EDPB - Binding Decision 4/2022 - 'Meta (Instagram)'
EDPB - Binding Decision 4/2022 | |
---|---|
Authority: | EDPB |
Jurisdiction: | European Union |
Relevant Law: | Article 4 GDPR Article 5 GDPR Article 6 GDPR Article 7 GDPR Article 9 GDPR Article 12 GDPR Article 13 GDPR Article 21 GDPR Article 24 GDPR Article 56 GDPR Article 58 GDPR Article 60 GDPR Article 65 GDPR Article 77 GDPR Article 79 GDPR Article 83 GDPR |
Type: | Other |
Outcome: | n/a |
Started: | 25.07.2022 |
Decided: | 05.12.2022 |
Published: | 11.01.2023 |
Fine: | n/a |
Parties: | Belgian Instagram user (represented by noyb - European Centre for Digital Rights) Meta Platforms Ireland Limited |
National Case Number/Name: | Binding Decision 4/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | LR |
Following a referral under the Article 60 GDPR procedure, the EDPB issued a binding decision finding Meta IE’s processing of personal data for behavioural advertising to be unlawful.
English Summary
Facts
In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a user was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).
Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.
A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (APD), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.
Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.
Secondly, the use of the Instagram service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the data controller seeks to rely is invalid.
Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.
Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.
The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.
In response to the complaint Meta IE submitted, among others points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of Article 6(1)(a) GDPR. The company stated that it “does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use” (Para 41).
On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 11 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.
Holding
Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. The EDPB identified six issues in the case at hand, addressing each one in turn before issuing the Binding Decision.
Please note: When describing Issues 1-3, it is necessary to explain the proposals in the Irish DPA’s Draft Decision, in order to provide the context for the EDPB decision.
Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis/Unlawful Data Processing
This issue concerns whether Meta IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”.
In its Draft Decision, the DPC – taking into account the complainant’s submissions, the EDPB guidelines and the framing of Article 6(1)(b) – acknowledged that “consideration of the meaning of the term ‘contract’ within a data protection context is required”. However, the DPC also asserted that an assessment of the terms “necessary” and “performance” is also required, and they “do not have competence to consider substantive issues of contract law, and, accordingly [their] analysis is limited to the specific contract entered into by the named data subject and Meta Ireland in respect of the Instagram service” (DPC - 87). The DPC took a broad approach in determining what is necessary for the performance of a contract based on what is “reflected in the terms of the precise contract between those parties” (DPC - 95). The DPC explained that, in their view, “the core of the service offered is premised on the delivery of personalised advertising” (DPC - 106) and proposed to conclude that “Meta Ireland may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising” (DPC - 116).
Nine DPAs objected to this proposed conclusion from the DPC, and the matter was referred to the EDPB.
In its binding decision, the EDPB sought to emphasise "the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Instagram service" (99). With regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:
"The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model” (108).
"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR... Otherwise, the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not" (112).
"...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (119).
Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Instagram. Firstly, "Meta IE promotes... the perception that the main purpose of the Instagram service serves and for which it processes its users' data is to enable them to communicate with others" (120). The EDPB also takes into account Article 21(2) and (3) GDPR, "the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes." Because this right exists, "the processing cannot be necessary to perform a contract [as the] subject has the possibility to opt out from it at any time, and without providing any reason" (125). The EDPB continues, outlining the inherent risk of a finding in the DPC Decision that Meta IE can process personal data on the basis of Article 6(1)(b):
“...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of Article 6(1)(b) GDPR, pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject" (134). "As a result, owing to the number of users, market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the complainant and the millions of users of Instagram service in the EEA and affect the protection of hundreds of millions of people covered the GDPR" (135).
In light of all of the above, the EDPB directed the following:
“...behavioural advertising performed by Meta in the context of the Instagram service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Instagram service and is not an essential or core element of it" (136). "Meta has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data in the context of the Instagram terms of service and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Service for the purpose of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (137).
Accordingly, the EDPB instructed the DPC to “alter Finding 2 of its Draft Decision, which concludes that Meta IE may rely on Article 6(1)(b) GDPR in the context of its offering of the Instagram Terms of Use, and to include an infringement of Article 6(1) GDPR” (Para 137).
Issue 2 – On whether the LSA’s Draft Decision includes sufficient analysis and evidence to conclude that Meta IE is not obliged to rely on consent to process the Complainant’s personal data
In its Draft Decision, the DPC sought to consider whether clicking the “Agree to Terms” button constitutes or should be considered consent for the purposes of the GDPR. According to the DPC, this question consists of two parts, “first, whether clicking the ‘Agree to Terms’ button actually constitutes consent for the purposes of the GDPR and, second, whether the act of clicking ‘Agree to Terms’ necessarily must be considered consent for such purposes” (DPC - 34).
On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “as a matter of fact, Meta Ireland did not – and did not seek – to rely on consent as the legal basis for all processing” (DPC - 46).
Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasized that there is no hierarchy of legal bases for the processing of personal data under the GDPR, any implication otherwise would be “inherently problematic”, and “[no] one ground has normative priority over the others” (DPC - 51).
However, six DPAs raised objections to this proposed finding by the DPC. In its binding decision, the EDPB stated:
“The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake" (107). “[The DPC] cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve” (202).
As a result, the EDPB instructed the DPC to remove its proposed finding regarding consent as a basis for lawful processing. The EDPB also decided that the DPC shall carry out a new investigation into Meta IE’s processing operations in its Instagram service to determine if it processes special categories of personal data (Article 9 GDPR), and complies with the relevant obligations under the GDPR (Para 203).
Issue 3 – On the Potential Additional Infringement of the Principle of Fairness
During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. The DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Meta IE was not afforded the opportunity to be heard in response to a particularised area of wrongdoing” (DPC - 200). The matter was referred to the EDPB, who determined as follows:
"the principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too" (224).
"the concept of fairness stems from the EU Charter of Fundamental Rights" (225).
“Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject… [it] underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (225, 226).
"The combination of factors, such as the asymmetry of the information created by Meta IE with regard to the Instagram service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages the Instagram service users, limits their control over the processing of their personal data and undermines the exercise of their rights” (234).
Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (235).
Issue 4 – On the potential additional infringement of the principles of purpose limitation and data minimisation
During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision, on account of Meta IE’s failure to comply with the purpose limitation and data minimisation principles (239).
The Italian DPA argued that the DPC should not have confined its assessment to only the purpose of personalised advertising (while the Instagram service would actually be composed of several processing activities pursuing several purposes). Accordingly, the fact Meta IE inappropriately based its multifarious processing activities only on Article 6(1)(b) GDPR entails an infringement of the purpose limitation and data minimisation principles (240). Furthermore, “the failure to specify and communicate the purposes of the processing to the data subject creates a risk of artificially expanding the types of processing or the categories or personal data considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would nullify the safeguards afforded to data subjects under data protection law” (241). In response, the DPC stated that it did not consider that the Italian DPA’s objection to be relevant or reasoned.
In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it related to specific parts of the DPC’s Draft Decision and the DPC could have made a finding of an infringement of the principles of purpose limitation and data minimisation. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “substantial and plausible” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy Article 4(24) GDPR (Para 252).
Issue 5 – On Corrective Measures Other than Administrative Fines
In its Draft Decision, the DPC proposed the imposition of an order to bring processing in compliance with Articles 5(1)(a), 12(1) and 13(1) GDPR within three months of the date of notification of any final decision. This concerned the DPC’s finding that Meta had breached its transparency obligations under the GDPR, a conclusion which was not objected to by any DPAs and thus was not referred to the EDPB.
However, under the Article 60 GDPR process, a range of objections were made to the proposed order to bring Meta’s processing activities into compliance. These objections proposed: the imposition of corrective measures other than administrative fines (see “Issue 6” below and EDPB decision paras 255, 256); a temporary ban on processing (255); measures to remedy the infringement of Article 6(1)(b) GDPR (Para 257); and to delete any unlawfully processed data (259).
The EDPB considered the objections raised in accordance with Article 4(24) GDPR, assessing whether they are “relevant” and “reasoned”. The EDPB also considered the need for any corrective measures applied by a supervisory authority to be “appropriate, necessary and proportionate in view of ensuring compliance with the regulation” (Article 58(2) GDPR) (Para 280).
Having considered the objections, the EDPB instructed the DPC to include in its final decision an order for Meta IE to bring its data processing for behavioural advertising into compliance with Article 6(1) GDPR within 3 months (290). In addition, the EDPB notes that the order should be modified to reflect the EDPB’s finding that Meta IE is not entitled to rely on Article 6(1)(b) GDPR for this data processing (291). Furthermore, the EDPB instructed the DPC to amend its order regarding transparency obligations to include data processed for the purpose of behavioural advertising, and not just data processed pursuant to Article 6(1)(b) (Para 291).
Issue 6 – On the determination of the administrative fine
The EDPB considered the DPC’s assessment of the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine for the infringement of its transparency obligations under the GDPR (Paras 293 – 312). The EDPB also noted the objections raised by five DPAs, requesting a “significantly higher administrative fine with reference to the established infringements” (313). The EDPB found these objections to be relevant and reasoned in accordance with Article 4(24) GDPR and, after conducting its own assessment of the factors under Article 83(2) GDPR, found that the proposed fine “is not effective, proportionate and dissuasive, in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of doing business” (Para 364).
Therefore, the EDPB instructed the DPC to “set out a significantly higher fine amount for the transparency infringements identified, in comparison with the upper limit for the administrative fine envisaged in the Draft Decision” (366).
Furthermore, following a range of further objections by DPAs to the administrative fine proposed by the DPC, the EDPB instructed the DPC to impose an administrative fine for the additional infringement of Article 6(1) GDPR (440), and to take into account the additional infringement of the principle of fairness in Article 5(1)(a) GDPR in its adoption of corrective measures (446).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
BindingDecision4/2022onthedisputesubmittedby the Irish SAon MetaPlatformsIrelandLimitedand itsInstagram service(Art.65GDPR) Adopted on 5December 2022 AdoptedTableof contents 1 Summaryofthe dispute.................................................................................................. 5 2 The right togoodadministration...................................................................................... 9 3 Conditionsfor adopting a binding decision........................................................................ 9 3.1 Objection(s)expressedby severalCSA(s)inrelationtoa Draft Decision.......................... 9 3.2 The IESA finds the objections totheDraftDecision not relevantor reasoned anddoes not follow them.....................................................................................................................10 3.3 Admissibilityofthe case..........................................................................................10 3.4 Structure ofthe Binding Decision.............................................................................11 4 Onwhether the LSA should have foundaninfringement for lackofappropriate legalbasis.....11 4.1 Analysisbythe LSA inthe Draft Decision...................................................................11 4.2 Summaryofthe objectionsraisedbythe CSAs ...........................................................14 4.3 Positionofthe LSA onthe objections........................................................................19 4.4 Assessment ofthe EDPB..........................................................................................20 4.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................20 4.4.2 Assessment onthe merits................................................................................24 5 Onwhether the LSA’sDraftDecisionincludes enoughanalysis andevidence toconclude that MetaIE isnot obligedtorelyonconsent toprocessthe complainant’spersonaldata....................39 5.1 Analysisbythe LSA inthe Draft Decision...................................................................39 5.2 Summaryofthe objectionsraisedbythe CSAs ...........................................................40 5.3 Positionofthe LSA onthe objections........................................................................44 5.4 Assessment ofthe EDPB..........................................................................................45 5.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................45 5.4.2 Assessment onthe merits................................................................................48 6 Onthe potentialadditionalinfringement ofthe principle offairness....................................54 6.1 Analysisbythe LSA inthe Draft Decision...................................................................54 6.2 Summaryofthe objectionraised bythe CSA ..............................................................55 6.3 Positionofthe LSA onthe objection .........................................................................56 6.4 Analysisofthe EDPB...............................................................................................56 6.4.1 Assessment ofwhether the objectionwasrelevant andreasoned..........................56 6.4.2 Assessment onthe merits................................................................................58 7 Onthe potentialadditionalinfringement of theprinciples of purpose limitationanddata minimisation.......................................................................................................................63 7.1 Analysisbythe LSA inthe Draft Decision...................................................................63 2 Adopted 7.2 Summaryofthe objectionraised bythe CSAs.............................................................63 7.3 Positionofthe LSA onthe objection .........................................................................64 7.4 Analysisofthe EDPB...............................................................................................64 7.4.1 Assessment ofwhether the objectionwasrelevant andreasoned..........................64 8 Oncorrective measuresother thanadministrative fines.....................................................66 8.1 Analysisbythe LSA inthe Draft Decision...................................................................66 8.2 Summaryofthe objectionsraisedbythe CSAs ...........................................................67 8.3 Positionofthe LSA onthe objections........................................................................69 8.4 Assessment ofthe EDPB..........................................................................................69 8.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................69 8.4.2 Assessment onthe merits................................................................................71 9 Onthe determinationofthe administrative fine................................................................77 9.1 Onthe determinationofthe administrative fine for the transparencyinfringements.......77 9.1.1 Analysisbythe LSA inthe Draft Decision............................................................77 9.1.2 Summaryofthe objectionsraisedbythe CSAs ....................................................82 9.1.3 Positionofthe LSA onthe objections.................................................................85 9.1.4 Assessment ofthe EDPB...................................................................................86 9.2 Onthe determinationofanadministrative fine for further infringements......................95 9.2.1 Analysisbythe LSA inthe Draft Decision............................................................95 9.2.2 Summaryofthe objectionsraisedbythe CSAs ....................................................96 9.2.3 Positionofthe LSA onthe objections...............................................................101 9.2.4 Analysisofthe EDPB......................................................................................101 10 Binding Decision......................................................................................................113 11 Finalremarks..........................................................................................................116 3 AdoptedTheEuropeanDataProtectionBoard Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliamentandofthe Council of27 April2016 onthe protectionofnaturalpersonswithregardtothe processing ofpersonal dataandonthe freemovement ofsuchdata,andrepealingDirective95/46/EC 1 (hereinafter“GDPR”) , Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amendedby theDecision ofthe EEA joint Committee No154/2018 of 6 July 2018 , 2 HavingregardtoArticle 11 andArticle22 of itsRulesof Procedure (hereinafter“EDPBRoP”) , 3 Whereas: (1) The main role of the European Data ProtectionBoard (hereinafter the “EDPB”) is to ensure the consistent applicationof the GDPRthroughoutthe EEA.Tothiseffect,it follows from Article60 GDPR that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other supervisory authoritiesconcerned(hereinafter“CSAs”)inanendeavourtoreachconsensus, thattheLSA andCSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicatethe relevantinformation onthe mattertothe other supervisory authoritiesconcerned. The LSA shall without delaysubmit a draft decision to the other CSAs for their opinion and take due account oftheir views. (2) Where any of the CSAs expressed a reasoned and relevant objection on the draft decision in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the relevantandreasonedobjection or considers thattheobjection isnot reasonedandrelevant,theLSA shall submit this mattertothe consistency mechanism referredtoinArticle 63 GDPR. (3)PursuanttoArticle65(1)(a)GDPR,theEDPBshallissueabindingdecision concerningallthematters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement ofthe GDPR. (4)The binding decision of theEDPBshall be adoptedby atwo-thirds majorityofthe membersofthe EDPB, pursuant toArticle 65(2) GDPR inconjunction withArticle 11(4) EDPB RoP, within one month after the Chair of the EDPB and the competent supervisory authority have decided that the file is complete. The deadline may be extendedby a further month, taking into account the complexity of the subject-matter upon decision of the Chair of the EDPB on own initiative or at the request of at least one thirdof the membersofthe EDPB. (5)InaccordancewithArticle65(3)GDPR,if,inspite ofsuchanextension, theEDPBhasnotbeenable toadopt a decision within the timeframe,it shall do so withintwoweeks following the expiration of the extensionby a simple majorityof itsmembers. (6)InaccordancewithArticle 11(6)EDPB RoP, onlythe Englishtext ofthe decisionisauthentic asit is the languageofthe EDPBadoptionprocedure. 1 2OJL119,4.5.2016,p.1. References to “Member States”madethroughout this decision shouldbeunderstoodas references to “EEA MemberStates”. 