EDPB - Urgent Binding Decision 01/2023
EDPB - Urgent Binding Decision 01/2023 | |
---|---|
Authority: | EDPB |
Jurisdiction: | European Union |
Relevant Law: | Article 6(1)(f) GDPR Article 6(1)(b) GDPR Article 58(2)(f) GDPR Article 60 GDPR Article 61 GDPR Article 66 GDPR Article 66(2) GDPR Article 41 CFREU |
Type: | Other |
Outcome: | n/a |
Started: | 26.09.2023 |
Decided: | 27.10.2023 |
Published: | 07.12.2023 |
Fine: | n/a |
Parties: | Meta Platfroms Ireland Ltd |
National Case Number/Name: | Urgent Binding Decision 01/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | co |
The EDPB issued an urgent binding decision pursuant to Article 66(2) GDPR ordering a ban on Meta Platforms Ireland’s processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR .
English Summary
Facts
On 31 December 2022, the Irish DPC as Lead Supervisory Authority in a cross-border case, issued two final decisions concerning, respectively Meta’s Facebook and Instagram services as controllers. These were adopted on the basis of two binding decisions by the EDPB, Binding Decisions 3/2022 and 4/2022 adopted by the EDPB on 5 December 2022 pursuant to Article 65(1)(a) GDPR.
On 5 April 2023, the DPC communicated to the concerned supervisory authorities (CSAs) via the IMI system Meta’s compliance reports showing their efforts to comply with the decisions by the DPC. In these reports, Meta stated that it changed its legal basis for behavioural advertising from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR, backed by a legitimate Interest assessments. These documents were submitted to the CSAs so that they could assess whether the measures adopted by Meta could be considered effective in guaranteeing compliance with the orders in the DPC decision.
The Norwegian DPA (Datatilsynet) communicated to the DPC that it had doubts regarding the legitimacy of Meta’s choice of Article 6(1)(f) GDPR as a legal basis. Thereafter, the DPC shared two other letters from Meta to the CSAs substantiating its compliance efforts and the CSAs submitted their opinion to the DPC which were then sent back to Meta for feedback. On 5 May 2023, the Norwegian DPA transmitted a mutual assistance request to the DPC under Article 61(1) GDPR, asking the DPC to order a temporary ban on Meta’s processing for purposes of behavioural advertising based on Article 6(1)(f) GDPR and requesting the DPC to specify how it will ensure that Meta complies with Article 6(1) GDPR. On 30 May 2023, the Dutch DPA also asked the Irish DPC to provide its conclusions on the compliance efforts undertaken by Meta in a mutual assistance request under Article 61 GDPR. The DPC stated that it would be able to respond to the mutual assistance requests and draw its conclusion on the compliance reports only at the end of June 2023. The DPC also replied to the Norwegian DPA request for mutual assistance stating that it could not comply with it. The Norwegian DPA asked the DPC to at least inform it as to whether it would potentially follow the Norwegian DPA’s mutual assistance request, but indicated that it would still wait for the DPC's position at the end of June.
On 13 June 2023, however, the DPC stated that it would share its provisional assessment only after the delivery of CJEU judgment in case C-252/21 Meta Platforms and Others v Bundeskartellamt in July. Following the publication of judgment, the Irish DPC issued a provisional position paper with its preliminary conclusion on 11 July 2023, stating that Meta failed to comply with the orders of its decisions. The DPC’s provisional position paper was then submitted to the CSAs for feedback.
Preoccupied by the inactivity of the DPC, the Norwegian DPA imposed a temporary ban on Meta and Facebook Norway on the processing of personal data of Norwegian data subjects for purposes of behavioural advertising based on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR on 14 July 2023. After a further set of exchanges between Meta and the Norwegian DPA, and Meta’s statement that it would shift to Article 6(1)(a) GDPR as a legal basis, the Norwegian DPA imposed a coercive fine on Meta and Facebook Norway for non-compliance with its order.
On 18 August 2023, the DPC communicated to the CSAs its final position on Meta’s compliance with its decisions and concluded that Meta failed to demonstrate compliance but that it was reasonable to give Meta a chance to rely on consent as a legal basis.
On 21 September 2023, the Norwegian DPA submitted to the DPC its view on the state of the proceedings and argued that it still considered the adoption of urgent measures necessary, asking the DPC to reconsider its position.
Given the negative response of the DPC, on 26 September 2023, the Norwegian DPA made a request to the EDPB to issue an urgent binding decision under Article 66(2) GDPR, asking that final measures be adopted.
Holding
First of all, the EDPB Secretariat assessed the request and asked the Norwegian DPA to submit further documentation paying particular attention to scrutinize the right to good administration under Article 41 CFREU. On 17 October, the EDPB assessed the completeness of the file and established its competence to deal with the request to issue an urgent binding decision.
1. Competence of the EDPB
For the EDPB to be competent to issue an urgent binding decision, two conditions must be given, namely: that a DPA has taken provisional measures under Article 66(1) GDPR and the same DPA made a request to issue a binding decision under Article 66(2) GDPR. In this case, the Norwegian DPA followed these two steps, hence the EDPB considered itself competent to deal with the request.
2. The right to good administration
In the second place, the EDPB made sure to act in accordance with the right to good administration under Article 41 of the Chartere of Fundamental Rights of the European Union (CFREU) and Article 11(1) of the EDPB Rules of Procedure. It also considered Meta’s position and ascertained that all the documents it received were also known to Meta, so that the procedure would respect Meta’s right to be heard. The EDPB concluded that Meta did not have an opportunity to make its views known on the procedure and asked Meta to provide written submissions.
3. On the need to request final measures
Further, the EDPB considered whether the adoption of urgent final measures was necessary, which is the case when one or several infringements exist and when an urgency situation justifies derogation from the ordinary procedure.
3.1.Infringments of the GDPR
First, as regards the existence of GDPR infringement(s) by Meta, the EDPB considered both the position of the Norwegian DPA and of the DPC in relation to the reliance of Meta on Article 6(1)(b) GDPR for behavioural advertising. The EDPB concluded that Meta was still processing location data and advertisement interaction data for purposes of behavioural advertising relying on Article 6(1)(b) GDPR, although it was previously declared unlawful by the DPC. Hence the EDPB held that Meta was still acting in violation of Article 6(1) GDPR.
Secondly, the EDPB assessed whether Meta was still processing personal data for purposes of behavioural advertising on the basis of Article 6(1)(f) GDPR. The EDPB considered that in line with the DPC’s decision, Meta was supposed to bring its processing into compliance with Article 6(1) GDPR, specifying that it may include but is “not limited to the identification of an appropriate alternative legal basis”.
The EDPB assessed the existence of the three cumulative conditions needed to satisfy the requirements of Article 6(1)(f) GDPR and concluded that Meta unlawfully relied on Article 6(1)(f) GDPR as a legal basis, since “the interests and fundamental rights of data subjects override the legitimate interests put forward by Meta IE for the processing of personal data collected on Meta’s products for the purposes of behavioural advertising”
In light of these findings, the EDPB concluded that there was an ongoing infringement of Article 6(1) GDPR by Meta.
Thirdly, the EDPB considered Meta’s infringement of the duty to comply with decisions by supervisory authorities, against Article 60(10) GDPR, which constitutes an independent violation of the GDPR. On he basis of the positions of the Irish and Norwgian DPAs, the EDPB held that “Meta IE did not achieve compliance with the IE SA Decisions within the deadline for compliance and is therefore currently in breach of its duty to comply with decisions by supervisory authorities.”
3.2. Urgency
The EDPB reiterated in its decision that the issuing of an urgent binding decision is an exceptional circumstance and it can only be granted if the regular consistency mechanism cannot be applied due to such urgency, as per Article 66(2) GDPR.
First, the EDPB assessed the existence of urgency on the basis of the position of the Norwegian DPA, the elements in the file and the circumstances of the infringement, that is the nature, gravity, duration and number of data subjects affected by the infringement. In this regard, the EDPB held, as it also previously stated in its binding decisions that the nature and gravity of the infringements were significant. Also the duration of the infringement was considered. In particular, “the fact that the processing activities are still performed without reliance on an appropriate legal basis represents an element in favour of concluding that there is an urgent need for final measures to be adopted”.
Hence the EDPB concluded that “failing to put an end to the processing activities at stake and to enforce the IE SA Decisions exposes data subjects to a risk of serious and irreparable harm”.
Secondly, the EDPB addressed the necessity to derogate from the standard cooperation and consistency mechanism, and it concluded that the fact that the DPC did not adopt any final measures to put an end to Meta’s GDPR infringements despite the risk of serious and irreparable harm for data subjects “shows that the regular cooperation and consistency mechanism is not providing satisfactory results”.
Thirdly, the EDPB examined whether the legal presumption of urgency provided in Article 61(8) GDPR was given in the case in question. Under Article 61(8) GDPR, if a DPA does not provide the information requested in a mutual assistance request within one month, urgency will be presumed. In this case, the Norwegian DPA had made such a request but received an unmotivated negative answer from the Irish DPC. The EDPB reiterated the importance of the cooperation mechanism and the fact that mutual assistance is at the core of such cooperation. Further, the authorities receiving a mutual assistance request have a series of procedural and substantive obligations under Article 61 GDPR to respond to such request. The EDPB also stressed that the mutual assistance request is a one-to-one procedure between the requesting and requested authorities. From a procedural point of view, the EDPB considered that the Irish DPC fulfilled its duty to respond to the request within the established time limit. As regards the substance of the reply by the DPC, however, the EDPB held that even though the DPC later explained that its answer that it could not comply with the request was a mistake, the DPC “does not state it tried to amend its answer – for instance to provide the reasons for any refusal to comply with the request - or sought assistance to do so within the one-month deadline.”
Under Article 61(4) GDPR, the DPC might have refused to comply with the request but it also needed to give reasons explaining that compliance would infringe the GDPR or Member state law. Hence, the EDPB concluded that the DPC failed to provide a substantive reasoned response to the Norwegian DPA’s mutual assistance request within one month, thus the urgency could be presumed in accordance with Article 61(8) GDPR.
4. On the appropriate final measures
In its last point, the EDPB considered all the elements brought forward by the DPAs and the nature, gravity and duration of the infringements by Meta in order to assess the appropriateness of a ban on processing as a final measure. In particular, the seriousness of the infringement and the fact that the deadline for compliance had expired three months before, “provide arguments in favour of considering that the imposition of a ban would be appropriate, necessary and proportionate today”.
As a consequence, the EDPB ordered a ban on processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR, pursuant to Article 58(2)(f) GDPR, to be effective one week after notification to Meta. The EDPB added that the geographical scope of the measures should extend to the entire EEA.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Urgent Binding Decision 01/2023 requested by the Norwegian SA for the ordering of final measures regarding Meta Platforms Ireland Ltd (Art. 66(2) GDPR) Adopted on 27 October 2023 Adopted 1Table of contents 1 Summary of facts............................................................................................................................. 4 1.1 Summary of the relevant events............................................................................................. 4 1.2 Submission of the request to the EDPB and related events ................................................. 14 2 Competence of the EDPB to adopt an urgent binding decision under Article 66(2) GDPR.......... 15 2.1 The SA has taken provisional measures under Article 66(1) GDPR....................................... 15 2.2 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the EEA.......... 16 2.3 Conclusion............................................................................................................................. 16 3 The right to good administration.................................................................................................. 16 4 On the need to request final measures......................................................................................... 17 4.1 On the existence of infringements........................................................................................ 17 4.1.1 On the infringement of Article 6(1) GDPR..................................................................... 18 4.1.2 On the infringement of the duty to comply with decisions by supervisory authorities42 4.2 On the existence of urgency to adopt final measures by way of derogation from the cooperation and consistency mechanisms ....................................................................................... 45 4.2.1 On the existence of urgency and the need to derogate from the cooperation and consistency mechanisms............................................................................................................... 46 4.2.2 On the application of a legal presumption of urgency justifying the need to derogate from the cooperation and consistency mechanisms.................................................................... 56 4.2.3 Conclusion as to the existence of urgency.................................................................... 65 5 On the appropriate final measures............................................................................................... 65 5.1 Content of the final measures............................................................................................... 65 5.1.1 Summary of the position of the NO SA ......................................................................... 65 5.1.2 Summary of the position of Meta IE and Facebook Norway ........................................ 66 5.1.3 Analysis of the EDPB...................................................................................................... 69 5.1.4 Conclusion..................................................................................................................... 76 5.2 Adoption of the final measures and notification to the controller....................................... 76 6 Urgent Binding Decision................................................................................................................ 77 7 Final remarks................................................................................................................................. 78 Adopted 2The European Data Protection Board Having regard to Article 66 of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter ‘GDPR’) , HavingregardtotheEEAAgreementandinparticulartoAnnexXIandProtocol37thereof,asamended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 , 2 Having regard to Articles 11, 13, 23 and 39 of the EDPB Rules of Procedure 3, hereinafter the ‘EDPB RoP’. Whereas: (1) The main role of the European Data Protection Board (hereinafter the ‘EDPB’ or the ‘Board’) is to ensurethe consistentapplicationoftheGDPRthroughoutthe EEA.Tothiseffect,itcanadopt opinions and binding decisions under different circumstances described under Articles 63 to 66 GDPR, within the consistency mechanism. The GDPR also established a cooperation mechanism, as it follows from Article 60 GDPR that the lead supervisory authority (hereinafter ‘LSA’) shall cooperate with the other supervisory authorities concerned (hereinafter ‘CSAs’) in an endeavour to reach consensus. (2) Pursuant to Article 66(1) GDPR, in exceptional circumstances, where a supervisory authority (‘SA’) considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and65GDPRortheprocedurereferredtoinArticle 60GDPR,immediatelyadoptprovisionalmeasures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. (3)InaccordancewithArticle66(2)GDPR,whereasupervisoryauthorityhastakenameasurepursuant to Article 66(1) GDPR and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision. (4) In accordance with Article 13(2) EDPB RoP, the supervisory authority requesting an urgent binding decision shall submit any relevant document. When necessary, the documents submitted by the competent supervisory authority shall be translated into English by the EDPB Secretariat. Once the Chair and the competent supervisory authority have decided that the file is complete, it is communicated via the EDPB Secretariat to the members of the Board without undue delay. (5)Pursuant to Article 66(4)GDPR and Article 13(1) EDPB RoP, the urgent binding decision of the EDPB shall be adopted by simple majority of the members of the EDPB within two weeks following the decision by the Chair and the competent supervisory authority that the file is complete. 1 2OJ L 119, 4.5.2016, p. 1. References to ‘Member States’ made throughout this decision should be understood as references to ‘EEA Member States’. References to ‘EU’ should be understood, where relevant, as references to ‘EEA’. 3EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 6 April 2022. Adopted 3 1 SUMMARY OF FACTS 1. This document contains an urgent binding decision adopted by the EDPB pursuant to Article 66(2) GDPR, following a request made by the Norwegian supervisory authority - ‘Datatilsynet’ (hereinafter, the ‘NO SA’) within the framework of the urgency procedure under Article 66 GDPR. 1.1 Summary of the relevant events 2. On 31 December 2022, the Irish supervisory authority (‘Data Protection Commission’, hereinafter the ‘IE SA’) issued a final decision concerning the inquiry IN-18-5-5 (hereinafter, the ‘IE SA FB Decision’, related to the Facebook Service)and a final decision concerning the inquiry IN-18-5-7 (hereinafter, the ‘IE SA IG Decision’, related to the Instagram Service) in which it found that Meta Platforms Ireland Ltd (hereinafter, ‘Meta IE’) did not rely on a valid legal basis for processing personal data for behavioural 4 advertising purposes . These two decisions (hereinafter, collectively, the ‘IE SA Decisions’) were adopted on the basis of EDPB Binding Decisions 3/2022 and 4/2022, adopted by the EDPB pursuant to 5 Article 65(1) (a) GDPR on 5 December 2022 (hereinafter, the ‘EDPB Binding Decisions’) . 3. Each of the IE SA Decisions concluded that Meta IE was not entitled to rely on Article 6(1)(b) GDPR to carry out processing of personal data for the purpose of behavioural advertising in the context of the Facebook Terms of Service / Instagram Terms of Use and included an order, addressed to Meta IE, to bring its processing of personal data for behavioural advertising purposes into compliance with Article 7 6(1) GDPR within three months . 4. On 5 April 2023, the IE SA shared with the CSAs , using the Internal Market Information system 9 (hereinafter, ‘IMI’) , Meta IE’s compliance reports regarding the Facebook Service (IN-18-5-5) and the Instagram Service (IN-18-5-7) (hereinafter collectively, the ‘Meta IE Compliance Reports’ or the 10 ‘Compliance Reports’) and supporting material that Meta IE submitted to the IE SA on 3 April 2023 4 Decision of the Irish Data Protection Commission of 31 December 2022, DPC Inquiry Reference: IN-18-5-5, concerning a complaint directed against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in respect of the Facebook Service (the ‘IE SA FB Decision’); Decision of the Irish Data Protection Commission of 31 December 2022, DPC Inquiry Reference: IN-18-5-7, concerning a complaint directed against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in respect of the Instagram Service (the ‘IE SA IG Decision’). 5 EDPB Binding Decision 3/2022, adopted on 05 December 2022 (hereinafter ‘EDPB Binding Decision 3/2022’); EDPB Binding Decision 4/2022 adopted on 05 December 2022 (hereinafter ‘EDPB Binding Decision 4/2022’). In each of these binding decisions the EDPB instructed the IE SA to alter its Finding 2 of its Draft Decision, which concluded that Meta IE may rely on Art. 6(1)(b) GDPR in the context of its offering of the Facebook Terms of Service or the Instagram Terms of Use and to include an infringement of Art. 6(1) GDPR based on the shortcomings that the EDPB has identified in the EDPB Binding Decisions. The reasoning of the EDPB is available in paragraphs 94-133 and 484 of EDPB Binding Decision 3/2022 and in paragraphs 97-137 and 451 of EDPB Binding Decision 4/2022. 6IE SA FB Decision, Finding 2, p. 49; IE SA IG Decision, Finding 2, p. 49. 7 IE SA FB Decision, paragraphs 8.8, 10.44; IE SA IG Decision, paragraphs 212, 417. The deadline for compliance 8ith the orders in the IE SA Decisions fell on 5 April 2023. In the cases leading to the adoption of the IE SA Decisions, all EEA SAs were CSAs pursuant to the GDPR (IE SA FB Decision, Schedule 1, paragraph 1.10; IE SA IG Decision, Appendix 1 - Schedule 1, paragraph 6). 9More specifically, the IE SA shared on 5 April 2023 the Meta IE Compliance Reports via two IMI workflows, one for the IE SA FB Decision and one for the IE SA IG Decision respectively (hereinafter, collectively, the ‘IE SA IMI Informal Consultations’ or the ‘IMI Informal Consultations’). 10Meta IE’s Compliance Report regarding the Facebook Service (IN-18-5-5) of 3 April 2023 (hereinafter, ‘Meta IE Compliance Report on IE SA FB Decision’), paragraphs 2.1 and 2.3 and Meta IE’s Compliance Report Adopted 4 with the aim of showing compliance with the IE SA Decisions. In its Compliance Reports, Meta IE indicated that it changed its legal basis for the majority 11of its processing of personal data for behavioural advertising purposes from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR as of 5 April 2023, which was the deadline for compliance with the IE SA Decisions . Specifically for reliance on Article 13 6(1)(f) GDPR, Meta IE provided legitimateinterests assessmentsas supporting materials (hereinafter collectively, the ‘Meta IE Legitimate Interests Assessments’). Without providing its own analysis on the Compliance Reports, the IE SA invited all the CSAs to assess the extent to which the measures implemented by Meta IE achieved compliance with the orders in the IE SA Decisions and welcomed feedback from the CSAs by 5 May 2023. The deadline was later on extended to 15 May 2023 . 14 5. Onthesameday,theNOSAemailedtheIESAinrespectofMetaIE’schangeoflegalbasistolegitimate interest, expressing strong doubts as to whether this legal basis could be validly relied on and asking for the IE SA’s preliminary view on this. 6. On 6 April 2023, upon request of the IE SA, the EDPB Secretariat circulated a message from the IE SA to the members of the Enforcement expert subgroup within the EDPB. Such message aimed to attract 15 allCSAs’attentiontotheIESAIMIInformalConsultationscirculatedbytheIESAviaIMI .Onthesame day, the IE SA replied to the NO SA’s email of 5 April 2023, pointing to the message from the IE SA to the CSAs circulated by the EDPB Secretariat. 7. On 13 April 2023, the IE SA shared with the CSAs via IMI two further letters from Meta IE (one on the IE SA FB Decision and one on the IE SA IG Decision) dated 12 April 2023, providing further information on its compliance efforts in relation to the IE SA Decisions. 8. On 14 April 2023, the NO SA responded negatively to a meeting request from Meta IE dated 28 March 2023, pointing out that the case is handled by the IE SA as the LSA. 9. Some CSAs asked for clarifications on the procedure being followed, for example on the reasons why the IE SA did not at that point share its assessment of Meta IE’s compliance with the orders in the IE SA Decisions. The IE SA clarified, first, that the assessment of compliance with the orders in the IE SA Decisions would be carried out on a joint basis, more specifically by way of an assessment carried out by the CSAs at the same time as the LSA, and that this sequencing of the process was aimed to ensure a timely and consistent approach, in line with the deadline for compliance determined by the EDPB, regarding the Instagram Service (IN-18-5-7) of 3 April 2023 (hereinafter, ‘Meta IE Compliance Report on IE SA 11 Decision’), paragraphs 2.1 and 2.3. According to the Compliance Reports, Meta IE continued to process limited categories of non-behavioural information toshow advertising onFacebook or Instagrambased onArt. 6(1)(b) GDPR. See Meta IE Compliance Report on IE SA FB Decision, paragraphs 3.1.3 and 5.8.2, and Meta IE Compliance Report on IE SA IG Decision, paragraphs 3.1.3 and 5.8.2. 12 Meta IE Compliance Report on IE SA FB Decision, paragraph 2.1; Meta IE Compliance Report on IE SA IG Decision, paragraph 2.1. 13Meta IE’s Legitimate Interests Assessments Behavioural Advertising Processing of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FBDecision and Annex 4 toMeta IE ComplianceReport on IE SA IG Decision. 14Following requests from two of the CSAs, the deadline to share feedback was extended until 15 May 2023. In 15ct, the IE SA waited for a few more days, giving the opportunity to further CSAs to share their views. In the same message, the IE SA also specified: ‘As you will also recall, IE SA confirmed, during the Article 65 [GDPR] discussions, that any assessment of compliance with the orders made [in the IE SA Decisions] would be carried out on a joint basis, the same as in previous cases, whereby the IE SA together with all CSAs would jointly assess the extent to which any action taken has achieved compliance with the terms of the order’. Adopted 5 formulated on the basis that urgent action was required to be taken by Meta IE to address the 16 17 infringement . The IE SA also clarified that it would not issue a new draft decision . 10. Several CSAs provided their feedback on the way in which Meta IE complied with the IE SA Decisions. • The Österreichische Datenschutzbehörde (Austrian supervisory authority - hereinafter, the ‘AT SA’) shared its views that processing operations in connection with behavioural advertising could not be based on Article 6(1) (f) GDPR . 18 • The Integritetsskyddsmyndigheten (Swedish supervisory authority - hereinafter, the ‘SE SA’) stressed the importance of adhering to any applicable EDPB guidelines 19. • The Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (hereinafter, the ‘DE Hamburg SA’) shared its views stating that ‘at this stage, consent would be the only possible legal basis to comply with’ the orders in the IE SA Decisions, and expressing concerns regarding the indications that sensitive data are processed without consent and regarding the processing activities for which Meta IE continued to rely upon Article 6(1)(b) GDPR . 20 • The Autoriteit Persoonsgegevens (Dutch supervisory authority - hereinafter the ‘NL SA’) shared its views that ‘the interests listed by [Meta IE] in the/its Legitimate Interest Assessment cannot be considered as “legitimate interests” in the sense of Article 6(1) (f) GDPR’, the processing of personal data is not ‘necessary’ for the purpose of the declared interests, and the ‘fundamental rights and freedoms of the data subject override the interest of [Meta IE] and the third parties 21 involved’ . • The NO SA transmitted on 5 May 2023 a formal mutual assistance request under Article 61 (1) 22 GDPR (hereinafter, the ‘NO SA Mutual Assistance Request’) to the LSA using the dedicated 16 These clarifications were made by the IE SA on 26 April 2023 as a reply to a question of the FR SA of 25 April 2023 made in the IE SA IMI Informal Consultations. 17The SE SA asked for clarification on the procedure being followed on 4 May 2023 via the IMI Informal Consultations. The IE SA replied on 5 May 2023. 18 TheseviewsweresharedasareplytotheIESAIMIinformalconsultationconcerningonlytheIESAFBDecision (Comment of the AT SA of 18 April 2023), see footnote 9. The AT SA also indicated that a balancing test was also difficult because the term ‘Behavioural Advertising Processing’ was not defined in the Privacy Policy and what this actually entailed was not entirely clear. The AT SA also made reference to the reasoning in its relevant and reasonedobjectiontotheIESA’sdraftdecision intheprocedureleading totheadoptionoftheIESA FBDecision. 19 Comment of the SE SA of 4 May 2023 as a reply to the IE SA IMI Informal Consultations, see footnote 9. 20Commentofthe DE Hamburg SAof4May2023as areply to the IE SA IMI InformalConsultations,see footnote 9. In its comments, the DE Hamburg SA stated that there ‘are strong indications that sensitive data stemming from different sources are processed without consent against the Art. 9 (1) GDPR’ and that ‘consent [is] the only possible legal basis for that kind of processing’ and made further remarks on this issue. The DE Hamburg SA also stated that the ‘processing described or indicated in the updated Terms of Use and [Meta IE] Privacy Notice cannot be based on Art. 6 (1) (b) GDPR’. 21CommentoftheNLSAof4May2023,paragraph3-attachedasareplytotheIESAIMIInformalConsultations, see footnote 9. The NL SA, in its comments, also ‘urgently asks the [IE SA] to swiftly undertake adequate actions in order to cease the continuous illegality of the invasive processing of personal data of millions of users’ (paragraph 4). In addition to providing detailed views on the applicability of Art. 6(1)(f) GDPR (paragraphs 8-63), theNLSAalsostresseditsconcernsabouttheprocessingofspecialcategoriesofdataandaboutthecompatibility of the processing of the amount of data at stake with the principles of data minimisation and purpose limitation (paragraphs 6-7). 22Comment of the NO SA of 5 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote 9), attaching a copy of the NO SA Mutual Assistance Request introduced on 5 May 2023. Adopted 6 IMI flow 23. The NO SA requested the IE SA to (1) issue a temporary ban on Meta IE’s processing ofpersonaldataforbehaviouraladvertisingpurposesbasedonArticle6(1)(f)GDPRand(2)share a timeline with the NO SA and the CSAs specifying how the IE SA will ensure in an expedient manner that Meta IE complies with Article 6(1) GDPR. • The Agencia Española de Protección de Datos (Spanish supervisory authority - hereinafter the ‘ES SA’) shared its views stating that ‘the submitted Legitimate Interest Assessment does not demonstrate that the processing carried out by [Meta IE] with the purpose of behavioural advertisement be based on Article 6(1)(f) GDPR since it does not meet the requirements of this Article’ . • The Tietosuojavaltuutetun toimisto (Finnish supervisory authority - hereinafter the ‘FI SA’) shared its views on 15 May 2023 that ‘based on the information available, it does not seem that [Meta IE] would have brought all its processing activities into compliance with the GDPR and 25 would meet the requirements of the GDPR’ . • In addition, the Garante per la protezione dei dati personali (Italian supervisory authority - hereinafter, the ‘IT SA’) shared its views on 23 May 2023 saying that ‘[Meta IE’s] proposal is not such as to adequately implement the order to bring the processing into compliance insofar as it misclassifies part of the user-related information and thereby applies the legal basis of 23The formal NO SA Mutual Assistance Request contained two requests labelled as follows: ‘Pursuant to Art. 61(1) GDPR,thefollowingrequestsaremade:i.Wekindly requestthattheIESAissuesatemporarybanon[Meta IE]’s processing of personal data for behavioural advertising purposes on Facebook and Instagram based on Art. 6(1)(f) GDPR, in accordance with Art. 58(2)(f) GDPR. The ban should last until the lead and concerned supervisory authorities are satisfied that [Meta IE] has provided adequate and sufficient commitments to ensure compliance withArt.6(1)GDPRandArt.21GDPR,inlinewithArt.31GDPR.Thiswillgiveustheopportunitytofurtherengage with [Meta IE] and make sure that it commits to fully respect its obligations under the GDPR, while preventing any further risks for data subjects stemming from [Meta IE]’s non-compliant behavioural advertising practices. Please note that in our view, behavioural advertising includes any activities where advertising is targeted on the basis of a data subject’s behaviour or movements, including advertising based on perceived location’. ii. ‘We kindly requestthat the IE SA shares a timeline specifying how it will ensure in an expedient manner that [Meta IE] complies with Art. 6(1) GDPR. We should be grateful if the IE SA, by 5 June 2023, would share the timeline and confirm that a temporary ban will be issued. If the IE SA is not in a position to comply with our request regarding [Meta IE], we may need to consider our options in relation to the adoption of provisional measures in Norway pursuant to Art. 66 GDPR. We hope that this will not be necessary and look forward to cooperating further with the IE SA within the framework of the cooperation mechanisms set out in Chapter VII GDPR’. 24These views were shared as a reply in the IESA IMI informal consultation concerning only the IE SA IG Decision (Comment of the ES SA of 12 May 2023). More specifically, the ES SA argued that the interests listed by Meta IE are ‘purely economic or commercial interests’ of Meta IE or third parties, and that in respect of the condition of necessity of the processing ‘the direct link between the processing and the legitimate interest should be established and prove that there are no less intrusive alternatives for the data subjects that could serve the interest equally effectively’ (p. 4). The ES SA also noted some shortcomings in the balancing test carried out by 25ta IE (Comment of the ES SA of 12 May 2023, p. 5). Comment of the FI SA of15 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote9). More specifically, the FI SA expressed doubts about legitimate interest being the most suitable legal basis in the case at hand and argued that the Legitimate Interests Assessment carried out by Meta IE ‘seems to be rather one- sided and superficial and fails to convince why the interests of [Meta IE] or third parties should override the interests and fundamental rights of the data subjects’ (Comment of the FI SA of 15 May 2023, p. 2) and ‘fails to take duly into consideration the volume of the processing and the high number of users of the said services’ (CommentoftheFISAof15May2023,p.2-3).TheFISAalsonotedthatcertaincategoriesofpersonaldataseem to still be unlawfully collected for behavioural advertising purposes under Art. 6(1)(b) GDPR (Comment of the FI SA of 15 May 2023, p. 2). Adopted 7 contractual performance under Article 6(1)(b) GDPR to the serving of ads which, actually, are behavioural in nature’ 26; the IT SA also highlighted some concerns concerning the switch to 27 legitimate interest for the other processing activities for behavioural advertising purposes . 