could form
some sort of instant compliance solution is fundamentally flawed’).
538See Meta IE Compliance Report on IE SA FB Decision, paragraphs 3.1.3 and 5.8.2, and Meta IE Compliance
Report on IE SA IG Decision, paragraphs 3.1.3 and 5.8.2. See also paragraphs 103-106 above.
539
Meta IE’s Merits Complaint submitted to the Oslo District Court on 16 October 2023, p. 14-15 (‘since the
launch of the Objection Mechanism, Meta [IE] has honoured all relevant objections without qualification and
without undertaking a balancing assessment to determine whether it has compelling legitimate grounds to
override the user’s objection. All that is checked is that the objection (i) relates to behavioural advertising
processing that Meta [IE] presentlyundertakes underArticle 6(1)(f) GDPR, and(ii) is submitted byagenuineuser
based in the EU/EEA (to confirm Meta [IE] is the controller and the GDPR applies). As soon as Meta [IE]’s
operations team have confirmed (i) and (ii) based on the limited information that the user is asked to provide,
the user is “opted-out” of this processing’).
This is without prejudice to the conclusion of the IE SA in the IE SA Final Position Paper whereby the compliance
withtheGDPRoftheobjectionmechanismsetupbyMetaIEhasnotbeendemonstrated(paragraphs7.60-7.66).
540In Meta IE’s Letter to the NO SA of 14 August 2023, Meta IE lists challenges possibly arising from ‘stopping’
processingofpersonaldataofNorwegianusersforbehaviouraladvertisingpurposes,involvingtheneedtomake
changestoMetaIE’scodeandrelatedinfrastructure,informusers,provideadvertiserswithappropriateadvance
notice, waiting for users to update their apps. Meta IE also highlights the possible damage arising from a
suspension of behavioural advertising in Norway, connected to lost revenue, reputational harm, and future
revenue losses (p. 8-10).
541See paragraph 290 above. See also Meta Ireland’s Submissions of 25 August 2023, p. 23-24; Letter from Meta
542land to NO SA of 14 August 2023, p. 8-9.
See also Meta IE’s Submissions of 25 August 2023, p. 23-24; Letter from Meta IE to NO SA of 14 August 2023,
p. 8-9. .
543EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287.
Adopted 74296. In light of the elements above, the EDPB considers it appropriate, necessary and proportionate to
order final measures consisting in a ban on processing, to be adopted on the basis of Article 58(2)(f)
GDPR.
297. The EDPB considers that, in this particular case, it would be proportionate that a period of
implementation be provided to enable Meta IE to implement it.
298. The EDPB seizes the occasion to specify that also the NO SA Order was issued on 14 July 2023 but
544
envisaged that it would only become applicable as of 4 August 2023 .
299. At the same time, the period of implementation should be a short one, in light of the urgency of the
situationasdescribedextensivelyinthesectionsaboveofthisurgentbindingdecisionandinparticular
of the urgent need to put an end to the unlawful processing being carried out to the detriment of data
subjects.
300. AccordingtotheEDPB,inlightoftheelementsinthefile,theimplementationofabaninashortperiod
of time should be technically and practically feasible for Meta IE. This is in particular the case
considering that Meta IE already envisages the implementation of a consent mechanism
. Additionally, Meta IE has been aware of the need to bring the unlawful processing to
an end since the notification of the IE SA Decisions adopted in December 2022.
301. Therefore, the EDPB considers that, in this particular case, it is proportionate for the ban on
processing to be effective one week after the notification of the final measures to the controller.
302. Additionally, the EDPB clarifies that the ban should refer to Meta IE’s processing of personal data
collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b)
GDPRandArticle6(1)(f)GDPR.Theprocessingactivitiestowhich thebanrefersare:(i)theprocessing
of personal data, including location data and advertisement interaction data, collected on Meta’s
products for behavioural advertising purposes, having established in this respect the infringement of
Article6(1)GDPRarisingfrominappropriaterelianceonArticle6(1)(b)GDPR;(ii)processingofpersonal
data collected on Meta’s products for behavioural advertising purposes, having ascertained in this
respect the infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(f)
545
GDPR .
303. The EDPB considers that, in general, the geographical scope of the final measures ordered pursuant
to Article 66(2)GDPR should be broader than the territory of the requesting SA. While it is provided by
Article 66(1) GDPR that the urgent provisional measures adopted by a requesting SA only apply to the
territory of that SA, the intervention of the EDPB aims to ensure a consistent application of the GDPR,
in light of Articles 63 and 70 GDPR. The final measures should therefore have a broader geographical
scope to ensure the protection of the rights and freedoms of all the data subjects affected; this scope
can, depending on the matter, cover several Member States 546. The NO SA requested that final
measures, if any, ‘should be applied EEA-wide, to avoid derogating from the harmonisation and
consistency that the GDPR aims to ensure’ 547. Since in this case the unlawful processing takes place
and affect the rights and freedom of data subjects in the entire EEA, the EDPB agrees that the
appropriate territorial scope is for the final measures to be applicable throughout the entire EEA, and
54NO SA Order, p. 3-4.