3EDPBRules ofProcedure,adoptedon25May2018. 4 Adopted HAS ADOPTED THEFOLLOWINGBINDINGDECISION 1 SUMMARYOF THE DISPUTE 1. This document contains a Binding Decision adopted by the EDPB in accordance with Article65(1)(a) GDPR.Thedecisionconcerns thedispute arisenfollowing a draftdecision (hereinafter “DraftDecision”)issuedbythe Irishsupervisory authority(“DataProtectionCommission”, hereinafter the “IESA”,alsoreferredtointhis contextasthe “LSA”)andthe subsequent objections expressed by a number of CSAs (“Österreichische Datenschutzbehörde” hereinafter the “AT SA”; “ Der HamburgischeBeauftragtefürDatenschutzundInformationsfreiheit” alsoon behalfofother German SAs 4, hereinafter the “DE SAs”;“AgenciaEspañola de Protección de Datos”,hereinafter the “ESSA”; “Office of the Data Protection Ombudsman”, hereinafter the “FI SA”; “Commission Nationale de l'Informatique et des Libertés", hereinafter the “FR SA”; “Hungarian National Authority for Data Protection and Freedom of Information, hereinafter “HU SA”; “Garante per la protezione dei dati personali", hereinafter the “IT SA”; “Autoriteit Persoonsgegevens”, hereinafter the “NL SA”; “Datatilsynet”, hereinafter the “NO SA”; and “Integritetsskyddsmyndigheten”, hereinafter the “SE SA”). 2. The DraftDecisionatissue relatestoa“complaint-basedinquiry” whichwascommencedbythe IESA on 20 August 2018 into the Instagram social media processing activities (hereinafter “Instagram service”) of Facebook IrelandLimited, a company established in Dublin, Ireland. The company has subsequently changedits name to “Meta PlatformsIrelandLimited” andhereinafter it is referredto as“MetaIE”.Any referencetoMetaIEinthis Binding Decisionmeansa referencetoeither Facebook IrelandLimitedor MetaPlatformsIrelandLimited,asappropriate. 3. The complaint was lodged on 25 May 2018 with the Belgian supervisory authority (“Autorité de protection des données”), hereinafter the “BE SA” by a data subject who requested the non-profit NOYB-EuropeanCenterfor DigitalRights(hereinafter,“NOYB”)torepresentthemunderArticle80(1) GDPR(bothhereinafterreferredtoasthe“Complainant”).TheComplainantallegeda violationofthe right to data protection and especially infringements of “all the particular requirementsset out in Article4(11),Article6(1)(a),Article7and/or Article9(2)(a)oftheGDPR”,byarguingthatthecontroller relied on a “forced consent”, as well as alleging misrepresentations of the controller with regardto consent and the legal basis for the processing, and consequently, an infringement of Article 5(1)(a) GDPR 5.The complaint articulateditsrequests into a request toinvestigate,and a request to impose 6 correctivemeasures . 4Objections raised on behalf of theHamburg Commissioner forData Protectionand Freedom of Information, the Bavarian StateOfficefor Data ProtectionSupervision, theBerlinCommissionerfor Data Protection and FreedomofInformation,theBrandenburgCommissionerforDataProtectionandFreedomofInformation,the Federal Commissionerfor Data Protection and Freedom of Information, the State Commissioner for Data ProtectioninLowerSaxonyandtheStateCommissionerforDataProtectionNorthRhine-Westphalia. 5Complaint,paragraphs2.2.5.and2.3.2. 6 Within its request to investigatein paragraph 3.1 of theComplaint, theComplainant requested that a full investigationbemadeto determine“which processingoperations the controllerengages in, in relation to the data subject”, “for which purpose they are performed”, “on which legal basis for each specific processing operationthecontrollerrelieson”,andtoacquire“acopyofanyrecordsofprocessingactivities”.Thecomplaint alsorequested“that the results of this investigation[be] madeavailableto [them]”. As regards therequest to 5 Adopted4. On31 May2018,the BESA transferredthe complaint totheIESA. The IESA statedinits“Schedule to the DraftDecision” 7thatitwassatisfied thattheIESA isthe LSA,withinthe meaningof theGDPR,for MetaIE,ascontroller, for the purpose ofthe cross-border processing of personal datain the context of theInstagramservice. 5. The following table presents a summary timeline of the events part of the procedure leading tothe submission of the mattertothe consistency mechanism: Thescope andlegalbasisofthe inquirywereset outinthenotice 20.08.2018 ofcommencementofinquiry thattheIESA sent tothe partieson 20August 2018.TheIESA commencedtheinquiry andrequested information from thisdate. InquiryReport stage: 20.08.2018-07.04.2021 • the IESA commenced workonthe draft inquiry report • the IESA preparedadraftinquiryreportandissued it to Meta IE andto the Complainant to allow them to make submissions inrelationtothe draftinquiry report; • MetaIE provided its submissions in relationto the draft inquiry report; • The Complainant provided its submissions in relation to the draftinquiry report; • Meta IE andthe Complainant were furnished with each other’ssubmissions andthe finalreport wasprovided to the decision-maker; • The IESA issued a copyof itsfinalinquiry report toMeta IEandthe Complainant. • The IE SA issued a letter to Meta IE and to the Complainant to confirm the commencement of the decision-making stage. The IE SA issued a Preliminary Draft Decision (hereinafter “the 23.12.2021 Preliminary Draft Decision”)(including a Schedule) to Meta IE andtothe Complainant. The Complainant provided submissions on the Preliminary Draft 04.02.2022 Decision to the IE SA (“Complainant’s Preliminary Draft Submissionsdated4February2022” ). Meta IE made submissions on the Preliminary Draft Decision to the IESA (“Meta IE’sPreliminary DraftSubmissions”). The IE SA shared its Draft Decisionwith the CSAs in accordance 01.04.2022 withArticle60(3) GDPR. imposecorrectivemeasures,morespecifically,thecomplaintrequestedinparagraph3.2thattheSA“stopany processing operationsthat are based on invalid consent by the data subject”, and in paragraph3.3 that an “effective, proportionateanddissuasivefine”beimposed. 7IESAScheduletotheDraftDecisionof1April2022inthematterofTSA(throughNOYB)vMeta PlatformsLtd (formerlyFacebookIrelandLimited)inrespectoftheInstagramService,paragraphs58-72. 8This documentismistakenlydated“11.06.2020”. 6 Adopted Between SeveralCSAs (AT,DE,ES,FI,FR,HU,IT,NL,NO,andSESAs)raised objections in accordancewithArticle60(4)GDPR. 28 and29.04.2022 The IE SA issued a Composite Response setting out its replies to 01.07.2022 such objections and shared it with the CSAs (hereinafter, “Composite Response”). The IE SA requestedthe relevant CSAs to confirm whether, having considered the IE SA’s position in relation to the objections as set out in the Composite Memorandum,the CSAs intended tomaintaintheir objections. In light of the arguments put forward by the IE SA in the Composite Response, the DE, ES, FI, HU, NL, NO, and SE SAs), confirmed to the IE SA that they maintain their remaining objections . The IE SA invited Meta IE to exercise its right to be heard in 08.07.2022 respect of the objections (and comments) that the IE SA proposed to refer to the EDPB under Article 65(1) GDPR along with the IE SA’s Composite Response and the communications receivedfrom the CSAs in replytothe Composite Response. Meta IE furnished the requested submissions (“Meta IE Article 09.08.2022 65 Submissionsof9August2022”). The IE SA referred the matter to the EDPB in accordance with 11.08.2022 Article 60(4) GDPR, thereby initiating the dispute resolution procedure under Article65(1)(a). 6. The IE SA triggered the dispute resolution process in the Internal Market Information system (hereinafter“IMI”) on 11 August 2022 inaccordancewithArticle 60(4)GDPR. 7. The EDPBSecretariatassessed the completeness of the file on behalf of the Chair of the EDPBin line withArticle11(2) EDPBRoPinorder toensure thatallthe necessarydocuments wereincluded inthe file. 8. The EDPB Secretariatcontactedthe IESA on 23 and27 September 2022, asking for the transmission via IMIof specified documents pertaining to the investigationconducted by the IE SA . The request 9ResponseoftheDESAs toCompositeResponsedated11July2022;ResponseoftheESSAto IESAComposite Responsedated8July2022;ResponseoftheFI SAto CompositeResponsedated8July2022;Responseofthe HU SAto CompositeResponsedated7July2022; ResponseoftheNLSA to CompositeResponsedated5July 2022;ResponseoftheNO SAto CompositeResponsedated11July2022;ResponseoftheSE SAto Composite Responsedated8July2022 10TheInternalMarketInformation(IMI)istheinformationandcommunicationsystemmentionedinArticle17 oftheEDPBRules ofProcedure. 11Thefollowingdocumentswererequested: Letter ofDPCto NOYBof23/11/2018outliningthescopeoftheinquiry. NOYB's replytoDPCof03/12/2018outliningproceduralconcerns 7 Adopted was made to allow the EDPB to come to a fully informed decision on the objections raised by some CSAs onthescope andconductofthe investigation.Fromthe schedule tothe DraftDecision,theEDPB Secretariat concluded that both Meta IE and the Complainant were given access to the documents requestedandinvited the IESA toconfirm thiswasindeed thecase. 9. The IE SA declined the request, as it considered that the materialalready provided as sufficient to enable theEDPBtodeterminetheobjections referredtoit, asthe draft decisionprovidesinformation about the scope of the inquiry commenced for the purpose of examining the complaint, the procedural steps taken in the inquiry, the information that was collected during the course of the inquiry process, the allegations that were put to the data controller, the submissions made by the parties to the inquiry and the assessments and views of the IE SA. Further, the IE SA expressed its concern over the possibility of the EDPB concluding its decision on the basis of materialwhich was never put to the controller concerned as part of the formulation of any allegation of potential wrongdoing.Finally, the IESA underlined that,inaccordancewithArticle11(2) ofthe EDPBRoP,they would provide documentsthe Boarddeems necessary. 10. A matter of particular importance that was scrutinised by the EDPB Secretariat wasthe right to be heard,asrequiredbyArticle 41(2)(a)ofthe CharterofFundamentalRights.Furtherdetailson thisare provided in Section2 ofthis Binding Decision. 11. On 5 October 2022, the decision on the completeness of the file was taken, andit was circulatedby the EDPBSecretariattoallthemembers ofthe EDPB. 12. TheChair ofthe EDPBdecided,incompliance withArticle65(3)GDPRinconjunctionwithArticle11(4) EDPBRoP, to extendthe default timeline for adoption of one month by a further month on account of thecomplexity ofthe subject-matter DPC's replytoNOYBof16/01/2019 DPClettertoMeta of30/01/2019outliningviewsonthescope; Meta IEresponsetoDPCof05/02/2019,raisingproceduralquestions; DPC's responsetoMeta of08/02/2019; Email exchangesbetweenDPCandMetaon08/02and15/02/2019regardingscopeandproceduralissuesraised byNOYB; Meta IE’s Submissionsof 22/02/2019includingMeta Submissionof28/09/2018(markedupcopy,ofwhichparts Meta consideredoutofscopeofcomplaint); DPClettertoNOYBof28/03/2019whichincludedanupdateonthescope; Letter fromNOYBtotheIESAdated19April2019whichincludedfurthersubmissionsonthescope NOYB's lettertoDPCof24/02/2020raisingproceduralissues; DPC's replytoNOYBof23/03/2020; DraftInquiryreportof20/05/2020; DPClettertoNOYB of20/05/2020; NOYB's responsetoDPCof03/06/2020; NOYBsubmissionsontheDraftInquiryReportof19/08/2020; Meta IE’s SubmissionsontheDraftInquiryReportof22/06/2020; FinalInquiryreportof18January2021; NOYB’s SubmissionsonthePreliminaryDraftDecisioninIN-18-08-05dated11June2021; NOYB’s submissiontotheIESAcontainingtheGallupstudyinattachment. 8 Adopted 2 THE RIGHT TOGOOD ADMINISTRATION 13. TheEDPBissubject toArticle41 oftheEUCharterofFundamentalRights,inparticularArticle41(right togoodadministration).This isalsoreflectedin Article11(1)EDPBRoP.Furtherdetailswere provided inthe EDPBGuidelines on Article65(1)(a)GDPR 12. 14. The EDPB Decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address directly anythird party. However, asa precautionarymeasure to address the possible need for the EDPBtooffer the righttobe heardatthe EDPBleveltoMetaIE,the EDPBassessed if MetaIE was offered the opportunity toexercise its right tobe heard in relationto the procedure led by the LSA andthesubject matterofthe dispute tobe resolvedbythe EDPB.Inparticular,theEDPBassessed ifallthe documents containingthe mattersoffactsandlaw used bythe EDPBtotake itsdecisionhad beenpreviously sharedwithMetaIE. 15. The EDPBnotes thatMeta IEhas receivedthe opportunity to exercise itsright tobe heard regarding allthedocuments containingthe mattersoffactsandoflawconsidered bythe EDPBinthecontext of this decision and provided its writtenobservations 1, which have been shared withthe EDPB by the LSA. 16. Considering that Meta IE has been already heard by the IE SA on all matters of facts and of law addressed by the EDPB in its decision, the EDPB is satisfied that the Article 41 of the EU Charter of FundamentalRightshas beenrespected. 17. TheEDPBconsidersthattheComplainantisnot likelytobe adverselyaffectedbythisBindingDecision, andconsequently does not meetthe conditions tobe grantedaright tobe heardby the EDPBin line with Article 41 of the EU Charter of Fundamental Rights, applicable case law, and Article 11 of the EDPBRoP. This is without prejudice toany right tobe heardor other relatedrights the Complainant mayhave before the competentnationalsupervisory authority(/-ies). 3 CONDITIONSFOR ADOPTING A BINDINGDECISION 18. The generalconditionsfor theadoptionof abinding decision bytheEDPBareset forthinArticle60(4) andArticle 65(1)(a)GDPR 1. 3.1 Objection(s) expressed by several CSA(s) in relationto a DraftDecision 19. The EDPB notes that severalCSAs (AT, DE, ES, FI, FR, HU, IT, NL, NOandSE SAs) raised objections to the DraftDecisionvia IMI.Theobjections were raisedpursuant toArticle 60(4)GDPR. 12 EDPB Guidelines 3/2021on theapplication of Article65(1)(a) GDPR, adopted on 13April 2021 (versionfor 13blicconsultation)(hereinafter,“EDPBGuidelinesonArt.65(1)(a)”),paragraphs94-108. In particular, Meta IE Preliminary Draft Submissions dated 4 February 2022, Meta IE Article65 Submissions dated9August2022. 14AccordingtoArt.65(1)(a)GDPR,theEDPBwillissuea bindingdecisionwhena supervisoryauthorityhasraised a relevantandreasonedobjectiontoa draftdecisionoftheLSAandtheLSAhas notfollowedtheobjectionor theLSAhas rejectedsuchanobjectionasbeingnotrelevantorreasoned. 9 Adopted 3.2 The IE SA finds the objections to the DraftDecision not relevantor reasoned and does not follow them 20. On 1 July 2022, the IESA provided to the CSAs ananalysis of the objections raised bythe CSAs inthe Composite Response. 21. The IE SA concluded that it would not follow the objections, as it did not consider them “relevant” and/or “reasoned”,withinthe meaningofArticle 4(24)GDPRforthe reasonsset out inthe Composite Response andbelow 15. 3.3 Admissibility of the case 22. The case at issue fulfils the elements listed by Article 65(1)(a) GDPR, since several CSAs raised objections toadraftdecision oftheLSA (theIESA)withinthedeadline providedbyArticle60(4)GDPR, and the IE SA has not followed objections or rejected them for being, in its view, not relevant or reasoned. 23. The EDPBtakesnote of MetaIE’sposition that the currentArticle 65 GDPRdispute resolution should be suspended due to pending preliminary ruling proceedings before the Court of Justice of the EU (hereinafter,“CJEU”) 16.MetaIE refersin particulartocases C-252/21 and C-446/21 . Following its assessment, the EDPBdecidestocontinueitsproceedingson thisArticle65 GDPR dispute resolution, as there is no explicit legal basis for a stay of the dispute resolution procedure in EU law, nor are existing CJEU rulings on the matter conclusive for the situation of the EDPB 19. Also, the EDPB takes into consideration the data subjects’ right to have their complaints handled within a “reasonable period”(Article 57(1)(f) GDPR),andtohave their case handledwithina reasonable time byEU bodies (Article 41 Charter).Moreover,ultimatelythereareremediesavailable tothe affectedpartiesin case 20 of adiscrepancy betweenthe EDPBBinding DecisionandCJEU rulingsin the aforementionedcases . 24. Considering the above, inparticularthatthe conditions of Article65(1)(a) GDPRaremet,the EDPBis competent to adopt a binding decision, which shall concern allthe matterswhichare the subject of 15TheIESAletterto theEDPBSecretariatdated11August2022. 16Meta IEArticle65Submissions,paragraphs3.4-3.8. 17Requestfora preliminaryrulingof22April2021,Meta PlatformsandOthers,C-252/21(hereinafter‘C-252/21 18erlandesgerichtDüsseldorfrequest’). Requestfora preliminaryrulingof20July2021,Schrems,C-446/21(hereinafter‘C-446/21Austrian ObersterGerichtshofrequest’). 19C-234/89Judgement of theCourt of Justiceof 28 February 1991, Delimitis, C-234/89, ECLI:EU:C:1991:91;C- 344/98 Judgement of theCourt of Justiceof 14December 2000, Masterfoods, C-344/98, ECLI:EU:C:2000:689. These cases concerned proceedings beforethe national courts, where the parties faced the risk of being confronted with a conflicting decision of the national judgethat could be seen as de facto nullifying the Commission decision – a power which is retained by the CJEU. The current disputeresolutionprocedure concernstheadoptionofanadministrativedecision,whichcanbesubjecttofulljudicialreview. 20In casean action forannulment is brought against theEDPB decision(s) and found admissible, theGeneral Court/CJEUhastheopportunitytoinvalidatethedecisionoftheEDPB.Inaddition,andiftheGeneralCourt/CJEU wereto deliveranyjudgmentinthetimebetweentheadoptionoftheEDPB’s Art.65decisionandtheadoption theIESA’s finaldecision,theIESAmayultimatelydecidetorevisethefinalnationaldecisionittakesfollowing the EDPB's binding decision - if the CJEU’s rulings givecauseto do so - in accordancewith theprincipleof cooperation as elaborated by theCJEU in theC-453/00Judgement of theCourt of Justiceof 12 January2004, Kühne&HeitzNV, ECLI:EU:C:2004:17. 10 Adopted the relevantandreasonedobjection(s), i.e.whetherthere isaninfringement ofthe GDPRor whether the envisagedactioninrelationtothe controller or processor complieswiththe GDPR 21. 25. The EDPBrecallsthat itscurrent Decision is without anyprejudice toany assessments the EDPBmay be called upon to make in other cases, including with the same parties, taking into account the contentsof therelevant draftdecision and theobjections raised bythe CSA(s). 3.4 Structure of the Binding Decision 26. For eachof the objections raised, the EDPB decides on their admissibility, by assessing first whether they can be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) 22 GDPRasclarifiedinthe Guidelines on the conceptof a relevantandreasonedobjection . 27. Where the EDPB finds that anobjection does not meet the requirements of Article 4(24) GDPR, the EDPBdoes not takeanyposition onthe meritof anysubstantialissues raisedbythat objectionin this specific case.TheEDPBwillanalysethemeritsofthesubstantialissues raisedbyallobjections itdeems 23 relevantand reasoned . 4 ON WHETHER THE LSA SHOULD HAVE FOUNDAN INFRINGEMENT FOR LACK OF APPROPRIATE LEGAL BASIS 4.1 Analysis by the LSA inthe DraftDecision 28. The IESA concludes thattheGDPR,the jurisprudence andthe EDPBGuidelinesdo not preclude Meta IE from relying on Article 6(1)(b) GDPR as a legal basis to carry out the personal data processing activitiesinvolved in the provision of its service tousers, including behavioural advertising insofar as thatforms a core partof the service 2.Finding 2 reads“Ifind the Complainant’scase is not made out that the GDPR does not permit the reliance by Meta Ireland on 6(1)(b) GDPR in the context of its offeringofTermsofUse 25” 29. The IESA statesthatit does not have competence toconsider substantive issues ofcontractlaw and, accordingly, its analysis is limited tothe specific contract enteredintoby the complainant andMeta 26 IEin respectof the Instagramservice . 27 30. The IESA understands the complainant’sallegationsas : being that,firstly,theyweregivena binary choice: i.e. either acceptthe InstagramTermsof Use andthe associated DataPolicy byselecting the 21 Art. 65(1)(a) and Art. 4(24) GDPR. Some CSAs raised comments and not per se objections, whichwere, therefore,nottakenintoaccountbytheEDPB. 22EDPB Guidelines 9/2020 ontheconcept of relevant and reasoned objection, version 2 adopted on 9 March 2021,(hereinafter,“EDPBGuidelinesonRRO”). 23SeeEDPBGuidelinesonArt.65(1)(a),paragraph63(“TheEDPBwillassess,inrelationtoeachobjectionraised, whethertheobjectionmeetstherequirementsofArticle4(24)GDPRand,ifso,addressthemeritsoftheobjection inthe bindingdecision.”) 24DraftDecision,paragraphs112and115. 25DraftDecision,Finding2,p.40. 26DraftDecision,paragraph84. 27 DraftDecision,paragraph10. 11 Adopted “accept”button,ordeletingtheirInstagramaccount ,lackofclarityonwhichspecific legalbasisMeta IErelies onfor eachprocessing operation 29,andtheir concernon MetaIE’srelianceon Article6(1)(b) todeliver the InstagramTermsof Use 30. 31. While the IE SA acknowledges that the EDPB considers in its Guidelines 2/2019 31 that, as a general rule, processing for online behaviouraladvertising is not necessary for the performance of acontract for online service under Article 6(1)(b) GDPR 32, in this particular case, having regardto the specific terms of the contract andthe nature of the service provided and agreedupon by the parties, IE SA concluded thatMetaIEmayinprinciple relyonArticle 6(1)(b)aslegalbasisofthe processing ofusers’ data necessary for the provision of its service, including through the provision of behavioural advertisinginsofar asthisforms acorepartofthatserviceofferedtoandacceptedbyusers 33. Further, the IE SA states that while the examples provided in any form of EDPB guidance are helpful and instructive, theyare not necessarily conclusive of the position in any specific case andindeed do not 34 purport tobe . 32. The IE SA disagrees with what it defines as a “strict threshold of ‘impossibility’ in the assessment of necessity” proposed by the complainant and the EDPB . By “impossibility”, IE SA refers to the argument put forward that a particular term of a contract (here, behavioural advertising) is not necessary to deliver an overall service or contract 36. The IE SA is of the view that “it is not for an authority such as the Commission, tasked with the enforcement of data protection law, to make assessmentsasto whatwillorwillnot maketheperformanceofa contractpossibleor impossible” and that the generalprinciples set out in the GDPR andexplained by the EDPB in the guidelines must be appliedon a case-by-case basis 37. TheIE SA considers thatArticle 6(1)(b)GDPRcannot be interpreted as requiring that it is impossible to perform the contract without the data processing operations in question 38. 