11. The IE SA shared with Meta IE the feedback received from the CSAs and invited Meta IE to provide 28 submissions on these views by 2 June 2023 . 12. On 30 May 2023, the NL SA sent the IE SA a request for mutual assistance under Article 61 GDPR (hereinafter, the ‘NL SA Mutual Assistance Request’) asking the IE SA to provide its conclusion as to whether Meta IE could rely on Article 6 (1) (f) GDPR, its conclusion as to whether Meta IE complies with the IE SA Decisions and as to a timeframe, which appropriate and expedient action will be taken to ensure that Meta IE acts in compliance with Article 6 GDPR . 29 13. On 31 May 2023, the IE SA provided an update to all CSAs via the IE SA IMI Informal Consultations (hereinafter, the ‘IE SA Update to CSAs of 31 May 2023’, informing them about the NL SA Mutual Assistance Request and highlighting that it will be in a position to complete its own assessment of the Meta IE Compliance Reports and share its assessment with the NO SA and NL SA (who lodged Article 61 GDPR requests) and all other CSAs by the end of June 2023. In particular, the IE SA indicated that theyhad‘receivedalloftheassessmentsfromCSAs’and‘forwardedthemto[MetaIE]forittoconsider the views expressed and to detail any changes that it proposes to implement on foot of the CSA assessments’. Furthermore, the IE SA stated that it will ‘complete its own assessment of [Meta IE]’s compliance reports’ after receiving Meta IE’s response. The IE SA also stated ‘it will be in a position to complete its own assessment of [Meta IE]’s compliance reports and to share its assessment with the Norwegian and Dutch supervisory authorities (both of which have lodged Article 61 requests for mutual assistance) and with all other CSAs by the end of June 2023’. 14. Also, on 31 May 2023, Meta IE sent a letter to the IE SA providing its views and comments on the process that was being followed by the IE SA and asking for an extension of its deadline to provide a reply. In this context, it also provided some comments to the IE SA on the CSAs' feedback and some preliminary comments on the requests for urgent enforcement action from some CSAs. 26 Comment of the IT SA of 23 May 2023 as a reply to the IE SA IMI Informal Consultations (see footnote 9). As indicated in footnote 11, Meta IE indicated in its Compliance Reports the fact that it continued to process some data under Art. 6(1)(b) GDPR. The IT SA argued in this respect that ‘[Meta IE]’s distinction between non- behavioural and behavioural advertising can be said to be artificial and based merely on language’ (Comment of the IT SA of 23 May 2023, p. 1) 27 Comment of the IT SA of23May2023 as areply to the IESA IMI Informal Consultations(see footnote 9). More specifically, according to the IT SA, ‘it is as if the controller was shifting the burden of proof regarding legitimate interest as the legal basis of processing on the data subjects – who conversely should be called into play as key actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the necessity of the processing and performing the required balancing exercise’ (Comment of the IT SA of 23 May 2023, p. 2). The IT SAalsounderlinedthat‘theprocessingoperationsunderpinningtheuseofOnlineBehaviouralAdvertisingshould more appropriately be grounded in consent as a legal basis within the meaning of Art. 6(1) (a) GDPR’ (p.3). 28On12May2023and16May2023,theIESAsenttwoletterstoMetaIE,providing MetaIE with thefirstreplies received from CSAs informing Meta IE that some CSAs requested an extension of time to provide a response. On 25 May 2023, the IE SA transmitted to Meta IE the latest comments from CSAs with respect to the way in which Meta IE complied with the IE SA Decisions. The IE SA invited Meta IE to provide submissions by 2 June COB. On 26 May 2023, the IE SA shared an update with all CSAs, informing them that their responses were forwarded to Meta IE, whose response was awaited by 2 June 2023. 29The IE SA provided a reply on 31 May 2023. On the same day, the IE SA provided an update to CSAs in the IMI Informal Consultations, described in the following paragraph. Adopted 815. On 2 June 2023, the IE SA provided a reply to the NO SA Mutual Assistance Request. In the notification formused,theIESAstatedthatitcould notcomplywiththerequest(bycheckingapre-codetextbox), andinvitedtheNOSAtolookatthe‘detailedresponseuploadedbythe[IESA]’intheIESAIMIInformal Consultations (see above, paragraph 13). 16. On 9 June 2023, the NO SA further replied to the IE SA, via the IE SA IMI flow relating to the NO SA Mutual Assistance Request, asking whether the IE SA could ‘share their preliminary thoughts or non- bindingly indicate whether [it] may potentially be inclined to follow [the NO SA Mutual Assistance Request]’.InthesamemessagetheNOSAindicatedthatitwouldinanycaseawaittheIESA’sresponse towards the end of June. 17. On 13 June 2023, the IE SA informed all CSAs via the IE SA IMI Informal Consultations that it would await the judgment of the Court of Justice of the European Union in Case C-252/21 (Meta Platforms Inc. v Bundeskartellamt) (hereinafter, the ‘CJEU Bundeskartellamt Judgment’) before sharing its assessment of the Meta IE Compliance Reports . The IE SA, noting the NO SA Mutual Assistance Request and the NL SA Mutual Assistance Request, indicated their intention to finalise their assessment as soon as possible after the CJEU Bundeskartellamt Judgment expected on 4 July 2023. 18. On 14 June 2023, the IE SA sent a letter to Meta IE replying to its letter of 31 May 2023. The IE SA explained its intention to wait for the CJEU Bundeskartellamt Judgment before circulating its provisional assessment of the steps taken by Meta IE in purported compliance with the orders in the IE SA Decisions, as well as the expected next steps leading to the issuance of the final outcome of the assessment of compliance. In the same letter, the IE SA informed Meta IE that it no longer required it to make submissions in reply to the CSAs’ initial observations. 19. On 21 June 2023, Meta IE shared with the IE SA its views on the concerns raised by some of the CSAs and regarding potential urgent proceedings. On 23 June 2023, the IE SA shared via the IMI Informal Consultations the communication received from Meta IE on 21 June 2023. The IE SA stated that Meta IE specified that this communication is without prejudice to Meta IE’s position that it brought its processing into compliance with the orders in the IE SA Decisions. 20. On 30 June 2023, Meta IE shared by letter additional information with the IE SA regarding the IE SA’s proposed compliance assessment. In this letter, Meta IEoutlined its views on the next steps envisaged by the IE SA and provided information and arguments on what it considered to be misunderstandings underpinning the views provided by the CSAs on the Meta IE Compliance Reports . 31 21. On 4 July 2023, the Court of Justice of the European Union delivered the CJEU Bundeskartellamt 32 Judgment . On 6 July 2023, the IE SA indicated to all the CSAs via the IE SA IMI Informal Consultations 30 31The CJEUhad just announcedthat it would deliver the judgment beforethe IE SAgave this update to theCSAs. Letter from Meta IE to the IE SA of 30 June 2023. Meta IE’s comments on the next steps envisaged by the IE SA are available in paragraphs 1-3 of this letter. Meta IE also provided clarifications, information and arguments on what it considered to be misunderstandings underpinning the views provided by the CSAs on the Meta IE Compliance Reports in paragraph 7. By way of example, Meta IE stated that it ‘does not engage in a “balancing” exercise on receipt of a valid objection’, that the IE SA Decisions only apply to processing for behavioural advertising purposes (and not to processing of non-behavioural information for advertising purposes), and that the assessment of ‘Behavioural Advertising Processing’ only concerns data relating to activity on Facebook and Instagram (on-platform data). Meta IE also clarified that it relies on Art. 6(1)(a) GDPR to process information provided to Meta IE by third party advertising partners (‘off-platform data‘) for the purposes of showing personalised advertisements. 32JudgmentoftheCourtofJusticeoftheEuropeanUnionof4July2023,MetaPlatformsInc.vBundeskartellamt, C-252/21, EU:C:2023:537. Adopted 9 thatitwasconsideringsuchjudgmentinthecontextoffinalisingitsprovisionalassessmentofthesteps taken by Meta IE in purported compliance with the IE SA Decisions 3. 22. On 11 July 2023, the IE SA issued a provisional position paper (‘IE SA Provisional Position Paper’) in which it preliminarily concluded that Meta IE had not complied with the orders in the IE SA Decisions, 34 and shared it with the CSAs alongside a letter dated 30 June 2023 received from Meta IE . The IE SA invited the CSAs to share their views on the IE SA Provisional Position Paper by 21 July 2023 . 35 23. Between 20 July 2023 and 21 July 2023, two CSAs shared their views on the IE SA Provisional Position 36 Paper via the IE SA IMI Informal Consultations . The IE SA shared these CSAs’ views with Meta IE on 21 July 2023. 24. On14 July2023,the NO SA imposed a temporaryban onMeta IE andFacebook NorwayAS (‘Facebook Norway’) regarding the processing of personal data of data subjects in Norway for behavioural advertising for which Meta IE relies on Article 6(1)(b) GDPR or Article 6(1)(f) GDPR (the ‘NO SA Order’ or the ‘Provisional Measures’). On the same day, the NO SA informed by email the IE SA of the Provisional Measures being taken on the basis of Article 66(1) GDPR. On 7 August 2023, the NO SA rejected Meta IE’s and Facebook Norway’s request for deferred implementation of the NO SA Order. 25. On 20 July 2023, the IE SA shared an update to the CSAs via the IE SA IMI Informal Consultations, informing the CSAs of its views on the NO SA Order. It also stated that it did not mean to refuse to comply with the NO SA Mutual Assistance Request as this was a result of ‘incorrectly (and inadvertently)’checking a boxand that, inits view,itscommunicationto the NO SAof2 June2023was referring to two documents shared with all CSAs on 31 May 2023 , which ‘directed to the subject matter of the NO SA [Mutual Assistance Request]’ and were ‘clearly engaging with the substance of the NO SA [Mutual Assistance Request] [...]’. 26. On 24 July 2023, the NO SA answered to questions from a politician in the Irish national parliament on the NO SA Mutual Assistance Request. In its reply, the NO SA describes the reply provided by the IE SA to the NO SA Mutual Assistance Request and explains the reasons behind the issuance of the ProvisionalMeasures,expressingitsconcernsthat‘whileitisvery clearthat[MetaIE]doesnotcomply with the GDPR,failing to takespecific andresolute enforcementactionwould leadtoa cat-and-mouse game whereby [Meta IE] is able to evade compliance indefinitely’ and that ‘simply stating that [Meta IE] does not comply with the GDPR [...] without imposing any specific order spelling out what [Meta IE] must potentially do to comply with the law and by which date, will allow [Meta IE] to further delay compliance’. 33In the same communication, the IE SA also indicated they expected to be in a position to circulate their provisional assessment the following week, and that they would then give the CSAs a period of ten days to respond. While the NO SA and the IE SA indicated that this update occurred on 5 July 2023, according to the IMI 34ports relating to the IE SA IMI Informal Consultations, this update seems to have been sent on 6 July 2023. This letter was already mentioned above in paragraph 20. This update was shared by the IE SA via the IE SA IMI Informal Consultations. Together with the IE SA Provisional Position Paper and the Letter from Meta IE to the IE SA of 30 June 2023, the IE SA also shared again the Meta IE Compliance Reports (already shared on 5 April 2023 with the CSAs). 35 In the same communication, the IE SA also indicated that it would then provide the CSAs’ views on the IE SA Provisional Position Paper to Meta IE inviting it to make its submissions by 4 August 2023. 36The NL SA shared its views via a document attached on 20 July 2023 and the DE Hamburg SA via a document attached on 21 July 2023. 37See paragraph 13 above. Adopted 1027. On 27 July 2023, Meta IE sent a letter to the IE SA stating that it intends to ground its processing for behavioural advertising purposes 38on consent (Article 6(1)(a) GDPR) (by way of “Meta IE’s Consent Proposal”Meta IE’s Consent Proposal) 39 . The IE SA shared this letter with the CSAs via the IE SA IMI Informal Consultations. 28. On the same day, Meta IE sent a letter to the NO SA, making reference to the letter sent to the IE SA andrequesting the NO SA to lift the ProvisionalMeasuresin lightof Meta IE’s commitments tothe LSA to ensure compliance by way of relying upon consent. 29. On 1 August 2023, the IE SA replied to Meta IE taking note of Meta IE’s intention to implement the necessary measures to enable it to rely on Article 6(1)(a) GDPR 4. 30. Meanwhile, on 1 August 2023, Meta IE and Facebook Norway lodged a complaint with the NO SA requesting that it lifts the NO SA Order. On 3 August 2023, the NO SA rejected this complaint and on the following day the NO SA sent a letter to Meta IE and Facebook Norway requesting confirmation as to whether the NO SA Order would be complied with. 31. On 4 August 2023, Meta IE provided its response to the IE SA Provisional Position Paper. On the same date, Meta IE and Facebook Norway replied to the NO SA that they have, in their view, complied with the NO SA Order, and requested the Oslo District Court to grant a preliminary injunction against the NO SA Order. 32. On 7 August 2023, the NO SA decided to impose a coercive fine on Meta IE and Facebook Norway for the non-compliance with the NO SA Order. On 14 August 2023, Meta IE requested the deferred implementation of the coercive fine imposed on Meta IE and Facebook Norway, at least until the Oslo District Court has ruled on Meta IE’s and Facebook Norway’s applications for a preliminary injunction. On 25 August 2023, the NO SA rejected Meta IE’s and Facebook Norway’s request for deferred implementation of the coercive fine. 33. On 8 August 2023, Meta IE and Facebook Norway sent a letter to the Ministry of Local Government and Regional Development of Norway, asking it to consider Meta IE’s and Facebook Norway’s complaints against the NO SA Order submitted to the NO SA on 1 August 2023 . The Ministry of Local 38 39 40 This letter was shared by the IE SA with the CSAs via the IE SA IMI Informal Consultations. The IE SA also highlighted that all the correspondence from Meta IE should be treated as confidential. 41 Meta IE sustained that the Ministry should have declared the complaint valid and the decision should have been repealed, indicating that ‘the audit did not give [Meta IE] necessary notice of its proposed actions and did not give [Meta IE] the necessary opportunity to be heard’. In addition, Facebook Norway was of the opinion that the NO SA wrongfully indicated Facebook Norway as an addressee of the decision. Adopted 11 Government and Regional Development of Norway responded on 10 August 2023, refusing to accommodate the request and indicating that it did not have the authority to handle complaints against the NO SA Order. 34. On 10 August 2023, Meta IE sent a letter to the IE SA highlighted its concerns arising from the Article 66 GDPR proceedings arising from the Provisional Measures and running in parallel to the process led by the IE SA. 35. The IE SA responded on 11 August 2023. In its letter, the IE SA highlighted that it considered it is not for it to second-guess the decision of the NO SA to trigger the application of the urgency procedure and that the Article 66 GDPR procedure would take its own course. 36. The proceedings concerning the request for preliminary injunction lodged with the Oslo District Court further developed and the parties submitted written pleadings . 42 37. 43 . 38. On 18 August 2023, the IE SA shared with all CSAs its final position paper (‘IE SA Final Position Paper’), in which the IE SA concluded that Meta IE failed to demonstrate compliance with the orders in the IE 44 SA Decisions . The IE SA also indicated its view that in light of the Meta IE’s Consent Proposal, it is fair 42On 10 August 2023 and 11 August 2023, respectively, Meta IE and Facebook Norway and the NO SA submitted their written pleadings to the Oslo District Court. Meta IE requested provisional injunctions to avoid damage following an alleged invalid administrative decision and Facebook Norway claimed that the NO SA’s justification was inadequate. The NO SA responded to the request for a preliminary injunction claiming, inter alia, that there was no case processing error that may have affected the content of the decision, the conditions for urgent measures for adopting its decision were met, the decision did not violate Article 84 GDPR (proportionality) and that an injunction by the Oslo District Court would have been in a manifest disparity with the damages or inconveniences Norway would have been inflicted. Meta IE then submitted further written pleadings to the Oslo District Court on 14 August 2023. On 15 August 2023, Meta IE and Facebook Norway complained against the NO SAabouttheNOSA’srejectionoftheircomplaint.MetaIEandFacebookNorwayreiteratethattheappealbefore the Ministry should be admissible and that they have the right to appeal the decision of the Ministry (contrary to the Ministry’s declaration) according to administrative law. On 16 August 2023, the NO SA submitted further written pleadings to the Oslo District Court, while Meta IE and Facebook Norway submitted their additional 43itten pleadings on 18 August 2023. 44Together with the IE SA Final Position Paper, the IE SA shared with the CSAs the same supporting materials as shared together with the IE SA Provisional Position Paper. See above paragraph 22. Also, on 17 August 2023, the IE SA provided an update to all CSAs via the IE SA IMI Informal Consultations, informing them mainly of the fact that the copies of the relevant communications to which the IE SA was party were transmitted to the NO SA and Meta IE to ensure that both the NO SA and Meta IE were in a position to put the full suite of communications before the Oslo District Court. Adopted 12 and reasonable to give Meta IE an opportunity to demonstrate that it can rely on consent as its lawful 45 basis rather than engaging in enforcement measures . 39. On 25 August 2023, Meta IE and Facebook Norway submitted, each, to the NO SA their comments on the NO SA’s intended request for an urgent binding decision from the EDPB pursuant to Article 66 (2) GDPR, which was specified in the NO SA Order. 40. On 28 August 2023, Meta IE and Facebook Norway complained against the NO SA regarding the coercive fine it had imposed. Meta IE and Facebook Norway asked the NO SA to revoke the enforcement decision or, at least, to lower the amount. 41. On 6 September 2023, the Oslo District Court decided not to grant the petitions from Meta IE and Facebook Norway for a preliminary injunction against the NO SA Order. 42. 46. . 43. 47. 44. On 21 September 2023, the NO SA sent a letter to the IE SA outlining their views on the current state of play. More specifically, the NO SA stated that it considered there is still an urgent need for a ban of the unlawful processing of personal data carried out by Meta IE despite the Meta IE’s Consent 48 Proposal , and that such a ban would representanincentiveforMetaIEtoswiftlybringprocessingintocompliance .Thus,theNOSAasked the IE SA to reconsider their position, outlined in the IE SA Final Position Paper that enforcement 45 IE SA Final Position Paper, paragraph 9.2. 46 47 48 Letter of the NO SA to the IE SA of 21 September 2023, p. 2. 49Letter of the NO SA to the IE SA of 21 September 2023, p. 3. Adopted 13 measuresarenotnecessaryatthispointintime 50.TheletteralsomentionedthattheNOSArequested submissions from Meta IE about its intention to ask the EDPB for an urgent binding decision, but may consider not making such request should the IE SA decide to adopt enforcement measures . 51 45. On 26 September 2023, Meta IE and Facebook Norway made submissions in relation to the request of the NO SA for an urgent binding decision of the EDPB and the NO SA lodged its request to the EDPB on IMI. Further details on this are available below .2 46. On 27 September 2023, the IE SA replied to the letter of the NO SA of 21 September 2023, outlining its views on the NO SA’s position and course of action. More specifically, the IE SA recalled that the EDPB explicitly declined to instruct the IE SA to impose a temporary ban in the EDPB Binding Decisions and explained that each of the IE SA Decisions ‘made provision for enforcement measures, namely, the orders for compliance, under which [Meta IE]’s proposals for the adoption of one or more alternative legal bases for the [processing operations at stake] would be assessed, and ruled on, on their respective merits’ . The IE SA also expressed the view that ‘it is inaccurate to suggest that the [IE SA] could impose an immediate ban on processing, whilst continuing to progress its assessment of [Meta IE]’s proposed consent-based model, in conjunction with its CSA colleagues’ . 54 47. On 11 October 2023, the NO SA replied to the letter of the IE SA of 27 September 2023. In this letter, the NO SA expressed its concern that despite the LSA and CSAs ‘agreeing that [Meta IE] cannot base processing of personal data for behavioural advertising on Article 6(1)(b) GDPR or Article 6(1)(f) GDPR, [Meta IE] continues to violate Article 6(1) GDPRand the [IE SA Decisions], and such violation continues to be tolerated’ . The NO SA reiterated its view that ‘corrective measures can and should be imposed 56 on [Meta IE] as soon as possible to stop [Meta IE]’s current illegal processing activities’ . 48. The IE SA further replied on 13 October 2023. In its letter, the IE SA argued that the request of the NO SA to the EDPB amounts, in substance, to a demand for enforcement action against the IE SA for its (alleged) failure to implement the IE SA Decisions and to an attempt to use the Article 66 GDPR procedure as a means to procure an order from the EDPB to compel the IE SA to impose an EEA-wide ban on Meta IE’s processing of personal data for behavioural advertising purposes 57. The IE SA also expressed its view that it did put in place an enforcement procedure following the IE SA Decisions, consistent with the EDPB Binding Decisions 58. 49. On16October2023,Meta IEandFacebookNorwayinitiatedlegalproceedingsbeforetheOsloDistrict Court to demand the invalidation of the NO SA Order. 1.2 Submission of the request to the EDPB and related events 50Letter of the NO SA to the IE SA of 21 September 2023, p. 3. 51Letter of the NO SA to the IE SA of 21 September 2023, p. 3. 52See paragraph 67 below. 53 Letter of the IE SA to the NO SA of 27 September 2023, p. 3. 54Letter of the IE SA to the NO SA of 27 September 2023, p. 4. 55Letter of the NO SA to the IE SA of 11 October 2023, p. 1. 56Letter of the NO SA to the IE SA of 11 October 2023, p. 1. 57 Letter of the IE SA to the NO SA of 13 October 2023, p. 2-3, in which the IE SA also states that: ‘while, subject to ongoing litigation in Norway, [Meta IE]’s Norwegian subsidiary is accruing liabilities on a daily basis by reference to the fine recently applied by NO SA, [Meta IE]’s processing operations as they relate to behavioural advertising remain unchanged at this point’. 58 Letter of the IE SA to the NO SA of 13 October 2023, p. 3-6. Adopted 1450. As mentioned above, on 26 September 2023, the NO SA used IMI to request the EDPB to adopt an urgentbindingdecisionpursuanttoArticle66(2)GDPR,withtheeffectoforderingtheimplementation of final measures (hereinafter, the ‘NO SA Request to the EDPB’ or ‘Request to the EDPB’). 51. Following the submission of the NO SA Request to the EDPB, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair of the EDPB. 52. In the context of the assessment of the completeness of the file, the EDPB Secretariat contacted the NO SA on 4 October 2023 and 11 October 2023 requesting further documents and clarifications. In both cases, the NO SA responded on the same day by providing clarifications and uploading additional documents on IMI. 53. The EDPB Secretariat also contacted the IE SA on 5 October 2023, requesting additional documents andclarifications.FollowingarequestsentbytheIESAtoextendthedeadlineinitiallyseton6October, the EDPB Secretariat extended the deadline to 9 October 2023. On 9 October, the IE SA replied by attaching some of the additional documents and providing some clarifications. On the basis of the reply, the EDPB Secretariat requested on the same day some further information and provided clarifications onthequestionsithadpreviouslyasked.On10October2023,theIESArespondedto the EDPB Secretariat’s email of 9 October 2023, highlighting the need for appropriate time to carry out verifications. On 11 October 2023, the EDPB Secretariat responded to the IE SA’s email identifying certainitemsasmattersofpriority.On12October2023,theIESArespondedtotheEDPBSecretariat’s request providing several documents and clarifications. 54. A matter of particular importance that was scrutinised by the EDPB Secretariat was the right to good administration, as required by Article 41 of the Charter of Fundamental Rights of the European Union (hereinafter,the‘Charter’).FurtherdetailsonthistopicareprovidedinSection3ofthisurgentbinding decision. 55. On 12 October 2023, the decision on the completeness of the file was then taken by the Chair of the EDPB and on 13 October 2023 by the NO SA in line with Article 13(2) of the EDPB RoP. The file was circulated by the EDPB Secretariat to all the members of the EDPB on 13 October 2023. 56. On 17 October 2023, following a request of the IE SA to include an additional letter sent by the IE SA totheNOSAon13October2023,theEDPBdecided toincludeitinthefile,onthebasisofArticle11(2) EDPB RoP. 2 COMPETENCE OF THE EDPB TO ADOPT AN URGENT BINDING DECISION UNDER ARTICLE 66(2) GDPR 57. The EDPB is competent to issue an urgent binding decision under Article 66(2) GDPR to the extent that thefollowingconditionsaremet:anSAhastakenprovisionalmeasurespursuanttoArticle66(1)GDPR, 59 and there is a request from this SA pursuant to Article 66(2) GDPR. 2.1 The SA has taken provisional measures under Article 66(1) GDPR 58. On 14 July 2023, the NO SA adopted provisional measures pursuant to Article 66(1) GDPR, prohibiting Meta IE from processing the personal data of data subjects residing in Norway for targeting 59See Art. 66(2) GDPR and EDPB Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited (hereinafter ‘EDPB Urgent Binding Decision 01/2021’), adopted on 12 July 2021, section 2. Adopted 15 advertisements on the basis of observed behaviour for which Meta IE relies on Article 6(1)(b) GDPR or Article 6(1)(f) GDPR. 59. The EDPB therefore considers that this condition is satisfied. 2.2 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the EEA 60. On 26 September 2023, the NO SA requested the EDPB to adopt an urgent binding decision pursuant to Article 66(2) GDPR, by introducing a formal request in the IMI system (Article 17 of the EDPB RoP). 61. The EDPB therefore considers that this condition is satisfied. 2.3 Conclusion 62. The EDPB concludes it is competent to adopt an urgent binding decision under Article 66(2) GDPR. 3 THE RIGHT TO GOOD ADMINISTRATION 63. The EDPB is subject to Article 41 of the Charter (right to good administration). This is also reflected in Article 11(1) EDPB RoP. 64. Similarly to what is provided under Article 65(2) GDPR, an urgent binding decision of the EDPB is addressed to the lead supervisory authority and all the supervisory authorities concerned, and is 60 binding on them . It is not aimed to address directly any third party. 65. Nevertheless, the EDPB assessed whether all the documents it received to be used in order to take its decision were known by Meta IE and Facebook Norway, and whether Meta IE and Facebook Norway were offered the opportunity to exercise their right to be heard on all the elements of fact and law to be used by the EDPB to take its decision. 66. In this respect, the NO SA informed the EDPB Secretariat that it made available all the documents it submitted to the EDPB to Meta IE and Facebook Norway. The other documents (submitted by the IE SA), if not already known to the companies, were made available to them by the EDPB Secretariat by way of letters of 13 October 2023 and 18 October 2023 . 62 67. On 17 September 2023, the NO SA sent a letter to Meta IE and Facebook Norway asking for their submissions on its draft request for an Article 66(2) GDPR urgent binding decision from the EDPB. Following extensions of the deadline initially set, these submissions were provided on 26 September 2023 (hereinafter, ‘Meta IE’s Submissions of 26 September 2023’ and ‘Facebook Norway’s Submissions of 26 September 2023’). These submissions also attached Meta IE’s and Facebook Norway’sprevioussubmissionsof25August2023 concerning the intentionof theNO SA to request an urgent binding decision of the EDPB (‘Meta IE’s Submissions of 25 August 2023’ and ‘Facebook Norway’s Submissions of 25 August 2023’). In addition to these submissions, the file submitted to the EDPB also included multiple documents produced by Meta IE and/or Facebook Norway in the context oftheassessmentofcompliancewiththeIESADecisionsand/orinthecontextofthelegalproceedings 60Art. 65(2) GDPR. According to Art. 66(4) GDPR, this provision is derogated in respect of the deadline for 61option; therefore, the last sentence of Art. 65(2) GDPR fully applies. Letter of the EDPB Chair to Meta IE and Facebook Norway of 13 October 2023. 62Letter of the EDPB Chair to Meta IE and Facebook Norway of 18 October 2023. Adopted 16 63 concerning the NO SA Order , where Meta IE’s and Facebook Norway’s positions in respect of the elements being considered by the EDPB were clarified. 68. On the basis ofthe assessment performed by the EDPBSecretariat,Meta IE andFacebook Norwayhad not yet had an opportunity to make their views known on some elements of fact and law included in some documents of the file to be used by the EDPB to take its decision. The Chair of the EDPB invited bywayofherletterof13October2023 MetaIEandFacebookNorwaytoprovidewrittensubmissions to the EDPB on these elements. These submissions, together with annexes, were provided by Meta IE and Facebook Norway on 16 October 2023 (‘Meta IE’s Submissions of 16 October 2023” and 65 “Facebook Norway’s Submissions of 16 October 2023’) and were subsequently added to the file. 69. On 18 October 2023, the Chair of the EDPB sent a new letter to Meta IE and Facebook Norway informing them of the document added to the file on 17 October 2023 and providing them with an opportunity to make written submissions on it. Meta IE and Facebook Norway made written submissionson19October2023(‘Meta IEandFacebookNorway’sSubmissionsof19October2023’), which were added to the file. 70. The EDPB notes that Meta IE and Facebook Norway received the opportunity to make their views regarding all the legal and factual elements used by the EDPB to take this decision. Therefore, in case Meta IE and Facebook Norway would be found to be entitled to a right to be heard in this procedure, it would be in any case fully respected. 4 ON THE NEED TO REQUEST FINAL MEASURES 71. TheEDPBconsidersthatinorderforanurgentbindingdecisionadoptedpursuanttoArticle66(2)GDPR toorderfinalmeasurestwocumulativeconditionsneedtobefulfilled:theexistenceofone(orseveral) infringement(s) and the existence of an urgency situation justifying a derogation from the regular cooperation procedure. 72. Consequently, the sections below assess first the existence of infringements (Section 4.1), then the existence of an urgency situation (Section 4.2). 4.1 On the existence of infringements 63By way of example, these documents included the Letter from Meta IE to the IE SA of 31 May 2023, the letter from Meta IE to the IE SA of 21 June 2023, the Letter from Meta IE to the IE SA of 30 June 2023, Meta IE’s Response to the IE SA Provisional Position Paper of 4 August 2023, Letter from Meta IE to the IE SA of 27 July 6423, Letter from Meta IE to the NO SA of 27 July 2023. Letter of the Chair of the EDPB to Meta IE and Facebook Norway of 13 October 2023, replying to their letter of 28 September 2023 where they requested that Meta IE and Facebook Norway be granted access to any documents in the administrative file, and tobe afforded an opportunitytomake submissions afterreviewing the file in advance of the EDPB reaching a final decision. 65On 18 October 2023, Meta IE and Facebook Norway provided new versions of two of their annexes. In these letters of 16 October 2023, Meta IE and Facebook Norway also informed the EDPB that they filed a complaint before the Oslo District Court challenging and seeking to invalidate the NO SA Order on the merits. Adopted 17 4.1.1 On the infringement of Article 6(1) GDPR 4.1.1.1 Summary of the overall position of the NO SA 73. TheNOSArequestedtheEDPBtoadoptanurgentbindingdecisionorderingfinalmeasurestobetaken across the EEA to ensure that ‘personal data shall not be processed for behavioural advertising based on Article 6(1)(b) [GDPR] or Article 6(1)(f) GDPR in the context of the Services’ . In the NO SA Request to the EDPB, the NO SA defines ‘behavioural advertising’ as ‘targeting ads on the basis of observed behaviour’ . In the view of the NO SA, this includes ‘targeting ads on the basis of inferences drawn from observed behaviour as well as on the basis of data subjects’ movements, estimated location and how data subjects interact with ads and user-generated content’ . This definition is in line with their 69 understanding of the scope of the IE SA Decisions . 74. In the NO SA Request to the EDPB, the NO SA states that ‘[Meta IE] has failed to ensure compliance 70 with(...)[theIESADecisions]’ .According to the NOSA,thereisconsensusamong theCSAsthat Meta IE’s processing of personal data for behavioural advertising purposes is currently infringing the GDPR, and in particular Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, and the duty to comply with the decisions of the SAs .1 75. The NO SA’s analysis is based on the following elements: • Despite the IE SA Decisions, Meta IE still relies on Article 6(1)(b) GDPR to process (1) location information, including GPS location, data subjects’ activity on Meta products and the places data subjects like to go and the businesses and people data subjects are near; and (2) information about ads that Meta IE shows and how data subjects engage with those ads; for the purpose of behavioural advertising . 72 • Meta IE relies on Article 6(1)(f) GDPR to process some personal data for the purpose of behavioural advertising, while Article 6(1)(f) GDPR is not an appropriate legal basis for this processing .73 • The IE SA also considers thatMeta IE failed to demonstrate that it has a lawful basis to process platform behavioural data for behavioural advertising , and did not provide any documentation confirming that it stopped processing personal data for the purpose of 75 behavioural advertising on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR . 66NO SA Request to the EDPB, p. 12. 67NO SA Request to the EDPB, p. 12. 68NO SA Request to the EDPB, p. 3-4, referring to the NO SA Order. 69 NO SA Order, p. 3. 70NO SA Request to the EDPB, p. 6. 71NO SA Request to the EDPB, p. 5-7. 72NO SA Request to the EDPB, p. 4 which refers to the NO SA Order. See also NO SA Order, section 7.2.1.1. 