54A more thorough analysis can be found above in paragraphs 97-99, 103-104, 147-148 and 152-153.
54EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the
Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679,
paragraph 114.
54NO SA Request to the EDPB, p. 12.
Adopted 75 concurswiththeNOSAontheneedtoavoidfragmentationintheprotectionaffordedtodatasubjects.
Limiting the scope of the final measures to the Norwegian territory would indeed lead to
fragmentation in the protection as it would require each CSAs to adopt provisional measures on its
own territory under Article 66(1) GDPR and to request an EDPB urgent binding decision under Article
66(2) GDPR leading to the need to adopt final measures limited to their own territory. Such situation
could also result in a patchwork of final measures and a fragmentation in countries where the SA has
not acted 54.
304. The EDPB considers that the addressee of the final measures consisting of a ban on processing should
beMetaIE,whichshalltakethenecessarymeasurestoensurecompliancewiththedecisionasregards
processing activities in the context of all its establishments in the EEA. In line with this, and since
Facebook Norway was subject to the NO SA Order alongside Meta IE and considering its submissions,
Facebook Norway – which is the Norwegian establishment of Meta IE – should be informed of the
outcome and receive a copy of the final measures and of the EDPB urgent binding decision.
5.1.4 Conclusion
305. In light of all the elements above, the EDPB considers it necessary to order final measures, consisting
in a ban on processing pursuant to Article 58(2)(f) GDPR.
306. This ban on processing should be addressed to Meta IE, and become effective one week after the
notification of the final measures to them.
307. The EDPB considers that the ban should refer to Meta IE’s processing of personal data for behavioural
advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR across the entire
EEA, as described above in paragraphs 303-304.
5.2 Adoption of the final measures and notification to the controller
308. The GDPR does not specify the procedural steps to be taken following the adoption of an urgent
binding decision by the EDPB pursuant to Article 66(2) GDPR. It is however important to note that the
two-weekdeadlineforadoptionisspecified‘byderogationfrom[...]Article65(2)[GDPR]’(Article66(4)
GDPR). Consequently, the EDPB considers that, in addition to Article 65(2) GDPR, the procedure set by
Article 65(5) GDPR and Article 65(6) GDPR represents a point of reference.
309. The EDPB’s urgent binding decision shall be addressed to the LSA and to all the CSAs and be binding
on them 54. The Chair of the Board shall notify, without undue delay, the urgent binding decision to
550
the supervisory authorities concerned, and inform the European Commission thereof .
310. Taking into consideration that the final measures will have to be applicable throughout the entire EEA
(as provided in the above sections 5.1.3 and 5.1.4), the EDPB considers that the IESA, in its role of LSA,
will have to adopt a national decision imposing the measures that the EDPB has considered necessary
548
EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the
Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679,
paragraph 115.
549Art. 65(2) GDPR. According to Art. 66(4) GDPR, this provision is derogated in respect of the deadline for
adoption; therefore, the last sentence of Art. 65(2) GDPR fully applies.
55See Art. 65(5) GDPR. Considering the fact that the NO SA was the SA making the request pursuant to Article
66(2), the EDPB will also inform the EFTA Surveillance Authority, in light of Article 1, second paragraph, letter m
of Decision of the EEA Joint Committee No. 154/2018.
Adopted 76 551
to order as final measures pursuant to Article 66(2) GDPR . This was already envisaged by the IE SA
itself5.
311. While the procedure set by Article 65(5) GDPR and Article 65(6) GDPR represents a point of reference,
as mentioned above, the EDPB considers that the deadline set in Article 65(6) for the SA to adopt its
national decision (one month in Article 65 proceedings) may need to be shortened, on a case by case
basis, in Article 66 proceedings. The urgency of the procedure is highlighted by the shortening of the
deadline for the Board to adopt its urgent binding decision or opinion under Article 66(4) GDPR. It
would therefore counterintuitive, and against the legislator’s will, to imagine that the deadline for the
SA to adopt its national decision should remain unchanged in Article 66 proceedings. While the EDPB
acknowledges the need for time allowing the SA to draft a national decision and possibly hear the
company, in this particular case it is necessary to bear in mind the date of expiry of the Provisional
Measures (3 November 2023) as well as the prolonged situation of non-compliance leading to the
urgency of the situation as described above.
312. In this case, the EDPB considers that the national decision needs to be adopted by the IE SA without
undue delay and at the latest by two weeks after the EDPB has notified its urgent binding decision
totheIESAandtoalltheCSAs.TheEDPBhighlights,inthisregard,thatadoptingthenationaldecision
prior to the expiry of the Provisional Measures on 3 November 2023 would be desirable as it would
allow avoiding a gap in the legal situation for what concerns the Norwegian territory. Additionally, the
IE SA will have to notify the national decision to Meta IE, attaching the urgent binding decision 553.
313. The EDPB also requests the NO SA to inform Facebook Norway about the outcome of these
proceedings, by sharing a copy of the national decision of the IE SA and of the urgent binding decision,
following the notification by the IE SA of its national decision to Meta IE.