33. TheIESA referstoMetaIE’spositionthatinthespecific contextoftheInstagramservice,personalised advertising mayconstitute a distinguishing feature of said service which is an “exact rationale” and one of the “essential elementsof the Terms of Use” for which the ordinary user would reasonably expect their personal data to be processed so as to receive the Instagram service as advertised 39. Further, the IE SA refers to Meta IE’ssubmission regarding whether the necessity test encompasses an impossibility threshold, and Meta IE’sargument that were impossibility anaspect of necessity, it 28 DraftDecision,paragraph11. 29DraftDecision,paragraph17. 30DraftDecision,paragraph77. 31EDPB Guidelines2/2019ontheprocessingofpersonaldataunderArticle6(1)(b)GDPRinthecontextofthe provision of onlineservices to data subjects Version 2.0, adopted on 8 October 2019 (hereinafter, “EDPB Guidelines 2/2019onArticle6(1)(b)GDPR”). 32DraftDecision,paragraph113. 33DraftDecision,paragraph113. 34 DraftDecision,paragraph108. 35DraftDecision,paragraphs107and112. 36DraftDecision,paragraph107 37DraftDecision,paragraph108. 38 DraftDecision,paragraphs107-109and112. 39DraftDecisionparagraph109. 12 Adopted would not,inanycase operateasa“blanket prohibition”on relying onArticle(1)(b) GDPRasthe legal 40 basis for the processing inthis context . 34. The IESA considers personalised advertisinga corepart oftheservice offered toandacceptedbythe users, having regardtothe specific termsofthe contractandthe nature of the service provided and agreedupon by Meta IE and the user 41. The IE SA points out that the nature of the service being offeredtoInstagramusersis setout intheTermsofUse whichdescribe theInstagramserviceasbeing “personalised”andconnectsuserswithbrands, including bymeansofproviding “relevant”advertising 42 andcontent . 35. The IESA considers thisasthe Instagramserviceisadvertisedinthe TermsofUse asbeing predicated onpersonalised advertising,anyreasonableuser wouldunderstand andexpectthatthisis partofthe core bargainthatis being struckwithMeta IE,evenif theymight prefer thatthe market would offer them betteralternativechoices 43. 36. The IE SA considers that as personalised advertising forms part of the core bargain struck between Meta Ireland and Instagram users, any processing necessary for the delivery of such advertising is 44 deemedtofall within thescope ofArticle 6(1)(b) GDPR . 37. The IE SA thus concludes that MetaIE mayinprinciple rely on Article6(1)(b) GDPRasa legalbasis of the processing of users’ datanecessaryfor the delivery ofa service basedon behaviouraladvertising 45 of thekind provided for under the contractbetweenMetaIEand Instagram’susers . 38. The IE SA clarified that, having regard to the scope of the complaint and its inquiry, the above conclusion ought not tobe construed as an indication that all processing operations carried out on users’ personal dataarenecessarily coveredbyArticle 6(1)(b) GDPR 46. 39. The IESA alsonotesthatotherprovisions ofthe GDPRsuchastransparencyacttostrictlyregulatethe manner inwhich thisservice istobe deliveredandthe information thatshould be giventousers and decides to address it separately in its Draft Decision .The IE SA considers that there have been 48 significant failings oftransparencyin relationtotheprocessing . 40. The IE SA considers that these failings of transparency, having regard to the specific terms of the contract andthe nature of the service provided and agreedupon by the parties, do not, in principle prevent Meta IEfrom relying on Article 6(1)(b) GDPRasa legalbasis of the processing of users’ data 40DraftDecisionparagraph109. 41 DraftDecision,paragraph104. 42DraftDecision,paragraph104. 43DraftDecision,paragraph105. 44DraftDecision,paragraph105. 45 46DraftDecision,paragraph111. DraftDecision,paragraph114. 47DraftDecision,paragraph111. 48DraftDecision,p.71. 13 Adopted necessary for the provision of the Instagram service, including throughthe provision of behavioural 49 advertising insofar as thisforms acore part ofthatservice offered toandacceptedby users . 4.2 Summary of the objections raised by the CSAs 41. The AT, DE, ES, FI, FR, HU, NL, NO and SE SAs object to Finding 2 of the draft decision and the assessment leadingup toit. 42. The AT, ES, FI,HU,NL, NOand SE SAs 50 consider that,theIE SAshouldhavefoundaninfringement 51 ofArticle 6(1)(b)oftheGDPR,inline withthe EDPB’sinterpretationofthisprovision . The DEandFR SAs arguethatthe IESA should have found aninfringement ofArticle 6(1)GDPR . 52 43. TheDESAs,intheirobjection, furtherarguethattheIESAshouldfindaninfringementofArticle5(1)(a) GDPR and make use of corrective powers of Article 58(2)(f) and (i) GDPR and order to erase the unlawfully processedpersonaldata,impose abanof therespectiveprocessing ofdatafor the purpose of behavioural advertising until a valid legal basis is in place and impose an administrative fine 53 pursuant toArticle 83 GDPR . 44. The FI SA, in itsobjection, also arguesthatthe finding thatMetaIEwasnot entitledtorelyon Article 6(1)(b) GDPR asa legalbasis for all the processing operations in the scope of the Instagram Service should leadtotheconclusion thatcorrectivepowerspursuant toArticle58(2)GDPRmustbeexercised to bring the processing operations of Meta IE intocompliance withthe GDPR 54. Furthermore, the FI SA considers that this additional infringement should be properly reflected in the amount of the administrative fine imposed pursuant toArticle83 GDPR 55. 45. The FR SA notes that reversing the findings concerning the infringements of Article 6(1) GDPR also affects the scope of the corrective actions proposed by the IE SA, in addition to the administrative 56 fine . 46. The HU SA, inits objection, arguesthatinlight of the infringement,the legalconsequences of Article 58(2) (d) (order to bring processing operations into compliance) GDPR should be applied, and the controller should be instructedtoindicateanother alternativelegalbasis . 57 47. The NOSA, initsobjection, alsoarguesthattheIESA should takeconcretecorrectivemeasures.More specifically, theNOSAconsiders thattheIESA should orderMetaIEtodeletepersonaldataprocessed under Article6(1)(b) GDPR,unlessthose datawerealsocollectedfor otherpurposes witha validlegal basis, aswell asorder MetaIE toidentify a valid legalbasis for future online behaviouraladvertising 49DraftDecision,paragraph113. 50AT SAObjection, pp. 1-7;ES SAObjectionpp. 1-3;FI SAObjection pp. 2-7;HU SAObjectionpp. 2-4;NLSA Objection,pp.1-12;NOSAObjection,pp.1-9;SESAObjection,pp.2-4. 51EDPBGuidelines02/2019onArticle6(1)(b)GDPR. 52DESAs Objection,pp.2-7,FRSAObjection,pp.2-7. 53DESAs Objection,p.10. 54 55FI SAObjection,paragraph23. FI SAObjection,paragraph26. 56FRSAObjection,paragraph50. 57HUSAObjection,p.3. 14 Adopted or abstain from such processing activities and impose an administrative fine against Meta IE for 58 unlawfully processing personaldatain the contextof online behaviouraladvertising . 48. The AT,DE,ES,FI, FR,HU,NL,NOandSE SAs put forwardseveralfactualandlegalargumentsforthe proposed change in legalassessment . Specifically they argue that Meta IE cannot rely on Article 6(1)(b) GDPRasa legalbasis toprocessanInstagramuser’sdatafor behavioural advertising. 49. Inaddition, in the context of their objection, the AT and FR SAs arguethat the factualbackground of theDraftDecisiondoesnotincludeallrelevantfacts.Theyrequestamendingthefactualbackground toinclude adefinition of“behaviouraladvertising” 60.TheATSAsuggestsmentioning alsothetechnical possibilities Meta IEuses to conduct it, such ascollecting datafrom other groupservices, third-party websites,apps,cookiesor similarstoragetechnologiesplacedontheuser’scomputerormobile device and linking that data withthe user’s Instagram account 61. The AT SA alsosuggestsincluding the fact thaton 25 May2018 MetaIE switcheditslegalbasistoprocessdata for behaviouraladvertising from 62 consent tocontractualperformance . 63 50. TheDEandNL SAs question thevalidityofthecontractbetweenMetaIEandtheInstagramservice’s user togroundthesaidprocessing onArticle6(1)(b) GDPRinlightofthe transparencyissues identified 64 by the IE SA . The DE SAs question whether the parties reachedan agreement if the user did not know that they would enter into a contract, because Meta IE did not clearly communicate in a 65 transparentmanner that the use of itsservices would inthe future be based on a contract .TheNL SA arguesthat,asa generalrule, both partiesmust be awareof the substance of a contractin order towillinglyenterinto it 66andconsiders that“theestablishedserious lackoftransparencyonbehalfof thecontroller,leads, atthe veryleast, to a reasonable doubt whetherdatasubjectshave indeed been able toenterinto a contractwiththecontrollerboth willingly and sufficientlyinformed" 67.TheDEand NL SAs therefore considered that Meta IE’s statement that it relies on Article 6(1)(b) GDPR, in combination with documents with general descriptions of the service provided, and the IE SA’s reference to the controller’s right to choose its own legal basis to process data are insufficient to acceptthe performanceof a contractasalegalbasis 68. 58NOSAObjection,p.9. 59AT SAObjection,pp.3-6;DESAs Objection,pp.2-9;ESSAObjection,pp.1-3;FI SAObjection,pp.3-7;FRSA Objection, pp. 2-4; HU SA Objection, pp. 2-3; NL SA Objection, pp. 2-6; NO SA Objection, pp. 2-8; SE SA 60jection,pp.2-3. AT SAObjection,pp.6-7;FRSAObjection,paragraph6. 61AT SAObjection,pp.6-7. 62AT SAObjection,p.7. 63 64DESAs Objection,p.3-4;NLSAObjection,pp.3-5. InFinding3,theIESAstates that“InrelationtoprocessingforwhichArticle6(1)(b)GDPRisreliedon,Articles 5(1)(a), 12(1)and13(1)(c) GDPR have beeninfringed”. TheIE SAconsidered, among other, that “Meta Ireland have not provided meaningful informationas to the processing operation(s) and/orset(s) of operations that occurin the context of the Instagram service, eitheron basis of Article 6(1)(b) GDPRorany otherlegal basis. Indeed,Iwouldgosofarastosaythatitisimpossiblefortheusertoidentifywithanydegreeofspecificitywhat processing is carried out onwhat data, on foot ofthe specifiedlawful bases, in orderto fulfil these objectives” (DraftDecision,par.185). 65DESAs Objection,p.4. 66 NLSAObjection,paragraph12. 67NLSAObjection,paragraph.17. 68DESAObjection,pp.3-4;NLSAObjection,paragraph7. 15 Adopted51. The DESAscontendthattheIESA iscompetent toassess thevalidityof contractsinthecontextofthe GDPR,whichis aprerequisite for controllerstobase the processing ofpersonal dataonArticle 6(1)(b) GDPR 69. Would that not be the case, the assessment of Article 6(1)(b) GDPR would practically be 70 deducted from Supervisory Authorities’ tasks provided for in Article 57(1)(a) GDPR . The DE andNL SAs argue that the IE SA should assess whether a valid contract is in place as required under Article 6(1)(b) GDPR 7. 52. Without prejudice toany argumentsmade on the existence ofa valid contractabove,the AT, DE,ES, 72 FI,FR, HU,NL,NOandSE SAs arenot satisfied bythe assessment ofnecessity inthe DraftDecision . They assert that the data processingfor the delivery ofpersonalisedadvertisingis objectively not necessaryfortheperformanceofMeta IE’scontractwiththedatasubjecttodelivertheInstagram service and it is not an essentialor core element of it. To highlight the unnecessity of behavioural advertising toperform the contractwiththe Instagramuser,theAT,DE,NLandSE SAs arguethatthis contract of providing personalised advertisement is a contract between Meta IE and a specific advertiser, inwhich Meta IE would presumably have this obligationtowards the advertisers, yet not towards Instagram users that are not partyto this contract 73. The DE SAs support this assertion by pointing out that thereis no obligation tooffer personalised advertising to the user, andcontractual 74 sanctions for thefailure toprovide it,asitcanbe seenfrom the termsof use .The AT,DE,HU,FI,FR, HU, NOand SE SAs consider, while referring tothe EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, that the business models tooffer “free” servicesand in return generate income by behavioural and personalised advertisement, inter alia, to support the service, cannot be necessary to perform a 75 contract and fail to comply with data protection regulations . The DE, FR and HU SAs also cite the EDPB Guidelines 8/2020 tounderscore that processing cannot be rendered lawful by Article 6(1)(b) GDPR simply because such advertising indirectly funds the provision of the service and that while personalisation of content, may, in certain circumstances, constitute an intrinsic and expected element of certainonline services, Article 6(1)(b) GDPR in the context of targeting of social media users ishardly applicable76.The AT,ESandSE SAs arguethatadvertisementscanstillbe displayed on Instagramusing alternativemethodstobehaviouraladvertising not involving profiling andtracking 7. The SE SA adds thatsome degreeof targetingforincreased relevanceis possible, such as geography, languageandcontext 78. 53. Inaddition, theAT,ES,FI,FR,HU,NOandSE SAsargue,alsowhile referringtoEDPBGuidelines2/2019 on Article6(1)(b) GDPR,thattheIE SA should have consideredthe EDPB’sargumentthatbehavioural 69DESAs Objection,p.3. 70DESAs Objection,p.3. 71 72DESAs Objection,p.3;NLSAObjection,paragraph11. AT SAObjection, p. 3;DE SAs Objection, pp 4-7;ES SAObjection, pp. 1-2;FI SAObjection, pp. 3-5;FR SA Objection, pp. 3-4; HU SA Objection, pp. 1-3; NL SA Objection, pp. 4-8; NO SA Objection, pp. 5-6; SE SA Objection,p.3. 73AT SAObjection,p.4;DESAs Objection,p.5;NLSAObjection,paragraphs12and19:SESAObjection,p.3. 74 DESAs Objection,p.5. 75EDPB Guidelines 2/2019 on Article6(1)(b) GDPR. AT SA Objection, p. 5;DE SAs Objection, pp. 6-7;HU SA Objection,p.3;FI SAObjection,paragraphs13and16;FRSAObjection,paragraphs9and11;NOSAObjection, pp.3and6-7;SESAObjection,p.3. 76 EDPB Guidelines 8/2020on the targeting of social media users, version 2.0, adopted on 13 April 2021, paragraph49.DESAs Objection,p.6;FRSAObjection,paragraph11;HUSAObjection,p.3. 77AT SAObjectionp.4;ESSAObjection,p.2;SESAObjection,p.3. 78SESAObjection,p.3. 16 Adopted advertisingcannot be “necessary”withinthe meaningofArticle6(1)(b) GDPRwhilea datasubject can object tothe processing of his/her personal data for direct marketing purposes at any time without anyreason, inaccordancewithArticle 21(2)GDPR 7. 54. The AT, DE, FR, NO, NL and SE SAs also point out some argumentson data subjects’ expectations abouttheprocessingoftheirpersonaldataforpersonalised advertising asanecessaryelementofthe 80 contract entered into between users and Meta IE . The AT, DE, NL, and SE SAs contend that data subjects do not reasonably expect that their data is being processed for personalised advertising 81 simply because Meta IE briefly refers to it in the Instagram Terms of Use . The NO SA takes into accounthow MetaIEmarketsitsInstagramplatformtowardspotentialusers(“Asimple,fun&creative way to capture, edit & share photos, videos & messages with friends & family”) and considers that Instagram users (including those with prior knowledge of data protection, technical means for profiling or the ad tech industry) should not be deemed to reasonably expect online behavioural 82 advertising,especially tothe extentasit is carriedout byMetaIE .The FR andNOSAs consider that the particularly massive and intrusive nature of the processing of the users’ data cannot meet the 83 reasonable expectationsofthe users . The AT, NLand SE SAs alsoconsider thatthe DraftDecision is inconsistent infinding thatinformationon specific processing operationsshould have beenprovided, linkedwithaspecific or lawfulbasis, anddescribedinanunambiguousmanner,while considering that data subjects had a perspective or expectation or were well informed that their data was being processed for behavioural advertising 84. 55. In addition to the arguments made above on the existence of a valid contract and the necessity of behavioural advertising for the performance of that contract, severalSAs raise other considerations intheir objections. 56. The NOSA arguesthatthe IESA’sinterpretationofArticle 6(1)(b)iscontrarytothe fairnessprinciple, since data subjects face the dilemma of approving contractualtermspossibly entailing intrusive and harmfulprocessing practices,andbeingexcludedfromservicesonwhichtheyaredefactodependent, due toa lackof realisticalternativestothem 85. 57. On the risks posed by the Draft Decision, the AT, DE, ES, HU, FI, NL, NOand SE SAs explain that the proposed interpretationof Article 6(1)(b) GDPRleads toa situation where dataprotectionprinciples are either undermined or bypassed entirely with regards to data subjects using the Instagram service86 . 79Seeparagraph52.ATSAObjection,p.4;ESSAObjection,p.2;FI SAObjection,paragraph19;FRSAObjection, 80ragraph11;HUSAObjection,p.3,NOSAObjection,p.7;SESAObjection,p.3. ATSAObjection,p.4;DESAs Objectionp.5;FRSAObjection,paragraph9;NLSAObjection,paragraph19;NO SAObjection,pp.7-8;SESAObjectionp.3. 81AT SAObjection,p.4;DESAs Objection,p.5;NLSAObjection,paragraph19;SESAObjection,p.3. 82NOSAObjection,p.8. 83 84FRSAObjection,paragraph18;NOSAObjection,p.8. AT SAObjection,p.4;NLSAObjection,paragraph12;SESAObjection,p.3. 85NOSAObjection,p.5. 86AT SAObjection,p.6;DE SAs Objection,p.9;ES SAObjection,p.3; HU SAObjection,p.4;FI SAObjection, paragraphs31-33;NLSAObjection,paragraph29;NOSAObjection,p.8;SE SAObjection,p.5. 17 Adopted58. Specifically, the AT, DE andNO SAs point tothe conditions of consent pursuant toArticle 7 GDPR as being bypassed 87. The NL SA considers that the Draft Decision allows Meta IE to engage in online behavioural advertising in a way that bypasses informed consent of data subjects 88. The NO SA considers thatusers ‘wouldface a dilemma betweenapproving (though not by way ofvalid consent) contractualterms possibly entailing intrusive and harmful processing practices, and being excluded from services’,whichultimatelywould also‘adverselyaffect datasubjects’ freedomofexpression and information’ 8. The FI, FR and NO SAs considered that the Draft Decision poses a risk to the fundamentalrightsand freedoms of the individuals concerned, insofar asusing the legalbasis ofthe contractforthe processing ofthepersonaldatafor personalised advertising,wouldpreventEuropean 90 users ofthe social networktohave control over theirdata . 59. Further,the AT SA sees therisk materialiseasin itsview Article25(2) GDPR(privacybydefault)is not applied, “since Meta Ireland – at least in its contract – declares that behavioural advertising is 91 ‘necessary’for thecontractualperformance” . 60. The DESAs argue theDraftDecision allowsMeta IEto“bypass the requirementsofa valid legalbasis for the processing that cannot be based on contract performance” . The NL SA considers the Draft 93 Decisionlowers thethreshold for legalityofdataprocessing onthe basis ofArticle 6(1)(b) severely . The NO SA considers thatthe DraftDecisionerodes the lawfulness principle, as in the DraftDecision “it is not the legislation which sets the boundaries for lawfulness under Article 5(1)(a) GDPR, but instead the individual contract”, whichis incompatible with Article 8 of the Charter of Fundamental Rightsand Article5(1)(a)GDPR 94. 61. FR, HU,NL andSE SAs take the view that the DraftDecision, asit stands, sets adangerous precedent contrarytotheGDPR . TheFRSAnotesthatitcouldbeunderstoodasreflectingthecommonposition of the European supervisory authorities on this matter, since it is issued following the cooperation procedure among SAs 96. Moreover, the AT, DE, FI, HU and SE SAsraise that this interpretation of Article 6(1)(b) GDPR could essentially be used by every controller andtherefore endanger the rights of nearlyevery datasubject withinthe EEA 97. 62. The DE SAs specify that the risks concern the complainant in person but it arguesthat there is alsoa significant risk asregardthe fundamentalrightsand freedoms of allMetaIE’susers in the European 98 Union that their personal data are processed without any legalbasis ; the FI SA adds that the risks 87AT SAObjection,p.2and5;DESAs Objection,p.9;NOSAObjection,p.4. 88NLSAObjection,paragraph30. 89NOSAObjection,p.5. 90 FI SAObjection,paragraph35;FRSAObjection,paragraph34;NOSAObjection,p.8. 91AT SAObjection,p.6; 92DESAs Objection,p.9. 93NLSAObjection,paragraph30. 94 NOSAObjection,pp.2and8; 95FRSAObjection,paragraph35;HUSAObjection,p.3;NLSAObjection,paragraph31;SESAObjection,p.5. 96FRSAObjection,paragraph35. 97AT SA Objection, p 6;DE SAs Objection, p. 9;FI SAObjection, paragraph34;HU SAObjection, p. 3;SE SA Objection,p.5. 98DESAs Objection,p.9. 18 Adopted include fundamental right andfreedom of data subjects whose personal data might be processed in 99 the future . 63. Finally, theAT,DE,FI,NLandNOSAs explainthattheDraftDecisioncreatesaloophole, allowingMeta IE andany other controllers tomake lawful virtually anycollection and reuse of personal data by, as long astheydeclare thatit isprocessed for the performance ofa contract 100. 4.3 Position of the LSA on the objections 64. The IE SA considers that the objections above are not relevant and/or not reasoned for the purpose of Article60(4)GDPRanddecides not tofollow them 101. 65. The IESA contends thatabroad, directcompetencein contractlawtoassessthevalidityofcontracts cannot be inferredfrom theGDPRtasksof supervisory authorities.Itarguesthat thisinference would create a very extensive power for SAs to regulate private law, without an appropriate basis in EU law 102. 66. The IE SA arguesthat the core or fundamental aspects of the Terms of Use, including behavioural advertising processing, reflects the mutual expectations of the parties on contractualperformance. TheIESA contendsthatareasonableuser wouldhave hadsufficient understandingthattheInstagram service was provided on the basis of personalised advertising, based also on a “recognised public 103 awareness”of behaviouraladvertising asa form of processing . 67. Onthe necessityoftheprocessingtoperformthecontract,theIESAconsidersthatit doesnot adopt amerelyformalapproachtoArticle6(1)(b)thatreliesonly onthetextualcontentof theTermsof Use. The IESA statesthatit does not takethe view thatallwrittencontractualtermsarenecessaryfor the performance of the contract. The IE SA contends that it focuses in its Draft Decision on the fundamentalpurpose or core function ofthe contractthatis necessaryfor itsperformance 104. 68. The IESA arguesthatthe EDPBGuidelines2/2019 onArticle 6(1)(b)GDPR donot prohibit behavioural advertising processing under Article6(1)(b) GDPRif it falls withinthe core or essentialaspects ofthe service105.InrelationtoMetaIE’sprocessing of personal data,theIESA differs from the SAsin thatit considers online behavioural advertising as necessary for the performance of the contract (as 106 described inthe InstagramTermsofUse) betweenInstagramandthedata subject . 69. The IE SA also disagrees with the interpretation of Article 21 GDPR making behavioural advertising optional andnot indispensable 107. The IE SA arguesthatArticle6(1)(b) GDPRisnot limitedtoaspects of contractual performance which are expressly mandatory and unconditional obligations of the 99 100I SAObjection,p.7. AT SAObjection,p.5;DESAs Objection,p.9;FI SAObjection,paragraph32;NLSAObjection,paragraphs30- 31;NOSAObjection,p.2-3and7;SESAObjection,p.5. 