73 NO SA Request to the EDPB, p. 4. The NO SA Request to the EDPB only mentions that Meta IE changed its legal basis for ‘some of its processing’ of personal data. Meta IE clarifies in its Letter to the IE SA of 30 June 2023 that these changes relate to the personal data collected on its products (paragraph 7c). A description of this data is provided in section 2.3 of the Meta IE Compliance Reports. 74 NO SA Request to the EDPB, p. 5. 75NO SA’s Decision to Impose a Coercive Fine on Meta IE and Facebook Norway of 7 August 2023, p. 4. Adopted 1876. The NO SA states that Meta IE has already been given enough time to bring its processing into compliance with Article 6(1) GDPR, and takes the view that ‘[Meta IE] is making use of dilatory 76 strategies’ . 77. The NO SA considers that there is sufficient information to allow the EDPB to conclude that infringements are taking place . 77 4.1.1.2 Inappropriate reliance on Article 6(1)(b) GDPR 4.1.1.2.1 Summary of the position of the NO SA 78. The NO SA takes the view that Meta IE’s infringement of Article 6(1)(b) GDPR in the context of its behavioural advertising processing activities was confirmed by the EDPB Binding Decisions and the IE SADecisionswhichconcluded,inlinewiththeviewsexpressedinpreviousEDPBguidelines,thatArticle 6(1)(b) GDPR is an unsuitable legal basis for behavioural advertising processing activities, both generally and in the case at issue . 78 79. The NO SA finds that Meta IE has incorrectly understood what constitutes ‘processing of personal data for the purposes of behavioural advertising’ in the IE SA Decisions . It states that Meta IE’s processing 80 81 of data subjects’ location data and engagement with ads is part of Meta IE’s processing of personal data for the purpose of behavioural advertising concerned by the IE SA Decisions 82, and that, pursuant 83 to those decisions, such processing which is based on Article 6(1)(b)GDPR, is unlawful . 4.1.1.2.2 Summary of the position of the controller 80. MetaIEstatesthat,priortotheIE SADecisions,itreliedonArticle 6(1)(b)GDPR inagoodfaithmanner and its ‘bona fide belief that it was lawful for it to do so’ , considering that different national courts found that Meta IE may validly rely on Article 6(1)(b) GDPR to process personal data for the purposes of behavioural advertising . 85 76 NO SA Request to the EDPB, p. 6. 77NO SA Request to the EDPB, p. 7. 78NO SA Request to the EDPB, footnotes 4 and 10, referring to EDPB Guidelines 8/2020 on the targeting of social media users, paragraphs 49 and 71. 79 NO SA Order, section 7.2.1.1, p. 14 (referring to the IE SA FB Decision paragraph 10.44(b) and the IE SA IG Decision paragraph 417(b), respectively). 80According to the NO SA, ‘[Meta IE]’s use of location data to inform which ads are displayed to data subjects clearly constitutesBehaviouralAdvertising.Itisuncleartouswhatthislocationisestimatedonthebasisof,ifnot the data subject’s behaviour’. NO SA Order, section. 7.2.1.1, p. 15. 81According to the NO SA, ‘For information about data subjects’ engagement with ads, we understand that data subjects may click on “Hide Ad” and that one effect of this would be that the particular ad is not shown to that data subject again. We agree with [Meta IE]’s assertion set out in its letter of 30 June 2023 that this in itself does not constitute processing for Behavioural Advertising. However, to the extent that this or any other engagement with an ad is used to inform which other ads a data subject should see, we find that the processing of personal 82ta does take place for Behavioural Advertising’, NO SA Order, section. 7.2.1.1, p. 15. NO SA Order, section. 7.2.1.1, p. 15. The NO SA also states this in the NO SA Mutual Assistance Request, p. 5. 83NO SA Order, p. 15. 84Meta IE’s Submissions of 25 August 2023, paragraph 65. 85 Meta IE’s Submissions of 25 August 2023, paragraph 65; Written Pleading of 18 August 2023 from Meta IE to Oslo District Court, p. 6. Adopted 19 86 81. Meta IE acknowledges that the IE SA Decisions concluded differently to these cases , and argues that it took since then substantial steps to bring its processing activities into ‘what it believes was 87 compliance with those decisions’ . Meta IE states that it changed its legal basis from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR for the processing of personal data collected on Meta’s products for the 88 purposes of behavioural advertising to comply with the IE SA Decisions . It states further that it relies on Article 6(1)(a) GDPR to process personal data obtained from third party advertising partners 8. 82. In relation to the definition of what behavioural advertising encompasses, Meta IE states that its processing of personal data for the purpose of behavioural advertising comprises the use of ‘information collected on Meta’s products about a user’s behaviour over time in order to assess and understand users’ interests and preferences’. According to Meta IE, this includes signals such as ‘a user’s activity across Meta’s products, engagement with content such as other users’ posts or which pages they visit, the individuals and groups they communicate with, and/or what the user searches 90 for’ . Meta IE states that it processes this personal data to assess and understand users’ interests and preferences, and to provide them with behavioural advertisements . 91 83. However, Meta IE takes the view that its processing of a) demographic data (including location data), b) In-use app, browser and device data c) advertisement shown and d) advertisement interaction data does not constitute behavioural advertising, and therefore falls beyond the scope of the IE SA Decisions 93.Inthisrespect,MetaIEarguesthatitsprocessingofsuchdataonthebasisofArticle6(1)(b) GDPR is valid .4 84. 95 . 4.1.1.2.3 Analysis of the EDPB 85. The EDPBBindingDecisionsinstructed, inter alia, the IESA to findaninfringementofArticle 6(1)GDPR on the ground that Meta IE inappropriately relied upon Article 6(1)(b) GDPR to process personal data for the purposes of behavioural advertising, and therefore lacked a legal basis to process this data for this purpose . In relation to this, the EDPB also instructed the IE SA to include in each of its final 86Written Pleading of 18 August 2023 from Meta IE to Oslo District Court, p. 6. 87Meta IE’s Submissions of 25 August 2023, paragraph 65; Written Pleading of 18 August 2023 from Meta IE to Oslo District Court, p. 6. 88 Meta IE Compliance Report on IE SA FB Decision, paragraphs 2.1 and 2.3 and Meta IE Compliance Report on IE SA IG Decision, paragraphs 2.1 and 2.3. 89 Such data includes information from third party websites, apps and certain offline interactions (such as purchases). See Meta IE Letter to the IE SA of 30 June 2023, paragraph 7c and footnote 150 below. 90Meta IE Compliance Report on IE SA FB Decision, paragraph 2.2; Meta IE Compliance Report on IE SA IG Decision, paragraph 2.2 91Meta IE Compliance Report on IE SA FB Decision, paragraph 2.2; Meta IE Compliance Report on IE SA IG Decision, paragraph 2.2. 92As described in section 5.8.2 of the Meta IE Compliance Reports. 93Meta IE’s Request for preliminary injunction of 4 August 2023, p. 27. 94 95Meta IE’s Request for preliminary injunction of 4 August 2023, p. 27. 96 EDPB Binding Decision 3/2022, paragraphs 133 and 484; EDPB Binding Decision 4/2022, paragraphs 137 and 451. Adopted 20 decisions an order for Meta IE to bring it processing of personal data for the purpose of behavioural advertising in the context of the Facebook and Instagram services into compliance with Article 6(1) GDPR within three months 97. 86. On the basis of the EDPB Binding Decisions, the IE SA Decisions ordered Meta IE to bring its processing into compliance with Article 6(1) GDPR , the IE SA ordered Meta IE to take the necessary actions to bring into compliance with Article 6(1) GDPR and to address the finding that Meta IE is not entitled to processpersonaldataforthepurposeofbehaviouraladvertisingonthebasisofArticle6(1)(b)GDPR . 99 The EDPB notes that the IE SA made clear that such action may include, but is not limited to, the identification of an appropriate alternative legal basis in Article 6(1) GDPR 100. 87. In the Compliance Reports, Meta IE indicated that it changed the legal basis it relies on for the processingof personaldata collectedon itsproductsforbehavioural advertising purposesfromArticle 6(1)(b)GDPR to Article6(1)(f)GDPRasof 5April2023, which wasthedeadlineforcompliance withthe 101 IE SA Decisions . Meta IE also states that it still relies on Article 6(1)(b) GDPR to process what it considers to be ‘limited categories of non-behavioural information’ to show advertising on Facebook 102 and Instagram . 88. In the IE SA Final Position Paper assessing Meta IE’s compliance with the IE SA Decisions and taking into consideration the comments received by the CSAs on such compliance, the IE SA addressed two key questions relevant for the purpose of this section of this urgent binding decision: the definition of behavioural advertising and whether the processing of Meta IE for advertising purposes relying upon 103 Article 6(1)(b) GDPR falls within such definition . 89. As to the definition of behavioural advertising, the IE SA referred to the definition provided by the 104 Article 29 Working Party in its Opinion 2/2010 being referred to by Meta IE in the Compliance Reports 10: ‘Behavioural advertising is advertising that is based on the observation of the behaviour of individuals over time. Behavioural advertising seeks to study the characteristics of this behaviour through their actions (repeated site visits, interactions, keywords, online content) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their inferred interests’ 106. 97 EDPB Binding Decision 3/2022, paragraphs 288 and 493; EDPB Binding Decision 4/2022, paragraphs 290 and 459. 98See IE SA FB Decision, paragraph 10.44b; IE SA IG Decision, paragraph 212. See also IE SA Final Position Paper, paragraph 2.1. 99 IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 212. 100IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 212. 101Meta IE Compliance Report on IE SA FB Decision, paragraph 2.1; Meta IE Compliance Report on IE SA IG Decision, paragraph 2.1. 102 Meta IE Compliance Report on IE SA FB Decision, paragraph 3.1.3; Meta IE Compliance Report on IE SA IG Decision, paragraph 3.1.3. 103IE SA Final Position Paper, paragraphs 7.3 - 7.22. 104IE SA Final Position Paper, paragraph 7.5, referring to Article 29 Working Party Opinion 2/2010 adopted on 22 June 2010, p. 5. 105Meta IE Compliance Report on IE SA FB Decision, p. 4; Meta IE Compliance Report on IE SA IG Decision, p.4. 106Article 29 Working Party Opinion 2/2010 adopted on 22 June 2010, p. 5. Adopted 2190. TodefinewhethertheprocessingofMetaIEforadvertisingpurposesrelyinguponArticle6(1)(b)GDPR falls within such definition, the IE SA also referred to the description of Meta IE’s processing for 107 behavioural advertising purposes provided by the EDPB in the EDPB Binding Decisions : ‘[Meta IE] collects data on its individual users and their activities on and off its Facebook social networkservicevianumerousmeanssuchastheserviceitself,otherservicesoftheMetagroup including Instagram, WhatsApp and Oculus, third party websites and apps via integrated programming interfaces such as Facebook Business Tools or via cookies, social plug-ins, pixels and comparable technologies placed on the internet user’s computer or mobile device. According to the descriptions provided, [Meta IE] links these data with the user’s Facebook accounttoenableadvertiserstotailortheiradvertisingtoFacebook’sindividualusersbasedon their consumer behaviour, interests, purchasing power and personal situation. This may also include the user’s physical location to display content relevant to the user’s location’10. 91. The IE SA noted that Meta IE relies on Article 6(1)(b) GDPR for a more limited set of personal data for 109 advertising purposes in the Facebook and Instagram services . The EDPB notes that Meta IE argues that it is relying on Article 6(1)(b) GDPR for the processing of ‘limited non-behavioural information’ to show advertisements, as described in its Compliance Reports 110: ‘a) Demographic data. This consists of age users provide, gender users provide, and estimated general location. The use of demographic data is required to ensure advertising is appropriate in accordance with the Terms of Use/Service. For example, (...) (c) relying on location is necessary to ensure advertisements that [Meta IE] show users are in an appropriate language and relate to an appropriately located company or service (e.g., [Meta IE] does not show users advertisements for products which are not available in their country); b) In-use app, browser and device data. (...) This includes the type of device being used, the language chosen on the device at that time and the version of the Facebook/Instagram app being used. These data points are necessary to deliver advertisements appropriately. For example,toproperlyformattheadvertisementtomeettheviewingrequirementsofthedevice, to avoid users being shown advertisements for apps which are not supported by the operating systemontheirdevice,andensurethattheadvertisementisinthechosenlanguageoftheuser; c) Advertisements shown. This consists of information on whether the advertisement is rendered and delivered to a user. This information is a basic metric which [Meta IE] needs in order, for example, to ensure the number of advertisements that [Meta IE] shows to users is at an appropriate level and to ensure that the same advertisements are not being directed to the user repeatedly. The information does not indicate whether the user has actually noticed the advertisement; d) Advertisement interaction data. This consists of two forms of information provided by users if they choose to interact with advertisements: (a) to provide negative feedback on their advertising experience, for example by selecting to “hide” or report an advertisement; and (b) 107IE SA Final Position Paper, paragraph 7.4, referring to EDPB Binding Decision 3/2022, paragraphs 95-96 and EDPB Binding Decision 4/2022, paragraphs 98-99. 10EDPB Binding Decision 3/2022, paragraphs 95-96 and EDPB Binding Decision 4/2022, paragraphs 98-99. 10IE SA Final Position Paper, paragraphs 2.2, 4.5 and 7.6. 110 As referred to in the IE SA Final Position Paper, paragraph 7.6. Adopted 22 to provide positive feedback on their advertising experience, for example by clicking advertisements they find relevant’. 111 92. The EDPB notes the IE SA’s following findings: • In relation to location data, the IE SA took the view that Meta IE did not provide sufficient information to allow the IE SA to understand why location data would fall outside the 112 definition of behavioural data . According to the IE SA, Meta IE did not explain whether it is processing the user’s physical location or the location that they proactively provide to Meta IE to target ads to them. • In relation to device data, the IE SA indicated that device information could also be used to identify different market segments, which in turn could be processed for behavioural advertising purposes 113. • In relation to advertisements shown, the IE SA indicated that more clarity from Meta IE would be required as to whether Meta IE only analyses records of ads shown (which, according to the IE SA, are not amounting to behavioural data) or also behavioural ads presented by other tools through a shared interface screen, which would also add to the behavioural processing by Meta IE 114. • In relation to advertisement interaction data, the IE SA underlined that ‘interaction data’ was listed in the definition of behavioural advertising in the Article 29 Working Party Opinion, 115 which was incorporated by Meta IE into its Compliance Reports . The IE SA therefore underlined the lack of clarity on how Meta IE would then distinguish ‘advertisement interaction data’, listed in point d) above from ‘interaction data’ included in the Article 29 Working Party Opinion 2/2010. The IE SA raised concerns as to the fact that Meta IE stated that it relies on Article 6(1)(b) GDPR in circumstances where the user provides positive advertising feedback 116. According to the IE SA, this falls within the definition of behavioural 111 Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2; Meta IE Compliance Report on IE SA IG Decision, paragraph 5.8.2. 112In particular,the IE SAstatedthat‘[Meta IE]hasexplainedthe usesof this data, but notwhy theseusesdo not amount to behavioural processing. For example, it is unclear if location data is used by [Meta IE] to tailor ads to users on the basis of visits to certain types of shops, their travel to business hubs or holiday destinations, or the times of year at which they travel. If [Meta IE] use location data in these ways, then this would be processing personal data for the purposes of behavioural advertising, both by reference to the EDPB’s description of such advertising, as set out at paragraph 7.4 above, and by reference to the Article 29 Working Party Opinion relied on by [Meta IE]’, IE SA Final Position Paper, paragraph 7.11. 113The IE SA stated that ‘it is unclear whether [Meta IE] identifies device information as a different market segment. While the processing of device information to serve ads may not amount to behavioural advertising, it ispossiblethat[MetaIE]identifiescertaindevicesasadifferentmarketsegment.Thetypeofdevicecouldindicate spending power or history, which could be processed for behavioural purposes’, IE SA Final Position Paper, paragraph 7.12. 114 115IE SA Final Position Paper, paragraph 7.13. Article 29 Working Party Opinion 2/2010 adopted on 22 June 2010, p. 5 referred to in Meta IE Compliance Report on IE SA FB Decision, p. 4 and Meta IE Compliance Report on IE SA IG Decision, p. 4. 116The IE SA’s concerns relate in particular to Meta IE’s statement that when ‘the user provides positive advertising feedback (e.g., actively choosing to click on a specific ad they find relevant and want to see), [Meta IE] similarly needs to use that information to ensure it is providing the user with an appropriate and relevant personalised advertising experience pursuant to the Terms of Service’, see IE SA Final Position Paper, paragraph 7.14, referring to Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2 and Meta IE Compliance Report on IE SA IG Decision, paragraph 5.8.2. Adopted 23 advertising provided by the Article 29 Working Party Opinion 2/2010 as it involves Meta IE ’117 ‘inferringconclusionsaboutuserpreferencesfromusers’interactionwithanadvertisement . Following further information provided by Meta IE on 30 June 2023 to the IE SA on negative advertisingfeedback 11,theIESAindicatedthat,totheextentthatMetaIE‘processespersonal data solely to prevent a specific hidden ad being shown to a user, then the [IE SA] agrees that this does not amount to behavioural advertising. However, to the extent that [Meta IE] infers a user’s advertising preferences from the fact that they have hidden an ad, then this does fall withinthedefinitionofbehaviouraladvertising’ 119.TheIESAaddedthat‘[MetaIE]submissions are too vague to determine whether it processes personal data just to hide the specific ad, or whether it draws inferences from the choice to hide an ad. The reference in the justification of this processing to a user’s “personal advertising experience” indicates that the decision to hide 120 onead could beused toinferpreferencesabout theadsthat a user receives moregenerally’ . TheEDPBnotesthatthisappreciationisinlinewiththeobservationsmadebytheDEHamburg 121 SA .The IE SA thereforeprovidedthat‘it appearsfrom theinformationprovidedby[MetaIE] that it uses data about hidden ads to engage in behavioural advertising’. The IE SA also provided similar conclusions for the positive feedback, raising that ‘Using information about click-throughs to determine what types of ads a user wants to see in the future falls plainly within the definition of behavioural advertising provided by [Meta IE] to the [IE SA]’ 12. 93. In light of the above, the EDPB notes that the IE SA found that Meta IE still conducts some processing for the purposes of behavioural advertising in reliance on Article 6(1)(b) GDPR 123. 94. In addition, the IE SA also indicated the lack of sufficient information to explain why categories (a) to (d) were not behavioural data 124. The EDPB also notes that on this basis, the IE SA found that Meta IE had not demonstrated compliance with the IE SA Decisions as regards reliance on Article 6(1)(b) GDPR for behavioural advertising 12. 95. The EDPB notes that this view was also expressed by certain CSAs replying to the IE SA IMI Informal Consultations. More specifically, the FI SA stated that ‘the following personal data seems to be still unlawfully collected for behavioural advertising purposes under Article 6(1)(b) [GDPR]: “Information 117 IE SA Final Position Paper, paragraph 7.15. 118Meta IE said that ‘with respect to negative advertising feedback, if a user selects the option that is available to “Hide Ad – never see this ad again,” then [Meta IE] needs to use that information to ensure that choice regarding the user’s personal advertising experience (i.e., what advertisements they do not want to see) is respected’, IE SA Final Position Paper, paragraph 7.16. 119IE SA Final Position Paper, paragraph 7.16, referring to the comments of the DE Hamburg SA on the IE SA Provisional Position Paper. 120IE SA Final Position Paper, paragraph 7.16. 121 ‘Allowing[MetaIE]tofurtherjustifywhetheritprocessespersonaldataonlytohideaparticularad,orwhether it draws inferences from the decision to hide an ad, is nothing more than leaving a choice not to describe the actual purpose of the processing, to formally fall short of the definition of behavioural advertising. In doing so, hiding certain ads without anything deriving from that decision would contradict [Meta IE]´s business model. To the extent that this or other engagement with an ad is used to learn what other ads a data subject should see, Hamburg SA notes that the processing of personal data serves purposes of behavioural advertising’, Views of DE Hamburg SA of 4 May 2023; as referred to in the IE SA Final Position Paper, paragraph 7.17. 122IE SA Final Position Paper, paragraph 7.19. 123 IE SA Final Position Paper, paragraph 6.2 and paragraph 8.1. 124IE SA Final Position Paper, paragraph 7.22. 125IE SA Final Position Paper, paragraphs 7.1, 7.22 and 8.1. Adopted 24 about ads we show you and how you engage with those ads” and “Location information”’. 126The IT SA also stated that ‘[Meta IE]’s proposal is not such as to adequately implement the order to bring the processing into compliance insofar as it misclassifies part of the user-related information and thereby applies the legal basis of contractual performance under Article 6(1)(b) GDPR to the serving of ads which, actually, are behavioural in nature’ 12. 96. The EDPB observes that if any of the data listed in paragraph 91 of this urgent binding decision may be considered as falling within the scope of the definition of behavioural advertising, there are grounds forfinding thatMetaIEisinfringingArticle6(1)GDPR.Thisis becauseMetaIE wouldstill beprocessing personal data for the purpose of behavioural advertising on the basis of Article 6(1)(b)GDPR, although it was considered unlawful by the IE SA Decisions 12. 97. Inthisrespect,theEDPBsharestheIESA’sviewthatMetaIEstillconductssomeprocessingofpersonal data for the purposes of behavioural advertising in reliance on Article 6(1)(b) GDPR 12, at least for the following categories of data: • Location data - the EDPB finds, in line with the view of the IE SA, that Meta IE failed to demonstrate that its processing of location data does not constitute processing for the 130 purpose of behavioural advertising . It is unclear to the EDPB, as it is to the NO SA and the IE SA, on which basis the location is estimated, if not the data subject’s behaviour. The EDPB consequently finds, in line with the view of the NO SA, that Meta IE’s processing of location 131 data to inform which ads are displayed to data subjects constitutes behavioural advertising . • Advertisement interaction data - the EDPB finds, in line with the view of the IE SA, that Meta IE failed to demonstrate that its processing of advertisement interaction data does not constitute processing for the purpose of behavioural advertising. The EDPB shares the view of the IE SA that ‘[Meta IE] is recording the behaviour of the users when they are presented with adsandusethattotailorfuturepresentationofads’ 132.TheEDPBconsequentlyfindsthatMeta IE’s processing of advertisement interaction data constitutes behavioural advertising for the following reasons: o As rightly pointed out by the IE SA, the EDPB recalls that interaction is listed among the data types in the definition of behavioural advertising in the Article 29 Working Party Opinion 2/2010 13. o The EDPB observes that irrespective of whether the data subject provides negative or positivefeedbackon theadstheysee, MetaIEstatesthattheinteractionswill beused 134 toprovidean‘appropriateandrelevantadvertisingexperience’ whichindicatesthat Meta IE is inferring conclusions about user preferences from such interaction. 126Views of the FI SA of 15 May 2023, p. 2. 127Views of IT SA on IE SA FB Decision of 23 May 2023, p. 2, and views of IT SA in IE SA IG Decision of 23 May 2023, p. 2. 128 In this respect, the IE SA Decisions implemented the findings described in the EDPB Binding Decision 3/2022, paragraphs 94-133 and the EDPB Binding Decision 4/2022, paragraphs 97-137. 129See paragraphs 92-93 above. 130IE SA Final Position Paper, paragraph 7.11. 131 132IE SA Final Position Paper, paragraph 7.11. IE SA Final Position Paper, paragraph 7.14. 133IE SA Final Position Paper, paragraph 7.14. 134Meta IE Compliance Report on IE SA FB Decision, p. 16. Adopted 25 o With respect to negative feedback (i.e., where the data subject clicks to hide/report an ad), the EDPB observes that Meta IE states that it needs to use this information ‘to ensure that choice regarding the user’s personal advertising experience (i.e., what 135 advertisements they do not want to see) is respected’ . The EDPB also observes that MetaIEstatesthat theoptions‘HideAd’and‘Report Ad’areusedto‘directlyinfluence the ads [users] see’ 13. The EDPB shares the view of the IE SA that ‘the reference in the justification of this processing to a user’s “personal advertising experience” indicates that the decision to hide one ad could be used to infer preferences about the ads that 137 a user receives more generally’ and therefore that ‘it appears from the information provided by [Meta IE] that it uses data about hidden ads to engage in behavioural 138 advertising’ . o With respect to positive feedback, the EDPB observes that Meta IE states that when ‘the user provides positive advertising feedback (e.g., actively choosing to click on a specific ad they find relevant and want to see), [Meta IE] similarly needs to use that information to ensure it is providing the user with an appropriate and relevant 139 personalised advertising experience pursuant to the Terms of Service’ . Consequently, the EDPB also shares the view of the IE SA that this practice falls within the definition of behavioural advertising provided by the WP29 Opinion as it involves Meta IE ‘inferring conclusions about user preferences from users’ interaction with an ’140 advertisement . 98. In conclusion, the EDPB finds that Meta IE is inappropriately relying on Article 6(1)(b) GDPR to process location data and advertisement interaction data collected on its products for the purpose of behavioural advertising. 99. In addition, the EDPB shares the view of the IE SA that Meta IE did not provide sufficient information to explain whyother categoriesofdata processed by Meta IEdo notamount to behaviouraldata,such 141 as device data and advertisements shown . In this respect, the EDPB finds, in line with the view of the IE SA, that in relation to device data, if Meta IE would use device data to identify different market segments, this would constitute a processing for behavioural advertising for which it would rely inappropriately on Article 6(1)(b), infringing Article 6(1) GDPR 142. 135Letter from Meta IE to the IE SA of 30 June 2023, p. 5. 136Meta IE’s submissions of 16 October 2023 to the Oslo District Court. For Instagram specifically, also see the screenshots included in p. 35 of the Annex 3 to the Compliance Report on IE SA IG Decision. 137IE SA Final Position Paper, paragraph 7.16. 138IE SA Final Position Paper, paragraph 7.18. 139Meta IE Compliance Report on IE SA FB Decision, paragraph 5.8.2 and Meta IE Compliance Report on IE SA IG 140ision, paragraph 5.8.2. IE SA Final Position Paper, paragraph 7.15. 141See paragraph 89 above. 142The IE SA stated that ‘it is unclear whether [Meta IE] identifies device information as a different market segment. While the processing of device information to serve ads may not amount to behavioural advertising, it ispossiblethat[MetaIE]identifiescertaindevicesasadifferentmarketsegment.Thetypeofdevicecouldindicate spending power or history, which could be processed for behavioural purposes’, IE SA Final Position Paper, paragraph 7.12. Adopted 26 4.1.1.3 Inappropriate reliance on Article 6(1)(f) GDPR 4.1.1.3.1 Summary of the position of the NO SA 100. The NO SA considers that Article 6(1)(f) GDPR does not constitute an appropriate legal basis under 143 Article 6(1) GDPR for Meta IE’s behavioural advertising processing . 101. The NO SA refers to the IE SA Final Position Paper, in which the IE SA concluded that Meta IE continues to fail to rely onavalidlegalbasis toprocesspersonaldata for behaviouraladvertising purposesunder Article 6(1) GDPR, despite Meta IE’s switch to Article 6(1)(f) GDPR as a legal basis for its behavioural advertising processing on 5 April 2023 14. The NO SA outlines that this conclusion was supported by 145 several CSAs explicitly, without any objection being raised by the other CSAs . 102. Further, the NO SA states that paragraph 117 of the CJEU Bundeskartellamt Judgment validates the conclusion that Article 6(1)(f) GDPR does not constitute an appropriate legal basis for Meta IE’s behavioural advertising processing 146. In this respect, the NO SA acknowledges Meta IE’s view that the judgment is irrelevant and relates to a different aspect of Meta IE’s processing for behavioural advertising 147. However, the NO SA argues that the ruling does apply to Meta IE’s behavioural 148 advertising practices in general and, therefore, that it cannot be disregarded . 4.1.1.3.2 Summary of the position of the controller 103. In its Compliance Reports, Meta IE states that it has changed its legal basis from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR for ‘Behavioural Advertising Processing’ - solely for personal data collected on Meta’s products 149- to comply with the IE SA Decisions 150. 104. Asmentionedinparagraph81above,MetaIEdefinesthescopeofthisprocessingoperationprocessed on the basis of Article 6(1)(f) GDPR as follows: ‘Behavioural Advertising Processing comprises the use by [Meta IE] of information collected on [Meta’s] products about a user’s behaviour over time in order to assess and understand users’ 143NO SA Request to the EDPB, p. 4. 144NO SA Request to the EDPB, p. 5. As specified in paragraph 104 below, Meta IE defines the scope of this processing operation processed on the basis of Art. 6(1)(f) GDPR as relating to personal data collected on Meta’s products. 145NO SA Request to the EDPB, p. 5. 146NO SA Request to the EDPB, p. 5. 147NO SA Request to the EDPB, p. 6. As specified in paragraphs 109 and 142 below, in paragraph 1.5 (A) of Meta IE’s Response to the IE SA’s Provisional Position Paper of 4 August 2023, Meta IE considers that the Bundeskartellamt Judgment ‘does not rule out Article 6(1)(f) [GDPR] “as a matter of principle” as a valid legal basis for [Meta IE]’s Behavioral Advertising Processing. The judgment assessed Article 6(1)(f) [GDPR] (and the element of “necessity”) in the context of different processing than is at-issue here (i.e., data collected off-[Meta], and to a limited extent cross-product data processing, as opposed to data collected on-[Meta] products). (...) Further,theCJEUdidnot(andcouldnotasamatteroflaw)issueablanketfindingthatusers’interestswillalways outweigh [Meta IE]’s and third parties’ legitimate interests in the context of personalised advertising (...).’ 148NO SA Request to the EDPB, p. 6. 149 Meta IE indicates to rely on Art. 6(1)(a) GDPR to process personal data about users’ activity off-Meta’s products (such as on third-party websites, apps and certain offline interactions (e.g., purchases)), obtained by MetaIEfromthirdpartyadvertisingpartnersforthepurposesofshowingpersonalisedadvertisingtotheseusers onFacebookorInstagram(seeMetaIEComplianceReportonIESAFBDecision,p.12,paragraph3.1.2,andMeta IE Compliance Report on IE SA IG Decision, p. 13, paragraph 3.1.2). 150Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision, p. 4. Adopted 27 interests and preferences. This includes signals such as a user’s activity across [Meta’s] products, engagement with content such as other users’ posts or which pages they visit, the individuals and groups they communicate with, and/or what the user searches for. [Meta IE] uses all of these signals to assess and understand users’ interests and preferences and to provide them with behavioural advertisements.’ (emphasis added in bold) 151 105. With respect to the above, the EDPB notes that the personal data processed for behavioural advertising purposes on the basis of Article 6(1)(f) GDPR is collected ‘on’ and ‘across’ Meta’s products and that these terms are used interchangeably by Meta IE. 106. Meta IE also refers to its updated privacy policies for Facebook and Instagram, which provide the list of categories of personal data processed for this purpose 152. 107. In Meta IE’s view, it was entitled to consider that it could switch to Article 6(1)(f) GDPR for its behaviouraladvertisingprocessingtocomplywiththeIESADecisions 153.AccordingtoMetaIE,neither the EDPB Binding Decisions nor the IE SA Decisions ordered Meta IE to rely on a specific legal basis under Article 6(1) GDPR, such as Article 6(1)(a) GDPR 154. Meta IE argues that it is only once the IE SA adopted the IE SA Final Position Paper on 18 August 2023 that an authority concluded that Meta IE’s reliance on Article 6(1)(f) GDPR was insufficient to comply with the IE SA Decisions 155. Meta IE argues that prior to this date ‘[s]ome SA submissions are inconsistent with one another and cannot be reconciled (for example (...) certain SAs appear to consider that consent is the only viable basis possible 156 whereas others accept Article 6(1)(f) GDPR is viable)’ . 157 108. Meta IE carried out Legitimate Interests Assessments annexed to its Compliance Reports , in which it concludes that Article 6(1)(f) GDPR constitutes an appropriate legal basis for behavioural 158 advertising . Meta IE reiterates this conclusion on 4 August 2023, after having made a commitment to switch to Article 6(1)(a) GDPR through the Meta IE’s Consent Proposal 15. In addition, Meta IE highlighted that it ‘expended significant resources’ and implemented ‘very substantial steps’ to switch from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR to comply with the deadline of 5 April 2023 16. 109. With respect to the CJEU Bundeskartellamt Judgment, Meta IE takes the view that this case ‘does not rule out Article 6(1)(f) [GDPR] as a matter of principle as a valid legal basis’ for Meta IE’s behavioural 151 Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision, p. 4. 152Meta IE Compliance Report on IE SA FB Decision, p. 4-5, and Meta IE Compliance Report on IE SA IG Decision, p. 4-5. 153 Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 22. See also Meta IE’s letter to the IE SA of 27 July 2023, p. 1-2. 154Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 4 and 16. 155 Meta IE’s Submissions of 26 September 2023, p. 11 and Meta IE’s Submissions of 16 October 2023, p.5. 