6 URGENT BINDING DECISION
314. In light of the above and in accordance with the tasks of the EDPB under Article 70(1)(t) GDPR to issue
urgent binding decisions pursuant to Article 66 GDPR, the Board issues the following binding decision
in accordance with Article 66(2) GDPR.
315. As regards the existence of infringements, based on the evidence provided, the EDPB concludes that
there is an ongoing infringement of Article 6(1) GDPR arising from inappropriate reliance on Article
6(1)(b) GDPR for processing of personal data, including location data and advertisement interaction
data, collected on Meta’s products for behavioural advertising purposes.
316. The EDPB also concludes that there is an ongoing infringement of Article 6(1) GDPR arising from
inappropriate reliance on Article 6(1)(f) GDPR for processing personal data collected on Meta’s
products for behavioural advertising purposes.
317. In addition, the EDPB concludes that Meta IE is currently in breach of its duty to comply with decisions
by supervisory authorities.
55See Art. 65(6) GDPR.
55The IE SA considers theNO SA Requestto the EDPB seeksto obtain an urgentbindingdecision from the EDPB,
‘the net effect of which would be to compel the [IE SA], as LSA, to impose an EEA-wide ban (...) (In that regard, it
is ofcoursethecasethat itisnotopentotheEDPBtoexercise correctivepowersdirectly asagainst any controller
553processor)’. Letter from the IE SA to the NO SA of 13 October 2023, p. 3.
As described in Art. 65(6) GDPR and paragraph 308 above.
Adopted 77318. On the existence of urgency, the EDPB considers that, the urgent need to order final measures is clear
in light of the risks that the infringements represent for the rights and freedoms of the data subjects
554
without the adoption of final measures . Because of such risks, the EDPB also finds that there is a
need to derogate from the regular cooperation and consistency mechanisms to order final measures
due to the urgency of the situation 555.
319. The EDPBalsoconsiders that the IE SA, bynot providing theinformation referredin Article 61(5) GDPR
within the one-month deadline, failed to address the NO SA Mutual Assistance Request and that the
presumption of urgency set by Article 61(8) GDPR is therefore applicable in this specific case, which
further corroborates the need to derogate from the regular cooperation and consistency
mechanisms 55.
320. ConsideringtheexistenceoftheaforementionedongoinginfringementsoftheGDPRandtheexistence
of an urgent need to act despite the ongoing process led by the IE SA, the EDPB considers that, at this
point of time, further enforcement measures are necessary.
321. Therefore,inlightoftheanalysiscarriedoutabove 557theEDPBconsidersitappropriate,proportionate
and necessary to order final measures, consisting in a ban on processing pursuant to Article 58(2)(f)
GDPR.
322. This ban on processing should be addressed to Meta IE, and become effective one week after the
notification of the final measures to them.
323. The EDPB considers that the ban should refer to Meta IE’s processing of personal data collected on
Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article
6(1)(f) GDPR across the entire EEA. The processing activities to which the ban refers are: (i) the
processing of personal data, including location data and advertisement interaction data, collected on
Meta’s products for behavioural advertising purposes, having established in this respect the
infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(b) GDPR; (ii)
processing of personal data collected on Meta’s products for behavioural advertising purposes, having
ascertained in this respect the infringement of Article 6(1) GDPR arising from inappropriate reliance
on Article 6(1)(f) GDPR.
324. The EDPB instructs the IE SA to adopt a national decision containing the final measures ordered by the
EDPBwithoutunduedelayandatthelatestbytwoweeksaftertheEDPBhasnotifieditsurgentbinding
decision to the IE SA and to all the CSAs. The IE SA shall notify the national decision, attaching the
urgent binding decision of the EDPB, to Meta IE without undue delay.
325. The EDPB instructs the NO SA to inform Facebook Norway about the outcome of these proceedings.
7 FINAL REMARKS
326. This urgent binding decision is addressed to the IE SA, the NO SA and all the other CSAs.
327. TheEDPBconsidersthatitscurrentdecisioniswithoutanyprejudicetoanyassessmentstheEDPBmay
be called upon to make in other cases, including with the same parties.
55See section 4.2.1.3 above.
555
556ee paragraph 220 above.
See section 4.2.2.3 above, including paragraph 257.
55See Sections 5.1.3 and 5.1.4 above.
Adopted 78328. TheIESAshalladoptitsnationaldecisionnolaterthantwoweeksafternotificationoftheEDPBurgent
binding decision.
329. The IE SA shall notify its national decision and this urgent binding decision to Meta IE without undue
delay. The IE SA shall inform the EDPB of the date when the national decision is notified to the
controller.
330. The NO SA shall inform Facebook Norway of the outcome of these proceedings without undue delay
after the notification of the national decision to Meta IE.
331. The IE SA will communicate itsfinal decisionto the EDPB.Pursuant to Article 70(1)(y)GDPR, theIE SA’s
final decision communicated to the EDPB will be included in the register of decisions that have been
subject to the consistency mechanism.
For the European Data Protection Board
The Chair
(Anu Talus)
Adopted 79