101CompositeResponse,paragraphs51,57,77,85,88,95. 102CompositeResponse,paragraph51. 103 104CompositeResponse,paragraphs72and73. CompositeResponse,paragraphs55and56. 105CompositeResponse,paragraphs84. 106CompositeResponse,paragraph71. 107CompositeResponse,paragraph74. 19 Adopted parties108. The IE SA contends that the CJEU has in the past held that processing which exceeds the most minimal level of processing possible may be regardedas necessary, where it renders a lawful objective “moreeffective”.The IE SA affirmsthat the necessityinthe context of Article6(1)(b) GDPR cannot be assessed by referenceto hypotheticalalternative forms of the Instagramservice and that 109 it is not therole ofSAs toimpose specific business models on controllers . 70. The IE SA considers EDPB Guidelines as not binding on supervisory authorities, yet it acknowledges that they should be taken into account 11. However, the IE SA arguesthat the EDPB has not been provided with the legalpower to mandate that certaincategoriesof processing must be based on consent, tothe exclusionofanyother legalbasesfor processing. The IESA’sviewis thatsuchapower isproperlyexercisedfrom timetotimebythe EUlegislator,intheformofspecific legislativemeasures. The IE SA is therefore not satisfied that the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR canbe construedasabinding andspecific prohibition onprocessing for online behavioural advertisingonthe basis of Article 6(1)(b)GDPR. The IE SA considers that under these Guidelines, where processing for behavioural advertising is a distinguishing characteristicofthe service in question, it cansupport the business objectives and interests of the controller and be based on Article 6(1)(b) GDPR. The IE SA considers that to be the case regarding Meta IE’s processing with reference to the Instagram service111. 71. The IE SA arguesthat compliance with GDPR transparencyobligations under Article 13(1)(c) GDPR involves a separateand different legalassessment tothatrequired in Article6(1)(b) GDPR.TheIE SA acknowledgesthatthe necessity test under Article 6(1)(b) GDPRmayrequire considering contractual termsandother relevantinformation, andthatthe informationprovided under Article13(1)(c)GDPR could, insome cases, inform a datasubject’sexpectationsastoacontractualservice.However,inthe present case,theIESAconsiders thatthetransparencyinfringementsitproposes for itsDraftDecision do not impactits findings on the legalbasis, as it considers thatthe expectationsand understanding 112 of thepartieson theTermsof Use include personalised advertising . 4.4 Assessment of the EDPB 4.4.1 Assessment of whether theobjections were relevant and reasoned 72. The objections raised by the AT, DE, ES, FI, FR, HU, NL, NOand SE SAs concern“whether there isan infringementof theGDPR” 113. 73. The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe 114 threshold of Article 4(24) GDPR . Meta IE’sprimaryargument isthat “it isnot open to the EDPB to now decideon the lawfulness of Meta Ireland’sactualprocessing as the Objectionssuggest. Such an 115 assessment is not within the scope of the Inquiry as defined by the DPC .” In Meta IE’sview, “the EDPBcannotexpand thescope oftheInquiryin themannersuggested bytheCSAs throughObjections 108CompositeResponse,paragraph74. 109CompositeResponse,paragraph76. 110 111CompositeResponse,paragraph78. CompositeResponse,paragraphs82-83. 112CompositeResponse,paragraph87. 113EDPBGuidelinesonRRO,paragraph24. 114Meta IEArticle65Submissions,paragraph2.4andAnnexI,p.65. 115Meta IEArticle65Submissions,paragraph2.4. 20 Adopted thatarenotrelevanttothesubstanceoftheComplaint.”and“suchobjections‘oughttobedisregarded in theirentiretybytheEDPB” 116.Inthiscontext,MetaIEcitesEDPBBinding Decision2/2022, adopted on 28 July 2022 (hereinafter,“EDPBBinding Decision2/2022”), and in particular,theEDPB’sanalysis of some of the objections in thatcase, which werefound to be not relevant or reasoned, due tothe fact thatthese objections “fail[ed] to establish a direct connectionwith thespecific legaland factual contentofthe draftdecision” 117. 74. Contraryto MetaIE’sposition on relevance, asdescribed above, objections canhave bearingon the “specific legal and factual content of the Draft Decision”, despite not aligning with the scope of the 118 inquiry asdefined by anLSA . 75. In essence, Meta IE arguesthat CSAs may not, under any circumstance, express disagreement with the scope of the inquiry asdecided by the LSA by wayof anobjection. The EDPB does not share this readingof Article65 GDPR,asisexplicitly statedin theEDPBRROGuidelines 11. 76. Further,MetaIEstatesthat“severalCSAsnow propose toexpand thescopeoftheInquiryevenfurther toincludemanyotherunrelatedissues.”andthatinthisregardMetaIE“agreeswiththeDPC’sposition inthe Composite Memothat theseunrelatedissues raised bythe CSAs areirrelevantto theresolution of thisInquiryand thatexpanding thescope of the Inquiryat thispoint would seriously infringe Meta Ireland’sproceduralrightsunderbothIrishandEUlaw 120.”MetaIEalsoagreeswiththeIESA’sposition in theComposite Response that“expanding the scope oftheInquiryat thispoint as theCSAs propose would seriously infringe MetaIreland’slegitimateexpectations,rightto fair procedures(including the 116Meta IEArticle65Submissions,paragraph4.9. 117 InrespectofMeta IE’sargumentsinparagraph4.9ofitsArticle65Submissionsontheseobjectionsnotbeing “relevant”,theEDPBrecallsthattheanalysisofwhethera givenobjectionmeets thethresholdsetbyArt.4(24) GDPRis carriedoutonacase-by-casebasis.MetaIEreferstotheEDPB’sBindingDecision2/2022andspecifically to theparagraphswheretheEDPBestablishedthatspecificobjections raisedbytheDE SAs andNOSAinthat casewerenotrelevantandreasoned.Thereareseveraldifferencesbetweenthoseobjectionsandtheobjections whichareanalysedinthissection. Morespecifically,intheBindingDecision2/2022theobjectionsreferredtobyMetaIEdidnot“establishadirect connectionwiththespecificlegalandfactualcontentoftheDraftDecision”(BindingDecision2/2022paragraphs 139,147,164)whereaseachCSAherehas madeseveralclearlinkswiththecontentoftheDraftDecision,asis describedinparagraph77ofthisBindingDecision. 118 Meta IEdoes notconsiderthatanyoftheobjectionsarereasoned,as setoutintheirrepliestoeachofthe objectionsinAnnex1.Meta IEArticle65Submissions,Annex1,pp.66-124.InrespectofMeta IE’sarguments inparagraph4.9ofitsArticle65Submissionsontheseobjectionsnotbeingreasoned,theEDPBnotes thatthe objections that werefound to benot relevant and/ornot reasoned in theBinding Decision 2/2022 did “not provide sufficiently precise and detailed legal reasoning regarding infringement of each specificprovision in question”,didnotexplainsufficientlyclearly,norsubstantiateinsufficientdetailhowtheconclusionproposed couldbereached,ordidnotsufficientlydemonstratethesignificanceoftheriskposedbytheDraftDecisionfor the rights and freedoms of thedata subjects or thefreeflow of data within theEU (BindingDecision 2/2022, paragraphs140,148,165).Here,eachCSAprovidesa numberoflegalandfactualargumentsandexplanations as towhyaninfringementforlackofappropriatelegalbasisistobeestablished,andadequatelyidentifiesthe 119kposedbytheDraftDecisionifitwasadoptedunchanged(paragraphs79-81ofthisBindingDecision). “Forinstance,if theinvestigationcarriedoutbytheLSAunjustifiablyfailstocoversomeofthe issuesraised bythecomplainantorresultingfromaninfringementreportedbyaCSA,arelevantandreasonedobjectionmay beraisedbasedonthefailureoftheLSAtoproperlyhandlethecomplaintandtosafeguardtherightsofthedata subject.”EDPBGuidelinesonRRO,paragraph.27. 120Meta IEArticle65Submissions,paragraph4.2. 21 Adopted rightto beheard)andrightsofdefence 121”.Despiteclaimingitthishasbeenexplained“clearly”inthe Composite Response, MetaIE does not demonstrate in whichmanner its proceduralrightswould be 122 inevitably breached by the mere fact that the EDPB finds specific objections admissible . Admissibility determines the competence of the EDPB,but not the outcome of the dispute between the LSA and the CSAs. Likewise, MetaIE does not explainhow the mere actof considering the merits 123 ofadmissible objections inevitablyandirreparablybreachestheproceduralrightscitedbyMetaIE . AcceptingMetaIE’sinterpretationwouldseverelylimit theEDPB possibilitytoresolve disputesarising inthe one-stop-shop, andthus undermine the consistent applicationofthe GDPR. 77. The objections of the AT, DE, ES, FI, HU, FR, NL, NOandSE SAs all have a direct connection withthe LSA Draft Decision and refer to a specific part of the Draft Decision, i.e. Finding 2. All of those objections concern“whetherthereisaninfringementoftheGDPR”astheyarguethattheIE SA should have found aninfringement ofArticle 6,6(1) or (1)(b) ofthe GDPR.Asthe LSA considered thatArticle 6(1)(b) of the GDPR wasnot breached, the objections entail a need of a change of the LSA decision leading toadifferent conclusion. Consequently, theEDPBfinds thatthe AT,DE,ES, FI,HU,FR,NL,NO andSE SAs objections relatingtothe infringement ofArticle 6,6(1) or 6(1)(b) GDPRarerelevant. 78. As regardsthe part of the DE SAs’ objection arguing that the IE SA should find an infringement of Article5(1)(a)GDPRandimpose the erasureofunlawfully processed personaldataandthebanofthe processing of data for the purpose of behavioural advertising until a valid legalbasis is in place, the part of the FI SA objection asking that the infringement of Article 6(1) be properly reflected in the amount ofthe administrative fine, aswellasthe partofthe NOSA objectionarguingthe IESA should order MetaIE todelete personaldataprocessed under Article 6(1)(b) GDPR,aswell asorder MetaIE to identify a valid legalbasis for future online behavioural advertising or from now on abstain from such processing activities, the EDPB notes that these parts of the objections concern “whether the envisaged action in relation to the controllercomplies with the GDPR.”These partsof the objections are linked to the IE SA’s Finding 2 with regardto Article 6(1)(b) GDPR. Therefore, they are directly connected with the substance of the Draft Decision and, if followed, would lead to a different conclusion. Thus, theEDPBconsidersthatthesepartsoftheDE,FIandNOSAsobjectionsarerelevant. 79. The objections of the AT,DE,ES, FI, FR, HU,NL, NOand SE SAs on the finding of an infringement are reasonedbecausetheyallinclude clarificationsand argumentson legal/factualmistakes inthe LSA’s DraftDecisionthat require amending.More specifically, the AT,DE,ES, FI,HU,FR, NL, NOandSE SAs provide detailedargumentstochallengetheDraftDecision’sconsiderationofbehaviouraladvertising as a necessary,coreor fundamentalaspect of a contractleading to the need tochange the decision and to find an infringement of Article 6(1)(b) GDPR 124. Some of them provide detailed arguments 121Meta IEArticle65Submissions,paragraph4.10,whereMeta IEmakes referencetoparagraphs32-33ofthe CompositeResponse. 122Meta IEArticle65Submissions,paragraph4.10. 123TheEDPB fails to seehow, for instance, declaring anobjection admissiblebut rejecting it on merits could impingeontheproceduralrights ofthecontrollerinvolvedintheunderlyingcase. 124AT SAObjection,pp.4-5;DESAs Objection,p.5-6,ESSAObjection,p.2,FI SAObjection,paragraphs16and 18,FRSAObjection,paragraphs8-9,HUSAObjection,p.3,NLSAObjection,paragraphs18-19;NOSAObjection, p. 7,SE SAObjection,pp.3. 22 Adopted challengingthe validityofthe contractonwhichthe use ofArticle 6(1)(b)asa legalbasisdependsand 125 whichthe IESA accepts . 80. Some SAs recall,while referringtothe termsof the EDPBGuidelines 2/2019 on Article 6(1)(b) GDPR, that it is the fundamental and mutually understood contractual purpose, which justifies that the processing is necessary 12. This purpose is not only based on the controller’sperspective but also on a reasonable data subject’s perspective when entering into the contract and thus on “the mutual perspectivesandexpectationsofthepartiestothecontract”.TheAT,NL,andSESAscontendthatdata subjects do not reasonably expect that their data is being processed for personalised advertising simply because MetaIE briefly referstoit inthe InstagramTermsof Use 127. The FR and NOSAs also support this finding and add that data subjects cannot be presumed tobe aware of the particularly massive andintrusive natureof thisprocessing 128. SeveralSAs alsoconsider thatthe DraftDecisionis inconsistent infinding thatinformationon specific processing operationsshould have beenprovided, linkedwithaspecific or lawfulbasis, anddescribedinanunambiguousmanner,while considering that data subjects had a perspective or expectation or were well informed that their data was being 129 processed for behavioural advertising . 81. The AT,DE,ES,FI,FR,HU,NL,NOandSE SAsobjectionsalsoidentify risks posedby theDraftDecision, in particular an interpretationof Article 6(1)(b) that could be invoked by any controller and would undermine or bypass dataprotectionprinciples, andthus endangerthe rightsof datasubjects within 130 the EEA . 82. MetaIE’scontends thatin terms of risk, the objections must “demonstratethe likelihood of a direct negative impact of a certainsignificance of the Draft Decision on fundamental rights and freedoms under the Charter and not just any data subject rights 131.” Meta IE thus adds a condition to Article 132 4(24)GDPR,whichis not supported bythe GDPR . 83. As regards the parts of the DE and NO SAs’ objections requesting the finding of an infringement of Article 5(1)(a)GDPR,andthe partsofthe DE, FI andNOSAs’ objectionsrequesting specific corrective measures under Article 58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the imposition of an administrative fine, a ban of the processing of personal data for the purpose of behavioural advertising, an order todelete personal data processed under Article 6(1)(b) GDPR and anordertoidentifya validlegalbasisfor future online behaviouraladvertising ortoabstainfrom such processing activities, the EDPB considers that these parts of the objections do not sufficiently elaborate the legalor factualargumentsthat wouldjustify a change in the Draft Decisionleading to the finding of an infringement of Article 5(1)(a) GDPR or to the imposition of the specific corrective 125DESAs Objection,pp.3-4;NLSAObjection,paragraphs7and10-12. 126ATSAObjection,p.4;DESAs Objectionpp.5-6;FRSAObjection,paragraphs9-11;NLSAObjectionparagraph 18;NOSAObjection,p.7-8;SESAObjection,p.3.EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs 32and33. 127AT SAObjection,pp.3-4;NLSAObjection,paragraph28,30-32;SESAObjection,p.3. 128FRSAObjection,paragraph18;ITSAObjection,paragraph2.6,NOSAObjection,pp.6-7. 129AT SAObjection,p.4;NLSAObjection,paragraph30;SESAObjection,p.3. 130 Seetheirdescriptionoftherisksinparagraphs57-63above. 131Meta IEArticle65Submissions,p.64. 132Article1(2)GDPRprovidesthattheGDPRitself“protectsfundamentalrightsandfreedomsofnaturalpersons andinparticulartheirrighttoprotectionofpersonaldata”,whichdirectlystemsfromArticle8(1)oftheCharter. Therefore,thereis noreasontodrawa distinctionbetweenthedata subjectrightsprotectedbytheGDPRand thefundamentalrightsprotectedundertheCharterwheninterpretingArticle4(24)GDPR. 23 Adopted measures mentioned above. Likewise, the significance of the risk for the data subjects, which stems from theIESA’sdecisionnottoconcludeontheinfringementofArticle5(1)(a)GDPRandnottoimpose the requestedcorrectivemeasures, isnot sufficiently demonstrated. 84. Considering the above, theEDPBfinds that theobjections of the AT,DE,ES,FI,FR, HU,NL,NOandSE SAs arerelevantand reasonedinaccordancewithArticle 4(24)GDPR. 85. However,thepartsofthe DEandNOSAs’ objectionsconcerning theadditionalinfringement ofArticle 5(1)(a) GDPR and the imposition of specific corrective measures, namely the imposition of an administrative fine, a ban on the processing of personal data for the purpose of behavioural advertising, an order to delete personal data processed under Article 6(1)(b) GDPR and anorder to identify a valid legal basis for future behavioural advertising or to abstain from such processing activitiesarenot reasonedanddo not meetthe threshold of Article4(24) GDPRSimilarly, the part of the FI SA’s objection concerning the imposition of a specific corrective measure, namely an administrative fine is not reasonedanddoes not meet the thresholdof Article4(24) GDPR. 4.4.2 Assessment on the merits 86. Inaccordancewith Article65(1)(a) GDPR,inthe context of a dispute resolution procedure, the EDPB shall take a binding decision concerning all the matterswhich are the subject of the relevant and reasonedobjections, inparticularwhether thereis aninfringement ofthe GDPR. 87. The EDPBconsiders thatthe objections found tobe relevantand reasonedinthis subsection require an assessment of whether the Draft Decision needs to be changed insofar as it rejects the Complainant’s claim that the GDPR does not permit Meta IE’sreliance on Article 6(1)(b) GDPR to 133 process personal datainthe context of itsoffering of the InstagramTermsof Use .When assessing the merits of the objections raised, the EDPB also takes into account Meta IE’s position on the objections andits submissions. MetaIE’sposition on theobjectionsand itssubmissions 88. Initssubmissions, MetaIEarguesthattheobjectionslackmerit.MetaIEconsidersthattheyarebased 134 on incorrect factualassumptions and are legallyflawed . Meta IE statesthat itsreliance on Article 6(1)(b) GDPRdoes not ‘bypass’ the GDPR.Norwould it,accordingtoMetaIE,jeopardise datasubject rights, be limited to individually negotiatedagreementsor be affectedby Meta IE’spurported pre- 135 GDPRlegalbasis for processing conductedpre-GDPR . 89. Meta IE arguesthat there isa lack of factualmaterialandevidence on the issues on which the CSAs raiseobjections, including onitsrelianceonArticle6(1)(b)GDPRforthe specific processing operations it conducts in itsInstagramservice for the purposes of behaviouraladvertising 136. MetaIEnotes that in its inquiry, the IE SA “only addresses the issue of whether Meta Ireland may in principle rely on Article6(1)(b) GDPRforpurpose ofbehavioural advertising,but not theissue of whetherMetaIreland 133Theseobjections beingthoseoftheAT, DE, ES, FI,FR, HU, NL, NO andSE SAs arguingthattheIESA should havefoundaninfringementofArticle6(1)(b),6(1)or6GDPR. 134Meta IEArticle65Submissions,paragraph2.4. 135 136Meta IEArticle65Submissions,paragraph2.5. Meta IEArticle65Submissions,paragraph4.24and4.25. 24 Adopted may infact relyon Article6(1)(b) GDPR,which would have requireda detailedfactualassessment of allof MetaIreland’sdata processing. 13“ 90. At the same time, Meta IE contendsthat, toaddress the complaint, the IE SA did not have to reach any conclusions as to whether the actual processing conducted by Meta IE to deliver behavioural 138 advertising based on Article 6(1)(b) GDPR was lawful. Meta IE supports the IE’sposition that “it would not be appropriate to undertake substantial factualfindings for an open-ended assessment of 139 allprocessing operationsbyMetaIreland. ” 91. MetaIEthus agreeswiththe finding the IESA reachedon MetaIE’snot being precludedfrom relying on Article 6(1)(b) GDPR for the processing of data necessary todeliver behavioural advertising upon the IESA’sreviewof theInstagramTermsofUse andthe natureofthe Instagramserviceasdescribed inthose terms 140. 92. Meta IE defends that Article 6(1)(b) GDPR can be relied on as a legal basis for behavioural 141 advertising . Meta IE arguesthat its application requires the assessment of whether a given data processing operation, when properly investigated and analysed, is actually necessary for the 142 performanceof acontract .MetaIEnotesthattheprovision ofapersonalised experience,including in the form of behavioural advertising, is “core” to the Instagram Service (as per the Terms of Use 143 whichgovernthe contractualrelationship betweenMetaIEandInstagramusers) . 93. MetaIEarguesthat the TermsofUse make clear that userswillbe shownadvertising personalisedto their interests under the heading “Connecting you with brands, products, and servicesin ways you careabout” 144.MetaIEsupports theDPC’sfinding, basedon itsreview ofthe InstagramTermsofUse andthat Instagramis“promotedassuch”, that anaverage user whoacceptsthe TermsofUse would have the expectationthat personalisation, including in the form of behavioural advertising, forms a core andintegralpartof the InstagramofService 145.MetaIEbacks thisargumentwitha referenceto a survey and a study conducted by a private entity and a digital industry association 146. Meta IE considers that its compliance with the GDPR’s transparency obligations involves a separate and different legalassessment from Article 6(1)(b) GDPR 14.MetaIE considers demonstratedin this case that Meta IE and its users have a mutual expectationthat personalisation, including in the form of behaviouralads, is core toitsTermsofUse 14. 94. MetaIE recallsthat the EDPB Guidelines2/2019 onArticle 6(1)(b) GDPRdonot categoricallyprohibit 149 reliance on Article 6(1)(b) GDPRfor behavioural advertising .MetaIE further adds, referring tothe 137Meta IEArticle65Submissions,paragraph4.23. 138Meta IEArticle65Submissions,paragraph2.3. 139Meta IEArticle65Submissions,paragraph4.23. 140 Meta IEArticle65Submissions,paragraphs2.3and4.7. 141Meta IEArticle65Submissions,paragraph6.4. 142Meta IEArticle65Submissions,paragraph6.7. 143Meta IEArticle65Submissions,paragraphs6.13and6.17. 144 Meta IEArticle65Submissions,paragraph6.18. 145Meta IEArticle65Submissions,paragraphs6.20and6.21. 146Meta IEArticle65Submissions,paragraph6.21. 147Meta IEArticle65Submissions,paragraph6.29. 148 Meta IEArticle65Submissions,paragraph6.29. 149Meta IEArticle65Submissions,paragraph6.34. 25 Adopted CJEU’sHuberjudgment,that“processingbeyond themost minimalrequiredto achievetheprocessing purpose could still be deemed ‘necessary’ if it allowed the relevant processing purpose to be ‘more effectively’achieved” 150.MetaIEsubmits thateven ifArticle 6(1)(b) GDPRrequiredthe processing to be absolutely essential to perform the contract, it would be impossible to provide the Instagram Service in accordance with the Term of Use without providing behavioural advertising 151. Meta IE statesthat theEDPBmaynot dictatethe natureofthe services MetaIEprovides. MetaIE wouldview this asa violation of Article16 of the Charter onthe freedom toconduct a business, enabling service providers todetermine whatmeasurestotakein ordertoachieve theresult theyseek,basedon their resources,abilities, andcompatibilitywithotherobligationsandchallengestheymayencounter inthe exercise oftheir activity52. 