156Letter from Meta IE to the IE SA regarding process and urgency of 31 May 2023, p. 3. 157Meta IE’s Legitimate Interests Assessments Behavioural Advertising Processing of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FBDecision and Annex 4 toMeta IE ComplianceReport on IE SA IG Decision. 158 Annex 4 to the Meta IE Compliance Report on IE SA FB Decision and to Meta IE Compliance Report on IE SA IG Decision, p. 4, and Meta IE Compliance Report on IE SA FB Decision, p. 11, Meta IE Compliance Report on IE SA IG Decision, p. 12. 159Meta IE’s Request for preliminary injunction, 4 August 2023, p. 27. 160 Meta IE’s Submissions of 26 September 2023, p. 10 and Meta IE’s Submissions of 16 October 2023, p.5. See also Meta IE’s Submissions of 25 August 2023, p. 33. Adopted 28 advertising processing activities, given that the CJEU ‘did not (and could not as a matter of law) issue a blanket finding that users’ interests will always outweigh [Meta IE]’s and third parties’ legitimate interests in the context of personalised advertising’ 161. It argues that the CJEU Bundeskartellamt Judgment relates to a different processing than the processing covered by the EDPB Binding Decisions and the IE SA Decisions. More specifically, Meta IE points out that this judgment relates to personal data collected off-Meta, as opposed to data collected on-Meta products. Notably, Meta IE states that the scope of the case, ‘excludes processing for behavioural advertising purposes when using personal data collected across different [Meta IE]’s products’, while acknowledging that the case focuses ‘to a lesser extent’ on ‘the processing of personal data collected across various [Meta IE]’s products’ 16. 110. Lastly, despite considering that it can lawfully rely on Article 6(1)(f) GDPR, Meta IE announced that, taking into account the ‘different views’ of the IE SA both in the IE SA Provisional Position Paper and regarding the interpretation of the CJEU Bundeskartellamt Judgment, it was willing to switch to 163 consent for the processing at stake . 164 . 165 . 166. 167. 4.1.1.3.3 Analysis of the EDPB 111. In the IE SA Decisions, Meta IE was directed to take the necessary action to address the finding that Meta IE is not entitled to carry out the processing operations at stake on the basis of Article 6(1)(b) GDPR,wasordered tobringits processingof personaldatafor the purposesofbehaviouraladvertising into compliance with Article 6(1) GDPR and it was specified that such action is ‘not limited to the 161 Meta IE’s Response to IE SA’s Provisional Position Paper, 4 August 2023, section 1.5 (A) and also section 2 for a more detailed analysis. 162 Meta IE’s Request for preliminary injunction, 4 August 2023, p. 27. 163 Meta IE’s letter to the IE SA of 27 July 2023, p. 1-2. 164 Meta IE’s letter to the IE SA of 27 July 2023, p. 2. 165 Meta IE’s letter to the IE SA of 27 July 2023, p. 2. 166 IE SA’s letter to Meta IE of 11 August 2023, p. 2. 167 IE SA’s letter to Meta IE of 11 August 2023, p. 2. Adopted 29 identification of an appropriate alternative legal basis’, but may include the implementation of ‘any necessary measures required to satisfy the conditionality associated with that/those alternative legal basis/bases’ 16. 112. TheEDPBnotesthat,accordingtoMetaIEComplianceReportsandtheIESAFinalPositionPaper,Meta 169 IE relies on Article 6(1)(f) GDPR to process personal data collected on Meta’s products for the purposes of behavioural advertising since 5 April 2023 170. 113. Pursuant to Article 6(1)(f) GDPR, Recital 47 GDPR and the CJEU’s settled case-law 171, three cumulative conditions must be met to be able to rely on Article 6(1)(f) GDPR, ‘namely, first, the pursuit of a legitimate interest by the data controller or by a third party; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, [according to a balancing test] that the interests or fundamental freedoms and rights of the person concerned by the data protection do not 172 take precedence over the legitimate interest of the controller or of a third party’ . 114. More specifically, the first condition relates to the existence of legitimate interests pursued by the controller or a third party. 115. Meta IE has identified different interests that it considers legitimate and on which it relies for the processing at stake. These interests are pursued either by Meta IE or third parties, namely businesses that use Facebook/Instagram and other users of Meta’s products 173. More specifically, Meta IE identified the four following legitimate interests: • (1)Meta IE’s‘interest and theinterestsofother userstoprovidea positiveuserexperiencethat users will want to engage with, and which is tailored to users - providing quality targeted and personalised ads is a core element of the wider user experience across Meta Products’, • (2) Meta IE’s ‘interest and the interests of other users to enable [Meta IE] to generate revenue and continue to innovate, improve and develop the Meta Products and new technologies’, • (3) Meta IE’s and third parties’ (e.g. advertisers) interests ‘to provide businesses, both big and small, the opportunity to connect with the users who are most likely to be interested in their products and services’, and • (4) Meta IE’s ‘interests and the interests of third parties (e.g. advertisers) and other users, for businesses, both big and small, to be able to promote their products and services to users’ 17. 168 IE SA FB Decision, paragraph 8; and IE SA IG Decision, paragraph 212. 169IE SA Final Position Paper, paragraph 7.23, p. 11-12, referring to Meta IE’s Letter to the IE SA of 30 June 2023, and Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision, p. 4. 170 IE SA Final Position Paper, paragraph 7.25, p. 12, and Meta IE Compliance Report on IE SA FB Decision, p. 4, and Meta IE Compliance Report on IE SA IG Decision, p. 4. 171As recently recalled in the CJEU Bundeskartellamt Judgment, paragraph 106, which refers to previous case- law. The IE SA Final Position Paper also recalls and applies this test in paragraphs 7.27 and seq., p. 12-21. 172See paragraph 106 of the CJEU Bundeskartellamt Judgment. 173 Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p. 6. 174Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p. 6. Adopted 30116. These four categories of interests are further broken down in several sub-interests in Meta IE Legitimate Interests Assessments 17. For example, the first and the second legitimate interests also include the following sub-interest: ‘[For other Facebook and Instagram users:] The enjoyment of Facebook and Instagram services free of charge’. 176 117. As recalled by the IE SA, the given legitimate interests must be ‘sufficiently clearly articulated and [be] real and present, corresponding to current activities or to benefits that are expected in the near future’ 177. 118. The EDPB notes that the IE SA concluded that the interests listed by Meta IE in its Compliance Reports can meet these criteria 178. 119. The second condition relates to the necessity of the processing for the pursuit of those interests (or ‘necessity test’). 120. In its Compliance Reports, Meta IE considers that: (1) the processing at stake is necessary to pursue and achieve the legitimate interests identified by Meta IE 179, (2) this processing is reasonable and 180 proportionate to achieve the legitimate interests pursued and (3) no viable alternatives exist that would allow the legitimate interests to be achieved 181. 121. In that regard, the IE SA considers that Meta IE failed to demonstrate in its Compliance Reports that its behavioural advertising processing was necessary to the different legitimate interests it identified 182. More specifically, the IE SA points out that Meta IE’s explanations regarding the impact of the processing at stake are ‘too vague’ and therefore they do not allow the IE SA to determine that there is a less intrusive alternative that Meta IE could pursue 183. In addition, the IE SA considers that Meta IE Legitimate Interests Assessments do not apply the necessity test for each of the legitimate interest on which it relies 184. 122. More specifically, regarding the first interest set out by Meta IE, the IE SA refers to the EDPB Binding Decision 3/2022 and concludes that behavioural advertising is not in the interest of all Meta IE’s users, 185 but only of some users . Therefore, according to the IE SA, Meta IE has not explained the need to 175 MetaIELegitimateInterestsAssessmentsBehaviouralAdvertisingProcessingof3April2023,Annex4toMeta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 9- 13. 176MetaIELegitimateInterestsAssessmentsBehaviouralAdvertisingProcessingof3April2023,Annex4toMeta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 9. This sub-interest is further detailed on p. 12 of Meta’s Legitimate Interests Assessments. 177IE SA Final Position Paper, paragraph 7.33, referring to the EDPB Binding Decision 02/2022, paragraph 110. 178 IE SA Final Position Paper, paragraph 7.33, p. 13-14. 179Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision, p.6, both referring to sections 2.b, 2.c., and 3.a of Meta IE Legitimate Interests Assessments. 180Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision, p. 7, both referring to section 3.b of Meta IE Legitimate Interests Assessments. 181Meta IE Compliance Report on IE SA FB Decision, p. 6 and Meta IE Compliance Report on IE SA IG Decision, p. 7, both referring to sections 3.c, 3.d, and 3.e of Meta IE Legitimate Interests Assessments. 182 183IE SA Final Position Paper, paragraph 7.50, p. 18. IE SA Final Position Paper, paragraph 6.3, p. 5. 184IE SA Final Position Paper, paragraph 7.41, referring to Meta IE Legitimate Interests Assessments Behavioural Advertising Processing of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision. 185IE SA Final Position Paper, paragraphs 7.43-7.44, p. 16. Adopted 31 process the personal data of all of its users ‘for the purposes of realising the interests of those users 186 who want to receive behavioural advertising’ . 123. Further, regarding the second, third and fourth interests put forward by Meta IE in its Compliance 187 Reports , the IE SA concludes that Meta IE’s arguments are not sufficiently substantiated because of the vagueness and the lack of specificity of the analysis 188. In particular, Meta IE has not explained which specific categories of personal data Meta IE needs to process or which processing operations need to take place to achieve the above interests 189. 124. When conducting the ‘necessity test’ in the Meta IE Legitimate Interests Assessments, Meta IE claims that ‘Without the Processing, which as explained above is essential in order to monetise Facebook and Instagram, [Meta IE] would not be able to provide the services to users free of charge in the same manner as it does currently. This in turn would jeopardise the attainment of the legitimate interests identified above’ 190. According to Meta IE, if it did not carry out the processing of personal data collected on its products for the purpose of behavioural advertising and if it only carried out the ‘limited’ processing it engages in when data subjects object, it ‘would significantly impact the user experienceonFacebook andInstagram (in part, duetolessinnovation happeningon theplatformsdue to reduced revenue) and it would also impact [Meta IE]’s ability to provide Facebook and Instagram free of charge (regardless of the financial means of the user) to users as this is largely due to the revenues that [Meta IE] makes from enabling advertisers to effectively advertise to Instagram and 191 Facebook users’ . 125. However, the IE SA points out that Meta IE’s privacy policy states that Meta IE is pursuing a legitimate interest ‘to generate revenue’, which is different than providing services for free 19. According to the IE SA, given that other types of advertising may also generate revenue, it cannot be concluded that behavioural advertising is necessary to generate ‘any revenue at all’ 193. 126. The IE SA also highlights that ‘there is no explanation as to why it is necessary to process all the data categories that [Meta IE] uses for behavioural advertising in order to provide the services for free’ 19. Against this background, the IE SA concludes that Meta IE’s claim that it is necessary to carry out behavioural advertising to provide Meta IE’s services is not sufficiently granular 195. In particular, it is unclear whether, through this argument, Meta IE is saying that (1) Meta IE is unable to provide FacebookandInstagramforfreeunlessitprocessesthepersonaldataofallofitsusersforthepurpose 186 IE SA Final Position Paper, paragraph 7.44, p. 16. 187Meta IE Compliance Report on IE SA FB Decision, p. 6, and Meta IE Compliance Report on IE SA IG Decision, p. 6. 188IE SA Final Position Paper, paragraphs 7.45 and 7.50, p. 16 and 18. 189 IE SA Final Position Paper, paragraph 7.45, p. 16. 190MetaIELegitimateInterestsAssessments BehaviouralAdvertisingProcessingof3April2023,Annex4toMeta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 21, section 3a. 191 MetaIELegitimateInterestsAssessments BehaviouralAdvertisingProcessingof3April2023,Annex4toMeta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 24, section 3d. 192IE SA Final Position Paper, paragraph 7.46, p. 17. 193 IE SA Final Position Paper, paragraph 7.46, p. 17. 194IE SA Final Position Paper, paragraph 7.47, p. 17. 195IE SA Final Position Paper, paragraph 7.47, p. 17. Adopted 32 of behavioural advertising, or (2) Meta IE is still able to provide Facebook and Instagram for free by 196 processing the personal data of some of its users who do not object to behavioural advertising . 127. The IE SA’s conclusion for the second condition was shared by a number of CSAs in their comments and reactions on the Compliance Reports: • On 4 May 2023, the NL SA outlined that ‘[t]he massive processing of users’ (special) personal data for the purpose of behavioural advertising is not ‘necessary’ for the purposes of the 197 declared interests’ . • On 23 May 2023, the IT SA notes in relation to Meta IE Legitimate Interests Assessments that ‘it is as if the controller were shifting the burden of proof regarding legitimate interest as the legal basis of processing on the data subjects – who conversely should be called into play as key actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the necessity of the processing and performing the required balancing exercise’ 19. • In the NO SA Order, the NO SA argues that Meta IE fails to show that it fulfils the ‘necessity test’ based on (1) the absence of assessment of the necessity of each interest put forward by Meta IE, (2) the absence of a substantiated assessment regarding alternative advertising models that could be viable, (3) the incorrect finding in Meta IE Legitimate Interests Assessments that its behavioural advertising processing is unlikely to have an adverse impact ondata subjects,and (4)theinappropriatereference to the fact thatother businessesarealso carrying out behavioural advertising, which does not have an impact on the lawfulness of such processing 19. 128. According to the settled case-law of the CJEU, when applying the necessity test, ‘it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in 200 so far as is strictly necessary’ . 129. In its Bundeskartellamt Judgment, the CJEU also recalled that this second condition requires ‘to ascertain that the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed by 201 Articles 7 and 8 of the Charter’ . This condition must also be examined in conjunction with the principle of data minimisation under Article 5(1)(c) GDPR 202. 196IE SA Final Position Paper, paragraph 7.47, p. 17. 197Views of the NL SA of 4 May 2023 on Meta IE’s choice of a new legal basis for the processing of personal data 198Meta IE in the framework of Behavioural Advertising on its platforms Facebook and Instagram, paragraph 3. Views of IT SA on the IE SA FB Decision of 23 May 2023, p. 2, and views of IT SA on the IE SA IG Decision of 23 May 2023, p. 2. 199NO SA Order, p. 17-18. 200Judgment of 4 May 2017, Rīgas satiksme, C-13/16, ECLI:EU:C:2017:43, paragraph 30 and cited case-law; Judgment of 11 December 2014, Ryneš, C-212/13, ECLI:EU:C:2014:2428, paragraph 28; Judgment of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, paragraph 46. 201CJEU Bundeskartellamt Judgment, paragraph 108. 202CJEU Bundeskartellamt Judgment, paragraph 109. Adopted 33130. In the EDPB Binding Decisions, the EDPB considered that there are realistic, less intrusive alternatives 203 to behavioural advertising, making the processing at stake not ‘necessary’ . 131. Inlight ofthe above,the EDPBconsidersthat therearegrounds forconcluding, asthe IE SA did 204,that Meta IE failed to fulfil the second condition of the ‘necessity test’ to be able to rely on Article 6(1)(f) GDPR for the processing of personal data collected on Meta’s products for purposes of behavioural 205 advertising, in particular whether there are no other means that are less intrusive alternatives and regarding compliance with the principle of data minimisation under Article 5(1)(c) GDPR 20. 132. The third condition relates to the ‘balancing test’. 133. In its Compliance Reports referring to the Meta IE Legitimate Interests Assessments, Meta IE has concluded that, in light of the ‘extensive measures and safeguards’ it implemented, the potential risks 207 to data subjects identified are ‘appropriately mitigated’ . 134. More specifically, Meta IE refers inter alia to the following safeguards: the measures implemented to ensure transparency towards data subjects (e.g. through privacy policies and ‘Help center’ articles), the publication of advertising policies for users, the existence of restrictions on targeting criteria, the existence of control tools (in relation to advertising in general or to specific ads that are displayed to users) 208,thepossibilitytoobjecttotheprocessing 209andthepossibilitytoexercisedatasubjects’data 210 protectionrights .Metaalsoarguesthatthelanguage introducedtoexplainthechangeoflegalbasis and the impact on users, including their ability to object to the behavioural advertising processing at stake, ‘have been implemented to ensure that users have a reasonable expectation of Behavioural Advertising Processing and are aware of their right to object to this processing 211’. In Meta IE’s Legitimate Interests Assessments, Meta further claims that ‘Users reasonably expect the processing of Platform Behavioural Information for behavioural advertising, taking into account the robust 203EDPB Binding Decision 3/2022, paragraph 121 and the EDPB Binding Decision 4/2022, paragraph 124. As eluded to in the EDPB Binding Decisions, the AT SA, PL SA (only for EDPB Binding Decision 3/2022) and SE SAs mention as examples contextual advertising based on geography, language and content, which do not involve intrusivemeasuressuch asprofiling andtracking ofusers.Thisanalysiswasmadeinthecontextofthelegalbasis of Art. 6(1)(b) GDPR. 204 205IE SA Final Position Paper, paragraph 7.50, p. 18 and paragraph 6.3., p. 5. IE SA Final Position Paper, paragraphs 7.46-7.48, p. 17. 206IE SA Final Position Paper, paragraph 7.45, p. 16, and an analysis of the principle of data minimisation is included in paragraph 7.59, p. 19, with respect to the balancing test. 207 Meta IE Compliance Report on IE SA FB Decision, p. 10 and Meta IE Compliance Report on IE SA IG Decision, p. 11, both referring to sections 4 and in particular sections 4.2.b and 4.2.c of Meta IE Legitimate Interests Assessments. 208Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.c. on the implemented safeguards.SomesafeguardsarereiteratedinMetaIEComplianceReportonIESA FBDecision,p.7-10andMeta IE Compliance Report on IE SA IG Decision, p. 7-12. 209Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.e. on the opt-out tools. 210Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, section 4.2.f. on data protection rights. 211 Meta IE Compliance Report on IE SA FB Decision, p. 7 and Meta IE Compliance Report on IE SA IG Decision, p. 7. Adopted 34 transparency [Meta] has implemented (...), which contributes to managing user expectations around 212 the Processing and personalised advertising more broadly’ . 135. In that regard, the EDPB notes that the IE SA concluded that, due to the failure to facilitate the right to 213 object under Article 21 GDPR , the lack of any consideration of the right to private life (as enshrined in Article 7 of the Charter) 214 or data minimisation 21, and the insufficient consideration of the impact 216 of the processing on the purpose limitation principle , Meta IE has not demonstrated that its legitimate interests in processing for behavioural advertising outweigh the fundamental rights and 217 freedoms of data subjects . In particular regarding the right to object, the IE SA pointed out inter alia that ‘there is no ability in these [objection] tools to turn off processing of data collected directly by [Meta IE] for advertising purposes, including content, audio, metadata about content, apps and features used, transactions, hashtag and the time, frequency and duration of activities on [Meta IE] products’ as these categories of data would still be used for the purpose of behavioural advertising according to Meta IE’s privacy policy 21. 136. The IE SA also refers to a previous CJEUjudgment of 24 September 2019, where the CJEU held that the data subjects’ fundamental rights under Articles 7 and 8 of the Charter ‘override, as a rule (...) the 219 economic interest’ of a private operator . 137. The conclusion of the IE SA regarding the third condition was shared by a number of CSAs in their comments and reactions on the Meta IE Compliance Reports: • On 4 May 2023, the NL SA concluded that ‘[t]he fundamental rights and freedoms of the data subject override the interest of [Meta IE] and the third parties involved’ 22. The NL SA raised the following considerations: o ‘some of the data processed by [Meta IE] for the purpose of behavioural advertising are special, sensitive kinds of personal data, which increase the weight attached to 221 the interests of data subjects in the balancing act ’ o ‘Not only the type but also the sheer amount of data that is processed by a company with the size of [Meta IE] should be taken into account in the balancing act. For the purposes of behavioural advertisement, [Meta IE] processes a broad spectrum of (special) personal data from millions of users. These data are analysed and possibly 222 stored, adjusted, and reused on a daily basis. ’ 212Meta IE Legitimate Interests Assessments, of 3 April 2023, Annex 4 to Meta IE Compliance Report on IE SA FB Decision and Annex 4 to Meta IE Compliance Report on IE SA IG Decision, p. 7. 213 IE SA Final Position Paper, paragraphs 7.60.-7.66., p. 19-21. 214IE SA Final Position Paper, paragraphs 7.57, p. 19. 215IE SA Final Position Paper, paragraph 7.59, p. 19. 216IE SA Final Position Paper, paragraph 7.58, p. 19. 217 IE SA Final Position Paper, paragraph 7.67, p. 21, and paragraph 6.3., p. 5. 218IE SA Final Position Paper, paragraph 7.65., p. 20-21, referring in footnote 29 to p. 54-55 of Meta IE’s privacy policy. 219IESAFinalPositionPaper,paragraph7.57.,p.19,referringtoJudgmentoftheCourtofJusticeoftheEuropean Union of 24 September 2019, GC and Others, C-136/17; ECLI:EU:C:2019:773, paragraph 53. In this case, the private operator was a search engine. Also see case-law cited. 220Views of the NL SA of 4 May 2023 on Meta IE’s choice of a new legal basis for the processing of personal data by Meta IE in the framework of Behavioural Advertising on its platforms Facebook and Instagram, paragraph 3. 221 Views of the NL SA of 14 May 2023, paragraph 43. 222Views of the NL SA of 14 May 2023, paragraph 44. Adopted 35 o ‘With regard to user expectations, the NL SA points out that, in line with the principle of accountability, the assessment of user expectations should take place before the processing is initiated under Art. 6(1)(f) GDPR. Controllers cannot simply "retroactively adjust" the expectations of existing users and bring processing in line with Art. 6(1)(f) GDPR, simply by providing them with some information – especially not when the essence of this information is hard to grasp. 22’ o ‘Furthermore,asalsoconcludedbytheEDPBinitsdecision3/2022,20theNLSAagrees withtheEDPBthatusersdonotsignupto[MetaIE]’sservicestobeservedpersonalized content but for the sake of connecting with friends and family. Even in its changed Terms of Service, [Meta IE] presents its services as “services that enable people to connect with each other, build communities…”. The connection to people/friends/family is therefore still theservicewith which [Meta IE] seeks to attract newusers.Eventhough“buildingbusinesses”isinsertedasathird“goa”oftheservices of [Meta IE], this does not create the reasonable expectation that users’ personal data 224 will be processed for the purpose of behavioural advertising’ . o ‘NL SA therefore concludes that users do not expect or should reasonably expect that their data are processed for the sake of behavioural advertising as done by [Meta IE].25’ o ‘Consideringthegravityoftherisksidentified,NLSAfindsthat[MetaIE]indeedtreads very lightly on these risks and their mitigation.26’ o ‘The NL SA therefore finds that the right to object as provided for in the GDPR, a core right when processing is undertaking on the basis of Art. 6(1)(f) GDPR, is therefore not 227 properly respected by [Meta IE]’ . • On 12 May 2023, the ES SA identified the following shortcoming in Meta IE’s assessment of the balancing test: o ‘Regarding the impact on data subjects, it is not established that it does not concern sensitive data. o As regards the way in which data is processed, data is processed massively, comprehensively and in combination with all types of data obtained from other sources, without taking into account the principle of data minimization. o As regards the data subject’s reasonable expectations, the data typology reflected in the privacy policy is not easily understandableto the average user, who does not know exactlywhatdataisbeingprocessedandwhattheextentofsuchprocessingis.Inorder for the user to know what type of data is being processed and how they are being processed, the user must also look up several documents. o As regards the position of the controller and the data subject, there is no balance of power, Meta [IE] is a large company which imposes its conditions on its users without they have the possibility of choosing or not certain processing operations and which of 223Views of the NL SA of 14 May 2023, paragraph 45. 224Views of the NL SA of 14 May 2023, paragraph 46. 225 226Views of the NL SA of 14 May 2023, paragraph 49. Views of the NL SA of 14 May 2023, paragraph 51. 227Views of the NL SA of 14 May 2023, paragraph 63. Adopted 36 their data are processed. There is also no analysis of how the [processing] affects vulnerable sectors, and how to mitigate possible negative effects. o Finally, with regard to the additional safeguards included to prevent undue impact on data subjects, as already stated, the principle of data minimization is not taken into account, there is no indication of what actions [Meta IE] takes to prevent the processing of sensitive data indirectly and, as explained below, the GDPR is not 228 complied with regard to the right to object.’ [emphasis added in bold] • On 15 May 2023, the FI SA stated that ‘[Meta IE]´s legal interests assessment (...) seems to be rather one-sided and superficial and fails to convince why the interests of [Meta IE] or third parties should override the interests and fundamental rights of the data subjects’ 229. • On 23 May 2023, the IT SA notes in relation to Meta IE Legitimate Interests Assessments that ‘it is as if the controller were shifting the burden of proof regarding legitimate interest as the legal basis of processing on the data subjects – who conversely should be called into play as key actors in the two subsequent steps of the legitimate interest test, i.e. when assessing the 230 necessity of the processing and performing the required balancing exercise’ . • In the NO SA Order, the NO SA rejects Meta IE’s assumption that the data subjects undisputedly want and expect behavioural advertising based on monitoring and profiling of their behaviour 231. Therefore, according to the NO SA, Meta IE’s assessment of the elements of Article 6(1)(f) GDPR has been skewed 23. In addition, the NO SA refers to the paragraph 117 of the CJEU Bundeskartellamt Judgment, which held that ‘data subjects cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalised advertising’ 233. Further, the NO SA considers that informing data subjects about behavioural advertising processing does not mean that it falls within their reasonable expectations and in any case, data subjects are not realistically able to read the privacy policies of every service used, including Meta IE’s privacy 234 policies . The NO SA also argues that Meta IE fails to show that Meta IE’s interests outweigh the rights and freedoms of data subjects 23. 236 138. The IE SA made an overall conclusion on the three-step test that Meta IE has not demonstrated compliance with Article 6(1)(f) GDPR for the processing at stake 237. The IE SA highlighted, both in the IE SA Provisional Position Paper and IE SA Final Position Paper that this conclusion stems from the following reasons: (1) ‘[Meta IE] has not made out that the processing is necessary for legitimate interests. Its explanations of the impact of the processing on its business are too vague to allow the [IE 228Views of the ES SA of 12 May 2023, p. 5. 229ViewsoftheFISAof15May2023,preliminary remarksonMeta´snewlegalbasisinrelationtotheprocessing of personal data for the purposes of behavioural advertising in Facebook and Instagram services, p. 2. 230ViewsofITSAonthelegalbasisorderandtransparency orderrelatingtotheIE SAFBDecision,p.2,and views of IT SA on the legal basis order and transparency order relating to the IE SA IG Decision of 23 May 2023, p. 2. 231NO SA Order, p. 15-16. 232 NO SA Order, p. 15-16. 233NO SA Order, p. 17. 234NO SA Order, p. 16. 235NO SA Order, p. 17-23. 236 IE SA Final Position Paper, paragraphs 7.27-7.28, p. 12-13, referring to the CJEU Bundeskartellamt Judgment, paragraph 126. 237IE SA Final Position Paper, paragraph 7.30, p. 13. Adopted 37 SA] to determine that there is no less intrusive alternative that can be pursued’, (2) ‘[Meta IE] has not demonstrated that the balancing favours its processing. In particular, the opt-out mechanism provided does not comply with the GDPR’ 238. The conclusions of the IE SA regarding the results of the three-step testwassharedbyanumberofCSAs,whichalsoraisedtheinappropriaterelianceby Meta IEtoArticle 6(1)(f) GDPR: • On 18 April 2023, the AT SA stated that processing operations in connection with ‘behavioural 239 advertising processing’ cannot be based on Article 6(1)(f) GDPR . • On 12 May 2023, the ES SA indicated that Meta IE Legitimate Interests Assessments ‘did not demonstrate that the processing carried out by Meta IE with the purpose of behavioural advertisement can be based on [A]rticle 6(1)(f) [GDPR] since it does not meet the requirements of this article’0. • In the NL SA Mutual Assistance Request sent on 30 May 2023, the NL SA expressed concerns as to Meta IE’s reliance on Article 6(1)(f) GDPR, taking into account ‘thefact that thecontroller could not have been unaware of already established guidance from the EDPB, nor of the position of several CSAs on the matter, but chose to explore the path of Article 6(1)(f) [GDPR] 241 regardless’ . The NL SA states that ‘Meta [IE] cannot invoke Article 6(1)(f) [GDPR] as a valid legalbasistoprocessthepersonaldataofitsusersforthepurposesofbehaviouraladvertising’, and that this conclusion is ‘in line with several EDPB and WP29 Guidance documents, which underpin that the appropriateness of using Article 6(1)(f) [GDPR] as a legal basis for the 242 processing concerned is highly questionable’ . 139. In previous judgments, the CJEU clarified that when carrying out the ‘balancing test’, the data controller ‘must take account of the significance of the data subject’s rights arising from Articles 7 and 8 of the Charter’ 24. 140. In its Bundeskartellamt Judgment, the CJEU held the following obiter dictum: ‘as can be seen from recital 47 of the GDPR, the interests and fundamental rights of the data subject may in particular override the interest of the data controller where personal data are 244 processed in circumstances where data subjects do not reasonably expect such processing .’ ‘(...) such processing must also be necessary in order to achieve that interest and the interests or fundamental freedoms and rights of the data subject must not override that interest. In the contextofthatbalancing oftheopposingrightsatissue,namely,thoseofthecontroller,onthe one hand, and those of the data subject, on the other, account must be taken, as has been noted (...) above, in particular of the reasonable expectations of the data subject as well as the scale of the processing at issue and its impact on that person. 24’ 238IE SA Final Position Paper, paragraph 6.3, p. 5 ; IE SA Provisional Position Paper, paragraph 5.3, p. 4 (in 239ghtly different terms). IMI report on Compliance in the Facebook case. 240Views of the ES SA, 12 May 2023, p. 6. 241NL SA Mutual Assistance Request, p. 2. 242NL SA Mutual Assistance Request, p. 1, where a reference is made to the EDPB Guidelines 8/2020 on the targeting of social media users. 244CJEU Bundeskartellamt Judgment, paragraph 112. 244CJEU Bundeskartellamt Judgment, paragraph 112. 245CJEU Bundeskartellamt Judgment, paragraph 116. Adopted 38 ‘In this regard, it is important to note that, despite the fact that the services of an online social network such as Facebook are free of charge, the user of that network cannot reasonably expectthattheoperatorofthesocialnetworkwillprocessthatuser’spersonaldata,without his or her consent, for the purposes of personalised advertising. In those circumstances, it must be held that the interests and fundamental rights of such a user override the interest of thatoperatorinsuchpersonalisedadvertisingbywhichitfinancesitsactivity,withtheresult that the processing by that operator for such purposes cannot fall within the scope of point 246 (f) of the first subparagraph of Article 6(1) of the GDPR.’ [emphasis added] 141. In the IE SA Provisional Position Paper issued before the CJEU Bundeskartellamt Judgment, the IE SA provisionallyfoundthatMetaIEhadnotdemonstratedcompliancewithArticle6(1)(f)GDPR 247asMeta IE had not demonstrated that it could rely on Article 6(1)(f) GDPR 248. The IE SA then confirmed that Meta IE has not demonstrated compliance with Article 6(1)(f) GDPR following the analysis of the CJEU Bundeskartellamt Judgment as it states in its Final Position Paper that ‘Prior to the date of [the Bundeskartellamt]judgment,the[IESA]hadanalysed[MetaIE]’srelianceonArticle6(1)(f)[GDPR]and had come to the provisional conclusion that [Meta IE] had not demonstrated compliance with that provision’ and that‘theCJEUindicated that there aresignificant barriers to [Meta IE] seeking to rely on 249 Article 6(1)(f) [GDPR] for the behavioural advertising processing at issue in that judgment’ . 142. The EDPB notes Meta IE’s arguments regarding the alleged irrelevance of the CJEU Bundeskartellamt 250 Judgment . Meta considers that this judgment ‘does not rule out Article 6(1)(f) [GDPR] “as a matter of principle” as a valid legal basis for [Meta IE]’s Behavioral Advertising Processing. The judgment assessed Article 6(1)(f) [GDPR] (and the element of “necessity”) in the context of different processing than is at-issue here (i.e., data collected off-[Meta] 25, and to a limited extent cross-product data processing, as opposed to data collected on-[Meta] products). (...) Further, the CJEU did not (and could not as a matter of law) issue a blanket finding that users’ interests will always outweigh [Meta IE]’s and third parties’ legitimate interests in the context of personalised advertising (...) 252.’ 143. As regards the scope of the CJEU Bundeskartellamt Judgment, the EDPB notes the references made to data collection from other services of the group to which an operator belongs 25. 246 CJEU Bundeskartellamt Judgment, paragraph 117. 247IE SA Provisional Position Paper, paragraph 6.26, p. 11. 248IE SA Provisional Position Paper, paragraph 5.3, p. 4. 249IE SA Final Position Paper, paragraph 7.26, p. 12. 250 MetaIE’sResponsetoIESA’sProvisionalPositionPaperof4August2023,section1.5(A).SeealsoENGVersion of Meta IE Merits Complaint submitted to the Oslo District Court of 16 October 2023 (corrected), p. 38 and Meta IE’s Submissions of 26 September 2023, p. 10-11. 251Data collected ‘off’-Meta products refers data collected outside of Meta’s products, such as on third-party websites, apps and certain offline interactions (e.g., purchases). 252Meta IE’s Response to IE SA’s Provisional Position Paper of 4 August 2023, section 1.5 (A) and section 2 for a more detailed analysis of the CJEU Bundeskartellamt Judgment. 253In that regard, paragraph 86 of the CJEU Bundeskartellamt Judgment states: ‘By Questions 3 and 4, which it is appropriate to examine together, the referring court asks, in essence, whether and under what conditions points (b)and(f)ofthefirstsubparagraphofArticle6(1)oftheGDPRmustbeinterpretedasmeaningthattheprocessing of personal data by the operator of an online social network, which entails the collection of data of the users of such a network from other services of the group to which that operator belongs or from visits by those users to third-party websites or apps, the linking of those data with the social network account of those users and the use of such data, may be considered to be necessary for theperformance of a contract to which the data subjects are party, within the meaning of point (b), or for the purposes of the legitimate interests pursued by the controller or Adopted 39144. The EDPB acknowledges that the behavioural advertising processing that Meta carries out in reliance 254 ofArticle6(1)(f)GDPRandthatisexaminedforthepurposeofthissection4.1.1.3 relatestopersonal data collected on Meta’s products while, according to Meta IE, the CJEU Bundeskartellamt Judgment mostly relates to personal data obtained from third party advertising partners outside of Meta’s products. However, the EDPB considers that this Judgment, addressed to Meta IE, Meta Platforms Inc. 255 and Facebook Deutschland GmbH , outlines the way the balancing exercise may be carried out for the purpose of behavioural advertising, which is also relevant for personal data collected on Meta’s products. 145. The EDPB recalls its previous guidelines where it highlighted that ‘it would be difficult for controllers to justify using legitimate interests as a lawful basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering. 256’ 146. The EDPB considers that this guidance is relevant for the processing at stake carried out by Meta IE, which,asprovidedintheEDPBBindingDecisions,isintrusivegivenitsscaleandtheextensiveamounts of data that is processed by Meta IE 257. In those decisions, the EDPB outlined ‘the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Facebook [or Instagram] service’ 25. In other words, ‘[b]ehavioural advertising, as briefly described in [paragraph 95 of the EDPB Binding Decision 3/2022 and paragraph 98 of the Binding Decision 4/2022 259] is a set of processing operations of personal data of great technical complexity, which has a by a third party, within the meaning of point (f). That court asks, in particular, whether, to that end, certain interests which it explicitly lists constitute ‘legitimate interests’ within the meaning of the latter provision.’ 254 Meta IE indicates to rely on Art. 6(1)(a) GDPR to process personal data obtained by Meta IE from third party advertising partners. Such data is about users’ activity off-Meta’s products. See footnotes 89 and 149 above in that regard. 255The request for a preliminary ruling in the CJEU Bundeskartellamt Judgment has been made in proceedings betweenMetaPlatformsInc.,formerlyFacebookInc.,MetaPlatformsIrelandLtd,formerlyFacebookIrelandLtd, andFacebookDeutschlandGmbH,ontheonehand,andtheBundeskartellamt.MetaIEoperatestheonlinesocial network Facebook in the EU. See CJEU Bundeskartellamt Judgment, paragraphs 2 and 26. 256Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, as last Revised and Adopted on 6 February 2018, endorsed by the EDPB on 25 May 2018, p. 15. This was referred to by the NO SA in the NO SA Order, p. 9. This same statement wasreiterated by the EDPB in theEDPB Guidelines on the targeting of social media users, Version 2.0, adopted on 13 April 2021, paragraph 56. 257EDPB Binding Decision 3/2022, paragraph 444 and EDPB Binding Decision 4/2022, paragraph 413. 258 EDPB Binding Decision 3/2022, paragraph 96 and the EDPB Binding Decision 4/2022, paragraph 99. 259Paragraph 95 of EDPB Binding Decision 3/2022 states: ‘These requests for preliminary rulings mention that [Meta IE] collects data on its individual users and their activities on and off its Facebook social network service via numerous means such as the service itself, other services of the Meta group including Instagram, WhatsApp and Oculus, third party websites and apps via integrated programming interfaces such as Facebook Business Tools or via cookies, social plug-ins, pixels and comparable technologies placed on the internet user’s computer or mobile device. According to the descriptions provided, [Meta IE] links these data with the user’s Facebook account to enable advertisers to tailor their advertising to Facebook’s individual users based on their consumer behaviour, interests, purchasing power and personal situation. This may also include the user’s physical location to display content relevant to the user’s location. Meta IE offers its services to its users free of charge and generates revenue through this personalised advertising that targets them, in addition to static advertising that is displayed to every user in the same way.’ Paragraph 98 of EDPB Binding Decision 4/2022 states: ‘These requests for preliminary rulings mention that Meta IE collects data on its individual users and their activities on and off its Facebook service via numerous means suchastheserviceitself,otherservicesoftheMetagroupincludingInstagram,WhatsAppandOculus,thirdparty websites and apps via integrated programming interfaces such as Facebook Business Tools or via cookies, social Adopted 40 particularlymassiveandintrusivenature” 260.TheIESAreiteratedthisconclusionintheIESADecisions: ‘ItisthereforeclearthattheBoardconsiders(...)thenatureandscopeoftheprocessingtobeextensive, complex, intrusive and on a massive scale’ 261. 147. In light of the above and taking into account the legal analysis provided by the IE SA (see for example in paragraphs 135 and 138 above, as supported by the assessment performed by the of the CSAs), the EDPB considers that the interests and fundamental rights of data subjects override the legitimate interests put forward by Meta IE for the processing of personal data collected on Meta’s products for the purposes of behavioural advertising, with the result that Meta IE did not fulfil the third condition of Article 6(1)(f) GDPR. 148. In light of the above analysis of the EDPB from paragraph 111 to 147, the EDPB considers that Meta IE inappropriately relies on Article 6(1)(f) GDPRto process personal data collected on its products for the purpose of behavioural advertising. 4.1.1.3.4 Conclusion as to the infringement of Article 6(1) GDPR 149. The compliance approach adopted by Meta IE has been assessed in the IE SA Final Position Paper as follows: • Meta IE seeks to still rely on Article 6(1)(b) GDPR to process some specific categories of personal data 262, for advertising purposes 263; • Meta IE seeks to rely on Article 6(1)(f) GDPR to process other personal data for the purposes of behavioural advertising 264- solely for personal data collected on Meta’s products 265; • Meta IE relies on Article 6(1)(a) GDPR to process personal data provided to Meta IE by third party advertising partners 266. 150. Meta IE is willing to rely on Article 6(1)(a) GDPR as its legal basis 267 through the Meta IE’s Consent Proposal . 151. The EDPB highlights the need to assess the compliance of the processing activities within the scope of the IE SA Decisions with Article 6(1) GDPR at this point in time. plug-ins, pixels and comparable technologies placed on the internet user’s computer or mobile device164. According to the descriptions provided, Meta IE links these data with the user’s Facebook account to enable advertiserstotailortheiradvertisingtoFacebook’sindividualusersbasedontheirconsumerbehaviour,interests, purchasing power and personal situation. This may also include the user’s physical location to display content relevanttotheuser’slocation.MetaIEoffersitsservicestoitsusersfreeofchargeandgeneratesrevenuethrough this personalised advertising that targets them, in addition to static advertising that is displayed to every user in the same way.’ 260 261EDPB Binding Decision 3/2022, paragraph 123 and the EDPB Binding Decision 4/2022, paragraph 126. IE SA FB Decision, paragraph 9.23 and IE SA IG Decision, paragraph 243. 262See paragraph 91 above. 263IE Final Position Paper, paragraphs 6.2 and 7.1-7.22. 264 265IE Final Position Paper, paragraphs 6.3 and 7.23-7.67. IE Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to the IE SA of 30 June 2023. 266IE SA Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to the IE SA of 30 June 2023. 267Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2. Adopted 41 268. For the sake of clarity, the EDPB specifies that Meta IE’s Consent Proposal was not assessed in its merits for the purposes of this urgent binding decision. In this regard, the EDPB may only take note of the existence of an ongoing evaluation of the Meta IE’s Consent Proposal by the IE SA and the CSAs. 152. According to the EDPB, there is an ongoing infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(b) GDPR for processing of personal data, including location data and advertisement interaction data collected, on Meta’s products for behavioural advertising 269 purposes . 153. Inaddition,theEDPBconcludes thatthereisanongoinginfringementofArticle6(1)GDPRarisingfrom inappropriate reliance on Article 6(1)(f) GDPR for processing personal data collected on Meta’s products for behavioural advertising purposes 27. 4.1.2 On the infringement of the duty to comply with decisions by supervisory authorities 4.1.2.1 Summary of the overall position of the NO SA 154. According to the NO SA, since the deadline for complying with the IE SA Decisions was 5 April 2023 but the infringement of Article 6(1) GDPR still persists more than six months later, Meta IE failed to ensure 271 compliance with the IE SA Decisions, and hence infringed its duty to comply with the SAs’ decisions . The NO states further that there is consensus on the European level between the IE SA and the CSAs 272 that the processing continues to be unlawful , and that ‘as acknowledged by the IE SA itself, Meta IE has failed to ensure compliance with [the IE SA Decisions]’ 273. The NO SA stated that this non- 274 compliance constitutes in itself an independent violation of the GDPR for which Article 83(5)(e) GDPRenvisagesafinewhichmaybeimposedinadditiontothefinesimposedbytheIESADecisions 275. 4.1.2.2 Summary of the position of the controller 155. MetaIEstatedthat,priortotheIESADecisions,itreliedonArticle6(1)(b)GDPRinagoodfaithmanner 276 and its ‘bona fide belief that it was lawful for it to do so’ . 156. Following to the IE SA Decisions, Meta IE argued that it took substantial steps to bring its processing 277 activities into ‘what it believes was compliance with [the IE SA] decisions’ , including by changing its legal basis from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR for the processing of personal data 278 collected on its products for the purposes of behavioural advertising . 268 269See the analysis carried out above in Section 4.1.1.2.3 and paragraphs 98-99. 270See the analysis carried out above in Section 4.1.1.3.3 and paragraph 148. 271NO SA Request to the EDPB, p. 6. 272 NO SA Request to the EDPB, p.12. 273NO SA Request to the EDPB, p. 6. 274NO SA Request to the EDPB, p. 6 and Letter from the NO SA to the IE SA dated 11 October 2023, p. 2. 275NO SA Request to the EDPB, p. 6. 276 Letter from Meta IE to NO SA of 4 August 2023, in relation to right to be heard, paragraph 65. 277Letter from Meta IE to NO SA of 4 August 2023, in relation to the right to be heard, dated paragraph 65. 278 Meta IE’s Compliance Report regarding the Facebook Service (IN-18-5-5) of 3 April 2023 (hereinafter, ‘Compliance Report on IE SA FB Decision’), paragraph 2.1 and Meta IE’s Compliance Report regarding the Instagram Service (IN-18-5-7) of 3 April 2023 (hereinafter, ‘Compliance Report on IE SA IG Decision’), paragraph 2.1 (together, the ‘Compliance Reports’). Adopted 42157. Meta IE takes the view that neither the EDPB Binding Decisions nor the IE SA Decisions ordered Meta IE to rely on a specific legal basis for the processing of personal data collected on its products for behavioural advertising purpose under Article 6(1) GDPR, such as Article 6(1)(a) GDPR 27. As a result, Meta IE still currently seeks to rely on Article 6(1)(b) GDPR to process some specific categories of personaldatathatitdoesnotconsidertobebehaviouraldata 28,andonArticle6(1)(f)GDPRtoprocess 281 other personal data for the purposes of behavioural advertising - solely for personal data collected on its products 282. 158. After considering the IE SA Provisional Position Paper (including the IE SA’s interpretation of the CJEU Bundeskartellamt Judgment), Meta IE stated that it was willing to implement the necessary measures to rely on Article 6(1)(a) GDPR as its legal basis for processing for the purpose of behavioural advertising through the Meta IE’s Consent Proposal 28. 159. After considering the IE SA’s Final Position Paper, Meta IE stated that it considered itself as compliant with the IE SA Decisions 284 . 285 . 4.1.2.3 Analysis of the EDPB 160. TheEDPBrecallsthatArticle60(10)GDPRprovidesforthedutyforthecontrollerto‘takethenecessary measures to ensure compliance with the decision [taken in the context of the cooperation mechanism] as regards processing activities in the context of all its establishments in the Union’ 28. 161. The EDPB also recalls that non-compliance with an order of an SA pursuant to Article 58(2) GDPR constitutes an infringement that may be sanctioned by way of an administrative fine pursuant to 287 Article 83(5)(e) GDPR and Article 83(6) GDPR . 279Meta IE’s Submissions of 26 September 2023, p. 10, and Meta IE’s Submissions of 25 August 2023, p. 4 and 280 See paragraph 91 above and the IE SA Final Position Paper, paragraphs 6.2 and 7.1-7.22. 281IE SA Final Position Paper, paragraphs 6.3 and 7.23-7.67. 282See paragraph 104 above and the IE SA Final Position Paper, paragraph 7.23, referring to Meta IE’s Letter to the IE SA of 30 June 2023. 283Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2. 284Meta IE’ Submissions of 25 August 2023, paragraph 61. 285Meta IE’s Submissions of 25 August 2023, paragraph 64. 286 Article 60 GDPR. 287According to Art. 83(5)(e) GDPR, ‘non-compliance with an order or a temporary or definitive limitation on processingorthesuspensionofdataflowsbythesupervisory authoritypursuanttoArticle 58(2)[GDPR]orfailure to provide access in violation of Article 58(1) [GDPR]’ is an infringement that ‘shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher’. Art. 83(6) GDPR provides: ‘Non-compliance with an order by the supervisory authority as referred to in Article 58(2) [GDPR] shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher’. Adopted 43162. The EDPB confirms, in line with the view of the NO SA 288, that non-compliance with decisions of 289 supervisory authorities is in itself an independent violation of the GDPR . 163. As already noted above, the IE SA Decisions required Meta IE to, inter alia, take the necessary action to address the finding that Meta IE is not entitled to process personal data for behavioural advertising on the basis of Article 6(1)(b) GDPR and to bring its processing of personal data for behavioural 290 advertising purposes into compliance with Article 6(1) GDPR. Also, the IE SA made clear that the actions Meta IE should take to comply with the IE SA Decisions may include, but were not limited to, 291 the identification of an appropriate alternative legal basis in Article 6(1) GDPR and may include the implementation of any necessary measures required to satisfy the conditionality associated with 292 that/those alternative legal basis/bases . The deadline for compliance with the IE SA Decisions was 5 April 2023. The EDPB notes that in the IE SA Final Position Paper, the IE SA found that Meta IE failed to demonstrate compliance with the IE SA Decisions, and states that Meta IE ‘failed to demonstrate that it no longer relies on Article 6(1)(b) GDPR to process personal data for behavioural advertising’ and ‘failed to demonstrate that it has a lawful basis to process Platform behavioural Data for behavioural 293 advertising’ . 164. The EDPB notes that the NL SA also stated that ‘As Meta [IE] has publicly stated that it already makes useofArticle6(1)(f)[GDPR]asalegalbasis,thisconclusionmeansthat-atthemoment-personaldata of millions of European data subjects are being processed without there being a valid legal basis. This moreovermeansthat Meta[IE]doesnotcomplywiththe[IESA]’s orderinthe[IESADecisions]tobring 294 these processing operations in line with Article 6 GDPR’. 165. The EDPB notes the view of the IE SA that neither the GDPR nor Irish national law prescribes the mannerinwhichtheassessmentofthestepstakenby thecontrollerinpurportedcompliance withthe orders of an SA should be carried out 295. In this respect, the EDPB notes that Meta IE does not contest that the IE SA’s findings made subsequently to the IE SA Decisions are made ‘to implement the existing [IE SA] decisions pursuant to Article 60(10) GDPR’. 296 166. In respect of Meta IE’s argument that it fully complied with the IE SA Decisions by taking, first, substantial steps to bring its processing activities into compliance by 5 April 2023 297and, secondly, steps in the direction of theMeta IE’s Consent Proposal 29, the EDPB highlights that these elements do 288 Letter from the NO SA to the IE SA of 17 September 2023 in relation to the right to be heard, p. 7. 289‘Non-compliance with a corrective power previously ordered may be considered either as an aggravating factor, or as a different infringement in itself, pursuant to Art. 83(5)(e) and Art. 83(6) GDPR. Therefore, due note should be taken that the same non-compliant behaviour cannot lead to a situation where it is punished twice’, EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, version 2.1, paragraph 103. 290See IE SA FB Decision, paragraph 10.44b; IE SA IG Decision, paragraph 212. 291IE SA FB Decision, paragraph 10.44b and IE SA IG Decision, paragraph 10. 292 IE SA FB Decision, paragraph 8; and IE SA IG Decision, paragraph 212. 293IE SA Final Position Paper, section 8, p. 25. In relation to Meta IE’s reliance on Article 6(1)(b) GDPR, also see paragraphs 96-99 above. In relation to Meta IE’s reliance on Art. 6(1)(f) GDPR, also see paragraphs 121, 135, 138 above. 294 NL SA Mutual Assistance Request, p. 2. 295Letter of the IE SA to Meta IE of 14 June 2023, p. 1-2. 296Meta IE’s Submissions of 26 September 2023, p. 12 and 13. 297Meta IE’s Submissions of 26 September 2023, p. 10 and Meta IE’s Submissions of 16 October 2023, p. 5. See also Meta IE’s Submissions of 25 August 2023, p. 33. 298Letter from Meta IE to IE SA regarding consent of 27 July 2023, p. 2. Adopted 44 notinthemselvescontradicttheconclusionthatatthispointintimecompliancewithArticle6(1)GDPR for the processing activities within the scope of the IE SA Decisions has not yet been achieved while the deadline to implement the IE SA Decisions was 5 April 2023. 4.1.2.4 Conclusion as to the infringement of the duty to comply with decisions by supervisory authorities 167. InlightofitsfindingsthatMetaIEstillreliesinappropriatelyonArticle6(1)(b)GDPRtoprocesspersonal data, including location data and advertisement interaction data, collected on its products for the purpose of behavioural advertising 300and on Article 6(1)(f) GDPR to process personal data collected onitsproductsforthepurposeofbehaviouraladvertising 301theEDPBfinds,inlinewiththeconclusions 302 303 304 drawn by the IE SA and with the views expressed in particular by the NO SA in the courseof the proceedings, that Meta IE did not achievecompliancewith the IE SADecisions within the deadline for compliance and is therefore currently in breach of its duty to comply with decisions by supervisory authorities. 4.2 On the existence of urgency to adopt final measures by way of derogation from the cooperation and consistency mechanisms 168. The second element to assess pursuant to Article 66(2) GDPR is the existence of an urgency situation justifying a derogation from the regular cooperation procedure. 169. TheurgentinterventionoftheEDPBpursuanttoArticle66(2)GDPRisexceptional,andderogatesfrom the general rules applicable to the regular consistency and cooperation mechanisms. 170. Considering the fact that the urgency procedure under Article 66(2) GDPR is a derogation to the standardconsistencyand cooperationmechanisms,itmustbeinterpretedrestrictively.Therefore,the EDPB may request final measures under Article 66(2) GDPR only if the regular cooperation or consistency mechanisms cannot be applied in their usual manner, due to the urgency of the situation30. 171. In addition, Article 61(8) GDPR provides that, where an SA does not provide the information referred to in Article 61(5) GDPR within one month of receiving a mutual assistance request from another SA, the ‘urgent need to act under Article 66(1) [GDPR] shall be presumed to be met and require an urgent binding decision from the Board pursuant to Article 66(2) [GDPR]’. If such a presumption applies, the urgent natureofan Article 66(2)requestforan urgentbinding decisioncan be presumed and doesnot 306 need to be demonstrated . 299 LetterfromNO SAtoMetaIE andFacebookNorway of17September2023 in relationtotherighttobeheard, p. 9. 30See paragraphs 98-99, and 152 above. 30See paragraphs 148 and 153 above. 30IE SA Final Position Paper, section 8, p. 25. 303 NO SA Request to the EDPB, p. 6. 304 30EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 167. 30EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 170. Adopted 45172. In the present procedure, the NO SA requested the EDPB to adopt a decision pursuant to Article 66(2) GDPR, in order to urgently request the IE SA to impose final measures on Meta IE. The request has been made following to the adoption of provisional measures pursuant to Article 66(1) GDPR 307which are only applicable in Norway, and are only valid for three months. 173. In the sections below, the EDPB analyses first whether the circumstances of the present case demonstrate theexistence ofurgencyandtheneedtoderogatefromthecooperationandconsistency mechanisms(section4.2.1below)beforeanalysingwhetherthepresumptiondescribedinArticle61(8) GDPR is applicable to the circumstances of the case (section 4.2.2). 4.2.1 On the existence of urgency and the need to derogate from the cooperation and consistency mechanisms 4.2.1.1 Summary of the position of the NO SA 174. The NO SA considers that ‘Regardless of the applicability of the Article 61(8) presumption, in the present case there is an urgent need for a binding decision from the EDPB in accordance with Article 66(2) GDPR, in order to protect the rights and freedoms of data subjects’ 30. 175. According to the NO SA, the processing in question is detrimental to individuals’ fundamental rights, and failing to put an end to this processing would thus expose these data subjects to a risk of serious and irreparable harm 309. In more details, the NO SA takes the view that: • Theinfringementshavebeenoccurringforasignificantamountoftimeandareofanespecially serious nature, as they have a considerable impact on the users of Meta’s products whose online activities are ‘constantly, intrusively and opaquely monitored and profiled by Meta’, which ‘may give rise to the feeling that their private life is being continuously surveilled’.10 • The infringements affect over 250 million average monthly active users in the EU, including vulnerable data subjects in need of particular protection, such as minors, elderly people and 311 people with cognitive disabilities . • The filtering of the specific ads that are displayed on Facebook or Instagram has an adverse 312 effect on data subjects’ freedom of information and on political participation while creating ‘a potential for reinforcement of existing stereotypes, and it can leave data subjects open to discrimination’ 313. • Not taking urgent action to ensure compliance with the IE SA Decisions would deprive data subjects of the right to seek an effective remedy against a data controller from SAs under 314 Article 77 GDPR . 307 Art. 66(4) GDPR; as described in Section 2.1 above. 308NO SA Request to the EDPB, p. 10. 309NO SA Request to the EDPB, p. 10. 310NO SA Request to the EDPB, p. 10, referring to CJEU Bundeskartellamt Judgment, paragraph 118. 311 NO SA Request to the EDPB, p. 10. 312NO SA Order, p. 22. 313NO SA Request to the EDPB, p. 10; NO SA Order, p. 22. 314NO SA Order, p. 28. Adopted 46 • The NO SA is of the view that there is no measure that could be applied retroactively to repair the violation of the rights and freedoms of data subjects 315. 176. In addition, the NO SA states that there has been a ‘continued refrainment from enforcement’ on the part of the IE SA 31. The NO SA takes the view that despite the fact that infringements are taking place appears uncontroversial among supervisory authorities, ‘the IE SA appears to be unwilling to demand that such infringements be ceased without any further delays’ 31. In this respect, the NO SA states that thefailuretofirmlyandexpedientlyreacttonon-compliancewiththeIESADecisionsnotonlydeprives datasubjectsoftheprotectiontheyareentitledto,butisalsocontrarytosupervisoryauthorities’duty to ensure that the GDPR is respected in practice 318. 177. More generally, in the view of the NO SA, not reacting to Meta IE’s prolonged state of non-compliance 319 would set a dangerous precedent as it would ‘invite dilatory strategies from non-compliant controllers’andunderminetheauthorityoftheIESA,theCSAsandtheEDPB 320.FortheNOSA,afailure to adopt the requested urgent binging decision in the present circumstances would entail serious risks that the Article 66 GDPR mechanism would turn in to a ‘paper tiger’ 32. 178. The NO SA argues that an EDPB urgent binding decision would be a narrow and strictly limited exceptiontotheprimacyoftheLSAinensuringcompliancewithanArticle60GDPRdecisionandwould 322 not set a precedent for derogating from the standard one-stop-shop cooperation procedure as it would be issued after the completion of an Article 60 GDPR process, following the adoption by the IE 323 SA of the IE SA Decisions and given the fact that the IE SA does not envisage to start a new Article 60 GDPR procedure 32. 179. Further, the NO SA argues that final measures would not interfere with commitment to change the legal basis for behavioural 325 advertising to consent . According to the NO SA, ‘if Meta [IE] would be ordered to stop all such processing activities based on Article 6(1)(b) [GDPR] and [Article 6(1)] (f) pending the identification of a valid legal basis, it would have an incentive to expeditiously identify adequate and lawful solutions to resume its processing activities as soon as possible’ 326. 180. 315 NO SA Rejection of Meta IE and Facebook Norway’s Request for Deferred Implementation of the Order dated 7 August 2023, p. 1. 316NO SA Order, p. 12. 317 NO SA Request to the EDPB, p. 6. 318NO SA Request to the EDPB, p. 6. 319Letter of NO SA to IE SA of 11 October 2023, p. 11. 320NO SA Order, p. 28; NO SA Request NO SA Request to the EDPB, p. 12. 321 NO SA Request to the EDPB, p. 12, referring to the opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, paragraph 119 and paragraph 122. 322NO SA Request to the EDPB, p. 12. 323 NO SA Request to the EDPB, p. 10-11, referring to IE SA Information on Procedure (response to SE SA) of 4 May 2023 where the IE SA had indicated via the IE SA IMI Informal Consultations that they would ‘not be preparing any further decision in this matter’. 324NO SA Request to the EDPB, p. 11. 325 NO SA Request to the EDPB, p. 11-12. 326NO SA Request to the EDPB, p. 11-12. Adopted 47 327 ’ . 328 . 181. The NO SA also recalls that in any event, the Meta IE’s Consent Proposal does not eliminate the urgent need to adopt final measures 329. 330. 331. Therefore, in the NO SA’s view, final measures constitute ‘the only way’ to stop the harm to data subjects’ fundamental rights 33. 4.2.1.2 Summary of the position of the controller 182. According to Meta IE, the circumstances of the case do not justify an urgent decision of the EDPB pursuanttoArticle66(2)GDPR 333.Inparticular,MetaIE recallsapriordecisionoftheEDPBstatingthat ‘the urgency procedure under Article 66(2) GDPR is a derogation to the standard consistency and cooperation mechanisms, it must be interpreted restrictively. Therefore, the EDPB will request final measures underArticle66(2)[GDPR] onlyif theregularcooperationor consistencymechanismscannot be applied in their usual manner due to the urgency of the situation’ 334. 183. In this respect, Meta IE notes that the comments received by the IE SA from the CSAs show that the cooperation and consistency mechanism being led by the IE SA (which incorporates the views of numerous CSAs in addition to the views of the NO SA), is clearly functioning in accordance with Article 60 GDPR, and argues that there is no reason to derogate from that mechanism 335. For this reason, in Meta IE’s view, the NO SA’s invocation of Article 66(1) GDPR and the NO SA Request to the EDPB are improper 33. 184. According to Meta IE, the urgency procedure interferes with the regular cooperation mechanism that the IE SA has been following to implement the IE SA Decisions 337. Meta IE’s view is that the process of 327LetterofNOSAtoIESAof11October2023,p.2.SeealsoNOSARejectionofMetaIE’sandFacebookNorway’s RequestforDeferredImplementationoftheCoerciveFineof7August2023,p.1-2,wheretheNOSAgivesseveral arguments related to the fact that Meta IE has ‘not implemented any measures that would warrant lifting the Orderorwaivingthecoercivefine,as thepersonal data of data subjects in Norway continue to be unlawfully processed for behavioural advertising purposes [...], . 328NO SA Request to the EDPB, p. 11. 329NO SA Request to the EDPB, p. 11. 330NO SA Request to the EDPB, p. 8. 331 NO SA Request to the EDPB, p. 8. 332NO SA Request to the EDPB, p. 12. 333Letter from Meta IE to IE SA of 31 May 2023, p.5; Letter from Meta IE to IE SA regarding potential urgent 334ceedings of 21 June 2023, p. 4. Letter from Meta IE to IE SA dated 31 May 2023, p. 5, referring to EDPB Urgent Binding Decision 01/2021, paragraphs 195-196. 335Meta IE’s Submissions of 16 October 2023, p. 4. 336 Meta IE’s Submissions of 16 October 2023, p. 4. 337Meta IE’s Submissions of 26 September 2023, p. 12-13. Adopted 48 engagement between Meta IE and the IE SA pursuant to Articles 56(6) GDPR and Article 60(10) GDPR remains ongoing, and that there are no exceptional circumstances that would allow the NO SA to bypass such process 338. 185. In addition, according to Meta IE, ‘the NO SA’s action directly conflicts with and undermines (i) the authority of the LSA, (ii) the role of other supervisory authorities across the EU/EEA who are 339 appropriately engaging via the LSA-led process and (iii) the GDPR’s one-stop-shop mechanism’ . 186. Meta IE also states that the existence of a disagreement between a LSA and a CSA does not, in itself, create a situation of urgency as such 340. In this respect, it states that ‘the fact that the [NO SA] appears to disagree with the [IE SA] cannot justify it resorting to the use of Article 66(2) [GDPR]’ 341. Meta IE also states that there is no precedent for a SA using Article 66(2) GDPR to seek to ‘overrule and dictate the process that a LSA has put in place to assess compliance with the LSA’s own orders’ 342. 187. Regarding the nature of the infringements, Meta IE is of the view that the NO SA does not provide evidence of their alleged seriousness, and states that behavioural advertising is a common practice, widespread beyond Meta’s services 343. 188. Meta IE also argues that the fact that the behavioural advertising processing has been ongoing for manyyearsdoesnotjustifyanyurgencybut,rather,provesthatthereisnonewelementofurgency 344. Meta IE highlights that the processing at stake in this case is the same processing as the one that has been ‘thesubject of detailed consideration by the[IE SA] (...)for over 4 years and by the EDPB, with the 345 awareness of SAs throughout’ . In this respect, Meta IE also recalls that in the EDPB Urgent Binding Decision 01/2021, the EDPB has established that ‘the mere continuation of processing, cannot, on its 346 own, justify an urgent need to act’ . 189. Meta IE considers that the EDPB Binding Decisions did not mandate it to rely on Article 6(1)(a) GDPR forbehaviouraladvertising processinganddidnotconcludeeither thatArticle6(1)(f)GDPRwasnotan 338 Letter from Meta IE to IE SA of 31 May 2023, p. 5; Letter from Meta IE to IE SA regarding potential urgent proceedings of 21 June 2023, p. 4. . 339Letter from Meta IE to the IE SA of 10 August 2023, p. 2. 340Meta IE’s Submissions of 26 September 2023, p. 1-2, 8. See also Meta IE’s Submissions of 16 October 2023, p. 5. 341Meta IE’s Submissions of 26 September 2023, p. 12. 342Meta IE’s Submissions of 26 September 2023, p. 2. 343MetaIE’sSubmissionsof26September2023,p.9.Morespecifically,MetaIEhighlightsthattheminimumage for using Facebook and Instagram is 13 andfor users agedbetween 13 and 17 only theage and locationare used to display ads. 344Meta IE’s Submissions of 26 September 2023, p. 8-9. Meta IE also reiterated that the ‘alleged “urgency” claimed by the [NO SA] cannot be premised on the relevant processing (i.e. [Meta IE]’s use of on-platform data for behavioural advertising purposes), given this processing has been ongoing for years with the full knowledge of regulators, and the only recent development is that [Meta IE] has increased the level of data subjects’ control over this processing’, see Meta IE’s Submissions of 16 October 2023, p. 5. 345See also Letter from Meta IE to IE SA of 31 May 2023, p. 5. Also see Letter from Meta IE to IE SA regarding potential urgent proceedings of 21 June 2023, p. 3. 346Letter from Meta IE to IE SA of 31 May 2023, p. 5, referring to the EDPB Urgent Binding Decision 01/2021, paragraphs 195-196. Adopted 49 appropriate legal basis for the processing of personal data collected on Meta’s products for the 347 purpose of behavioural advertising . Meta IE argues that it was only with the IE SA Final Position Paper that it became clear to it that its reliance on Article 6(1)(f) GDPR for such processing did not 348 comply with the IE SA Decisions . 190. Meta IE also argues that the IE SA is not refraining from enforcing the GDPR against it, given that the IE SA shared a timeline with the CSAs and issued the IE SA Provisional Position Paper and then the IE SAFinalPositionPaper 34. 35. 191. Meta IE states further that any urgent binding decision would be counterproductive , and ultimately harm the interests of data subjects while generating administrative work for the EDPB, the IE SA, the CSAs and Meta IE 35. In this respect, it also highlights that the measures requested by the NO SA through the urgency proceedings had already been considered as objections during the previous Article 65 GDPR process, and rejected 352 by the EDPB in the EDPB Binding Decisions . 