95. Meta IE further arguesthat its reliance on the contractual necessity legal basis does not jeopardise 153 datasubject rights .MetaIEconsidersthatthesewould alsobeprotectedbycontractandconsumer protection legislations in the EU Member States 15. Meta IE defends that the contractualnecessity legalbasisis notlimitedtoindividually negotiatedagreementsandcanalsobe used for standardform contracts 155. Meta IE further adds that it would be improper for CSAs and the EDPB to analyse the validity of Instagram Terms of Use under applicable laws of contract or to draw inferences from 156 them .Inresponse towhat MetaIE considers mischaracterisationsin certainobjections of national contractlawMetaIEprovidesexpertreportsonthevalidityofitsTermsofUsein10 MemberStates 15. 96. MetaIEconcludes its argumentsin support ofits relianceon Article6(1)(b) GDPRstating thatitspre- GDPRlegalbasisfor dataprocessingdoesnot affectitsflexibilitytorelyonotherlegalbasespostGDPR ifit complies withtherelevant requirements 158.MetaIEalsodistinguishes behavioural advertisingon the Instagram Service from direct marketing pursuant to Article 21(2) GDPR and thus considers this provision not applicable tobehaviouraladvertising 159. TheEDPB’sassessment of themerits 97. The EDPB considers it necessaryto begin its assessment on the meritswith a general description of the practice of behavioural advertising carried out in the context of the Instagram service before determining whether the legal basis of Article 6(1)(b) GDPR is appropriate for this practice in the present case, based on the InstagramTermsof Use and the nature of its products and features as describedinthose terms.Therequestsfor preliminaryrulingsmade tothe CJEU inthe casesC-252/21 andC-446/21 towhichsome of thedocuments in thefile refer containhelpful descriptions of Meta’s 150 JudgementoftheCourtofJusticeof16December2008,HeinzHubervBundesrepublikDeutschland, C-524/06,ECLI:EU:C:2008:724,(hereinafter‘C-524/06Huber’),paragraphs62and66.Meta IEArticle65 Submission,paragraph6.37. 151Meta IEArticle65Submissions,paragraph6.38. 152 Meta IEArticle65Submissions,paragraph6.25. 153Meta IEArticle65Submissions,paragraph6.8. 154Meta IEArticle65Submissions,paragraph6.8. 155Meta IEArticle65Submissions,paragraphs6.40-6.46. 156 157Meta IEArticle65Submissions,paragraphs6.43and6.44. Meta IEArticle65Submissions,paragraphs6.44and6.45andAnnex2. 158Meta IEArticle65Submissions,paragraphs6.47-6.49. 159Meta IEArticle65Submissions,paragraphs6.50-6.57. 26 Adopted behavioural advertising practicesin the context of its Facebook services 160. Given that behavioural advertising is also carried out in the context of the Instagram service, and given the similarities betweenthe twoservices, relying onthe sameDataPolicy 16,the EDPBconsidersthatthese casesare also useful in gaining an understanding of the practice of behavioural advertising in relationto the Instagram service. Furthermore, in the request for a preliminary ruling in case C-252/21, it is mentionedthatiftheCJEU answersthequestion 7positively (regardingthecompetenceofa Member State nationalcompetition authoritytodetermine, when assessing the balance of interests whether data processing andtheir terms comply withthe GDPR)thatthe questions 3 to5 must be answered in relation to data from the use of the group’s Instagram service. 162 In addition, Meta IE makes reference to both of these requests for preliminary rulings in its submissions, and therefore clearly considers them relevanttothis case 16. 98. These requests for preliminaryrulings mention that Meta IE collectsdata on its individual users and their activitieson and off its Facebook service via numerous means such as the service itself, other servicesof the Metagroupincluding Instagram,WhatsAppandOculus, thirdpartywebsitesandapps via integratedprogramming interfacessuchasFacebookBusinessToolsor via cookies, socialplug-ins, 164 pixels and comparable technologies placed on the internet user’s computer or mobile device . According tothe descriptions provided, MetaIElinks these datawiththe user’s Facebookaccount to enable advertisers totailor their advertising toFacebook’s individual users based on their consumer behaviour, interests, purchasing power and personal situation. This may also include the user’s physical location to display content relevant to the user’s location. Meta IE offers its services to its 160 C-252/21 Oberlandesgericht Düsseldorf request, pp. 6-7, available at: https://curia.europa.eu/juris/showPdf.jsf?text=&docid=242143&pageIndex=0&doclang=en&mode=req&dir=& occ=first&part=1&cid=644235and C-446/21 Austrian Oberster Gerichtshof request, paragraphs 2-3, 6-13, 15- 23, available at https://curia.europa.eu/juris/showPdf.jsf?text=&docid=247308&pageIndex=0&doclang=EN&mode=lst&dir=& occ=first&part=1&cid=766249;seealso thereferences to theserequests fora preliminary ruling in theAT SA Objectionp.1-2.andMetaIEArticle65Submission,paragraphs3.4-3.9. 161 SeethesimilaritiesoftheInstagramandFacebookservicesdescribedintheData Policy.TheInstagramData Policy refers to both “Facebook settings”and“Instagram settings”(“This policydescribes the informationwe process to support Facebook, Instagram, Messengerand other products and features offered by Facebook (Facebook Products orProducts). You can find additional tools andinformationin the FacebookSettings and Instagram Settings.”) SectionI of this policy refers to the“Facebook products”when describing thekinds of information collected for the processing. Instagram Data Policy of 22.05.2018, annex 2 of the Instagram Complaint.Similarly,accordingtoInstagramTermsofUse“InstagramispartoftheFacebookCompanies,which sharetechnology,systems,insights,andinformation-includingtheinformationwehaveaboutyou (...)inorder toprovideservicesthatarebetter,safer,andmoresecure.WealsoprovidewaystointeractacrosstheFacebook CompanyProductsthatyouuse,anddesignedsystemstoachieveaseamlessandconsistentexperienceacross 162FacebookCompanyProducts.” Question3 reads “Canan undertaking, such as Facebook Ireland, which operates a digital social network fundedbyadvertisingandofferspersonalisedcontentandadvertising,networksecurity,productimprovement andcontinuous,seamlessuseofallofits groupproductsinits terms of service, justifycollectingdataforthese purposesfromothergroupservicesandthird-partywebsitesandappsviaintegratedinterfacessuchasFacebook Business Tools, orvia cookiesorsimilarstorage technologiesplacedonthe internet user’s computerormobile device,linkingthosedatawiththeuser’sFacebook.comaccountandusingthem,onthegroundofnecessityfor the performanceofthecontract underArticle6(1)(b)oftheGDPRoronthe groundofthepursuitoflegitimate interestsunderArticle6(1)(f)oftheGDPR?” 163Meta IEArticle65Submissions,paragraphs3.2-3.9. 164C-252/21OberlandesgerichtDüsseldorfrequest,pp.6-7. 27 Adopted users free of chargeand generatesrevenue through this personalised advertising thattargetsthem, inaddition tostaticadvertising thatis displayed toeveryuser in thesame way. 99. TheEDPBconsidersthatthesegeneraldescriptionssignalbythemselvesthecomplexity,massive scale andintrusiveness ofthe behaviouraladvertisingpracticethatMetaIEconductsthroughthe Facebook service, as well as off the Facebook service itself, through third party websites and apps which are connected to Facebook.com via programming interfaces (“Facebook Business Tools”), including the Instagram service 165. Furthermore, among the aspects described in the Instagram Terms of Use is “Providing consistent and seamless experiencesacross other Facebook Company Products.” which involves “shar[ing] technology,systems, insights, and information-including the information we have about you.” It istherefore clear thatpersonal datais shared betweenFacebook companies (”We use data from Instagramand otherFacebook Company Products,as wellas from third-partypartners,to show you ads(...)” 100. These are relevant facts toconsider to assess the appropriateness of Article 6(1)(b) GDPR asa legal basis for behavioural advertising and to what extent reasonable users may understand and expect behaviouraladvertisingwhentheyaccepttheInstagramTermsofUseandperceive itasnecessaryfor Meta IE to deliver its service66. Accordingly, the EDPB further considers that the IE SA could have addedtoitsDraftDecisiona descriptionofbehaviouraladvertising thatMetaIEconductsthroughthe Instagram service to appropriately substantiate its reasoning leading to its acceptance of Article 6(1)(b) GDPRasa legalbasis for thatpracticein accordancewiththe IESA’sduty tostatethe reasons 167 for anindividual decision . 101. Notwithstanding the EDPB’s considerations above, the EDPB considers that there is sufficient information in the file for the EDPB to decide whether the IE SA needs to change its Draft Decision insofar asitrejectsthecomplainant’sclaim thattheGDPRdoesnotpermitMetaIE’srelianceonArticle 6(1)(b) GDPRtoprocess personaldatain thecontextof itsoffering ofthe Instagramservice,basedon itsTermsof Use. 102. As described above in section 4.1., the IE SA concludes in Finding 2 of its Draft Decision that the Complainant’scasewasnotmadeout thattheGDPRdoesnotpermitthereliancebyMetaIEonArticle 6(1)(b) GDPRinthe contextof itsoffering of TermsofUse, neither Article6(1)(b) GDPRnor anyother provision ofthe GDPRprecludesMetaIEfrom relyingonArticle6(1)(b) GDPRasalegalbasistodeliver 16C-252/21 Oberlandesgericht Düsseldorf request, pp. 6-7. Facebook Business Tools is also mentioned in 166tagram’sDataPolicy. Inthesamevein,theAdvocateGeneralalsoprovidesa descriptionofbehaviouraladvertisinginhisOpinion on the case C-252/21 Oberlandesgericht Düsseldorf request, see Opinion of the Advocate General on 20 September2022),ECLI:EU:C:2022:704,paragraphs9and10. 167SeeEDPBGuidelinesonArt.65(1)(a)GDPR,paragraph84andEDPBGuidelines2/2022ontheapplicationof Article60GDPR(Version1.0,Adoptedon14March2022),para.111(stating:“[…]everydecisionthatisaimed atlegalconsequencesneedstoincludeadescriptionofrelevantfacts,soundreasoningandaproperlegal assessment.Theserequirementsessentiallyservethepurposeoflegalcertaintyandlegalprotectionofthe partiesconcerned.Appliedtotheareaofdataprotectionsupervisionthismeansthatthecontroller,processor andcomplainantshouldbeabletoacknowledgeallthereasonsinordertodecidewhethertheyshouldbring thecase totrial. Havingregardtothedecisionmakingprocesswithinthecooperationmechanism,CSAs likewiseneedtobeinthe positiontodecideonpossiblytakingactions(e.g.agreetothedecision,providetheir viewsonthesubjectmatter)”).SeealsobyanalogyC-50/12PJudgementoftheCourtofJusticeof26 November2013,KendrionNVvEuropeanCommission,ECLI:EU:C:2013:771. 28 Adopted a service, including behavioural advertising insofar as that forms a core part of the service8. TheIE SA considers that, having regardto the specific terms of the contract and the nature of the service provided and agreedupon by the parties, Meta IE mayin principle rely on Article 6(1)(b) GDPR asa legal basis of the processing of users’ data necessary for the provision of its Instagram service, including throughtheprovision ofbehaviouraladvertisinginsofar asthisformsacorepartofitsservice offeredtoand acceptedbyits users 169. TheIE SA considers the core of theservice offeredby MetaIE ispremisedonthedeliveryofpersonalised advertising 170.TheIESAconsiders areasonableuser would 171 understand andexpect this having readthe Termsof Use . MetaIE supports this conclusion of the IESA 172. 103. Toassess these claimsof the IESA andMetaIE,the EDPBconsiders it necessaryto recallthe general objectives that the GDPRpursues, which must guide its interpretation,togetherwiththe wording of itsprovisions and itsnormative context 173. 104. The GDPR develops the fundamentalright tothe protection of personal datafound in Article 8(1) of the EU Charter of Fundamental Rights and Article 16(1) of the TFEU, which constitute EU primary law 174.AstheCJEU clarified,“anEUact mustbe interpreted,asfaras possible, in such a wayasnot to affectits validityand inconformitywithprimarylaw as a whole and, in particular,with theprovisions oftheCharter.Thus,ifthewordingofsecondaryEUlegislation isopentomorethanoneinterpretation, preference should be given to the interpretation which rendersthe provision consistent with primary law ratherthantotheinterpretationwhichleadstoitsbeing incompatiblewithprimarylaw” 175.Inthe faceofrapidtechnologicaldevelopments andincreasesinthescale ofdatacollectionandsharing,the GDPRcreatesa strongand more coherentdata protectionframeworkinthe Union, backedbystrong enforcement,andbuilt ontheprinciple thatnaturalpersonsshould havecontroloftheirownpersonal data 176.Byensuringa consistent,homogenous andequivalent highlevelofprotectionthroughoutthe EU, the GDPR seeks to ensure the free movement of personal data within the EU 177. The GDPR acknowledgesthattherighttodataprotectionneedstobe balancedagainstotherfundamentalrights and freedoms, such as the freedom to conduct a business, in accordance with the principle of proportionality andhas these considerations integratedinto itsprovisions 178. The GDPR,pursuant to EU primary law, treatspersonal data as a fundamental right inherent to a data subject and his/her 179 dignity,andnot asacommoditydatasubjectscantradeawaythroughacontract .TheCJEUprovided 168DraftDecision,paragraphs112and115.Finding2reads:“IfindtheComplainant’scaseisnotmadeoutthat theGDPRdoesnotpermitthereliancebyMetaIrelandon6(1)(b)GDPRinthecontextofitsofferingofTermsof 169.” DraftDecision,paragraph113. 170DraftDecision,paragraph104. 171DraftDecision,paragraph105. 172Meta IEArticle65Submissions,paragraphs6.21and6.30. 173 Judgementof theCourtof Justiceof 1 August2022, Vyriausioji tarnybinės etikos komisija, CaseC-184/20, ECLI:EU:C:2022:601,(hereinafter‘C-184/20Vyriausiojitarnybinėsetikoskomisija’),paragraph121. 174Recitals1and2GDPR. 175JudgementoftheCourtofJusticeof21June2022,Liguedesdroitshumainsv.Conseildesministres,C817/19, ECLI:EU:C:2022:491, (hereinafter ‘C-817/19 Liguedes droits humains'), paragraph 86;andudgement of the CourtofJusticeof2February2021,Consob,C-481/19,ECLI:EU:C:2021:84,paragraph50andthecase-lawcited. 176Article1(1)(2)andRecital6and7GDPR. 177Article1(3)andRecitals9,10and13GDPR. 178 Recital4GDPR. 179EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph54. 29 Adopted additionalinterpretativeguidancebyassertingthatthe fundamentalrightsofdatasubjectstoprivacy 180 andthe protectionoftheir personal dataoverride,asa rule, acontroller’seconomic interests . 105. The principle of lawfulness of Article 5(1)(a) andArticle 6 GDPRis one of the main safeguardstothe protection of personal data. It follows a restrictive approach wherebya controller may only process the personal data of individuals if it is able to rely on one of the bases found in the exhaustive and restrictivelists of thecases inwhichthe processing ofdatais lawfulunder Article6 GDPR 181. 106. Theprinciple oflawfulnessgoeshandinhandwiththeprinciplesoffairnessandtransparencyinArticle 5(1)(a)GDPR.The principle of fairness includes, inter alia,recognising the reasonable expectationsof the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller 182. 183 107. The EDPB agreeswiththe IESA and MetaIE thatthere is no hierarchybetweenthese legalbases . However,thisdoes not meanthata controller,asMetaIEinthe presentcase, hasabsolute discretion tochoose thelegalbasis thatsuitsbetteritscommercialinterests.Thecontroller mayonlyrelyonone ofthe legalbases establishedunder Article6 GDPRifit isappropriatefor theprocessing atstake 184.A specific legalbasis willbe appropriateinsofar asthe processing canmeet itsrequirements set bythe GDPRand fulfil the objective of the GDPRtoprotect the rightsand freedoms of naturalpersons and 185 in particulartheir righttothe protectionof personaldata .The legalbasis willnot be appropriateif its applicationto a specific processing defeatsthis practicaleffect “effet utile” pursued by the GDPR and Article 5(1)(a) andArticle 6 GDPR 186.These criteria stem from the content of the GDPR andthe interpretationfavourabletotherightsofdatasubjectstobe giventheretodescribedinparagraph104 above 187. 108. The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparentmanner,andanyobligationsderivedtherefrom 188.Thisobligationappliesevenwherethe 180 Judgement of the Court of Justice of 13 May 2014, Google Spain SL, C-131/12, ECLI:EU:C:2014:317, paragraphs97and99. 181Judgementof theCourtof Justiceof 11 December 2019, TK v Asociaţia deProprietari blocM5A-ScaraA, C 708/18,ECLI:EU:C:2019:1064,(hereinafter‘C708/18TKvAsociaţiadeProprietari'),paragraph37. 182 183See, Recital39GDPRandEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs11and12. DraftDecisionparagraph48andMeta IEArticle65Submissionparagraph5.10. 184As mentionedintheEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph18,theidentificationofthe appropriatelawful basis is tied to the principles of fairness and purposelimitation. It will be difficult for controllerstocomplywiththeseprinciplesiftheyhavenotfirstclearlyidentifiedthepurposesoftheprocessing, orifprocessingofpersonaldatagoesbeyondwhatisnecessaryforthespecifiedpurposes.SeealsoSection6of this BindingDecisiononthepotentialadditionalinfringementoftheprincipleoffairness. 185C708/18 TK v Asociaţia deProprietari, paragraph 37. 186See C-524/06Huber, paragraph 52 on theconcept of necessity being interpreted in a mannerthat fully reflects theobjectiveof Directive95/46). On theimportanceof considering thepractical effect (effet utile) soughtbyEUlawinits interpretation,seealsoforinstance:C-817/19Liguedes droitshumains,paragraph195 and Judgement of the Court of Justice of 17 September 2002, Muñoz and Superior Fruiticola, C 253/00, ECLI:EU:C:2002:497,paragraph30. 187 Article1(1)(2)and(5)GDPR. 188 Article5 (2) GDPR “Principle of accountability”of data controllers;seealso C-252/21Oberlandesgericht Düsseldorfrequest,OpinionoftheAdvocateGeneralon20September2022,ECLI:EU:C:2022:704,paragraph52. 30 Adopted practical application of GDPR principles such as those of Article 5(1)(a) and Article (5)(2) GDPR is inconvenient or runs counter to the commercial interests of Meta IE and its business model. The controller is alsoobliged tobe able todemonstratethatit meetsthese principles andany obligations derivedtherefrom,such asthatit meetsthe specific conditions applicable toeachlegalbasis 18. 109. The first condition to be able to rely on Article 6(1)(b) GDPR as a legal basis to process the data subject’s data is that a controller, in line with its accountabilityobligations under Article 5(2) GDPR, has to be able to demonstrate that (a)a contract exists and (b) the contract is valid pursuant to 190 applicable nationalcontractlaws . 110. Boththe IE SA and Meta IE consider that the Terms of Use make up the entire agreement between the InstagramuserandMetaIE andthatthe Data Policyissimply acompliance document settingout information tofulfil the GDPRtransparencyobligations 191. The IE SA thus considers thatthe contract 192 for which theanalysis based onArticle 6(1)(b) GDPRtakesplace,is the TermsofUse . 111. The IE SA and Meta IE argue that the GDPR does not confer a broad and direct competence to supervisory authoritiestointerpret or assess the validityof contracts 193. 112. TheEDPBagreesthatSAsdonot haveunder theGDPRabroadandgeneralcompetenceincontractual matters.However,theEDPBconsidersthatthesupervisory tasksthatthe GDPR bestowsonSAsimply a limitedcompetencetoassess acontract’sgeneralvalidityinsofar asthisis relevanttothe fulfilment of their tasks under the GDPR.Otherwise,the SAs would see their monitoring andenforcement task under Article 57(1)(a) GDPR limited to actions such as verifying whether the processing at stake is necessary for the performance of a contract (Article 6(1)(b) GDPR), and whether a contract with a processor under Article 28(3)GDPRanddataimporter under Article 46(2)GDPRincludes appropriate safeguardspursuant totheGDPR.PursuanttotheIESA’sinterpretation,theSAswouldthusbe obliged toalwaysconsider a contractvalid, evenin situations where it is manifestly evident that it is not, for instance because there is no proof of agreement betweenthe two parties, or because the contract does not comply with its Member State’srules on the validity, formation or effect of a contract in 194 relationtoachild . 113. As theDE andNL SAs 195argue,the validityof the contractfor the InstagramservicebetweenMetaIE andthe complainant is questionable, giventhe strong indications thatthe Complainant wasunaware ofenteringintoa contract,and(astheIE SA establisheswithitsFinding 3 ofitsDraft Decision)serious transparency issues in relation to the legal basis relied on. In contract law, as a general rule, both parties must be aware of the substance of the contract and the obligations of both parties to the contractinorder towillingly enterinto suchcontract. 189EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph26. 190EDPBBindingDecision2/2022,paragraph84. 191DraftDecision,paragraphs72and73. 192 193DraftDecision,paragraph73. CompositeResponse,paragraph51;DraftDecision,paragraph95,Meta IEArticle65Submissions,paragraph 6.43. 194Article8(3)GDPR. 195DESAs Objection,p.4andNLSAObjection,paragraph11. 31 Adopted114. Notwithstanding thepossible invalidity ofthe contract,theEDPB,referstoitsprevious interpretative guidance on this matter to provide below its analysis on whether behavioural advertising is objectively necessaryfor Meta IE toprovide its Instagram service tothe user based on its Terms of 196 Use andthe natureof the service . 197 115. The EDPBrecalls that for the assessment of necessity under Article 6(1)(b) GDPR,“[i]t is important to determinethe exact rationale ofthe contract, i.e. itssubstance and fundamentalobjective, asit is 198 against thisthat it will be testedwhetherthedata processing is necessaryfor its performance” .As the EDPBhaspreviously stated,regardshould be giventotheparticular aim, purpose, or objective of theservice and,for applicabilityofArticle6(1)(b) GDPR,itisrequiredthatthe processing isobjectively necessaryfor apurpose andintegraltothe delivery ofthatcontractualservice tothe datasubject 199. 116. Moreover,the EDPB notesthat the controller should be able tojustify the necessityof its processing byreferencetothefundamentalandmutuallyunderstoodcontractualpurpose.Thisdepends notonly onthecontroller’sperspective,but alsoonareasonabledatasubject’sperspective whenenteringinto the contract 200. 117. The IE SA accepts the EDPB’s position that, as a general rule, processing of personal data for 201 behavioural advertising is not necessary for the performance of a contract for online services . However, the IE SA considers that in this particular case, having regardto the specific terms of the contract and the nature of the Instagram service provided and agreedupon by the parties, Meta IE mayin principle rely on Article 6(1)b) GDPRtoprocess the user’sdata necessary for the provision of itsservice, including throughthe provision ofbehaviouraladvertising insofar asthisforms acore part of thatservice offeredtoandacceptedby users 202. 