353 . 4.2.1.3 Analysis of the EDPB 192. Article 66(2) GDPR requires the SA requesting an urgent binding decision to provide reasons for requesting such opinion. This includes the need for the requesting SA to demonstrate an urgent need to act. 193. Therefore, the EDPB analyses, whether, on the basis of the views of the NO SA and of the controller, as well as on the basis of the elements in the file, the condition of urgency is met. 194. In this respect, the EDPB considered in a past decision that the nature, gravity and duration of an infringement, as well as the number of data subjects affected and the level of damage suffered by them, may play an important part when deciding whether or not there is an urgent need to act in a 354 particular case . 195. In relation to the nature and gravity of the infringements, the EDPB notes that its findings that Meta IE still relies inappropriately on Article 6(1)(b) GDPR to process personal data, including location data and advertisement interaction data collected on its products for the purpose of behavioural 355 advertising and on Article 6(1)(f) GDPR to process personal data collected on its products for the 347Meta IE’s Submissions of 26 September 2023, p. 10. 348Meta IE’s Submissions of 26 September 2023, p. 10 (Meta IE refers to national courts in the EU holding, prior totheIESADecisions,thatArt.6(1)(b)GDPRisanappropriatelegalbasis,andtothefactthat previousdecisions from the IE SA initially confirmed the possibility to rely on Art. 6 (1) (b) GDPR). See also Meta IE’s Submissions of 16 October 2023, p. 5. 349Meta IE’s Submissions of 26 September 2023, p. 7 and 9. 350 Meta IE’s Submissions of 26 September 2023, p. 11. 351Meta IE’s Submissions of 26 September 2023, p. 3; see also Meta IE’s Submissions of 25 August 2023, paragraphs 46-48. 352Meta IE’s Submissions of 26 September 2023, p. 7-8. 353 Meta IE’s Submissions of 26 September 2023, p. 9. 354EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 169. 355See paragraphs 98-995 and 152 above. Adopted 50 356 purpose of behavioural advertising relate to the same processing activities as those referred to in the IE SA Decisions adopted on the basis of EDPB Binding Decisions. 196. In this respect, the EDPB recalls its finding from the EDPB Binding Decisions, i.e. that the nature and gravity of the infringement of Article 6(1) GDPR are such that a risk of damage caused to data subjects is consubstantial with the finding of the infringement itself 357. In relation to Meta IE’s infringements of Article 6(1) GDPR with respect to behavioural advertisement practices, the EDPB found that they constituted a very serious situation of non-compliance with the GDPR, in relation to processing of extensive amounts of data 358, which is essential to the controller’s business model, and harming the rights and freedoms of millions of data subjects in the EEA 359. 197. The EDPB also already highlighted in its EDPB Binding Decisions the ‘complexity, massive scale and intrusiveness of the behavioural advertising practice that [Meta IE] conducts’ 36. This view is still currently shared by the NO SA, which finds that Meta IE’s users’ online activities are ‘constantly, intrusively and opaquely monitored and profiled’ by Meta IE, which ‘may give rise to the feeling that 361 their private life is being continuously surveilled’ . This view is also still shared by the NL SA, which expressed greatconcerns withrespect to the processingactivities atstakeinlightof‘thelargeamount of personal data being processed, the number of data subjects involved as well as the nature of the data that is being processed – including video, audio and mouse movement’ 362. 198. The EDPB also clarified that at the time of the adoption of the EDPB Binding Decisions, bringing the processingintocompliancewiththeGDPRwouldallowtominimisethepotentialharmtodatasubjects 363 created by the violations of the GDPR . In the EDPB Binding Decisions, the elements of the ‘nature and gravity of the infringement’ 364and the ‘number of data subjects affected’ - which were and still 365 aresignificant -ledtheEDPBtoconcludethat‘itisparticularlyimportantthatappropriatecorrective measuresbeimposed[...]inorderto ensurethat[MetaIE]complieswiththisprovisionoftheGDPR’ 366. 199. When determining the transition period for bringing Meta IE’s processing into compliance with the GDPR, the EDPB requested that the IE SA gives ‘due regard to the harm caused to the data subjects by 367 the continuation of [Meta IE]’s infringement of Article 6(1) GDPR during this period’ . 200. The need for urgent action was fully acknowledged and clearly indicated in the IE SA Decisions 368. 356 See paragraphs 148 and 153 above. 357EDPB Binding Decision 3/2022, paragraph 446 and EDPB Binding Decision 4/2022, paragraph 415. 358EDPB Binding Decision 3/2022, paragraph 444 and EDPB Binding Decision 4/2022, paragraph 413. 359 EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284. 360EDPB Binding Decision 3/2022, paragraph 96 and EDPB Binding Decision 4/2022, paragraph 99. 361NO SA Request to the EDPB, p. 10, referring to CJEU Bundeskartellamt Judgment, paragraph 118. 362NL SA Mutual Assistance Request, p. 2. 363 EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284. 364EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281. 365EDPB Binding Decision 3/2022, paragraph 445 and EDPB Binding Decision 4/2022, paragraph 414. 366 367EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281. EDPB Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288. 368IESAFBDecision,paragraph8.10(‘[...]IdonotagreewithFacebook’ssubmissionthatthe[IESA]hasdiscretion to delay the activation of the timeline for compliance [...]. It is clear, from paragraph 286 of the Article 65 [GDPR] Decision, that the EDPB considered it necessary for Facebook to take the remedial action required to address the relevant infringements “within three months”. While Facebook has correctly identified that the EDPB has not expressly identified the starting point of this compliance period, the [IE SA]’s view is that it goes without saying that the starting point has to be the adoption and notification of the [IE SA]’s final decision, given that this is the earliest time from which the applicable timeline for compliance can start to run. Any contrary suggestion would Adopted 51201. In relation to the duration of the infringement and considering the above findings that Meta IE still relies inappropriately on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR to process personal data collected on its products for the purpose of behavioural advertising 369 despite the fact that the deadline for complying with the IE SA Decisions was 5 April 2023, the EDPB finds that data subjects are still faced with data processing activities that are unlawful 37. In relation to Meta’s argument that it is only on 18 August 2023 that the IE SA concluded that Meta IE’s reliance on Article 6(1)(f) GDPR for behaviouraladvertisingpurposewasinsufficienttocomplywiththeIESADecisions 371,theEDPBshares the view of the NL SA expressed already on 30 May 2023 that ‘the controller could not have been unaware of already established guidance from the EDPB, nor of the position of several CSAs on the 372 matter, but chose to explore the path of Article 6(1)(f) [GDPR] regardless’ . 202. In this respect, the EDPB can only note that every additional day during which the processing activity at stake takes place without reliance on an appropriate legal basis causes supplementary harm to the data subjects and allows Meta to continue to collect significant amounts of personal data of millions of European individuals on a daily basis and to generate significant revenue from the unlawful processing of the personal data of millions of data subject in the EEA 37. It also observes, in line with the position of the NO SA, that there are no measures that could be applied retroactively to repair the violation of the rights and freedoms of data subjects 374. 203. Therefore, while in some cases the fact that an infringement has been continuing for a long time may serve to demonstrate that an urgent need to act does not arise 37, as recalled by Meta IE 376, the EDPB considers in this case that the situation is different. To the contrary, in this case, the fact that the processing activities are still performed without reliance on an appropriate legal basis represents an element in favour of concluding that there is an urgent need for final measures to be adopted, since despite the orders given in the IE SA Decisions and the different discussions regarding their implementations, Meta IE still processes unlawfully personal data and still does not comply with the IE SA decisions 377This is not dispelled by Meta IE’s arguments on the fact that more transparency and an opt-out mechanism were implemented 378, as these elements do not solve the underlying issue of the lawfulness of the processing 379and the related harm caused on data subjects. be inconsistent with the need for urgent action that was clearly indicated to be required in paragraphs 286, 288 and 290 of the Article 65 Decision. It would further render meaningless the EDPB’s consideration of the compliance period in terms of a fixed number of months (in this case, three)’). An analogous wording is present in paragraph 214 of the IE SA IG Decision. 369See paragraphs 152 and 153 above. 370 EDPB Binding Decision 3/2022, paragraph 446 and EDPB Binding Decision 4/2022, paragraph 415. 371Meta IE’s Submissions of 26 September 2023, p. 11 and Meta IE’s Submissions of 16 October 2023, p.5. 372NL SA Mutual Assistance Request, p. 2. 373In this respect, Meta IE states that ‘any suspension of behavioural advertising in Norway for nearly a three month period would irreparably damage [Meta IE] as it would suffer (i) many millions of Euros in lost advertising revenue during this period’, see Meta IE’s Letter to the NO SA of 14 August 2023, p.9. 374NOSARejectionofMetaIE’sandFacebookNorway’sRequestforDeferredImplementationoftheOrderdated 7 August 2023, p. 1. 375 See, for instance, EDPB Urgent Binding Decision 01/2021, paragraphs 195-196. 376Letter from Meta IE to IE SA of 31 May 2023, p. 5, referring to the EDPB Urgent Binding Decision 01/2021, paragraphs 195-196. 377See sections 4.1.1.4 and 4.1.2.4 above. 378 Meta IE’s Submissions of 26 September 2023, p. 9. 379See paragraphs 152 and 153 above. Adopted 52204. The EDPB recalls in this respect the NO SA’s argument that the failure to firmly and expediently react to non-compliance with the IE SA Decisions deprives data subjects of the protection that they are entitled to 380. 205. The EDPB finds, in light of the above and in line with the view of the NO SA, that failing to put an end tothe processingactivities atstakeand toenforcetheIESADecisionsexposes datasubjects toarisk 381 of serious and irreparable harm . The NO SA, alongside other CSAs, have also expressed the view that further measures are urgently needed in this case not only to address the situation of non- compliance with the GDPR but also put an end to the harm to data subjects. 206. The SE SA expressed the need for further action after the circulation of Meta IE Compliance Reports 382 and asked ‘the [IE] SA what procedure [the SE SA] can expect going forward’ . 207. The NL SA ”383, echoing its previous call to the IE SA “to swiftly undertake adequate actions in order to cease the continuous illegality of the invasive processing of personal data of millions of users’ 38. It is also important to recall the NL SA Mutual Assistance Request 38, according to which ‘appropriate and expedient action is required to protect the fundamental rights of millions of data subjects in the Netherlands as well as throughout the European Economic Area’ 386 and that SAs should be ‘acting together’ on this ‘as cooperating European supervisory authorities under the lead of the [IE SA]’ 38. 208. Similarly, already after the circulation of the IE SA Provisional Position Paper to the CSAs, the DE Hamburg SA requested the IE SA ‘to swiftly reach a consolidated position that [Meta IE] has not demonstrated the legal basis and suspend the processing, which is based on Art[icle] 6 (1) [(b) GDPR] and [Article 6 (1)] (f) GDPR for behavioural advertising’ 388. 209. In the EDPB Binding Decisions, the EDPB made clear that urgent action was already required in December 2022 and decided that, at that time, the order for compliance to be imposed on Meta IE should require Meta IE to restore compliance within a short period of time 389. In doing so, the EDPB 380 381NO SA Request to the EDPB, p. 6. See paragraph 175 above, and NO SA Request to the EDPB, p. 10. 382SE SA comment in IE SA IMI Informal Consultations of 4 May 2023. 383 . 384 Views of the NL SA on the Compliance Reports of 4 May 2023, in IMI informal consultation on FB case and in IMI informal consultation on IG case, paragraph 4. 385The NL SA made the NO SA Mutual Assistance Request on 30 May 2023 and requested the IE SA to inform them by 30 June 2023: (i) ‘Of its conclusion as to whether [Meta IE] can or canno invoke Article 6(1)(f) GDPR for the processing of the personal data of its users for the purposes of behavioural advertising, more specifically for a large part of the processing operations for which [Meta IE] previously relied on Article 6(1)(b) [GDPR];’ and (ii) ‘Of its conclusion as to whether [Meta IE] does or does not comply with the [IE SA]’s final decision of 31 December 2022, ordering [Meta IE] to bring these processing operations in line with Article 6 GDPR;’ and (iii) ‘Of a timeframe in which appropriate and expedient action will be taken to ensure that [Meta IE] acts in compliance with Article 6 GDPR, to protect the fundamental rights of millions of data subjects affected by this processingoperation,intheNetherlandsaswellasthroughouttheEuropeanEconomicArea(EEA).Inthisrespect, the [NL SA] attaches significant weight to the connection between the controller’s non-compliance with Article 6 GDPR and its failure to comply with the [IE SA]’s order. In our view, this warrants prompt intervention’ 386NL SA Mutual Assistance Request, p. 1. 387NL SA Mutual Assistance Request, p. 2. 388 Views of the DE Hamburg SA on IE SA Provisional Position Paper of 21 July 2023, p. 2. 389Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288. Adopted 53 recalled the IE SA’s reasoning on the three-month deadline already provided by the IE SA its draft 390 decision forcomplianceforthetransparencyinfringements,whichitconsideredtobenecessaryand proportionate in light of: (1) the potential for harms to the data subjects’ rights that such a measure entails, considering that the interim period for compliance ‘will involve a serious ongoing deprivation of their rights’, (2) the significant financial, technological, and human resources and (3) the clear instructions provided to Meta IE to comply with GDPR 39. The EDPB therefore instructed the IE SA to include in itsfinaldecision anorder for Meta IE tobringitsprocessingof personaldata forthepurpose of behavioural advertising in the context of the Facebook service into compliance with Article 6(1) 392 GDPR within three months . 210. Importantly, the understanding that the timeframe to be left to Meta IE to achieve compliance with the GDPR needed to be a fixed one was also shared by the IE SA in the IE SA Decisions, where the IE SA referredto theEDPBBindingDecisions andexplainedthatclearly ‘theEDPBconsidereditnecessary for [Meta IE] to take the remedial action required to address the relevant infringements ‘within three 393 months’ and indicated a ‘need for urgent action’, and with ‘a fixed number of months’ . 211. The EDPB previously established that urgency procedures under Article 66 GDPR are derogations from the standard consistency and cooperation mechanism and that the requirements of Article 66 GDPR 394 must be interpreted restrictively . Therefore, the EDPB considers that it may request final measures underArticle 66(2)GDPRonlyiftheregularcooperationorconsistency mechanismscannotbeapplied 395 in their usual manner due to the urgency of the situation . Therefore, the EDPB assesses in this section whether there is a need to derogate from the regular cooperation and consistency mechanisms in this case. 212. In this particular case, the IE SA already adopted the IE SA Final Decisions under the one-stop-shop procedure on the basis of the EDPB Binding Decisions, containing an order for compliance with Article 6(1) GDPR. Pursuant to Article 60(10) GDPR, the controller shall notify the measures taken for complying with a decision taken in the cooperation mechanism with the LSA, which shall inform the CSAs. 213. The EDPB Guidelines on the application of Article 60 GDPR highlight that the ‘obligation [of the controllertonotifytotheLSAthemeasurestakentocomplywiththedecision]ensurestheeffectiveness of the enforcement. It is also the basis of possible necessary follow-up actions to be commenced by the LSA, also in cooperation with the other CSAs’ 396. 214. These guidelines further point out that if the LSA concludes that the measures taken are insufficient, the LSA should, as part of its legal duty to inform the CSAs, consider providing the other CSAs with its assessmentofthemeasuresadoptedbythecontroller,inparticularinordertodecidewhetherfurther 390 IE SA draft decision relating to Facebook, paragraph 8.4, IE SA draft decision relating to Instagram, paragraph 202. 39Binding Decision 3/2022, paragraph 286 and Binding Decision 4/2022, paragraph 288. 39Binding Decision 3/2022, paragraph 288 and Binding Decision 4/2022, paragraph 290. 39IE SA FB Decision, paragraph 8.10; IE SA IG Decision, paragraph 214. 394 EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraphs 165-167. 395EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 167. Also see paragraph 169 above. 39EDPB Guidelines 02/2022 on the application of Article 60 GDPR, adopted on 14 March 2022, paragraph 248. Adopted 54 actions are necessary 397.This indicates that where the measures adopted by the controller are considered to be insufficient, there may be a need for the LSA to take further actions. 215. In the case at hand, the IE SA concluded in the IE SA Final Position Paper, also relying upon the comments shared and views expressed by the CSAs, that Meta IE failed to demonstrate compliance with the IE SA Decisions 398. However, it also considered that it was ‘fair’ and ‘reasonable’ to provide Meta IE with an opportunity to demonstrate that it can rely on consent as a lawful basis rather than engaging in enforcement measures 399. 216. The IE SA has also reiterated its position, as LSA, that no further urgent actions are necessary in this case, as the course of action already being taken, consisting in ‘an enforcement procedure[...] in which adefinedsetofproposals,bywhich[MetaIE]proposestoachievecompliancewithitsobligationsunder Article 6 GDPR (and the terms of the [IE SA] Decisions), is the subject of ongoing assessment by the [IE 400 SA] and the CSAs’, is adequately addressing the situation . 217. In this respect, the EDPB acknowledges the need to evaluate the proposal being made by the controller, and that this entails the ‘examination of a number of particularly complex (and novel) issues’ 401. The EDPB also fully acknowledges that a ‘regulatory process’ is ‘being conducted under the GDPR’s cooperation and consistency framework’, led by the IE SA, 402. 218. 403 . 404 . he EDPB therefore finds that the existence of the Meta IE’s Consent Proposal does not undermine the need to take actions to ensure that the unlawful processing comes to an end. 219. In this context, the EDPB notes that the IE SA acknowledged in its Final Position Paper - more than four monthsafter the deadlineforcompliance-that Meta IEstill infringesthe GDPR 405.The EDPBfindsthat the fact that the IE SA did not take supervisory measures to put an end to Meta IE’s inappropriate reliance on 6(1)(b) and 6(1)(f) GDPR and to enforce the IE SA Decisions, despite the risk of serious and 397 EDPB Guidelines 02/2022 on the application of Article 60 GDPR, adopted on 14 March 2022, paragraph 249. 398IE SA Final Position Paper, paragraph 9.2. 399IE SA Final Position Paper, paragraph 9.2. 400Letter of IE SA to NO SA of 13 October 2023, p. 4. 401 Letter of IE SA to NO SA of 13 October 2023, p. 4-5. 402Letter of IE SA to NO SA of 13 October 2023, p. 6. 403Letter of IE SA to NO SA of 13 October 2023, p. 4-5. 404IE SA’s Response to Meta IE of 11 August 2023 p. 2. The 405IE SA Final Position Paper, paragraph 8.1. Adopted 55 irreparable harm caused to data subjects 406, shows that the regular cooperation and consistency mechanismisnotprovidingsatisfactoryresults,andthatthereisaneedtorequesttheIESAtourgently order final measures due to the urgency of the situation. In this respect, the EDPB notes that while now six months after the deadline for compliance have passed, there is still no clear indication that compliancewillbereached soonnoristhereaclearindicationthatthe IESA -asLSA-intendstoadopt 407 corrective measures in order to end the ongoing infringements . 220. In conclusion, the EDPB finds, in light of the circumstances described above, that the regular cooperation or consistency mechanisms cannot be applied in their usual manner, and that due to the risk of serious and irreparable harm without urgent final measures, there is a need to derogate from the regular cooperation and consistency mechanisms to order final measures due to the urgency of the situation. 221. Lastly, the EDPB considers it relevant to recall the SAs’ duty to monitor the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and 408 to facilitate the free flow of personal data within the EU . In particular, the EDPB has stated that when a violation of the GDPRhas been established, competent supervisory authorities are required to 409 react appropriately to remedy this infringement . The powers afforded to SAs by Article 58 GDPRare aimed to fulfilling this goal. Similarly, the Court of Justice of the European Union held that ‘(...) [a]lthough the supervisory authority must determine which action is appropriate and necessary (...), the supervisory authority is nevertheless required to execute its responsibility for ensuring that the 410 GDPR is fully enforced with all due diligence’ . 4.2.2 On the application of a legal presumption of urgency justifying the need to derogate from the cooperation and consistency mechanisms 222. Intheprecedentsection,theEDPBfoundthatthereisaneedtoderogatefromtheregularcooperation 411 and consistency mechanisms to order final measures due to the urgency of the situation . In this section, the EDPB assesses whether such urgency and need to derogate from the regular cooperation and consistency mechanisms may also be presumed on the basis of Article 61(8) GDPR. 412 223. Considering the facts of the case , the EDPB will assess whether this case falls within the description provided by Article 61(8) GDPR, which refers to the situation where an SA does not provide the information referred to in Article 61(5) GDPR within one month of receiving a mutual assistance request from another SA. Article 61(8) GDPR provides that the ‘urgent need to act under Article 66(1) [GDPR] shall be presumed to be met and require an urgent binding decision from the Board pursuant to Article 66(2) [GDPR]’. If such a presumption applies, the urgent nature of an Article 66(2) request 413 for an urgent binding decision can be presumed and does not need to be demonstrated . 406See paragraph 205 above. 407 408See paragraphs 215-216 above Article 51(1) GDPR and Recital 123 GDPR. 40EDPBBindingDecision3/2022,paragraph278 and EDPB Binding Decision 4/2022, paragraph 280 (referring to CJEU Judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, ECLI:EU:C:2020:559, paragraph 111). 410 411Judgment of 16 July 2020, Facebook Ireland and Schrems, C‑311/18, ECLI:EU:C:2020:559, paragraph 112. See EDPB analysis under 4.2.1.3 412See Section 1 of this urgent binding decision. 413EDPB Urgent Binding Decision 01/2021, adopted on 12 July 2021, paragraph 170. Adopted 56224. As mentioned, the NO SA Mutual Assistance Request was made on 5 May 2023 - see paragraphs 10, 13, and 15 above describing the NO SA Mutual Assistance Request and the response provided by the IE SA. 4.2.2.1 Summary of the position of the NO SA 225. The NO SA considers that Article 61(8) GDPR is applicable in this case 414 because the IE SA replied ‘No, I cannot comply with the request’ to the NO SA Mutual Assistance Request ‘without providing any specific justification other than referring to another letter it sent to all of the CSAs on 31 May 2023’ 415. The NO SA also argues that the ‘IE SA did not provide a reasoned refusal’ as per Article 61(4) GDPR, ‘nor did it inform [the NO SA] of results or progress of any measures taken in order to respond to [their] request to ban the unlawful processing of personal data and to enforce compliance with Article 6(1) [GDPR]’ 41. According to the NO SA, the content of the letter of 31 May 2023 was a simple announcement of when the IE SA would finalise its review of the Meta IE Compliance Reports, but it ‘didnotprovideanyinformationonthespecific enforcementplan[they]requested,nordiditannounce any specific or envisaged enforcement action with respect to Meta IE, despite [their] request to that 417 effect’ . 226. In view of the NO SA there ‘were no measures taken in order to respond to the request’, and within a month from the NO SA Mutual Assistance request, ‘the IE SA had complied with neither of [their] demands’ 41. The NO SA also indicates that their demands remain unfulfilled due to the fact that the IE SA considers it fair and reasonable not to engage in enforcement measures despite its conclusion that Meta IE is currently failing to rely on a valid lawful basis for behavioural advertising 419. 227. To support the view that Article 61(8) GDPR is applicable to the present case, the NO SA refers to an opinion of Advocate General Bobek stating that where a LSA fails to address a CSA mutual assistance request, the latter may adopt provisional measures in circumstances in which ‘the urgent need to act 420 ispresumed andneednotbeproven’ .TheNOSAalsomentionsthe existenceofprecedentdecisions applying the Article 61(8) GDPR presumption, in particular a decision from the IT SA related to Meta IE where the SA similarly considered that a failure from the LSA to address their request legitimately allowed for a derogation to the cooperation mechanism and the triggering of an Article 66 GDPR 421 urgency procedure . 228. The NO SA underlines that - contrary to the factual circumstances that led the EDPB to conclude that 422 Article 61(8) was not applicable in a previous case - ‘the communications regarding the present matter between the NO SA and the IE SA were made using the procedure for MA [Mutual Assistance] 414NO SA Request to the EDPB, p. 7-8. 415NO SA Request to the EDPB, p. 8. 416NO SA Request to the EDPB, p. 8. 417 NO SA Request to the EDPB, p. 8. 418NO SA Request to the EDPB, p. 8; 419NO SA Request to the EDPB, p. 8, referring to the IE SA Final Position Paper. It may be useful to also note that the NO SA, in its Letter to the IE SA of 21 September 2023 (p.1), states they understand the IE SA has chosen not to follow the NO SA Mutual Assistance Request because in spite of preliminarily concluding that Meta IE is still notoperatingincompliancewithArt.6(1)GDPRtheydidnotindicateanycorrespondingenforcementmeasures. 420NO SA Request to theEDPB,p. 9, referring to Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, paragraph 119 and paragraph 135. 421 NO SA Request to the EDPB, p. 9, referring to Italian SA’s decision of 21 December 2022 [9853406], available at https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9853406#english. 422NO SA Request to the EDPB, p.9 referring to EDPB Urgent Binding Decision 01/2021, paragraphs. 171-181. Adopted 57 requests pursuant to Article 61(1) GDPR, and not the procedure for Voluntary Mutual Assistance 423 (“VM[A]”) requests’ . 4.2.2.2 Summary of the position of the controller 424 229. Meta IE argues that, in this case, no ‘presumption of urgency arises under Article 61(8) GDPR’ . Meta IE indicates that in order to rely on Article 61(8) GDPR presumption of urgency, the NO SA ‘must show that the [IE SA] failed to respond to the [NO SA’s Mutual Assistance Request]’ but considers that the NO SA ‘cannot show this’ 425. Meta IE states that the NO SA’s ‘attempt to rely on the presumption of urgency in Article 61(8) GDPR is misconceived as a matter of law and contradicts the factual record of communications’ between the IE SA and the NO SA 426. According to Meta IE, the IE SA ‘adequately addressed the [NO SA Mutual Assistance Request] by providing the information the [NO SA]requested’ and the NO SA ‘distort[s] and mischaracterize[s] the substance and nature of the correspondence’ with the IE SA427. 230. In MetaIE’sview,the NO SA MutualAssistance Requestdid not ‘request the[IE SA] to detail a “specific enforcement plan” or “specific or envisaged enforcement action” that it would “impose on [Meta IE] in the event of non-compliance”, as this is not what is entailed by the request of the NO SA to the IE SA to share “a timeline specifying how it will ensure in an expedient manner that Meta [IE] complies with 428 Article 6(1) GDPR”’ . Rather, according to Meta IE, this wording referred to a request to share a timeline, which the IE SA provided ‘on numerous occasions’ 429and this demonstrates that there was ‘noinactionorfailuretocommunicatebythe[IESA]whichthe[NOSA]cannowrelyontoinvokeArticle 61(8) [GDPR]’ 430. 231. According to Meta IE, ‘the [IE SA]’s decision not to immediately implement the[NOSA]’s own preferred enforcement measures did not amount to a failure to adequately respond to the [NO SA Mutual AssistanceRequest].NothinginArticle61(1)GDPRrequiressuchblindobediencebyanLSAtowhatever actions a CSA might request it to take. [...] The [IE SA] adequately addressed the [NO SA Mutual Assistance Request] by providing the information the [NO SA] requested’ 431. It also states that ‘Article 61(5) GDPR [...] does not require an LSA to commit in advance to impose any specific corrective measures within any specific timeframe’ 43. Meta IE further elaborates that while ‘Article 61 GDPR cannot be used by a single SA to demand that an LSA adopt corrective measures with respect to processing that is subject to an ongoing LSA-led compliance proceeding’, the IE SA later provided 433 reasons ‘for declining to issue an immediate ban on processing’ . In this regard, Meta IE is of the opinion that corrective measures cannot be requested ‘with respect to processing that is subject to an ongoing LSA-led compliance proceeding’ as this could ‘undermine the one-stop shop mechanism and 423NO SA Request to the EDPB, p.9-10. 424Meta IE’s Submissions of 25 August 2023, p. 18-21; Meta IE’s Submissions of 16 October 2023, p. 5-8; Annexure 1 to Meta IE’s 16 October 2023 Letter, p.17; Annexure 12 to Meta IE’s 16 October 2023 Letter, p.49- 53. 425Meta IE’s Submissions of 25 August 2023, p. 19; Meta IE’s Submissions of 16 October 2023, p. 5. 426Meta IE’s Submissions of 26 September 2023, p. 5. 427Meta IE’s Submissions of 16 October 2023, p. 5. 428 Meta IE’s Submissions of 26 September 2023, p. 5, referring to the NO SA Mutual Assistance Request. 429Meta IE’s Submissions of 25 August 2023, p. 19. 430Meta IE’s Submissions of 26 September 2023, p. 7. 431Meta IE’s Submissions of 26 September 2023, p. 2; Meta IE’s Submissions of 16 October 2023, p. 5. 432 Meta IE’s Submissions of 16 October 2023, p. 5. 433Meta IE’s Submissions of 16 October 2023, p. 6, referring to (i) Meta IE’s Merit Complaint submitted to the OsloDistrictCourtannexedtoMetaIE’sSubmissionsof16October2023,andto(ii)theIESAFinalPositionPaper. Adopted 58 the LSA’s duty to consider all CSAs views in connection with that mechanism’ 434. In addition, Meta IE argues that the request ban on processing had already been ‘considered and rejected by the EDPB in a prior Article 65 GDPR binding decision’ 435. 232. In Meta IE’s view, the IE SA addressed the NO SA’s Mutual Assistance Request via the IE SA Update to CSAs of 31 May 2023as it contained ‘relevant information’ and allowed to inform the NO SA of ‘the 436 progress of the measures taken in order to’ address the request . Considering that the IE SA did address the request on 31 May 2023, it therefore did not refuse to do so when it provided its negative response on IMI on 2 June 2023 because this response was accompanied with a reference to the IE SA Update to CSAs of 31 May 2023 437. Meta IE further details that the IE SA had explained that the negativeresponseonIMIwastheresultofa‘mistake’andthattheNOSA’smessagetotheIESAshows that the NO SA ‘did not believe [...] that the [IE SA] had failed to respond’ to the request 438. In support of this, Meta IE mentions a message from the NO SA to the IE SA stating: ‘Thank you for your message of 2 June 2023. We understand that you will revert towards the end of June’ and ‘we will await your response towards the end of June’ 439. 233. Meta IE considers that the NO SA did not object to the IE SA Provisional Position Paper and did not mention any alleged failure by the IE SA to respond to the NO SA Mutual Assistance Request, ‘despite invoking Article 61(8) GDPR in the [NO SA] Order to attempt to argue that urgency may be presumed due to an alleged failure to respond by the [IE SA]’ 440. Furthermore, Meta IE argues that the NO SA ‘did not raise any complaints about the[IE SA]’s proposed timetable prior to issuing theOrder, even though that is what it would have been expected to do first if it had genuine concerns about urgency’ 44. 234. Concerning the NO SA’s reference to the opinion of Advocate General Bobek in Case C-645/19, Meta IE indicates that ‘considering the lengthy procedural history, which includes the [IE SA] imposing the NOYB Decisions and properly conducting an ongoing compliance procedure, the NO SA cannot reasonably argue that the[IE SA] has failed to act. The [IE SA] is acting, and also fully cooperating with, the other SAs’ 442. 4.2.2.3 Analysis of the EDPB 235. The cooperation mechanism in the GDPR provides for different tools for the SAs to exchange among themselves and perform their tasks. One of such tools is mutual assistance pursuant to Article 61 GDPR. Under this provision, SAs ‘shall provide each other with relevant information and mutual assistance in order to implement and apply [the GDPR] in a consistent manner, and shall put in place 434 Meta IE’s Merits Complaint submitted to the Oslo District Court annexed to Meta IE’s Submissions of 16 October 2023, p. 52. 435Meta IE’s Merits Complaint submitted to the Oslo District Court annexed to Meta IE’s Submissions of 16 October 2023, p. 52, referring to (i) EDPB Binding Decision 3/2022, paragraph 285 and to (ii) EDPB Binding Decision 4/2022, paragraph 287. 436Meta IE’s Submissions of 16 October 2023, p. 5, referring to the IE SA Update to CSAs of 31 May 2023. 437Meta IE’s Submissions of 16 October 2023, p. 6. 438Meta IE’s Submissions of 16 October 2023, p. 6. 439 Meta IE’s Submissions of 16 October 2023, p. 6, referring to the message sent by the NO SA to the IE SA via the IMI flow relating to the NO SA Mutual Assistance Request on 9 June 2023. 440Meta IE’s Submissions of 25 August 2023, p.9, referring to an email dated 14 July 2023 from the NO SA to the IE SA informing of the Provisional Measures being taken. 441 Meta IE’s Submissions of 26 September 2023, under footnote 41 p. 12. 442Meta IE’s Complaint to the NO SA regarding the NO SA Order, 1 August 2023, p. 17; Meta IE’s Submissions of 25 August 2023, p.21. Adopted 59 443 measuresfor effective cooperationwith oneanother’ .Thesame provisionalsoexplains that mutual assistance ‘shall cover, in particular, information requests and supervisory measures, such as requests 444 to carry out prior authorisations and consultations, inspections and investigations’ . 236. The EDPB recalls that Article 61 GDPR on mutual assistance belongs to Section 1 of Chapter VII of the GDPR related to cooperation. In this regard, the EDPB considers Article 61 GDPR to be one of the mechanismsforsupervisoryauthorities toensure properand efficient cooperation.Consequently, the concept of mutual assistance rooted in the GDPR entails ‘sincere and effective cooperation’ 445and requires concrete actions from a supervisory authority receiving a mutual assistance request (hereinafter, ‘Requested SA’). More specifically, the obligations of a Requested SA can be listed in a logical sequence as follows: • Article 61(2) GDPR: ‘each SA shall take all appropriate measures required to reply to a request of another SA’; • Article 61(2) GDPR: the Requested SA shall reply within a specific timeframe (‘without undue delay and no later than one month after receiving the request’); • Article61(4) GDPR:the Requested SAmust‘complywiththerequest’inallcases exceptforthe situations mentioned in Article 61(4) (a) and (b); • Article61(5)GDPR,firstsentence:‘therequestedSAshallinformtherequestingSAoftheresult or, as the case may be, of the progress of the measures taken in order to respond to the request’; • Article 61(5) GDPR,secondsentence: ‘therequested SAshall providereasonsforany refusal to comply with a request pursuant to paragraph 4’; • Article 61(6) GDPR: the Requested SA shall, as a rule, supply the information by electronic means, using a standardised format. 237. Article 61(9) GDPR provides the possibility for the European Commission (hereinafter the ‘EC’) to specify, by means of implementing acts, the format and procedures for mutual assistance and the arrangementsfortheexchangeofinformationbyelectronicmeansbetweenSAs.On16May2018,the EC adopted an implementing act relating to the use of the EC Internal Market Information system for GDPR consistency and cooperation procedures, including for Article 61 GDPR mutual assistance requests (IMI) (hereinafter, the ‘IMI Implementing Act’) 446. 238. The IMI procedure dedicated to Article 61 GDPR mutual assistance requests is a one-to-one workflow. This entails that the request can only be addressed to, and received by, the Requested SA. Similarly, the reply will only be addressed to, and received by, the SA that made the mutual assistance request (hereinafter, the ‘Requesting SA’). Pursuant to Article 3(3) of the IMI Implementing Act, this dedicated workflow is to be used for the different exchanges between authorities in the framework of an Article 44Article 61(1) GDPR. 44Article 61(1) GDPR. 44Onhow a ‘lead supervisory authority cannot, in the exercise of its competences, [...]eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned’, see Judgment of the Court of Justice (Grand Chamber) of 15 June 2021, in case Facebook Ireland Ltd and Others v Gegevensbeschermingsautoriteit, C-645/19, ECLI:EU:C: 2021:483, paragraph 63. 44EC Implementing Decision (EU) 2018/743 of 16 May 2018 on a pilot project to implement the administrative cooperation provisions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council by means of the Internal Market Information System C/2018/2814, https://eur-lex.europa.eu/legal- content/EN/TXT/?uri=uriserv%3AOJ.L .2018.123.01.0115.01.ENG&toc=OJ%3AL%3A2018%3A123%3ATOC. Adopted 60 61 GDPR mutual assistance request. This includes, in particular, ‘requesting mutual assistance from another supervisory authority in the form of information and/or supervisory measures’, ‘responding to a mutual assistance request including acceptance or in exceptional cases refusals to comply with the request’, and ‘communication of the progress and the result of measures taken in order to respond to the request’44. The use of this dedicated IMI workflow also allows for the automatic monitoring of the one-month deadline to reply to a request pursuant to Article 61(2) GDPR. 239. Being a one-to-one workflow in the IMI, an Article 61 GDPR mutual assistance procedure is a type of bilateral communication to be distinguished from other bilateral or multilateral communication channels that are made available in IMI for other types of GDPR cooperation mechanisms. While a mutual assistance request can be connected to developments occurring within multilateral communication channels, the initiation of a mutual assistance request by a supervisory authority opens a dedicated workflow for exchanges between the Requesting and Requested SAs only. 240. Pursuant to Article 61 GDPR, a Requested SA is under a legal obligation to address a mutual assistance request. The only possibility for a Requested SA to refuse to address a request is where it provides 448 reasons for refusing to comply, in line with the two limited exceptions of Article 61(4) GDPR and as provided in the last sentence of Article 61(5) GDPR 44. While the possibility to provide information on the results or progress of the measures taken within the one-month timeframe gives some discretion to the Requested SA, the duty to cooperate also implies that the Requested SA must always take certain concrete steps to address the given request, or duly justify why it does not do so. In an exceptional situation where a Requested SA does not provide appropriate information on the measurestaken,theprogressmade,oronthedulyreasonedgroundswhyitcannotsatisfytherequest, within one month of receiving the request, the Requesting SA may consider that the conditions of Article 61(8) GDPR are met. 241. In light of the above developments, the EDPB considers that the obligation for the Requested SA to address a mutual assistance request implies the need to fulfil procedural and substantive criteria. 242. The need to fulfil the procedural criteria mainly derives from Article 61, paragraphs 6 and 9 GDPR, togetherwithArticle3(3)oftheIMIImplementingAct.Theproceduralcriteriarelateto theprocedural formalities that need to be respected to address a mutual assistance request. 243. For what concerns, on the other hand, the obligation to fulfil substantive criteria, the EDPB considers thatthisarisesfromtheprovisionsmentionedabove,namely (i)thewordingofArticle61(4)GDPRand Article61(5)GDPR,providingforapossibilitytorefusetocomplywithmutualassistancerequestsonly based on the limited grounds listed in the GDPR, and providing reasons for any refusal, and (ii) the qualification of mutual assistance as a tool for cooperation. This imposes the need to examine the content of the reply and the actions taken by a Requested SA to evaluate whether or not a given request has been addressed. 244. The list provided by Article 61(1) GDPR is not exhaustive (‘in particular’). As such, it does not list or excludespecificallytheimpositionofcorrectivemeasures.However,theEDPBconsidersthat thisdoes 44EC Implementing Decision (EU) 2018/743 of 16 May 2018, Article 3(3). 44Art. 61(4) GDPR states ‘The requested supervisory authority shall not refuse to comply with the request unless: (a) it is not competent for the subject-matter of the request or for the measures it is requested to execute; or (b) compliance with the request would infringe this Regulation or Union or Member State law to which the supervisory authority receiving the request is subject.’ 44‘The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4’. Adopted 61 not, in any event, remove the duty of the Requested SA, pursuant to Article 61 (4) and 61 (5) GDPR and the general duty of cooperation, to provide reasons for any refusal to comply with a request. 245. Moving on to the case at hand, the EDPB notes that on 5 May 2023 a formal Article 61 GDPR mutual assistance request was initiated by the NO SA via the creation of a dedicated IMI workflow. The NO SA Mutual Assistance Request contained two different requests: (i) ‘that the IE SA issues a temporary ban on Meta IE’s processing of personal data for behavioural advertising purposes on Facebook and Instagram based on Article 6(1)(f) GDPR, in accordance with Article 58(2)(f) GDPR’ 45; (ii) ‘that the IE SA shares a timeline specifying how it will ensure in an expedient manner that [Meta IE] complies with Article 6(1) GDPR’. 246. In the NO SA Mutual Assistance Request, the NO SA also specified that they would ‘be grateful if the IE SA, by 5 June 2023, would share the timeline and confirm that a temporary ban will be issued’ and that ‘If the IE SA is not in a position to comply with our request regarding [Meta IE], we may need to consider our options in relation to the adoption of provisional measures in Norway pursuant to Article 66 of the GDPR. We hope that this will not be necessary and look forward to cooperating further with the IE SA within the framework of the cooperation mechanisms set out in Chapter VII of the GDPR’. 247. The NO SA Mutual Assistance Request was also uploaded by the NO SA as a comment on the Meta IE Compliance Reports, shared with the LSA and all CSAs within the IE SA IMI Informal Consultations. Other CSAs shared their feedback on the Compliance Reports in the same period, as described above 451 in paragraph 10, and some of them also addressed concerns on actions taken by the IE SA . In this context, on 30 May 2023, the NL SA also made a mutual assistance request, as described above in paragraph 12. Analysing, first of all, whether the procedural criteria were met by the IE SA’s response to the NO SA Mutual Assistance Request, the EDPB notes that it is on 2 June 2023 that the first 450The wording of the NO SA Mutual Assistance Request then goes on as follows: ‘The ban should last until the lead and concerned supervisory authorities are satisfied that [Meta IE] has provided adequate and sufficient commitments to ensure compliance with Articles 6(1) and 21 GDPR, in line with Article 31 GDPR. This will give us the opportunity to further engage with Meta and make sure that it commits to fully respect its obligations under the GDPR, while preventing any further risks for data subjects stemming from [Meta IE]’s non-compliant behavioural advertising practices. Please note that in our view, behavioural advertising includes any activities where advertising is targeted on the basis of a data subject’s behaviour or movements, including advertising 451ed on perceived location’. Several CSAs expressed concerns about: (i) The IE SA not sharing its own legal assessment (e.g. FR SA on 25 April 2023; DE Hamburg SA on 4 May 2023). In response, the IE SA invited the CSAs to ‘carry out their own assessments of the compliance material’ and outlined that ‘the finding of infringement of Article 6(1) [GDPR] and the requirement for a corresponding order to be imposed, were determined by the EDPB’ which ’overturned the views originally expressed by the IE SA in its draft decision‘ (IE SA request for CSAs views circulated via the IMI on 26 April 2023); (ii) The measures suggested by the controller to comply with the IE SA decisions - in particular the reliance on Article 6(1)(b) GDPR and Article 6 (1)(f) GDPR for behavioural advertising - which raised concerns and criticisms forwhichseveralCSAsrequestedimmediateactionsfromtheIESA (e.g.viewsofDEHamburgSAon4May2023; views of NL SA on 4 May 2023; comment of the SE SA on 4 May 2023). Similarly, theNO SAhadpreviouslycontacted theIE SAviaemail on 5 April to express their ‘strongdoubts’about Meta using Article 6(1)(f) in the context of behavioural advertising, as well as their fear of a ‘real risk to data subject's rights’, and asking the IE SA for their assessment and intentions for regulatory action. On 4 May 2023, the IE SA had indicated via the IE SA IMI Informal Consultations that they would ‘not be preparing any further decision in this matter’ and that they would rely on their assessment of compliance, carried out jointly together with all CSAs, IE SA Information on Procedure (response to SE SA), dated 4 May 2023. Adopted 62 procedural development from the IE SA occurred within the Art. 61 IMI workflow initiated by the NO SA. This is when the IE SA specified they ‘cannot comply with the request’ (by way of checking a pre- filled text box on IMI), and indicated in a comment they had further detailed their response under 452 previous communications located in the IMI Informal Consultations . The IE SA made reference to the IE SA Update to CSAs of 31 May 2023 (see above paragraph 13). Therefore, the EDPB considers that the IE SA addressed the NO SA Mutual Assistance Request from a procedural standpoint. 248. The EDPB also analyses the substance of the reply provided by the IE SA to assess whether the NO SA Mutual Assistance Request was addressed within the one-month deadline set by the legislator. It is in particular relevant to assess whether the IE SA, refusing to comply with the NO SA Mutual Assistance Request,providedthereasonsforsuch refusalinaccordancewith Article61(5)GDPR.Whilespecifying they‘cannotcomplywiththerequest’,theIESAindicatedinacommenttheyhadfurtherdetailedtheir response under previous communications located in the IE SA IMI Informal Consultations 453. The IE SA 454 made reference to the IE SA Update to CSAs of 31 May 2023 (see above paragraph 13) . 249. AccordingtotheIESA,the IESAUpdate toCSAsof31 May2023whichitsreplyof2June2023referred to was ‘directed to the subject matter of the NO SA [Mutual Assistance Request]’ and was ‘clearly engaging with the substance of the NO SA [Mutual Assistance Request] [...] directly, and in a fulsome 455 manner’ . Consequently, the IE SA considers it did not refuse to engage with the NO SA’s request for mutual assistance by means of its communication of 2 June 2023 456. 250. The content of the IE SA Update to CSAs of 31 May 2023 relates to the information about the 457 continuation oftheassessmentof the Meta IECompliance Reportspursuant to Article60(10)GDPR . In fact, it was a mere confirmation of the approach already suggested to all CSAs prior to the NO SA 458 Mutual Assistance Request . 452NO SA mutual assistance request IMI dedicated flow. 453More specifically the message from the IE SA stated: ‘Dear Colleagues, Please see detailed response uploaded by the [IE SA] under [the IMI Informal Consultations] 453 further information. Best regards, IE SA’. Morespecifically themessage from the IE SA stated:‘DearColleagues, Please seedetailed responseuploaded by the [IE SA] under [the IMI Informal Consultations] for further information. Best regards, IE SA’. Such response was the IE SA Update to CSAs of 31 May 2023 (see paragraph 13 above). The LSA referred to two 454ferent communications issued to all CSAs via the IMI Informal Consultations. The IE SA indicated that they had ‘received all of the assessments from CSAs’ and ‘forwarded them to [Meta IE] for it to consider the views expressed and to detail any changes that it proposes to implement on foot of the CSA assessments’. Furthermore, the IE SA stated that it will ‘complete its own assessment of [Meta IE]’s compliance reports’ ‘once the IE SA receives [Meta IE]’s response’. The IE SA also stated ‘it will be in a position to completeitsownassessmentof[MetaIE]’s[ComplianceReports]andtoshareitsassessmentwiththeNorwegian and Dutch supervisory authorities (both of which have lodged Article 61 requests for mutual assistance) and with all other CSAs by the end of June 2023‘. 455 456Views of IE SA on NO SA Order, p.2. Views of IE SA on NO SA Order, p.2, referring to IE SA’s Response to the NO SA Mutual Assistance Request. 457The LSA indicated that they had ‘received all of the assessments from CSAs’ and ‘forwarded them to [Meta IE] for it to consider the views expressed and to detail any changes that it proposes to implement on foot of the CSA assessments’. Furthermore, the LSA stated that it will ‘complete its own assessment of Meta [IE]’s [C]ompliance [R]eports’ ‘once the IE SA receives Meta IE’s response’. The LSA also stated ‘it will be in a position to complete its own assessment of Meta’s compliance reports and to share its assessment with the Norwegian and Dutch supervisory authorities (both of which have lodged Article 61 requests for mutual assistance) and with all other CSAs by the end of June 2023’. 458 IE SA Information on Procedure (response to SE SA), dated 4 May 2023 (prior to the NO SA Mutual Assistance Request). In this communication, the LSA indicated to all CSAs - via the IMI Informal Consultations - that the ‘IE SA will not be preparing any further decision in this matter’ and that they would rely on their assessment of compliance, carried out jointly together with all CSAs. Adopted 63251. The EDPB notes that the IE SA Update to CSAs of 31 May 2023 makes reference to the NO SA Mutual Assistance Request, by saying: ‘The IE SA anticipates that it will be in a position to complete its own assessment of Meta IE Compliance Reports and to share its assessment with the [NO SA] and [NL SA] (both of which have lodged Article 61 requests for mutual assistance) and with all other CSAs by the end of June 2023’. 252. However, the EDPB considers that: • the second request in the NO SA Mutual Assistance Request was a request for ‘a timeline specifying how [the IE SA] will ensure in an expedient manner that [Meta IE] complies with Article 6(1) GDPR’. The IE SA Update to CSAs of 31 May 2023 does provide a timeline of the next steps in the process envisaged by the IE SA for the assessment of the Meta IE Compliance Reports (with the last step being the completion of the IE SA’s own assessment and its sharing with the CSAs by the end of June 2023). However, there are no details as to how the IE SA considered that the completion of the assessment of the Compliance Reports would ‘ensure in an expedient manner that [Meta IE] complies with Article 6(1) GDPR’. While there is an implicit (and, in any event, only partial) connection, further motivation in this regard would have been necessary. • the first request in the NO SA Mutual Assistance Request was a request for the imposition of a “temporary ban on Meta’s processing of personal data for behavioural advertising purposes on Facebook and Instagram based on Article 6(1)(f) GDPR, in accordance with Article 58(2)(f) GDPR’. The IE SA Update to CSAs of 31 May 2023 does not include any reasoning as to the IE SA’s acknowledgement or consideration of this request. 253. The EDPB notes that while the IE SA explained after the expiry of the one-month deadline that the negative answer to the NO SA Mutual Assistance Request was the result of a mistake (a text box 459 ‘incorrectly (and inadvertently) checked’) , the IE SA does not state it tried to amend its answer - for instance to provide the reasons for any refusal to comply with the request - or sought assistance to do so within the one-month deadline. 254. The EDPB also takes note of the IE SA’s view shared on 27 September 2023 that the part of the NO SA Mutual Assistance Request pertaining to a ban was not ‘validly made by reference to the provisions of Article 61 GDPR’ and that it was not ‘open to the [NO SA] to demand, by way of mutual assistance 460 request, that the [IE SA] impose a temporary ban on the Processing Operations’ at stake . 255. However, Article 61(4), letter (b) GDPR envisages the possibility for the Requested SA to refuse to complywithamutualassistancerequestinasituationwhereitconsidersthatcompliancewithitwould infringe the GDPR or EU or Member State law to which the Requested SA is subject. Nevertheless, in thiscircumstance,asalreadyunderlinedunderparagraph240,theRequestedSAthatwishestoinvoke thisgroundforrefusalneedstomotivateitsresponsepursuanttoArticle61(5)GDPR.TheIESAUpdate to CSAs of 31 May 2023 or the message in the MA Request workflow of 2 June 2023 do not provide any justification for not addressing the request under the limited exceptions of Article 61(4) GDPR. In addition, the views shared on 27 September 2023 were way beyond the expiration of the one month 459 460Communication of IE SA to all CSAs dated 20 July 2023, p. 2. Letter from the IE SA to the NO SA dated 27 September 2023, p. 3. In this regard the IE SA further argued that the EDPB Binding Decisions ‘explicitly declined to impose a temporary ban’ (p. 3) and that ‘Putting in place an immediatebanonprocessingwhichisisolatedanddivorcedfromanyunderlyinglegalprocedurewouldinevitably expose the [IE SA] to significant legal risk and lead to litigation’ (p. 4). Adopted 64 deadline. Therefore, the EDPB considers that, within one month of receiving the request, the LSA did not provide the reasons for refusal to comply with the request pursuant to Article 61(5) GDPR. 256. In light of the above, the EDPB considers that the IE SA failed to provide a substantive reply the NO SA Mutual Assistance Request. 257. ConsideringthefactthatArticle61(8)GDPRprovidesexplicitlythatthepresumptionofurgencyapplies in case the [Requested SA] does not provide the information in [Article 61(5)] within the one month of receiving the request, the EDPB therefore considers that the presumption set by Article 61(8) GDPR is applicable in this specific case. Consequently, the EDPB finds that urgency may be presumed on the basis of Article 61(8) GDPR, which further corroborates the need to derogate from the regular cooperation and consistency mechanisms 46. 4.2.3 Conclusion as to the existence of urgency 258. The EDPB considers that the elements analysed above justify the urgency for the EDPB to request the IE SA to order final measures under Article 66(2) GDPR. The EDPB considers that the urgent need to order final measures is clear in light of the risks that the infringements represent for the rights and freedoms of the data subjects without the adoption of final measures 462. Furthermore, the EDPB 463 considers that such urgency may be presumed pursuant to Article 61(8) GDPR . The EDPB therefore considers that there is urgency for the IE SA to order final measures in this case. 5 ON THE APPROPRIATE FINAL MEASURES 259. On the basis of the analysis above (see sections 4.1 and 4.2), the conditions relating to the existence of infringements and to an urgent need to act in this case are met. The EDPB therefore proceeds with the analysis of which final measures, if any, it should order in this specific case. A request from a SA under Article 66(2) GDPR is aimed to address a situation where such SA, after adopting provisional measures under Article 66(1) GDPR, ‘considers that final measures need urgently be adopted’. 5.1 Content of the final measures 5.1.1 Summary of the position of the NO SA 260. In the NO SA Request to the EDPB, the NO SA requests that ‘final measures, in line with the provisional measures [the NO SA] imposed in Norway, be imminently adopted’ 464. In the NO SA Order, the NO SA prohibited for three months Meta IE and Facebook Norway from processing personal data of data subjects residing in Norway for behavioural advertising on the basis of Article 6(1)(b) GDPR or Article 6(1)(f) GDPR from 4 August 2023 to 3 November 2023 465. The NO SA provides that the NO SA Order will be lifted before that date if remedial measures are implemented so that adequate and sufficient commitments to ensure compliance with Article 6(1) GDPR and Article 21 GDPR can be provided 466. In casetheorderisnot compliedwith,theNOSAannounces,intheNOSAOrderitself,thatit maydecide to impose a coercive fine of up to NOK 1 000 000 per day of non-compliance on Meta IE and/or 461 462lso see the EDPB Urgent Binding Decision 01/2021, paragraph 181. As demonstrated in section 4.2.2.3 above. 46As demonstrated in section 4.2.1.3 above. 46NO SA Request to the EDPB, p. 12. 46NO SA Order, p. 3. 466 NO SA Order, p. 3. Adopted 65 FacebookNorway,individuallyorcollectively 467.AsMetaIEandFacebookNorwaydidnotcomplywith the NO SA Order, the NO SA imposed a daily coercive fine, which started to accrue on 14 August 2023 46. 261. The NO SA also points out that, with respect to the objective that the final measures should seek to achieve, ‘it is necessary to ensure that “[p]ersonal data shall not be processed for Behavioural 469 Advertising based on Article 6(1)(b) [GDPR] or [Article] 6(1)(f) GDPR in the context of the Services”’ . TheNOSArequeststhatanyfinalmeasureshoulddemand“swiftcompliance”withoutfurtherdelay 47. 262. With respect to the geographical scope of the final measures requested, the NO SA asked that ‘the measures should be applied EEA-wide, to avoid derogating from the harmonisation and consistency 471 that the GDPR aims to ensure’ . 263. The NO SA considers that Meta IE has a ‘readily available procedure to terminate this processing rapidly’, as it already implemented an objection mechanism in the EEA in relation to its processing for behavioural advertising in reliance of Article 6(1)(f) GDPR. In other words, the NO SA argues that suspending this processing activity could be achieved through the use of a process similar to the one used by Meta IE in the context of the objection mechanism, and that nothing - from a technical perspective - prevents Meta IE from suspending the behavioural advertising processing in the EEA 472. 264. To support this request, the NO SA points out that (1) final measures should urgently be adopted because the processing of personal data violates the rights and freedoms of data subjects in all EEA states, (2) the IE SA Decisions are applicable for users in all EEA states, and (3) there is consensus at European level between the IE SA and the CSAs that the processing continues to be unlawful 473. 5.1.2 Summary of the position of Meta IE and Facebook Norway 265. Meta IE points out that in its view ‘it is not clear which final measures the [NO SA] is seeking to request 474 from the EDPB’ . According to Meta IE, the NO SA Order ‘comprises three core elements: (i) the imposition of a temporary ban [...]; (ii) the imposition of daily administrative fines [...]; and (iii) the 475 lifting of that ban subject to receiving adequate commitments from [Meta IE]’ . Meta IE alleges it is not clear whether the NO SA intends to pursue each of these elements, or others, as part of its 476 request . 266. Meta IE considers that the NO SA Request to the EDPB constitutes partly ‘an attempt to re-litigate objections that the [NO SA] has already raised in the NOYB Inquiries at the Article 65 GDPR stage and which have already been rejected by the EDPB’ 477. According to Meta IE, the NO SA’s actions ‘appear to be motivated by (unwarranted) dissatisfaction with the [IE SA]’s handling of the enforcement of the 467NO SA Order, p. 4. 468NO SA’s Decision to impose a coercive fine on Meta IE and Facebook Norway of 7 August 2023, p. 3. 469 NO SA Request to the EDPB, p. 12. 470NO SA Request to the EDPB, p. 12. 471NO SA Request to the EDPB, p. 12. 472NO SA Request to the EDPB, p. 12-13. 473 NO SA Request to the EDPB, p. 12. 474Meta IE’s Submissions of 26 September 2023, p. 13. 475Meta IE’s Submissions of 26 September 2023, p. 13. 476Meta IE’s Submissions of 26 September 2023, p. 13. 477 Meta IE’s Submissions of 26 September 2023, p. 3, 13. See also Meta IE’s Submissions of 16 October 2023, p. 8. Adopted 66 NOYB Decisions’. The controller states then that it ‘cannot be sanctioned based on factors that are outside its sphere of influence’ 47. 267. In addition, Meta IE provided arguments in respect of the possible content of the final measures to be ordered by the EDPB, setting out elements for each possible measure identified. Meta IE also argues that, in general, only the provisional measures adopted by the requesting SA can be adopted as final measures under the Article 66(2) GDPR procedure 47. In Meta IE’s view, it is unclear whether the EDPB is competent to order final measures on an EEA-wide basis, or whether it is limited to only ordering measures with respect to the country of the requesting CSA, and it is unclear whether the EDPB is 480 competent to adopt final measures permanently . On this matter, Meta IE also made reference to the fact that the EDPB has itself requested the EU legislator to clarify this 481. 268. Regarding a possible deletion order for data already unlawfully collected whiletheNOSA has notexplicitlyrequestedsuchfinal measure,Meta 482 IE clarified its view that such request would be unlawful and unnecessary . More specifically, Meta IE argues that the NO SA Order did not issue a deletion order as part of its Provisional Measures 483 adopted under Article 66(1) GDPR . Further, Meta IE highlights that the EDPB Binding Decisions rejected objections from the NO SA that aimed to impose a deletion order on Meta IE 484. 485. 486. 487. In any event, Meta IE notes that the personal data previously collected for behavioural advertising is also processed for other purposes that are not related to advertising, such 488 as security, fraud and safety . Meta IE considers that ‘a controller cannot be compelled to delete personal data where it is validly collected and processed for different purposes pursuant to valid legal bases, even in cases where its legal basis for one distinct set of processing is subsequently held to be invalid’489. 478Meta IE’s Submissions of 26 September 2023, p. 17. 479 480Meta IE’s Submissions of 26 September 2023, p. 13-14. Meta IE’s Submissions of 26 September 2023, p. 13, footnote 44. 481Meta IE’s Submissions of 26 September 2023, p. 13, footnote 44, referring to section 6.2 of EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down additionalprocedural rules relating tothe enforcementof Regulation(EU) 2016/679, atparagraphs 113-116 and 121. In this Joint Opinion, the EDPB and the EDPS provided their views on the proposed regulation made by the EuropeanCommissionwhich,accordingtotheEDPBandtheEDPS,undulyrestrictstheapplicationoftheurgency procedure under Article 66(2) GDPR. 482Meta IE’s Submissions of 26 September 2023, p. 14-15. 483Meta IE’s Submissions of 26 September 2023, p. 14. 484Meta IE’s Submissions of 26 September 2023, p. 14. This argument relates to the objections made by the NO SAtothedraftdecisionsoftheIESAintheFacebookandInstagramcases,requestinganordertodeletepersonal dataprocessedunderArt.6(1)(b)GDPR,whichtheEDPBconsiderednottomeetthethresholdofArt.4(24)GDPR (in EDPB Binding Decision 3/2022, paragraph 483 and EDPB Binding Decision 4/2022, paragraph 450). 485 Meta IE’s Submissions of 26 September 2023, p. 14. 486Meta IE’s Submissions of 26 September 2023, p. 14. 487Meta IE’s Submissions of 26 September 2023, p. 14. 488 489Meta IE’s Submissions of 26 September 2023, p. 14-15. Meta IE’s Submissions of 26 September 2023, p. 15. Adopted 67269. Regarding a possible suspension order or ban applicable to all EEA users, Meta IE considers that the 490 NOSA’srequestforashortimplementationdeadlineisallegedly‘flawedandnotfeasible’ .According to Meta IE, building the supporting infrastructure and rolling out the objection mechanism entailed ‘hundreds of thousands of hours of work’ on Meta IE’s side by multi-disciplinary teams including product, machinelearning andinfrastructure engineers,userexperience designers,operations,policy, marketing and legal to design, build and implement the systems, processes and user experience required to enable Meta IE to meet the different requirements of Article 6(1)(f) GDPR 49. In Meta IE’s view, the NO SA’s assertion that implementing a process similar to the objection mechanism could form some ‘sort of instant compliance solution’ is ‘flawed’ 49. 493. In other words, Meta IE argues that a change of legal basis for its behavioural advertising processing before would simply not be feasible. 270. Meta IE also quotes the arguments put forward by the IE SA in that regard: ‘Putting in place an immediate ban on processing which is isolated and divorced from any underlying legal procedure (...), would inevitably expose the [IE SA] to significant legal risk and lead to litigation. In the context of such litigation,the[IESA]wouldbecalledontojustifyitsdecisiontodepartfromthecourseofactionrooted in [IE SA Decisions] (uncontested by the EDPB and/or the CSAs), in favour of an alternative, summary procedure involving the immediate imposition of a ban on processing’ 494. 271. Regarding fines specifically, Meta IE argues that the NO SA is not entitled to ask for a fine as a final measure 49, since the NO SA Order did not include fines as a provisional measure under Article 66(1) GDPR. More generally, Meta IE also claims that fines are not an appropriate form of final measures underArticle 66(2)GDPR 49,andthattheEDPBisnotcompetenttoadoptsuchadecisionunderArticle 497 66(2) GDPR . As the Article 66(2) GDPR procedure constitutes a derogation to the standard cooperation procedure, Meta IE, highlighting the need for a restrictive interpretation of Article 66 GDPR, is of the opinion that any final measures ‘can only be those that are urgently needed to bring the infringement to an end’ 498. According to Meta IE, all the final measures that do not achieve this objective must be adopted within the framework of the one-stop-shop and the consistency mechanism 499. Lastly, in Meta IE’s view, fines are not appropriate to ensure the immediate protection of data subjects 50. Meta IE also argues that fines would be inappropriate in the circumstances of this case, where high fines have already been imposed by the IE SA in the IE SA Decisions and where Meta IE engagedingoodfaithwiththeIESA 501. 490Meta IE’s Submissions of 26 September 2023, p. 15. 491Meta IE’s Submissions of 26 September 2023, p. 15. 492Meta IE’s Submissions of 26 September 2023, p. 15. 493 Meta IE’s Submissions of 25 August 2023, p. 23-24. 494Meta IE’s Merits Complaint submitted to the Oslo District Court, p. 26, referring to the Letter of the IE SA to the NO SA of 27 September 2023. 495Meta IE’s Submissions of 26 September 2023, p. 3. 496 Meta IE’s Submissions of 26 September 2023, p. 16. 497Meta IE’s Submissions of 26 September 2023, p. 16. 498Meta IE’s Submissions of 26 September 2023, p. 16. 499Meta IE’s Submissions of 26 September 2023, p. 16. 500 Meta IE’s Submissions of 26 September 2023, p. 16. 501Meta IE’s Submissions of 26 September 2023, p. 16. Adopted 68 According to Meta IE, the NO SA Request to the EDPB ‘already has, and will continue to, generate a huge amount of administrative work for the EDPB, the CSAs, the LSA and Meta [IE], 502 . Meta IE considers that, in light of the fact that a potential urgent binding decision may extend beyond Norway, ‘any attempt to perpetuatetheprovisions of the [NO SA] Order by way of such a decision only serves to exacerbate this misuse of the urgency procedure and the violation of [Meta IE]’s rights’0. 272. Facebook Norway highlights that it is not, and has never been, a party to the inquiries leading to the adoptionoftheIESADecisions 504.ItalsohighlightsthattheIESADecisionsareonlyaddressedtoMeta IE, in its capacity of sole data controller for the purpose of behavioural advertising on Facebook and Instagram. Facebook Norway points out that it is a separate and independent legal entity that does not offer Facebook or Instagram either in Norway or elsewhere, and is not the data controller for the concerned behavioural advertising processing 50. Furthermore, Facebook Norway maintains that it 506 should not have been the addressee of the NO SA Order . 273. Meta IE and Facebook Norway have also expressed the view that the IE SA has already exercised corrective powers against Meta IE in the IE SA Decisions, and that anyways the enforcement of corrective orders is a matter for the LSA and governed by the applicable national law 507. 5.1.3 Analysis of the EDPB 274. In addition to the elements enshrined in the NO SA Request to the EDPB, the EDPB takes into consideration the elements and arguments put forward by the IE SA. The IE SA considers that the NO SA Request to the EDPB seeks to obtain an urgent binding decision from the EDPB, ‘the net effect of 508 which would be to compel the [IE SA], as LSA, to impose an EEA-wide ban’ . However, according to the IE SA, it is already leading an ongoing ‘enforcement procedure’, whereby it is, along with the CSAs, assessing ‘a defined set of proposals, by which [Meta IE] proposes to achieve compliance’ with Article 6(1) GDPR and the IE SA Decisions 50. This process is happening by involving the CSAs in accordance withtheGDPR’scooperationand consistencyframework 510.Morespecifically,the IESAhighlightsthat it ‘is currently engaged in a cooperative process to give effect to these orders in a manner that permits all CSAs to make observations on [Meta IE]’s proposed course of action’ 51. 