118. The IE SA views behavioural advertising as “the core of both Meta Ireland’sbusiness model and the bargainstruckbetweenMetaIrelandand Instagram users ” 20.Insupport ofthis consideration, theIE SA refers to the ”first and sixth clauses” of “the specific contract entered into between Meta IE and Instagramusers” 20.The IE SA considers thatfrom the textofthese “clauses” it is “clearthatthe core 205 of theservice offered byMeta Irelandis premised on the deliveryofpersonalised advertising. ”The IESAconsiders thatthisposition issupportedbythefactthat“theTermsofUsedescribetheInstagram service as being ‘personalised’ and connects users with brands, including by means of providing ‘relevant’ advertising and content.” Based on this, the IE SA is of the view that “It is clear that the Instagram service is advertised as offering a 'personalised' experience, including by way of the advertisingit deliversto users 20.”The IE SA considers thatasthe Instagramservice is“advertised”in its Terms of Use “as being predicated on personalised advertising (...) any reasonable user would 196 EDPBGuidelines2/2019onArticle6(1)(b)GDPR. 197SeeBindingDecision2/2022,paragraph89. 198WP29Opinion6/2014onthenotionoflegitimateinterests,p.17 199EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph30. 200 SeeBindingDecision2/2022,paragraph90. 201EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph52.DraftDecision,paragraph113. 202DraftDecision,paragraph113. 203DraftDecision,paragraph102andFinding2. 204 DraftDecision,paragraph103. 205DraftDecision,paragraph104. 206DraftDecision,paragraph104. 32 Adopted expectand understand thatthisis partof thecorebargain that isbeing struck(...)”butacknowledges 207 that“usersmay preferthatthemarket offeralternativechoices .” 119. On thisissue, the EDPBrecallsthatthe concept of necessity hasits ownindependent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument,inthiscase,the GDPR 20.Accordingly,theconceptofnecessityunder Article6(1)(b)GDPR cannot be interpretedin a way that undermines this provision and the GDPR’sgeneralobjective of protecting the right to the protection of personal data or contradictsArticle 8 of the Charter 209. On the processing of data in the Facebook services, Advocate General Rantos supports a strict interpretationofArticle6(1)(b)GDPRamongotherlegalbases,particularlytoavoidanycircumvention 210 of the requirement for consent . Given the similarities between the Facebook and Instagram services, as explained above in paragraph97, and the fact thatthis case mayconcernthe legalbasis 211 for processing of personaldatafor theInstagramservice . 120. As the IE SA states in its Draft Decision, “Instagram is a global online social network service which allows registeredusersto communicate with other registered users through messages, audio, video calls and video chats, and by sending images and video files 212.” Meta IE promotes among its prospective andcurrentusers the perception thatthe mainpurpose of the Instagramservice andfor which it processes its users’ data is to enable them to share content and communicate with others. MetaIE presentsits Instagramserviceon its “About”page ofits website asa platform which “give[s] people the power to build communityand bring[s] the world closer together 213.” At the beginning of itsTermsof Use, MetaIE presentsits mission for the Instagramservice as“To bring you closer to the people and things you love 214.” The description of the aspects of the service includes “Offering personalizedopportunitiesto create,connect,communicate.” 121. The fact thatthe Termsof Use do not provide for any contractualobligationbinding MetaIE tooffer personalised advertising to the Instagram usersand any contractualpenaltyif Meta IE fails to do so shows that, at least from the perspective of the Instagram user, this processing is not necessary to 215 perform the contract .Providingpersonalised advertisingtoitsusers maybe anobligationbetween 207DraftDecision,paragraph105. 208Seeparagraphs 103-104 aboveon theprinciples guiding theinterpretationof theGDPR and its provisions. The CJEU also stated inHuber that “what is at issue is a concept [necessity] which has its own independent meaninginCommunitylawandwhichmustbeinterpretedinamannerwhichfullyreflectstheobjectiveofthat Directive, [Directive95/46],aslaiddowninArticle1(1)thereof”.C-524/06Huber,paragraph52. 209Article1(2)GDPR. 210C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022, ECLI:EU:C:2022:704, paragraph51. (TheEDPB refers to theAdvocateGeneral’s Opinionin its Binding Decision as anauthoritativesourceofinterpretationtounderlinetheEDPB’s reasoningontheprocessingofdata inthe FacebookService,withoutprejudicetothecase-lawthattheCJEUmaycreatewithitsfuturejudgmentsonthe Cases C-252/21andC-446/21). 211Paragraph97andfootnote161ofthisBindingDecision. 212 DraftDecision,paragraph5. 213https://about.instagram.com/ 214BoththeIESAandMeta IEconsidertheInstagramTermsofUseasconstitutingtheentirecontractbetween Meta IEandtheInstagramusers(seeparagraphs92,110and118ofthisBindingDecision). 215 TheInstagramTerms ofUseareformulatedinone-sidedtermsasfollows:“TheseTermsofUse governyour useofInstagramandprovideinformationabouttheInstagramService(...).“Whileunderthefirstheadingofthe Terms of Use(“The InstagramService”), Instagram announces that it “provide[s]“theInstagram service. After describing theaspects of theserviceandreferencing theData Policy, theInstagram Terms of Useincludea 33 Adopted MetaIEand thespecific advertisersthatpay for MetaIE’stargeteddisplayoftheir advertisementsin the Instagram service to Instagram users, but it is not presented as an obligation towards the Instagramusers. 122. Nor does MetaIE’sbusiness model ofoffering services, at nomonetarycost for the user togenerate income bybehaviouraladvertisementtosupport itsInstagramservicemakethisprocessing necessary to perform the contract. Under the principle of lawfulness of the GDPR and its Article 6, it is the business model which must adapt itselfand comply withthe requirementsthat the GDPRsetsout in generalandfor eachof the legalbasesand not the reverse.Asthe Advocate GeneralRantosstressed recently in his opinion on Meta IE’s processing in Facebook, based on Article 5(2) GDPR, it is the controller (Meta IE) in this case who is responsible for demonstrating that the personal data are 216 processed inaccordancewiththe GDPR . 123. As the EDPBprovided in itsguidance, “Assessing what is ‘necessary’involves a combined,fact-based assessment ofthe processing‘fortheobjectivepursued and of whetheritisless intrusivecomparedto other options for achieving the same goal’. If there are realistic, less intrusive alternatives, the processingisnot‘necessary’.Article6(1)(b)willnotcoverprocessing which isusefulbutnot objectively necessary for performing the contractualservice or for taking relevant pre-contractualsteps at the requestofthe data subject,evenif it isnecessaryfor thecontroller’sotherbusiness purposes. 21” 124. On the question of whether here there are realistic, less intrusive alternatives to behavioural 218 advertising that make this processing not “necessary” , the EDPB considers that there are. The AT and SE SAs mention as examplescontextualadvertising based on geography, language andcontent, whichdonotinvolve intrusive measuressuchasprofiling andtrackingofusers 219.Inhis recentopinion on Facebook, Advocate General Rantos also refers to the Austrian Government’s “pertinent” observation that in the past, Meta IE allowed Facebook users to choose between a chronological presentationandapersonalised presentationof newsfeedcontent,which, inhis view, provesthatan alternativemethodis possible 220. Byconsidering the existence ofalternativepracticestobehavioural advertising thataremore respectfulofthe Instagramusers’righttodataprotection, theEDPB,asthe Advocate General did in relation to Facebook users, aims to assess if this processing is objectively sectionwhichisheadedwith“YourCommitments”.WhileInstagramitselfonly“offers”variousservices,itmakes clear that theInstagram Terms of Useunilaterallyimposeduties andobligations on theuser. Otherwise, the usermayfacesuspensionorterminationoftheiraccount,asdescribedunder“ContentRemovalandDisabling orTerminatingYourAccount”oftheInstagramTerms ofUse.No(contractual)sanctionsappeartoapplyinthe event thatMeta IEfailstoprovideorpoorlyperformsoneormoreoftheseservices. 216C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022, ECLI:EU:C:2022:704,paragraph52. 217EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph25. 218In Schecke, theCJEU held that, when examining thenecessity of processingpersonaldata, thelegislature needed to take into account alternative, less intrusive measures. Judgement of the Court of Justice of 9 November2010,VolkerundMarkusScheckeGbR,C-92/09andC93/09,ECLI:EU:C:2010:662,(hereinafter‘Case C-92/09andC93/09Schecke’),paragraph52.This was repeated by theCJEUintheRīgas casewhereitheld that “As regardstheconditionrelatingtothenecessity ofprocessingpersonaldata,itshouldbeborneinmindthat derogationsandlimitationsinrelationtotheprotectionofpersonaldatamustapplyonlyinsofarasis strictly necessary”. Judgement of theCourt of Justiceof 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvaldev Rīgas pašvaldības SIA‘Rīgas satiksme’, C13/16,ECLI:EU:C:2017:336,parag30.. 219AT SAObjection,p.5;SESAObjection,p.3. 220C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022, ECLI:EU:C:2022:704,footnote80. 34 Adopted necessary to deliver the service offered, as perceived by the Instagramuser whose personal data is processed, and not todictate the nature of Meta IE’s service or impose specific business models on controllers, as Meta IE and the IE SA respectively argue 22. The EDPB considers that Article 6(1)(b) GDPR does not cover processing which is useful but not objectively necessary for performing the 222 contractualservice,even ifit is necessaryfor the controller’sotherbusiness purposes . 125. The EDPBconsiders thatthe absolute right available todatasubjects, under Article 21(2)(3) GDPRto object to the processing of their data (including profiling) for direct marketing purposes further supports its consideration that, as a generalrule, the processing of personal data for behavioural advertising is not necessaryto perform a contract.The processing cannot be necessary toperform a contractif adata subject has the possibility toopt out from it atany time,andwithout providing any reason. 126. The EDPB finds that a reasonable user cannot expect that their personal data is being processed for behaviouraladvertising simply becauseMetaIEbrieflyreferstothisprocessing in itsInstagramTerms of Use (which MetaIEandthe IE SA consider asconstituting the entiretyofthe contract),or because ofthe“widercircumstances”or“recognisedpublic awarenessofthisformofprocessing” derivedfrom its “widespreadprevalence ofOBA processing” to which the IE SA refers 22. Behaviouraladvertising, asbriefly described inparagraph98 above, isa set of processing operations ofpersonal dataof great technical complexity, which has a particularly massive and intrusive nature. In view of the characteristicsofbehaviouraladvertising,coupledwiththeverybriefandinsufficient informationthat Metaprovides about it in the InstagramTermsof Use andDataPolicy (a separatedocument thatthe IESAandMetaIEdonotevenconsider partofthecontractualobligations),theEDPBfindsit extremely difficult toargue thatanaverageuser canfully graspit,be awareof itsconsequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on the Instagram Termsof Use. The EDPB recallsits Guidelines 2/2019 on Article6(1)(b) GDPR,inwhich it arguesthat the expectations of the average data subject need to be consider in light, not only of the terms of service but also the way this service is promoted to users 22. Advocate General Rantos expresses similar doubts where he says in relationto Facebook behavioural advertising practices“Iam curious as to what extenttheprocessing might correspond to the expectationsof an average user and, more generally, what ‘degree of personalisation’ the user can expect from the service he or she signs up 225 for” and adds in a footnote that he does not “believe that the collection and use of personal data outside Facebook are necessary for the provision of the services offered as part of the Facebook 226 profile” . 127. The EDPB notes that the mission of the Instagram service, as expressed in its Terms of Use, is formulated in a vague and broad manner (“To bring you closer to the people and things you love.”) When using the Instagram service, a user is primarily confronted with the possibility of viewing 221Meta IEArticle65Submissions,paragraph6.25andCompositeResponse,paragraph76.Ontherelevanceof this OpinionforassessingInstagram’srelianceonArticle6(1)(b)GDPR,seeparagraph97ofthisBindingDecision. 222EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph25. 223 224CompositeResponse,paragraphs72and73. EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph57. 225C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022, ECLI:EU:C:2022:704,paragraph56. 226Ibid,footnote81.OntherelevanceofthisOpinionforassessingInstagram’srelianceonArticle6(1)(b)GDPR, seeparagraph97ofthisBindingDecision. 35 Adopted photographs andvideos by people or organisationsthat theyfollow, as wellas sharing such content withtheirfollowers. Thisis acknowledgedbythe IE SA whichprovidesthe following descriptionofthe Instagram service in its Draft Decision: “Instagram is a global online social network service which allows registeredusersto communicate with other registered users through messages, audio, video calls andvideo chats,and bysendingimages and video files 22.” 128. Based on the considerations above, the EDPB considers that the main purpose for which users use InstagramandacceptitsTermsofUse istosharecontentandcommunicatewithothers,nottoreceive personalised advertisements. 129. Meta IE infringed its transparencyobligations under Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR by not clearly informing the complainant and other users of the Instagram Service specific processing operations, thepersonaldataprocessed inthem,thespecific purposes theyserve, andthe legal basis on which each of the processing operations relies, as the IE SA concludes in its Draft Decision 228. The EDPB considers that this fundamental failure of Meta IE to comply with its transparencyobligations contradictsthe IESA’sfinding thatInstagram userscouldreasonably expect online behaviouraladvertising asbeing necessaryfor the performanceof their contract(asdescribed 229 inthe InstagramTermsof Use)withMetaIE . 130. The EDPBrecallsthat “controllersshould make sure to avoid anyconfusion as to what the applicable legalbasis is” andthatthis is“particularlyrelevantwheretheappropriatelegal basis isArticle6(1)(b) GDPRand a contractregardingonlineservicesisenteredintobydatasubjects”,because “[d]epending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) GDPR when signing a contract or accepting termsof service” 23. Article6(1)(b) GDPRrequires theexistence, validityof acontract,andthe processing being necessary toperform it.These conditions cannot be metwhere one of theParties(in thiscase the datasubject) is not provided withsufficient informationtoknow thattheyaresigning a contract,theprocessing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessaryto perform the services delivered. These transparencyrequirements are not only anadditionalandseparateobligation,asthe IESA seemstoimply, but also anindispensable and 231 constitutive partof the legalbasis . 131. The risks to the rights of data subjects derived from this asymmetry of information and an inappropriate relianceon this legalbasis arehigher in situations suchas inthe present case,in which the Complainant and other Instagram users face a “take it or leave it” situation resulting from the standardcontract pre-formulated by Meta IE andthe lackof few alternative services in the market. The EU legislator hasregularlyidentified and aimedtoaddress withmultiple legalinstruments these risks andtheimbalance betweenthepartiestoconsumer contracts.Forexample,Directive93/13/EEC 227 DraftDecision,paragraph5. 228DraftDecision,paragraphs184and185andFinding3,whichreads“InrelationtoprocessingforwhichArticle 6(1)(b)GDPRisreliedon,Articles5(1)(a),12(1)and13(1)(c)GDPRhavebeeninfringed.” 229DraftDecision,paragraph105andFinding2. 230EDPBBindingDecision1/2021,paragraph214andEDPBGuidelines2/2019onArticle6(1)(b),paragraph20. 231 DraftDecision,paragraph111. 36 Adopted on unfair termsinconsumer contracts 232mandates,asthetransparencyobligationsunder the GDPR, 233 the use of plain, intelligible language in the terms of the contracts offered to consumers . This Directiveeven provides that where there is a doubt about the meaning of a term,the interpretation most favourable tothe consumer shall prevail 234.Processing ofpersonal datathatisbasedon whatis deemedtobeanunfairtermunder thisDirectivewillgenerallynot beconsistent withthe requirement under Article 5(1)(a)GDPRthatthe processing islawfuland fair 23. 132. AdvocateGeneralRantosconcludesinreferencetoMetaIEthatthefactthatanundertakingproviding a social network enjoys a dominant position in the domestic market for online social network for privateusers “doesplay arole intheassessment ofthefreedomofconsentwithin themeaning ofthat provision, which it is for the controller to demonstrate, taking into account, where appropriate, the existenceofa clearimbalance ofpowerbetweenthedata subjectand the controller,anyrequirement for consent to theprocessing of personaldata other thanthose strictlynecessaryfor the provision of the servicesin question, the need for consent to be specific for each purpose of processing and the needtopreventthewithdrawalofconsentfrom being detrimentaltouserswho withdrawit 236.”Inline withthe logic of this argument,the EDPBconsiders that the dominant position of MetaIE also plays an important role in the assessment of Meta IE’sreliance on Article 6(1)(b) GDPR for its Instagram service and its risks to data subjects, especially considering how deficiently Meta IE informs the Instagramusersofthe datait strictlyneeds toprocesstodeliver the service. 133. Giventhat the mainpurpose for whicha user uses Instagramservice is toshare andreceive content, andcommunicate with others 237,and thatMetaIE conditions their use tothe user’s acceptanceofa contract andthe behavioural advertising theyinclude, the EDPB cannot see how a user would have the option of opting out of a particularprocessing which is partof the contractasthe IE SA seemsto argue 23.Theusers’ lackof choice in thisrespect would ratherindicate thatMetaIE’srelianceon the contractualperformance legal basis deprives users of their rights, among others, to withdraw their consent under Articles6(1)(a) and7 and/or to object tothe processing of their databased on Article 6(1)(f) GDPR. 134. The EDPB agreeswiththe AT, DE, ES, FI, FR, HU, NL, NOandSE SAsthat there is a risk thatthe Draft Decision’s failure to establish Meta IE’sinfringement ofArticle 6(1)(b) GDPR, pursuant tothe IE SA’s interpretationof it, nullifies thisprovision andmakeslawful theoreticallyanycollection andreuse of 239 personal data in connection with the performance of a contract with a data subject . Meta IE currentlyleaves the complainant and other users of the Instagramservice witha single choice. They may either contract awaytheir right to freely determine the processing of their personal data and 232A contractual term that has not been individually negotiated is unfairunder theDirective93/13/EEC “if, contrarytotherequirementofgoodfaith,itcausesasignificantimbalanceintheparties’rightsandobligations arisingunderthecontract,tothedetrimentoftheconsumer”Article3(1). 233 Articles4(2)and5Directive93/13/EEC. 234Article5Directive93/13/EEC. 235EDPBGuidelines2/2019onArticle6(1)(b)GDPR,footnote10. 236C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022, ECLI:EU:C:2022:704, Conclusion, paragraph78 (4). On therelevanceof this Opinion forassessing Instagram’s relianceonArticle6(1)(b)GDPR,seeparagraph97ofthisBindingDecision 237Seeparagraphs127-128ofthisBindingDecision. 238CompositeResponse,paragraph69. 239AT SAObjection,pp.5-6;DESAs Objection,p.9;ESSAObjection,p.3;FI SAObjectionparagraphs31-35;FR SAObjection,paragraphs34-35;HUSAObjection,p.4;NL SAObjection,paragraphs30-31;NOSAObjection, p. 8;SE SAObjection,p.5. 37 Adopted submit toitsprocessing for the obscure, andintrusive purpose of behaviouraladvertising,whichthey can neither expect, nor fully understand based on the insufficient information Meta IE provides to them. Or, they maydecline accepting Instagram Terms of Use and thus be excluded from a service thatenablesthemtocommunicate,sharecontentwithandreceivecontent from millionsofusersand for whichtherearecurrentlyfew realisticalternatives. Thisexclusionwouldthus alsoadverselyaffect their freedom of expression andinformation. 135. This precedent could encourage other economic operatorstouse the contractualperformance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contractto collect,retainandprocess asmuch personal datafrom their users as possible and advance their economic interests at the expense of the safeguards for data subjects. Some of the safeguards from whichdata subjects would be deprived due to aninappropriate use of Article 6(1)(b) GDPR as legal basis, instead of others such as consent (Article 6(1)(a) GDPR) and legitimate interest (Article 6(1)(f) GDPR), are the possibility to specifically consent to certain processing operations and not to othersand tothe further processing of their personal data (Article 6(4)GDPR);theirfreedom towithdrawconsent (Article7 GDPR);theirrighttobe forgotten(Article17 GDPR);and the balancing exercise of the legitimateinterests of the controller againsttheir interests or fundamental rightsandfreedoms (Article 6(1)(f) GDPR).As a result,owing tothe number of users of the Instagramservice,the marketpower, andinfluence ofMeta IEand itseconomically attractive business model, the risks derivedfrom the currentfindings ofthe DraftDecisioncould gobeyond the Complainant andthe millions of usersof Instagramserviceinthe EEAandaffect theprotectionofthe 240 hundreds of millions of people coveredbythe GDPR . 136. TheEDPBthusconcurswiththeobjections oftheAT,DE,ES,FI,FR,HU,NL,NOandSESAs 241toFinding 2 of the Draft Decision in that the behaviouraladvertising performedby Meta IE in the context of theInstagramserviceisobjectivelynotnecessaryfortheperformanceofMetaIE’sallegedcontract with datausersfortheInstagramserviceandisnotanessentialorcoreelementofit. 137. Inconclusion, theEDPBdecides thattheMetaIEhas inappropriatelyreliedonArticle 6(1)(b) GDPRto process thecomplainant’spersonaldatainthe contextofInstagramTermsofUse andthereforelacks a legalbasis toprocess these datafor thepurposes ofbehavioural advertising.MetaIE hasnot relied onany otherlegalbasistoprocess personaldatain thecontext ofthe InstagramTermsofUse for the purposes of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision which concludes thatMeta IEmay relyon Article 6(1)(b) GDPR inthe contextof its offering 240In theDraft Decision, theIE SAquotes Meta IE’s submissions dated 28September 2018, inwhichit states that it “provides the Instagram service to hundreds of millions of users across the European region.”Draft Decision, paragraph 223. In its submissions onthePreliminary Draft Decision, Meta IE stated that thecorrect figureformonthlyactiveaccountsfortheInstagramServiceasof31August2018(thedateofcommencement of the Inquiry)is approximately , whileclarifying that this numberrepresents activeaccounts on Instagramratherthanuniqueusers andthus doesnotrepresentthenumberofuniqueusers.Thisfiguredoes notincludeUK-basedaccountsasMetaIEconsideredaccountsinthatterritorywerenotrelevantfortheInquiry. TheIE SA does not sharethis view, on thegrounds that theGDPRwas applicablein theUK at thedateof the 241plaint.Meta IE’sReponsetothePreliminaryDraftDecision,paragraph14.13.DraftDecision,paragraph223. AT SAObjection,pp.4-5;DESAs Objection,p.5-6,ESSAObjection,p.2,FI SAObjection,paragraphs16and 18,FRSAObjection,paragraphs8-9,HUSAObjection,p.3,NLSAObjection,paragraphs18-19;NOSAObjection, p. 7,SE SAObjection,pp.3. 38 Adopted of the Instagram Terms of Use and to include an infringement of Article 6 (1) GDPR based on the shortcomings thatthe EDPBhasidentified. 5 ON WHETHER THE LSA’S DRAFT DECISION INCLUDESENOUGH ANALYSIS ANDEVIDENCE TOCONCLUDE THAT METAIE ISNOT OBLIGEDTORELY ON CONSENT TOPROCESSTHE COMPLAINANT’S PERSONAL DATA 5.1 Analysis by the LSA inthe DraftDecision 138. The IESA concludes asamatteroffact,initsDraftDecisionthatMetaIEdidnot rely, anddidnot seek 242 torely,onthe complainant’sconsent toprocesspersonaldatain connectionwiththeTermsofUse andis not legallyobligedtorelyon consent todo so 24. 139. The IE SA acceptsthatMetaIE never sought to obtainconsent from users throughthe clicking ofthe “Agreeto Terms”button,based alsoon MetaIE’sconfirmationthereto 244. 140. TheIESA distinguishes betweenagreeingtoacontract(whichmayinvolve theprocessing ofdata)and providing consent to personal data processing specifically for the purposes of legitimising that personaldataprocessing under theGDPR 245.TheIESA observes that,asnotedbythe EDPB,theseare entirelydifferent conceptswhich “havedifferent requirementsandlegal consequences” 246. 141. The IESA alsoemphasises that thereis no hierarchybetweenthe legalbasis thatcontrollers mayuse 247 to process personal data under the GDPR . The IE SA further arguesthat neither Article 6(1) GDPR nor any other provision in the GDPR require that the processing of data in particular contexts must necessarily be based on consent 248. The IE SA argues the GDPR does not provide that the specific nature and content of a contract, freelyentered into by two parties, requires a higher categoryor “default” legal basis. The IE SA includes reference to the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR whichassert that where data processing is necessary to perform a contract, consent is not an appropriatelawful basison whichtorely 249. 142. The IE SA considers Article 7 GDPR andits conditions do not in andof themselves indicate the legal basis on which a controller should rely on in a particular context. The IE SA contends that these conditions would only be relevant where the controller relies upon consent as the legal basis for its processing, whichit views asnot being the case for the processing of databy MetaIEinquestion 25. 242DraftDecision,paragraphs43and60. 243DraftDecision,paragraphs59-60. 244DraftDecision,paragraphs40and42,aswellas56. 245 246DraftDecision,paragraph52. DraftDecision,paragraph47. 247DraftDecision,paragraphs48-50. 248DraftDecision,paragraph50. 249DraftDecision,paragraph52. 250DraftDecision,paragraph57. 39 Adopted 5.2 Summary of the objections raised by the CSAs 143. The AT,DE,ES,FI,FRandNL SAsobject tothe assessment inthe DraftDecisiononconsent, leadingto Finding 1 of the IE SA25. These SAs put forwardseveral factualandlegalargumentsfor the changes theypropose tothe DraftDecision. 144. The SE SA holds that ifthe EDPBweretofindthat theprocessing canrely onArticle6(1)(b) GDPR,the investigationneedstoencompass whetherspecialcategoriesofpersonal datapursuanttoArticle9(1) GDPRareprocessed, since the performance ofacontractis not anexemption pursuant toArticle9(2) GDPR.Since the SE SA presents itsobjection as being contingent on whetherthe EDPB finds thatthe data processing in Instagram, basedon itsTerms of Use, can relyon Article 6(1)(b) GDPR 252andthe EDPBfindsthatMetaIEinappropriatelyreliedonArticle6(1)(b)GDPR(see aboveinSection4.4.2),the SE SA objectionis no longerapplicable. Argumentson thefinding ofthe LSA thatMetaIEis not legallyobliged torelyon consent 145. TheAT,DEandNL SAsconsider thattheIESA hasnotincluded enoughanalysis,evidence andresearch in the DraftDecision toconclude thatMetaIE is not legallyobliged torely onconsent toprocess the 253 complainants’ data . 146. The AT SA points out that the IE SA limits its facts and its legal assessment to the generalquestion whether Article 6(1)(b) GDPR canbe used aslegalbasis, specifically for behavioural advertising. The Draft Decisiondoes not clarify which data categoriesare being used for behavioural advertising and where Meta IE relies on Articles 6(1)(a) and 6(1)(b) GDPR for behavioural advertising. Also unaddressed is, if and to which extent Meta IE relies on Article 9(2)(a) GDPR for behavioural advertisingasfarassensitive dataareconcernedandwhetherMetaIErespectedtheGDPRconditions (for example,Article7GDPR)whenobtainingtheconsentpursuant toArticle6(1)(a)andArticle9(2)(a) GDPR. The AT SA argues that the Draft Decision did not address the part of the complaint on the differences between“consent”and“contractualperformance”andregardingArticle9 GDPR 254. 147. EventhoughtheDESAssharetheIESA’sfinding thatMetaIEdidnotrelyonconsent for theprocessing of dataasdescribedin theInstagramTermsof Use,the DESAs objectsagainstthe IE SA’sassessment that in the specific case at issue Meta IE was not legally obliged to obtain consent from the Complainant 25. TheDE SAsfurther add, alsoin relationtothe potentialuse of Article6(1)(f) GDPRas a legalbasis, that further investigations on the specific processing activities, purposes and their risks for rights and freedoms of the Complainant would be necessary to conclude an assessment on the applicable legalbasis25. 148. The NL SA notes itsview thatthereis lackof anysubstantive investigationintowhat kind of personal 257 data is being processed besides relying on information submitted by the controller . The NL SA 251AT SAObjection,p.9-11;DESAObjection,p.2-9;ESSAObjection,p.2-3;FI SAObjection,paragraphs36-44; FRSAObjection,paragraphs21-31;NLSAObjection,paragraphs20-27. 252SESAObjection,p.3-4. 253 254AT SAObjection,p.10;DESAObjection,p.7-9;NLSAObjection,paragraph21. AT SAObjection,p.10. 255DESAs Objection,p.7-8. 256DESAs Objection,p.8-9. 257NLSAObjection,paragraph25. 40 Adopted considers that thereare clearindications that consent is legallyrequiredfor (partsof) the processing operationsof the controller,and thatthe IESA couldthus draw adifferent conclusion on the basis of further inquiries andanalysis258. The NL SA considers that the DraftDecision should be amendedifa 259 further inquiry bythe IESA establishes thattherelianceon consent asa legalgroundismandatory . 149. Inaddition, the DE andFR SAs consider thateven if MetaIEhad reliedon consent, it would not have met the requirements of Article 7(1) GDPR asbeing “freely given”, as it is conditional on the use of their services asa whole (“take it or leave it”). Nor would consent meet the requirements of Article 7(2)GDPRsince, asthe IE SA finds, informationon theprocessing ofdataasdescribedinthe Termsof Use, is not provided in a concise, transparent, intelligible and easily accessible form, using clear and 260 plainlanguage . Argumentson thepossible breachoftheobligation to relyon consent to processspecialcategoriesof personaldata(Article9 GDPR) 150. TheAT,DE,ES,FI,FRandNLSAs consider thattheIESAshould haveidentifiedandseparatelyassessed anyprocessing ofspecialcategoriesofpersonal dataunder Article9GDPRinthe contextofInstagram Termsof Use 26.The DESAs conclude that MetaIEprocesses the complainant’sspecialcategoriesof 262 datainbreachofArticle9(1)GDPR .TheAT,ES,FI,FRandNLSAs taketheview thattheIESAshould broaden the scope of its investigation and examine whether the conditions for the processing of specialcategoriesof personaldatahave been metby MetaIE 263. 151. The AT, ES, FI, FR andNL SAs consider thatthe factualbackground of the DraftDecision misses facts on whether Meta IE relies on Article 9(1)(a) GDPR to process special categoriesof personal data for the purpose of behaviouraladvertising andwhether MetaIErespectsthe requirementsof the GDPR, 264 such asthose of Article7, inobtaining consent tothatend . 152. The FR and NL SAs argue that the data that Meta IE processes may include special categories of personal data under Article 9 GDPR 26. The DE SAs contend that nothing indicates that Meta IE 266 excludes these categoriesofdatafrom its processing for advertisingpurposes . 153. The FR SA notes thatInstagramusers canprovide various sensitive data about themselves, including their sexual orientation, religious views and political opinions in the description of their profile. The FR SA considers thatthe IESA cannot simply statethatithasno evidence thatMetaIE processessuch data in the context of the Instagram service. Inorder todeal with the complaint, the FR SA asks for 258 NLSAObjection,paragraph25. 259NLSAObjection,paragraph25. 260DESAs Objection,p.8;FRSAObjection,paragraphs24-29. 261AT SAObjection,p.9-10;DESAs Objection,p.7;ES SAObjection,p.2-3;FI SAObjection,paragraphs36-38, 41;FRSAObjection,paragraphs30-31;NLSAObjection,paragraphs24-26. 262DESAs Objection,p.7,10. 263AT SAObjection,p.9;ESSAObjection,p.2-3;FI SAObjection,paragraphs41-42;FRSAObjection,paragraph 31;NLSAObjection,paragraph25. 264 AT SAObjection,p.9;ESSAObjection,p.2-3;FI SAObjection,paragraph41;FRSAObjection,paragraph30; NLSAObjection,paragraph25. 265FRSAObjection,paragraph30;NLSAObjection,paragraph24. 266DESAs Objection,p.7. 41 Adopted further investigation,in particularitasks the LSA toexaminewhether sensitive dataare processedby 267 the controller and,if so, whetherone ofthe conditions ofArticle 9(2)GDPRismet inthis case . 154. The NL SA argues that there is strong indication that some data processed in the context of the Instagram service actuallybelongs toa specialcategoryof data considering “photographsand other images that are, or were, potentiallyprocessed with use of facial recognition technology and other artificial intelligence technologies in the context of Facebook services”68. The NL SA highlights that according tothe CJEU ruling in case C-136/17 the mereindexing of certaindata could alreadysuffice toconclude thatArticle9 GDPRapplies 26. 155. The DE and NL SAs recall that only consent may be used in this context among the exceptions that Article9 (2)GDPRlaysdowntothegeneralprohibition ofprocessing specialcategoriesofdata 27.The FI SA recallsthatthe performance ofa contractisnot anexceptionpursuant toArticle9(2) GDPR 271. Argumentson othertypesofdatarequiring consent 156. TheNLSA identifiesasanotherindicator contradictingtheIESA’sconclusionthatthereisnoobligation toseek consent the fact that the controller processes a significant amount of personal datathat has beencollectedthroughcookies for online advertising purposes and oflocationdata 27. Risks 157. Ontherisks posed bytheDraftDecision,the DESAsconsider that,asthesubject ofthe complaintwas the processing as described in the Instagram Terms of Use there is also a significant risk for the fundamental rights and freedoms of all Instagram users in the European Union that their personal 273 data, including data of special categories are processed without any legal basis . The AT SA also considers thatthe compliance ofMetaIE withthe GDPRruleson the processing of specialcategories ofdatagoesbeyond thecase atstakeandaffectshundreds ofmillions ofdatasubjectswithintheEEA, asMetaIEis the provider of the biggestmedia networkinthe world 274. 158. The AT,DE,FI,FRandNL SAsarguethatthe IESA’sconclusion thatconsent is not requiredaffectsthe rightsofdatasubjects andtheir controlover theirpersonal data 275. 159. The AT SA argues that the first risk is that the data subject’s right to lodge a complaint with a supervisory authority pursuant to Article 77(1) GDPR becomesineffective because the IE SA did not handle the complaint in its entire scope, including sensitive data pursuant to Article 9 GPDR. The AT 267FRSAObjection,paragraph30. 268NLSAObjection,paragraph25. 269NLSAObjection,paragraphs26. 270 DESAs Objection,p.7;NLSAObjection,paragraph24. 271FI SAObjection,paragraph40. 272NLSAObjection,paragraphs22-23,27. 273DESAs Objection,p.9. 274 AT SAObjection,p.9. 275ATSAObjection,p.11;DESAs Objection,p.9;FI SAObjection,paragraph43;FRSAObjection,paragraph34; NLSAObjection,paragraphs30-31. 42 Adopted SA argues that this is not in line with the CJEU ruling in case C-311/18, which provides that the 276 supervisory authoritymust handle complaints withalldue diligence . 160. The FR SA arguesthat the DraftDecision poses a risk tothe fundamental rightsandfreedoms of the individuals concerned, according to Article 4(24) GDPR, insofar as the legal basis of contractual performance toprocessthe personal dataofInstagramuserstosend them targetedadvertisingdoes not allow the Europeanusers tohave controlover thefate of their data 277.TheFR SA alsonotes that since the DraftDecisionwillbe takenat theendof acooperationprocedure andmade public, it could be interpreted as reflecting the common position of the European supervisory authorities on this issue, andsetting aprecedent for acceptingthatacompany mayuse the legalbasisof the contractto process itsusers’ datafor targetedadvertisingpurposes whensuch processing isparticularlymassive andintrusive 278. 161. The NLSA specifies theprotectionsfrom whichthe datasubjectswould be depriveddue totheIESA’s conclusion thatconsent is not required, such asthe right todataportability(Article 20(1) GDPR);the possibility tospecifically consent tocertainprocessing operations andnot toothersandtothefurther processing of personal data (Article 6(4) GDPR); the freedom to withdraw consent (Article 7 GDPR) 279 andthe subsequent right tobe forgotten . 162. TheAT,DE,FIandNLSAsnote asanadditionalriskthatsensitive personaldatafallingwithinthe scope of Article9 GDPRis processedwithout meeting therequirementsof Article9(2) GDPR 280. 163. The FI SA highlights that the will of the legislator has been to protect the Article 9 GDPR special categorydatawitha duty ofcare andifthere is anyreasonable doubt thatMetaIE hasno legalbasis for processing operations of such sensitive data of the Instagram users, the said claim needs to be properly investigated or otherwise the lack of investigation would negatively affect hundreds of 281 millions ofInstagramuserswithintheEEAandundermine theirrighttoprivacyanddataprotection . 164. The NL SA underlines the risk that allowing the bypassing of legal provisions requiring consent to process datacreateslegaluncertaintythathampersthe freeflow of personaldatawithinthe EU 282. 165. TheNL SA alsoarguesthatnotassessing theprocessing inasufficiently thoroughmannercould create a precedent for controllers to exclude from their privacy policies or terms of service processing operationsthatmustbebasedonconsent.Thiswouldrisk leavingdatasubjectswithareduceddegree of transparency 28. 276 AT SAObjection,p.10-11. 277FRSAObjection,paragraph34. 278FRSAObjection,paragraph35. 279NLSAObjection,paragraph33. 280 281AT SAObjection,p.11;FI SAObjection,paragraph43;DESAs Objection,p.9;NLSAObjection,paragraph33. FI SAObjection,paragraph43. 282NLSAObjection,paragraph33. 283NLSAObjection,paragraph30. 43 Adopted 5.3 Position of the LSA on the objections 166. The IESA considers theobjections not reasonedanddoes not follow them 284. 167. The IE SA argues that the scope of the inquiry is appropriate and relatesto the issues raised in the complaint. It also argues that finding of additional infringements which have not been fully investigatedor put to the controller would impose a risk of procedural unfairness by depriving the controller of itsrighttobe heardin response toaparticularisedallegationof wrongdoing 285. 168. The IE SA notes that it hasdiscretion to determinethe frameworkof the inquiry, taking into account the scope of the writtencomplaint aslodged. The IE SA arguesthat it would not have been possible to assess each discrete processing operation by Meta IE, without first resolving the fundamental dispute between the parties on the interpretationof Article 6(1) GDPR. The IE SA considers that it would have beeninappropriate and disproportionate for it toundertake anopen-ended assessment of all of Meta IE’s processing operations related to the Instagram Terms of Use to handle the 286 complaint . 169. The IESA arguesthatitsanalysis of Article6(1)(b) GDPRdoes not preclude the possibility thatcertain discrete processing operations by Meta IE mayfall outside the scope of Article 6(1)(b) GDPR. The IE SA finds it reasonable andpracticaltosetthe scope of theinquiry, focusing onthe principledissues of 287 dispute, which itconsiders asnot prejudicing the operationof more specific data protectionrules . 170. The IESA considers that thereference toArticle 9 GDPRprocessing by MetaIE isanelement of what it viewsasthe Complainant’sfundamentalallegation,i.e.thattheagreementtotheTermsof Usewas a form ofGDPRconsent toprocessing ofpersonal data,including consent tothe processing of special categoriesof data. The IE SA argues that since the scope of its inquiry addresses this issue, it is not necessaryfor ittoalsoconduct anindiscriminate andopen-ended assessment ofMetaIE’sprocessing 288 thatmayotherwise fallwithin thescope of Article9 GDPR . 171. The IE SA notes that under Irish national law, there would be a very significant risk of procedural unfairness to Meta IE if the IE SA assumed, without any further factualexamination, that Meta IE unlawfully processes specialcategoriesof personaldata 289. 172. According totheIESA, the CSAs objectingtothe DraftDecisionintendtomaximise the complainant’s rightsbyrequiring consent-based processing for certainprocessing operationsandthus prioritising it over other legalbasis. The IESA considers thatveryextensive dataprotectionrightsalsoapply under the GDPRwhere theprocessing is basedon Article 6(1)(b) or Article6(1)(f) GDPR.The IESA contends that the variationin the extent of data subject rights and protections, depending on the applicable legal basis, is an inherent element of the legislative scheme of the GDPR. The IE SA considers that Article 6 GDPR does not provide thatthe “appropriate”datasubject rightsdetermine the legalbasis for processing. The IE SA notes that separate tothe user’s acceptance of the Terms of Use, Meta IE 284 285CompositeResponse,paragraphs36and48. CompositeResponse,paragraph97. 286CompositeResponse,paragraph26. 287CompositeResponse,paragaraph27. 288CompositeResponse,paragraph28. 289CompositeResponse,paragraphs32-33. 44 Adopted relies on different “acts” of consent for specific aspects of the service, including personalised advertising basedon users’ off-Instagramactivities.Inthis regard,theIESA statesthatthe complaint in this case was about the agreement to the Terms of Use and the processing it entails once accepted 290. 173. The IE SA arguesthat the objections are inconsistent withthe principle of legalcertainty, ascitedin Recital7 GDPR. The IE SA indicates that it is not satisfied that the GDPR requires the limitation of processing for thepurposes ofbehaviouraladvertisingtosituationswhereprocessing isbasedondata subject consent 29. The IE SA contends that interpretative approach of the CSAs raising objections would result in the arbitraryapplicationofmore restrictive dataprotectionrules for reasons thatare not found in the GDPR. The IE SA also states that this approach does not take due account of the extensive data protectionrightswhich apply toalllegalbases under theGDPR.The IESA assertsthat it is not open tothe supervisory authoritiestocreateadditional binding limitationson the applicable legal basis for the processing of data for behavioural advertising. The IE SA states that it is the 292 legislator,not the supervisory authorities, whichhasdefined the conditions for lawfulprocessing . 5.4 Assessment of the EDPB 5.4.1 Assessment of whether theobjections were relevant and reasoned 174. The EDPBresponds toMetaIE’sprimaryargumentstothe contraryin Section4.4.1above 29. 175. The AT,DE,ES, FI, FR andNL SAsobjectionsanalysedinthis sectionhave a directconnection withthe Draft Decision and refer to a specific part of the Draft Decision, i.e. Finding 1. The AT, DE, ES, FI, FR andNLSAs arguethattheIESAhasnot carriedout enoughinvestigationandlegalanalysis intheDraft Decisiontoconclude thatMetaIEisnot legallyobligedtorelyonconsent toprocessthe complainants’ 294 data . According to these CSAs, the IE SA should have identified and separately assessed any 290CompositeResponse,paragraphs46. 291CompositeResponse,paragraph47. 292 CompositeResponse,paragraph47. 293Meta IEarguesthat“ObjectionswhichraisematterswhicharenotwithintheDefinedScopeofInquiryarenot ‘relevantandreasoned’withinthemeaningofArticle4(24)GDPR”andsuchobjections“oughttobedisregarded intheirentiretybytheEDPB”.TheEDPBdoes notsharethisunderstanding,asexplainedabove.Seeparagraphs 73-75ofthisBindingDecisionabove.Inparticular,theEDPBrecallsthattheanalysisofwhethera givenobjection meets thethresholdsetbyArt.4(24)GDPRiscarriedoutona case-by-casebasis.Morespecifically,incontrast to the objections referred to by Meta IE that did not “establisha direct connectionwith the specificlegal and factual content of the Draft Decision”(Binding Decision2/2022paragraphs 139, 147, 164) here, each CSAhas madeseveralclearlinkswiththecontentoftheDraftDecision,asisdescribedinparagraphs143,145-147and 150-151ofthisBindingDecision.Moreover,whiletheobjections referencedbyMeta IEinparagraph4.9ofits Article65submissions werefound not to berelevant and/or reasoned intheBindingDecision 2/2022 as they did “not provide sufficiently precise and detailed legal reasoning regarding infringement of each specific provisioninquestion”,didnotexplainsufficientlyclearly,norsubstantiateinsufficientdetailhowtheconclusion proposedcould bereached, or didnot sufficiently demonstratethesignificanceof theriskposed bytheDraft DecisionfortherightsandfreedomsofthedatasubjectsorthefreeflowofdatawithintheEU(BindingDecision 2/2022,paragraphs140,148,165),asregardstheobjections analysedinthis section,theAT, DE, FI,FR andNL SAs providea numberof legal and factual arguments and explanations as to why an infringement forlack of appropriatelegalbasisistobeestablished,andadequatelyidentifytheriskposedbytheDraftDecisionifitwas adoptedunchanged(paragraphs145-165ofthisBindingDecision). 