502Meta IE’s Submissions of 16 October 2023, p. 9. 503 Meta IE’s Submissions of 25 August 2023, p. 28. 504Facebook Norway’s Submissions of 25 August 2023, p. 13. See also Facebook Norway’s Submissions of 16 October 2023, p. 4. 505Facebook Norway’s Submissions of 25 August 2023, p. 13; Facebook Norway’s Submissions of 16 October 2023, p. 4; see also Letter from Facebook Norway to Ministry of Local Government and Regional Development of 8 August 2023, p. 2. 506Facebook Norway’s Submissions of 26 September 2023, p. 1. See also Facebook Norway’s Submissions of 16 October 2023, p. 4. 507 Meta IE’s and Facebook Norway’s Submissions of 19 October 2023, p. 1-2. 508Letter from the IE SA to the NO SA of 13 October 2023, p. 3. 509Letter from the IE SA to the NO SA of 13 October 2023, p. 4. 510CommunicationofIESAtoCSAsof20July2023,p.1.SeealsoLetterfromtheIESAtotheNOSAof13October 2023, p. 4-6. 511Letter from the IE SA to the NO SA of 27 September 2023, p. 3 Adopted 69275. AccordingtotheIESA,nofinalmeasuresorderedbytheEDPBwouldbeappropriate,asitwoulddivert resources from the IE SA-led process under the GDPR’s cooperation and consistency framework 512. In addition, according to the IE SA, the NO SA’s legal justifications to suggest immediate enforcement action by the LSA are ‘rooted in hypothetical arguments’ 513. 276. In this regard, the EDPB acknowledges that, since the moment the IE SA shared with the CSAs the Compliance Reports on 5 April 2023, there has been an ongoing process consisting in the assessment of the compliance efforts by Meta IE represented by the switch on 3 April 2023 to Article 6(1)(f) GDPR as legal basis for most of the personal data collected on Meta’s products for behavioural advertising purposes and later on, by the Meta IE’s Consent Proposal, and that this process was led by the IE SA in its role as LSA in cooperation with the CSAs, which were invited to submit their views on multiple occasions. 277. However, in light of the elements described above, namely the existence of ongoing infringements of 514 Article6(1)GDPR-thattheEDPBhasalreadylabelledasa‘veryserioussituationofnon-compliance’ , and of the duty to comply with decisions of SAs, and the existence of an urgent need to act despite the ongoing process led by the IE SA, as motivated above in Section 4.2 of this urgent binding decision, the EDPB considers that, at this point of time, there is a need to order final measures as further enforcement measures are necessary. 278. With respect to the possible content of the specific final measures, the EDPB considers that it can order final measures other than the provisional measures adopted under Article 66(1) GDPR or than those referred to in the request made pursuant to Article 66(2) GDPR. The GDPR does not indeed provide such limitations on the final measures, and the EDPB, while taking into consideration the request made pursuant to Article 66(2) GDPR as well the other elements of the file, is entrusted to ensure the correct and consistent application of GDPR when performing activities under the consistency mechanism 515. Therefore, the EDPB is competent under Article 66(2) GDPR to order the final measures that are appropriate on the basis of the circumstances of the case. 279. Inthecaseathand,theEDPBconsidersitappropriatetoanalysewhetherabanonprocessingshould beimposed, bearing in mind that the NOSA Request to the EDPB asksthat ‘finalmeasures, inlinewith 516 the provisional measures [the NO SA] imposed in Norway, be imminently adopted’ , and that the NO SA Order included a prohibition from processing personal data of data subjects residing in Norway for behavioural advertising on the basis of Article 6(1)(b) GDPR or Article 6(1)(f) GDPR. 280. Inrespect of thepossible impositionof aban onprocessing,theIE SAconsiders that ‘the formoforder sought by the [NO SA] is not one that could lawfully be delivered by the [IE SA] in the manner now 517 demanded’ . Thisis,first, because the EDPBdeclined toinstruct theIESA to imposeatemporaryban 512 513etter from the IE SA to the NO SA of 13 October 2023, p. 5. Letter from the IE SA to the NO SA of 27 September 2023, p. 4. 514 EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284. 51Art. 63 GDPR, Art. 65 GDPR, Art. 70(1) GDPR, Art. 70(1)(a) GDPR, and Art. 70(1)(t) GDPR. 51NO SA Request to the EDPB, p. 12. 51Letter from the IE SA to the NO SA of 27 September 2023, p. 3. Adopted 70 in the EDPB Binding Decisions 518, and secondly because the IE SA Decisions ‘made provision for enforcement measures, namely, the orders for compliance, under which [Meta IE]’s proposals for the adoption of one or more alternative legal bases for the Processing Operations would be assessed, and ruled on, on their respective merits’ 51. The IE SA concludes that ‘the EDPB recognised, explicitly, that a process would need to be put in place in which the Controller would identify the means by which it proposed to achieve compliance with its obligations, and, further, that, acting together in the context of the co-operation and consistency mechanism provided for at Chapter VII of the GDPR, the [IE SA] and the CSAs would in turn be required to test those proposals and assess whether or not they are sufficient to achieve compliance with the requirements of Article 6(1) [GDPR] and the [IE SA] 520 Decisions’ . 281. According to the IE SA, the imposition of a ban on processing ‘which is isolated and divorced from any underlying legal procedure would inevitably expose the [IE SA] to significant legal risk and lead to litigation’,wheretheIESA‘wouldbecalledontojustifyitsdecisiontodepartfromthecourseofaction rooted in [the IE SA Decisions] (uncontested by the EDPB and/or the CSAs), in favour of an alternative, 521 summary procedure involving the immediate imposition of a ban on processing’ . In this regard the IE SA also argues that ‘it is inaccurate to suggest that the [IE SA] could impose an immediate ban on processing, whilst continuing to progress its assessment of [Meta IE]’s proposed consent model, in conjunction with its CSA colleagues’ 52. 282. In this respect, the EDPB highlights that the fact that it chose not to instruct the IE SA to impose a temporary ban in the EDPB Binding Decisions, considering at that time that the imposition of an order to bring processing into compliance within a short time frame would be appropriate, does not in itself rule out the possibility than a ban would be needed today. Likewise, the fact that the IE SA Decisions, adopted on the basis of the EDPB Binding Decisions, do not provide for a ban on processing does not prevent the EDPB from ordering final measures in the form of a ban on processing in the context of this urgent procedure, taking into account the facts that occurred following the adoption of the IE SA Decisions. In this regard, the EDPB also recalls that the IE SA acknowledged in the IE SA Final Position 523 Paper that ‘enforcement measures may [...] have been necessary at this juncture’ . 283. In the next paragraphs, the EDPB will assess the appropriateness, necessity and proportionality of a ban on processing. Article 58(2)(f) GDPR provides supervisory authorities with the power to impose a temporary or definitive limitation including a ban on processing. 284. Recital 129 GDPR provides elements to assess whether a specific measure is appropriate. More specifically, consideration should be given to ensuring that the measure chosen does not create ‘superfluous costs’ and ‘excessive inconveniences’ for the persons concerned in light of the objective pursued. When choosing the appropriate corrective measure, there is a need to assess whether the chosen measure is necessary to enforce the GDPR and achieve protection of the data subjects with regard to the processing of their personal data, which is the objective being pursued. Compliance with 518Letter from the IE SA to the NO SA of 27 September 2023, p. 3. See also Letter from the IE SA to the NO SA of 13 October 2023, p. 3-4 (where the IE SA also states the EDPB did not instruct the IE SA to adopt an automatic ban or a ban to be imposed should Meta IE fail to achieve compliance within a defined date). 519 520Letter from the IE SA to the NO SA of 27 September 2023, p. 3. Letter from the IE SA to the NO SA of 13 October 2023, p. 4. 521Letter from the IE SA to the NO SA of 27 September 2023, p. 4. 522Letter from the IE SA to the NO SA of 27 September 2023, p. 4. 523IE SA Final Position Paper, paragraph 9.2. Adopted 71 the principle of proportionality requires ensuring that the chosen measure does not create disproportionate disadvantages in relation to the aim pursued 52. 285. As a first element, the EDPB would like to recall its reasoning in the EDPB Binding Decisions. In such decisions, as pointed out by the IE SA and by Meta IE, the EDPB analysed at that point of time whether a ban constituted an appropriate corrective measure to be imposed in the IE SA Decisions, due to the presence of some relevant and reasoned objections putting forward this request 52. Several of the elements that the EDPB considered at the time are helpful to be considered in this urgent binding decision, too. 286. The EDPB highlighted in the EDPB Binding Decisions that the infringement of Article 6(1) GDPR found in the case at hand constituted a very serious situation of non-compliance with the GDPR, in relation to processing of extensive amounts of data, which is essential to the controller’s business model, thus harming the rights and freedoms of millions of data subjects in the EEA; therefore, the corrective measure chosen in the circumstances of this case should aim to bring the processing into compliance with the GDPR thus minimising the potential harm to data subjects created by the violations of the 526 GDPR . 287. Therefore, according to the EDPB Binding Decisions, considering the nature and gravity of the infringementofArticle6(1)(b)GDPR,aswellasthenumberofdatasubjectsaffected,itwasparticularly important that appropriate corrective measures be imposed, in addition to a fine, in order to ensure that Meta IE complies with this provision of the GDPR 52. 288. It is also important to note that the EDPB considered that it is not necessary to establish an urgent necessity for imposing a temporary ban because nothing in the GDPR limits the application of Article 58(2)(f) GDPR to exceptional circumstances 52. 289. While in the EDPB Binding Decisions the EDPB took note of the elements raised by the objections to justify the need for imposing a temporary ban, consisting in essence in the need to halt the processing activities that are being undertaken in violation of the GDPR until compliance is ensured in order to avoid further prejudicing data subject rights, it considered that the objective of ensuring compliance and bringing the harm to the data subjects to an end could be adequately met also by amending the order to bring processing into compliance envisaged in the IE SA draft decisions to reflect Meta IE’s 524EDPB Binding Decision 3/2022, paragraph 284 and EDPB Binding Decision 4/2022, paragraph 286. 525More specifically, in the dispute leading to the adoption of EDPB Binding Decision 3/2022, certain objections requestedtheimpositionofabanorlimitationonprocessingoranordertoabstainfromtheprocessingactivities intheabsenceofavalidlegalbasis(inparticular,theobjectionsoftheAT,NL,DEandNOSAs).TheEDPBanalysed the merits of the objections of the AT and NL SAs (found to be relevant and reasoned in paragraph 266 of EDPB Binding Decision 3/22) and did not take any position on the merits of the other objections on this matter that were found to be not relevant and reasoned, namely the objections of the DE and NO SAs (see paragraph 268 of Binding Decision 3/2022). Concerning, instead, the dispute leading to the adoption of EDPB Binding Decision 4/2022, certain objections requestedtheimpositionofabanorlimitationonprocessingoranordertoabstainfromtheprocessingactivities intheabsenceofavalidlegalbasis(inparticular,theobjectionsoftheAT,NL,DEandNOSAs).TheEDPBanalysed the merits of the objections of the AT and NL SAs (found to be relevant and reasoned in paragraph 269 of EDPB Binding Decision 4/2022) and did not take any position on the merits of the other objections on this matter that were found to be not relevant and reasoned, namely the objections of the DE and NO SAs (see paragraph 271 of Binding Decision 4/2022). 526EDPB Binding Decision 3/2022, paragraph 282 and EDPB Binding Decision 4/2022, paragraph 284. 527EDPB Binding Decision 3/2022, paragraph 279 and EDPB Binding Decision 4/2022, paragraph 281. 528EDPB Binding Decision 3/2022, paragraph 283 and EDPB Binding Decision 4/2022, paragraph 285. Adopted 72 infringement of Article 6(1) GDPR 529. The EDPB noted in this regard that this measure would require Meta IE to put in place the necessary technical and operational measures to achieve compliance within a set timeframe 530. Such timeframe was established to be necessarily a ‘short period of 531 time’ .The EDPB Binding Decisions comprised, eventually, instructions to the IE SA to include in the IE SA Decisions orders for Meta IE to bring its processing of personal data for the purpose of behavioural advertising in the context of the Facebook service into compliance with Article 6(1) GDPR within three months 53. In this respect, the EDPB considered this deadline for compliance to be necessary and proportionate, considering that the interim period for compliance ‘will involve a serious ongoing deprivation of their rights’ and the significant financial, technological, and human 533 resources available to Meta IE . 290. The fact that the three-month timeframe has expired several months ago is an important element to be considered, that marks a significant difference compared to the situation that the EDPB analysed in the EDPB Binding Decisions. Already the three-month interim period for compliance was considered by the EDPB to involve ‘a serious ongoing deprivation’ of data subjects’ rights: the need to ensure that this deprivation comes to an end is therefore even clearer now that three times the time initially envisaged has passed. 291. As a consequence, the reasoning of the EDPB in the EDPB Binding Decisions on whether a ban needed to be imposed in the IE SA Decisions provides arguments in favour of considering that the imposition of a ban would be appropriate, necessary and proportionate today, rather than against this. 292. The EDPB also takes note of the NO SA’s argument that Meta IE has a ‘readily available procedure to terminate this processing rapidly’, as it already implemented an objection mechanism in the EEA in relation to its processing for behavioural advertising in reliance of Article 6(1)(f) GDPR, which allows the suspension of the processing 53. 293. The EDPB also notes Meta IE’s argument that a short implementation deadline would not be feasible535, considering the need for a complex process for the implementation of a ban involving 536 several teams and many hours of work . More specifically, Meta contests that it can comply ‘(i) through blanket application of the [objection mechanism] to all users across the EEA, and then “as a next step” (ii) “expanding the [objection mechanism] to include categories of data processing covered by the [NO SA Order]”, since already the NO SA acknowledges for step (ii) that this “would require 537 redesigning the [objection mechanism]”’ . 529EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287. In reaching thisconclusion,theEDPBhighlightedthatcompliancewiththeprincipleofproportionalityrequiresensuringthat the chosen measure does not create disproportionate disadvantages in relation to the aim pursued, and Recital 129 GDPR provides that consideration should be given to ensuring that the measure chosen does not create ‘superfluous costs’ and ‘excessive inconveniences’ for the persons concerned in light of the objective pursued. EDPB Binding Decision 3/2022, paragraph 284 and EDPB Binding Decision 4/2022, paragraph 286. 530EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287. 531EDPB Binding Decision 3/2022, paragraph 286 and EDPB Binding Decision 4/2022, paragraph 288. 532EDPB Binding Decision 3/2022, paragraph 288 and EDPB Binding Decision 4/2022, paragraph 290. 533 EDPB Binding Decision 3/2022, paragraph 286 and EDPB Binding Decision 4/2022, paragraph 288. 534NO SA Request to the EDPB, p. 12-13. 535Meta IE’s Submissions of 26 September 2023, p. 15. 536Meta IE’s Submissions of 26 September 2023, p. 15. 537 Meta IE’s Submissions of 26 September 2023, p. 15 (‘Ignoring [Meta IE]’s arguments, the [NO SA] claims that [Meta IE] can comply (i) through blanket application of the [objection mechanism] to all users across the EEA, and then “as a next step” (ii) expanding the [objection mechanism] to include categories of data processing Adopted 73294. According to the EDPB, the NO SA’s argument on the existence of the objection mechanism is reasonableatleastforwhatconcernstheprocessingcurrentlycarriedoutonthebasisofArticle6(1)(f) GDPR (i.e. the majority of the processing of personal data collected on Meta’s products currently 538 carried out for the purposes of behavioural advertising) , also considering that Meta IE did not explain why for the processing based on Article 6(1)(f) GDPR a ‘redesigning’ of the mechanism would benecessary;also,MetaIEconfirmsthat‘allrelevantobjections’arehonouredleadingtothe‘theuser [being] “opted out” of this processing’ 539. 295. Additionally, while certainly the imposition of a ban causes significant disadvantages to the 540 controller , the EDPB considers that such disadvantages are not at this point in time, per se, disproportionate compared to the harm caused to data subjects by the unlawful processing and continued non-compliance. In this regard, moreover, the EDPB notes that the controller was granted the opportunity to take remedies without facing these disadvantages. As highlighted above 541, several months have passed since the adoption of the IE SA Decisions and the expiry of the deadline for the orders to bring processing into compliance contained therein. At this stage, the controller has undertaken efforts to comply with the GDPR but compliance has not yet been achieved, as indicated in the IE SA Final Position Paper, and there is still no clear indication that compliance will be reached soon 542.The impositionofan orderto bringprocessing intocompliancewithin ashortdeadline didnot succeed in reaching the objective it pursued, consisting in ‘ensuring compliance and bringing the harm to the data subjects to an end’ 54. covered by the [NO SA Order]. As the [NO SA]’s argument itself acknowledges in step (ii), compliance with the [NO SA Order] (or an urgent binding EDPB decision based on the [NO SA Order]) would require redesigning the [objection mechanism]. As a reminder, building the supporting infrastructure and rolling out the [objection mechanism] entailed hundreds of thousands of hours of work by multi-disciplinary teams including product, machine learning and infrastructure engineers, user experience designers, operations, policy, marketing and legal to design, build and implement the systems, processes and user experience required to enable [Meta IE] to meet the different requirements of Article 6(1)(f) GDPR. The [NO SA]’s speculative assertion that this could form some sort of instant compliance solution is fundamentally flawed’). 538See Meta IE Compliance Report on IE SA FB Decision, paragraphs 3.1.3 and 5.8.2, and Meta IE Compliance Report on IE SA IG Decision, paragraphs 3.1.3 and 5.8.2. See also paragraphs 103-106 above. 539 Meta IE’s Merits Complaint submitted to the Oslo District Court on 16 October 2023, p. 14-15 (‘since the launch of the Objection Mechanism, Meta [IE] has honoured all relevant objections without qualification and without undertaking a balancing assessment to determine whether it has compelling legitimate grounds to override the user’s objection. All that is checked is that the objection (i) relates to behavioural advertising processing that Meta [IE] presentlyundertakes underArticle 6(1)(f) GDPR, and(ii) is submitted byagenuineuser based in the EU/EEA (to confirm Meta [IE] is the controller and the GDPR applies). As soon as Meta [IE]’s operations team have confirmed (i) and (ii) based on the limited information that the user is asked to provide, the user is “opted-out” of this processing’). This is without prejudice to the conclusion of the IE SA in the IE SA Final Position Paper whereby the compliance withtheGDPRoftheobjectionmechanismsetupbyMetaIEhasnotbeendemonstrated(paragraphs7.60-7.66). 540In Meta IE’s Letter to the NO SA of 14 August 2023, Meta IE lists challenges possibly arising from ‘stopping’ processingofpersonaldataofNorwegianusersforbehaviouraladvertisingpurposes,involvingtheneedtomake changestoMetaIE’scodeandrelatedinfrastructure,informusers,provideadvertiserswithappropriateadvance notice, waiting for users to update their apps. Meta IE also highlights the possible damage arising from a suspension of behavioural advertising in Norway, connected to lost revenue, reputational harm, and future revenue losses (p. 8-10). 541See paragraph 290 above. See also Meta Ireland’s Submissions of 25 August 2023, p. 23-24; Letter from Meta 542land to NO SA of 14 August 2023, p. 8-9. See also Meta IE’s Submissions of 25 August 2023, p. 23-24; Letter from Meta IE to NO SA of 14 August 2023, p. 8-9. . 543EDPB Binding Decision 3/2022, paragraph 285 and EDPB Binding Decision 4/2022, paragraph 287. Adopted 74296. In light of the elements above, the EDPB considers it appropriate, necessary and proportionate to order final measures consisting in a ban on processing, to be adopted on the basis of Article 58(2)(f) GDPR. 297. The EDPB considers that, in this particular case, it would be proportionate that a period of implementation be provided to enable Meta IE to implement it. 298. The EDPB seizes the occasion to specify that also the NO SA Order was issued on 14 July 2023 but 544 envisaged that it would only become applicable as of 4 August 2023 . 299. At the same time, the period of implementation should be a short one, in light of the urgency of the situationasdescribedextensivelyinthesectionsaboveofthisurgentbindingdecisionandinparticular of the urgent need to put an end to the unlawful processing being carried out to the detriment of data subjects. 300. AccordingtotheEDPB,inlightoftheelementsinthefile,theimplementationofabaninashortperiod of time should be technically and practically feasible for Meta IE. This is in particular the case considering that Meta IE already envisages the implementation of a consent mechanism . Additionally, Meta IE has been aware of the need to bring the unlawful processing to an end since the notification of the IE SA Decisions adopted in December 2022. 301. Therefore, the EDPB considers that, in this particular case, it is proportionate for the ban on processing to be effective one week after the notification of the final measures to the controller. 302. Additionally, the EDPB clarifies that the ban should refer to Meta IE’s processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPRandArticle6(1)(f)GDPR.Theprocessingactivitiestowhich thebanrefersare:(i)theprocessing of personal data, including location data and advertisement interaction data, collected on Meta’s products for behavioural advertising purposes, having established in this respect the infringement of Article6(1)GDPRarisingfrominappropriaterelianceonArticle6(1)(b)GDPR;(ii)processingofpersonal data collected on Meta’s products for behavioural advertising purposes, having ascertained in this respect the infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(f) 545 GDPR . 303. The EDPB considers that, in general, the geographical scope of the final measures ordered pursuant to Article 66(2)GDPR should be broader than the territory of the requesting SA. While it is provided by Article 66(1) GDPR that the urgent provisional measures adopted by a requesting SA only apply to the territory of that SA, the intervention of the EDPB aims to ensure a consistent application of the GDPR, in light of Articles 63 and 70 GDPR. The final measures should therefore have a broader geographical scope to ensure the protection of the rights and freedoms of all the data subjects affected; this scope can, depending on the matter, cover several Member States 546. The NO SA requested that final measures, if any, ‘should be applied EEA-wide, to avoid derogating from the harmonisation and consistency that the GDPR aims to ensure’ 547. Since in this case the unlawful processing takes place and affect the rights and freedom of data subjects in the entire EEA, the EDPB agrees that the appropriate territorial scope is for the final measures to be applicable throughout the entire EEA, and 54NO SA Order, p. 3-4. 54A more thorough analysis can be found above in paragraphs 97-99, 103-104, 147-148 and 152-153. 54EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679, paragraph 114. 54NO SA Request to the EDPB, p. 12. Adopted 75 concurswiththeNOSAontheneedtoavoidfragmentationintheprotectionaffordedtodatasubjects. Limiting the scope of the final measures to the Norwegian territory would indeed lead to fragmentation in the protection as it would require each CSAs to adopt provisional measures on its own territory under Article 66(1) GDPR and to request an EDPB urgent binding decision under Article 66(2) GDPR leading to the need to adopt final measures limited to their own territory. Such situation could also result in a patchwork of final measures and a fragmentation in countries where the SA has not acted 54. 304. The EDPB considers that the addressee of the final measures consisting of a ban on processing should beMetaIE,whichshalltakethenecessarymeasurestoensurecompliancewiththedecisionasregards processing activities in the context of all its establishments in the EEA. In line with this, and since Facebook Norway was subject to the NO SA Order alongside Meta IE and considering its submissions, Facebook Norway – which is the Norwegian establishment of Meta IE – should be informed of the outcome and receive a copy of the final measures and of the EDPB urgent binding decision. 5.1.4 Conclusion 305. In light of all the elements above, the EDPB considers it necessary to order final measures, consisting in a ban on processing pursuant to Article 58(2)(f) GDPR. 306. This ban on processing should be addressed to Meta IE, and become effective one week after the notification of the final measures to them. 307. The EDPB considers that the ban should refer to Meta IE’s processing of personal data for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR across the entire EEA, as described above in paragraphs 303-304. 5.2 Adoption of the final measures and notification to the controller 308. The GDPR does not specify the procedural steps to be taken following the adoption of an urgent binding decision by the EDPB pursuant to Article 66(2) GDPR. It is however important to note that the two-weekdeadlineforadoptionisspecified‘byderogationfrom[...]Article65(2)[GDPR]’(Article66(4) GDPR). Consequently, the EDPB considers that, in addition to Article 65(2) GDPR, the procedure set by Article 65(5) GDPR and Article 65(6) GDPR represents a point of reference. 309. The EDPB’s urgent binding decision shall be addressed to the LSA and to all the CSAs and be binding on them 54. The Chair of the Board shall notify, without undue delay, the urgent binding decision to 550 the supervisory authorities concerned, and inform the European Commission thereof . 310. Taking into consideration that the final measures will have to be applicable throughout the entire EEA (as provided in the above sections 5.1.3 and 5.1.4), the EDPB considers that the IESA, in its role of LSA, will have to adopt a national decision imposing the measures that the EDPB has considered necessary 548 EDPB-EDPS Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679, paragraph 115. 549Art. 65(2) GDPR. According to Art. 66(4) GDPR, this provision is derogated in respect of the deadline for adoption; therefore, the last sentence of Art. 65(2) GDPR fully applies. 55See Art. 65(5) GDPR. Considering the fact that the NO SA was the SA making the request pursuant to Article 66(2), the EDPB will also inform the EFTA Surveillance Authority, in light of Article 1, second paragraph, letter m of Decision of the EEA Joint Committee No. 154/2018. Adopted 76 551 to order as final measures pursuant to Article 66(2) GDPR . This was already envisaged by the IE SA itself5. 311. While the procedure set by Article 65(5) GDPR and Article 65(6) GDPR represents a point of reference, as mentioned above, the EDPB considers that the deadline set in Article 65(6) for the SA to adopt its national decision (one month in Article 65 proceedings) may need to be shortened, on a case by case basis, in Article 66 proceedings. The urgency of the procedure is highlighted by the shortening of the deadline for the Board to adopt its urgent binding decision or opinion under Article 66(4) GDPR. It would therefore counterintuitive, and against the legislator’s will, to imagine that the deadline for the SA to adopt its national decision should remain unchanged in Article 66 proceedings. While the EDPB acknowledges the need for time allowing the SA to draft a national decision and possibly hear the company, in this particular case it is necessary to bear in mind the date of expiry of the Provisional Measures (3 November 2023) as well as the prolonged situation of non-compliance leading to the urgency of the situation as described above. 312. In this case, the EDPB considers that the national decision needs to be adopted by the IE SA without undue delay and at the latest by two weeks after the EDPB has notified its urgent binding decision totheIESAandtoalltheCSAs.TheEDPBhighlights,inthisregard,thatadoptingthenationaldecision prior to the expiry of the Provisional Measures on 3 November 2023 would be desirable as it would allow avoiding a gap in the legal situation for what concerns the Norwegian territory. Additionally, the IE SA will have to notify the national decision to Meta IE, attaching the urgent binding decision 553. 313. The EDPB also requests the NO SA to inform Facebook Norway about the outcome of these proceedings, by sharing a copy of the national decision of the IE SA and of the urgent binding decision, following the notification by the IE SA of its national decision to Meta IE. 6 URGENT BINDING DECISION 314. In light of the above and in accordance with the tasks of the EDPB under Article 70(1)(t) GDPR to issue urgent binding decisions pursuant to Article 66 GDPR, the Board issues the following binding decision in accordance with Article 66(2) GDPR. 315. As regards the existence of infringements, based on the evidence provided, the EDPB concludes that there is an ongoing infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(b) GDPR for processing of personal data, including location data and advertisement interaction data, collected on Meta’s products for behavioural advertising purposes. 316. The EDPB also concludes that there is an ongoing infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(f) GDPR for processing personal data collected on Meta’s products for behavioural advertising purposes. 317. In addition, the EDPB concludes that Meta IE is currently in breach of its duty to comply with decisions by supervisory authorities. 55See Art. 65(6) GDPR. 55The IE SA considers theNO SA Requestto the EDPB seeksto obtain an urgentbindingdecision from the EDPB, ‘the net effect of which would be to compel the [IE SA], as LSA, to impose an EEA-wide ban (...) (In that regard, it is ofcoursethecasethat itisnotopentotheEDPBtoexercise correctivepowersdirectly asagainst any controller 553processor)’. Letter from the IE SA to the NO SA of 13 October 2023, p. 3. As described in Art. 65(6) GDPR and paragraph 308 above. Adopted 77318. On the existence of urgency, the EDPB considers that, the urgent need to order final measures is clear in light of the risks that the infringements represent for the rights and freedoms of the data subjects 554 without the adoption of final measures . Because of such risks, the EDPB also finds that there is a need to derogate from the regular cooperation and consistency mechanisms to order final measures due to the urgency of the situation 555. 319. The EDPBalsoconsiders that the IE SA, bynot providing theinformation referredin Article 61(5) GDPR within the one-month deadline, failed to address the NO SA Mutual Assistance Request and that the presumption of urgency set by Article 61(8) GDPR is therefore applicable in this specific case, which further corroborates the need to derogate from the regular cooperation and consistency mechanisms 55. 320. ConsideringtheexistenceoftheaforementionedongoinginfringementsoftheGDPRandtheexistence of an urgent need to act despite the ongoing process led by the IE SA, the EDPB considers that, at this point of time, further enforcement measures are necessary. 321. Therefore,inlightoftheanalysiscarriedoutabove 557theEDPBconsidersitappropriate,proportionate and necessary to order final measures, consisting in a ban on processing pursuant to Article 58(2)(f) GDPR. 322. This ban on processing should be addressed to Meta IE, and become effective one week after the notification of the final measures to them. 323. The EDPB considers that the ban should refer to Meta IE’s processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR across the entire EEA. The processing activities to which the ban refers are: (i) the processing of personal data, including location data and advertisement interaction data, collected on Meta’s products for behavioural advertising purposes, having established in this respect the infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(b) GDPR; (ii) processing of personal data collected on Meta’s products for behavioural advertising purposes, having ascertained in this respect the infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(f) GDPR. 324. The EDPB instructs the IE SA to adopt a national decision containing the final measures ordered by the EDPBwithoutunduedelayandatthelatestbytwoweeksaftertheEDPBhasnotifieditsurgentbinding decision to the IE SA and to all the CSAs. The IE SA shall notify the national decision, attaching the urgent binding decision of the EDPB, to Meta IE without undue delay. 325. The EDPB instructs the NO SA to inform Facebook Norway about the outcome of these proceedings. 7 FINAL REMARKS 326. This urgent binding decision is addressed to the IE SA, the NO SA and all the other CSAs. 327. TheEDPBconsidersthatitscurrentdecisioniswithoutanyprejudicetoanyassessmentstheEDPBmay be called upon to make in other cases, including with the same parties. 55See section 4.2.1.3 above. 555 556ee paragraph 220 above. See section 4.2.2.3 above, including paragraph 257. 55See Sections 5.1.3 and 5.1.4 above. Adopted 78328. TheIESAshalladoptitsnationaldecisionnolaterthantwoweeksafternotificationoftheEDPBurgent binding decision. 329. The IE SA shall notify its national decision and this urgent binding decision to Meta IE without undue delay. The IE SA shall inform the EDPB of the date when the national decision is notified to the controller. 330. The NO SA shall inform Facebook Norway of the outcome of these proceedings without undue delay after the notification of the national decision to Meta IE. 331. The IE SA will communicate itsfinal decisionto the EDPB.Pursuant to Article 70(1)(y)GDPR, theIE SA’s final decision communicated to the EDPB will be included in the register of decisions that have been subject to the consistency mechanism. For the European Data Protection Board The Chair (Anu Talus) Adopted 79