294AT SAObjection,p.9;DESAs Objection,pp.8-9;ESSAObjection,pp.2-3;FI SAObjection,paragraphs36-37; FRSAObjection,paragraph30;NLSAObjection,paragraph21. 45 Adopted processing ofspecial categoriesofpersonal datain InstagramTermsof Use 29.The NL SA arguesthat processing operationsconcerning locationdataandthe use oftrackingtechnologieson users devices should have investigatedandassessed bythe IESA aswell 29.The AT, FI,FR andNL SAs consider that the IE SA should broaden the scope of its investigationand examine whether the conditions for the processing ofspecialcategoriesofpersonaldatahavebeenmetbyMetaIEinrelationtotheInstagram 297 service . The DE, FR and NL SAs argue that the data that Meta IE’sprocesses may include special categoriesofpersonaldataunder Article 9 GDPR 298.Theycontendthatnothing indicatesthatMetaIE excludes these categoriesof datafrom itsprocessing for advertising purposes. The AT,DE,ES, FI and FR SAs highlight thatthe issue falls within the remitof the complaint since the complainant allegeda potentialviolationof Article9 GDPRandshould thereforebe investigatedandassessed bythe LSA 29. The AT, DE, ES, FI and FR SAs challenge the reasoning underling the conclusion reached by the LSA. This assessment could lead to a different conclusion insofar as the IE SA would fully cover the complaint and include factsanda legalassessment on the Instagram’sservice processing operations towhich Article6(1)(a), Articles7 and9 GDPRmayapply, whichmayrevealaninfringement byMeta IE300. 176. Consequently, the EDPB finds that the AT, DE, ES, FI, FR andNL SAs objections relating toFinding 1, whichstatesthatMetaIEisnot requiredtorelyonconsent todeliver theInstagramTermsofUse and 301 itsunderlying reasoning,are relevant . 177. The AT, DE, FI, FR and NL SAs objections are reasoned because they include clarifications and argumentsonlegal/factualmistakesinthe LSA’sDraftDecisionthatrequire amending.TheAT,DE,FI, FR and NL SAs consider that the IESA should have identified and separatelyassessed any processing of special categories of personaldata under Article 9 GDPR in the context of Instagram Terms of Use 302. Inparticular, the DE, FR andNL SAs argue that the data that Meta IE processesmayinclude special categories of personal data under Article 9 GDPR and that nothing indicates that Meta IE excludes these categoriesof data from its processing for advertising purposes 303. The AT, DE, ES, FR and NL SAs recallthat only consent maybe used in this context among the exceptionsthat Article 9 (2) GDPR lays down to the generalprohibition of processing special categoriesof data 304.The FI SA recalls that EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR state that the WP29 has observed that Article9(2)GDPRdoesnot recognise “necessaryfor theperformanceofa contract”asanexceptionto 305 the general prohibition to process special categories of data . The NL SA identifies as another 295 AT SAObjection,p.9;DESAs Objection,p.7;FI SAObjection,paragraph37;FRSAObjection,paragraph30; NLSAObjection,paragraph25. 296NLSAObjection,paragraphs22-23and27. 297AT SA Objection, p. 9; FI SA Objection paragraph41;FR SA Objection, paragraph30;NL SA Objection, 298agraph25. DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraphs24-25. 299AT SAObjection,p.9;DE SAs Objection,p.7;ES SAObjection,p.2;FI SAObjection,p.42;FRSAObjection, paragraph30. 300SeeEDPBGuidelinesonRRO,paragraph15andEDPBGuidelinesonArticle65(1)(a)GDPR,paragraphs40and Sub-sections4.2,4.2.3-4.2.5. 301Seeparagraphs143,145and150ofthisBindingDecision. 302AT SAObjection,p.9;DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraph25. 303DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraphs24-25. 304 AT SAObjectionpp.9-10;DESAs Objection,p.7;ESSAObjection,p.2-3;FRSAObjection,paragraph31;NL SAObjection,paragraph24. 305FI SAObjection,paragraph40. 46 Adopted indicator contradictingthe IE SA’sconclusion thatthere isno obligationto seekconsent the factthat thecontroller processesasignificant amountofpersonaldatathathasbeencollectedthroughcookies for online advertising purposes and of location data 306. The NL SA also arguesthat the IE SA should have investigated more into the safeguards that are implemented by the controller to address the specific interests of children307. Lastly, the NL SA states that the information shared by users on Instagrammaycontainpersonaldataconcerningthehealthofindividual usersandmentionstheruling of the CJEU in case C-136/17 stating that the mere indexing of certaindata could already suffice to 308 conclude thatArticle9 of the GDPRapplies . 178. Onthe risks posed by the DraftDecision,the AT,DE,FI,FR andNL SAs explainthatthe IE SA’sFinding 1 providing that consent isnot requiredputs at risk the rightsof datasubjects and their controlover their personal data 309.The AT SA mentions the risk thatthe data subject’sright tolodge a complaint with a supervisory authority pursuant to Article 77(1) GDPR becomes ineffective because the IE SA does not handle it initsentirescope, including specialcategoriesofdataunder Article9 GDPR 310.The FR SA arguesthat the Draft Decision could set a precedent for accepting the use of the contractual performance legalbasis to process users’ data for targetedadvertising purposes, which it views as 311 particularlymassive and intrusive . The NL SA specifies thatthe datasubjects could be deprived of the following protections derived from the use of consent: the rightto dataportability (Article 20(1) GDPR);thepossibility tospecificallyconsent tocertainprocessing operationsandnot toothersandto the furtherprocessing ofpersonal data(Article6(4) GDPR);thefreedom towithdrawconsent (Article 312 7 GDPR) and the subsequent right to be forgotten . The AT, DE, FI and NL SAs also note as an additional risk that special categoriesofpersonal data falling within the scope of Article 9 GDPR are processed without meeting the requirementsof Article 9 (2) GDPR 313.TheNL SA alsounderlines the data protection deficits that are foreseeable with a switch from consent tocontract legal basis and the risk that this conclusion would create legaluncertainty that hampers the free flow of personal data within the EU 314. The NL SA further adds the risk that the decision could create by setting a precedent for controllers to exclude from their privacy policies or terms of service processing operations based on consent, thus undermining the principle of transparency 31.The ES SA does not describe any riskon thisspecific topic in theirobjection316. 179. On the basis of the above considerations, the EDPBfinds that the objections raised bythe AT, DE,FI, FR and NL SAs concerning the conclusions in the Draft Decision about the fact that Meta IE is not obliged to relyon consent toprocess the complainant’sdata, are relevant and reasonedobjections under Article 4(24)GDPR. 306 307NLSAObjection,paragraphs22-23and27. NLSAObjection,paragraph34. 308NLSAObjection,paragraph26. 309AT SA Objectionpp. 10-11;DE SAs Objection, p. 9;FI SAObjection, pp. 9-10;FR SAObjection, p. 7;NLSA Objection,p.9-11. 310 AT SAObjection,p.10. 311FRSAObjection,paragraph35. 312NLSAObjection,paragraph33. 313AT SAObjection,p.11;DESAs Objection,p.9;FI SAObjection,paragraph43;NLSAObjection,paragraph33. 314 NLSAObjection,paragraphs32-33. 315NLSAObjection,paragraph30. 316ESSAObjection,p.3. 47 Adopted180. However,thepart ofthe NLSA objection asking the IESA toinclude in itsDraftDecisiontheelements concerning the need torely on consent for the placing of tracking technology on end users devices 317 under ePrivacylegislationfalls outside thescope of theEDPB’smandate . 181. Finally, theEDPBconsidersthattheobjection raisedby theESSA regardingthepotentialinfringement of Article 9 GDPR is not sufficiently reasonedwith reference tothe significance of the risks posed by the Draft Decision at stake and, therefore, the objection of the ES SA does not meet the threshold provided for by Article4(24) GDPR. 5.4.2 Assessment on the merits 182. Inaccordance withArticle 65(1)(a) GDPR, inthe context of a dispute resolution procedure the EDPB shall take a binding decision concerning all the matterswhich are the subject of the relevant and reasonedobjections, inparticularwhether thereis aninfringement ofthe GDPR. 318 183. TheEDPBconsidersthattheobjectionsfound toberelevantandreasonedinthissubsection require anassessment of whether the DraftDecision needs to be changedon its Finding 1, which concludes thatMetaIEhas(a)notsought torelyonconsent toprocess personaldatatodeliver the TermsofUse and (b) is not legallyobliged to rely on consent in order todo so. When assessing the merits of the objections raised, the EDPB also takes into account Meta IE’s position on the objections and its submissions. MetaIE’sposition on theobjectionsand itssubmissions 184. Inits submissions, MetaIE supports the IESA’s conclusion thatMeta IE does not rely on consent for the purposes of behaviouraladvertising andis not requiredtorelyon it 31. 185. Meta IE states that it does not seek or rely on consent as its legalbasis for purposes of processing personal data to provide behavioural advertising, except in limited circumstances where Meta IE 320 separately obtains consent, yet not through users’ acceptance the Terms of Use . Meta IE claims that it explains in its DataPolicy todata subjects thatMeta IE relieson consent under Article 6(1)(a) GDPR“[f]orusing datathatadvertisersandotherpartnersprovideusabout[users’]activityoffofMeta Company Products, so we can personalise ads we show [them] on Meta Company Productsand on websites, apps and devices that use our advertising services” and that it has a separate process for obtaining this consent in amanner thatsatisfies the requirementsof Article4(11) andArticle7 GDPR andwhich is “entirelyseparate from any interactionby userswith the TermsofUse or DataPolicy, is not part of the Complaint and has not beenexamined” inthe IESA’s inquiry 321. Meta IEsubmits that the Complaint is limitedto the question of whether MetaIE seeks forcedconsent todata processing throughacceptance ofthe Termsof Use. Meta IE thenasserts that since it does not seek, obtain, or relyon consent asa legalbasis under Article 6(1)(a) GDPRtoprocess user data via acceptanceofthe 317NLSAObjection,paragraphs7-8. 318 Theseobjections beingthoseoftheAT, DE, FI,FR andNLSAs,disagreeingwiththeIESA’s Finding1,which states thatMeta IEis notrequiredtorelyonconsenttodelivertheInstagramTermsofUseandits underlying reasoning. 319Meta IEArticle65Submissions,paragraphs5.2and5.6. 320Meta IEArticle65Submissions,paragraph5.4. 321 Meta IEArticle65SubmissionsFootnote61andparagraph6.27. 48 Adopted Terms of Use, the inquiry should end there and all unrelatedassertions in the objections should be 322 disregarded . 186. Meta IE allegesthat some CSAs suggest that behavioural advertising must in all cases be based on consent, andin doing so, the CSAs suggest anapproachthatmandatesMetaIE torelyonconsent for 323 “itsdataprocessingfor purposesofbehaviouraladvertising (or anyotherpurpose)” .MetaIEagrees with the IE SA’s assertion that any approachlimiting the legalbasis on which a controller could rely 324 would not be consistent withthe principle of legalcertainty .MetaIEconsiders thatthe GDPRwas drafted in a way that protects data subjects while affording flexibility to controllers and that its applicationishighlydependent onfactsandcircumstancesunderlying therelevantprocessing andthe natureof the service providers 325. MetaIEcontends thatthe GDPRcontainsno expressreferencesto behavioural advertising and establishes no specific limitations on the available legalbasis for such processing; it is technology neutral and does not include specific derogations or rules for any one specific industry32. 187. Withregardtotheconsiderationthatconsentasalegalbasisprovides moreextensive dataprotection rights, Meta IE argues that in defining the conditions for lawful processing, the EU legislature has ensured that appropriate data protection rightswould be afforded to data subjects no matter what 327 legalbasisis reliedon andextensive dataprotectionrightsapplytoalllegalbases .MetaIEsupports the IESA’s view thatArticle 6(1)GDPR doesnot require legalbasestobe determinedby referenceto 328 the applicable datasubject rightsfor eachbasis . EDPB’sassessment on themerits 188. The EDPB notesthat the IE SA’s Draft Decision submitted via the Article 60 GDPR procedure results from an inquiry that the IE SA conducted based on a complaint from a data subject and Instagram 329 user . The BE SA forwarded this complaint to the IE SA as LSA in the case, given Meta IE’s main establishment in Ireland. 189. In this complaint, the Complainant alleges that Meta IE violated Articles 5, 6, 7 and 9 GDPR. The Complainant arguesthatit is unclear to whatthe datasubject has consented when the data subject agreedtoInstagramTermsofUse andPrivacyPolicy 33. Morespecifically, the Complainant points out that it remains unclear which exact processing operations the controller chooses to base on each specific legalbasisunder Articles6 and9 GDPR 33.TheComplainant arguesthatthe Termsof Use and PrivacyPolicy alsoinclude specialcategoriesofdataunder Article9(1)GDPRbecausethedatasubject, as an Instagram user, has interactedwith various groups and individuals, which would accordingly reveal the data subject’s political affiliation, sexual orientation, health condition, etc 332. The 322 Meta IEArticle65Submissions,paragraph5.8. 323Meta IEArticle65Submissions,paragraph5.2. 324Meta IEArticle65Submissions,paragraph5.14. 325Meta IEArticle65Submissions,paragraph5.15. 326 Meta IEArticle65Submissions,paragraph5.15. 327Meta IEArticle65Submissions,paragraph5.16. 328Meta IEArticle65Submissions,paragraphs5.16-5.17. 329DraftDecision,paragraph3;ScheduletotheDraftDecision,paragraphs12and19. 330 Complaint,p.1-2. 331Complaint,p.1-2. 332Complaint,p.1-2. 49 Adopted Complainant claims that the controller also allows to target such information for advertisement 333. The Complainant considers that it would be necessary for the SA toinvestigate the concrete subject of the allegedconsent and the legalbasis for allprocessing operations andto request the record of 334 processing activitiesunder Article30(4)GDPR . 190. Basedon the scope ofthe IE SA’sinvestigationinto this complaint,the EDPB considers thatthe IE SA decidedtolimit thescope of itsDraftDecisiontothe following legalissues: o Issue 1 – Whether clicking on the “Agree to Terms” button constitutes or must be consideredconsent for thepurposes oftheGDPRand,ifso,whetheritis validconsent for the purposes ofthe GDPR. o Issue 2 – Whether Meta IE could rely on Article 6(1)(b) GDPR as a lawful basis for processing ofpersonal datainthe context ofTermsofUse and/or DataPolicy. o Issue 3 – Whether Meta IE provided the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent 335 manner. 191. The IESA arguesthatit hasdiscretion todetermine the frameworkofthe inquiry takinginto account the scope of the written complaint as lodged 33. The IE SA considers that it would not have been possible to undertake anassessment of eachdiscrete processing operation by Meta IE without first resolving the fundamentaldispute betweenthe partieson the interpretationof Article6(1) GDPR 337. Inrelationtothe processing ofArticle 9 GDPRcategoriesof data,the IESA considers thatthe inquiry has addressedthe fundamental issue of principle onwhich the complaint depends, andthis makesit unnecessarytoconduct anindiscriminate andopen-endedassessment ofprocessing falling withinthe 338 scope ofthis Article .The IESA thus concludes thatMetaIE has(a)not sought torelyon consent in order to process personal data to deliver the Terms of Use and (b) is not legally obliged to rely on 339 consent inorder todoso, basedonthe submissions of thePartiesandInstagramTermsofUse .The IESA warnsCSAs onthe legalrisks derivedfrom asking throughthe objections toexpandthematerial scope of the inquiry and thus cover infringements outside of the complaint and Draft Decision that the IE SA has not investigated(pursuant to itsown decision tolimit the scope of the inquiry) andput toMetaIE 340. 192. The EDPBnotesthattheComplaint makesplaintheconfusion oftheInstagramuserover whichofthe user’sspecialcategoriesof dataareprocessed, for whichpurposes andonwhich basis. 193. The Instagram Terms of Use themselves note in general terms “Providing our Service requires collecting and using your information. The Data Policy explains how we collect, use, and share 333 Complaint,p.4. 334Complaint,p.7and16. 335DraftDecision,paragraph30. 336CompositeResponse,paragraph26. 337 338CompositeResponse,paragraph26. CompositeResponse,paragraph28. 339DraftDecision,paragraph60;Finding1. 340CompositeResponse,paragraphs30-33and35. 50 Adopted information across the Facebook Products” 341 (service which includes “Offering personalized opportunitiestocreate,connect,communicate,discover,andshare”and“Connectingyouwithbrands, products,andservicesinwaysyoucareabout” 342).The InstagramTermsofUse include a referenceto 343 a separate document “the DataPolicy” , which lists under the heading “Things you and others do andprovide”:“Datawithspecialprotections:You canchoose to provide information in your Facebook profile fields or Life Events, about your religious views, political views, who you are ‘interested in’ or your health. Thisand other information (such as racialor ethnic origin, philosophical beliefs or trade 344 union membership) is subject to special protectionsunder EU law” . The Data Policydescribes the purposes for which these data areprocessed in verygeneraltermssuch as“Provide,personalize and improve ourproducts” and“toselectand personalizeads, offersand othersponsored contentthatwe show you” 345 with no specific reference tothe specific processing operations and categoriesof data eachpurpose wouldcover. MetaIEthusseems toacknowledgein itsDataPolicy 346thatituses special categoriesof data for behavioural advertising purposes, without specifying the “special protections under EU law” that it would apply to such processing. Meta IE only includes a generalreference to consent amongotherlegalbasisinthe samepage 347,whichincludesalink toaseparatefacebook.com page mentioning the use of consent on data with special protection and referring to the Instagram 348 Settings . 194. The IE SA finds that the way in which Meta IE provides, in relation to processing for which Article 6(1)(b) GDPR is relied upon, this information and the lack of information on the specific processing operations, the data involved, their purposes and legal basis constitute an infringement of transparencyobligations under the GDPR(Article5(1)(a), Article12 (1), andArticle13(1)(c) GDPR) 349. The IE SA considers the complaint inthis case tobe limitedtothe Termsof Use and the processing it entailsonce accepted 350.Inthese circumstances,the IESA acceptsatfacevalue MetaIE’ssubmission on its reliance on different “acts” of consent for discrete aspectsof the service separatelyfrom the user’sacceptanceof theTermsof Use 35. The IESA does not engageintoanyfurther examinationor verificationonhow consent issought inthe caseof processing carriedout toprovide discreteaspects of the service. The IE SA also does not examine or verify whether special categoriesof data under Article 9 GDPR are processed in the context of the Instagram service and, if so, whether they are subject tothese “acts”of consent andthus effectivelytreatedoutside the scope ofthe Termsof Use 341InstagramTermsofUse,Section“TheDataPolicy”. 342InstagramTermsofUse,Section“TheInstagramService”. 343The document is titled as “Instagram Data Policy”, howeverit is explainedinits chapeauthat “[t]his policy describes the information we process to support Facebook, Instagram, Messengerand other products and featuresofferedbyFacebook(FacebookProductsorProducts)”. 344InstagramDataPolicy,Section“Thingsyouandothersdoandprovide”. 345 Instagram Data Policy, Section “How do we use this information? -Provide, personalize and improve our 346ducts”. Instagram Data Policy, Section “Things you andothers do and provide” and Section“How do we use this information?-Provide,personalizeandimproveourProducts”. 347Data Policy,Section“Whatisourlegalbasisforprocessingdata?”. 348Facebookwebsitehttps://www.facebook.com/about/privacy/legal bases. 349 DraftDecision,Finding3. 350 The IE SA mentions in its Scheduleto the Draft Decision, paragraphs 134-135“My view is that [...] the Complaint even taken at its height quite clearly only concerns data processing arising out of the act of acceptance.Onthisbasis,Idonotacceptthattheprocessingofsensitivecategoriesofpersonaldataonthebasis ofArticle 9GDPRconsentfallswithinthescopeofthisInquiry.ThereisnoevidencethatMetaIrelandprocesses specialcategorydataatallinrespectoftheInstagramservice”. 351CompositeResponse,paragraph46. 51 Adopted and the legalbasis of Article 6(1)(b) GDPR on which the Terms of Use purportedly rely, or whether some special categoriesof personal data, as defined by the GDPR and EU case-law 352, are treated under the InstagramTermsof Use. 195. The CJEU assertedrecentlythatthe purpose ofArticle9(1)GDPRis toensure anenhancedprotection of data subjects for processing, which, because of the particular sensitivity of the data processed, is liable to constitute a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, guaranteedbyArticles7 and 8 of the Charter 353. TheCJEU adoptsawide interpretationoftheterms“specialcategoriesofpersonaldata”and“sensitive data” that includes data liable indirectly to reveal sensitive information concerning a natural person 354. Advocate GeneralRantosreiteratesthe importance for the protectionof data subjects of Article 9 GDPR andapplies the same interpretationto the dataprocessing insocial network services for behavioural advertising bystatingthat “theprohibition on processing sensitive personaldata may include theprocessing ofdatacarriedout byan operatorof an online socialnetworkconsisting in the collectionofauser’sdatawhenhe or she visits otherwebsitesor apps or enterssuch data into them, the linking of suchdata to the user account on the social networkand the use of such data,provided thattheinformation processed,consideredin isolation or aggregated,makeitpossible toprofile users on the basis of the categories that emerge from the listing in that provision of types of sensitive personaldata” 35. 196. Therefore,theGDPRandthecase-lawpayespecialattentiontotheprocessing orpotentialprocessing of special categories of personal data under Article 9 GDPR to ensure the protection of the data subjects. In this connection, the Complainant allegesin the Complaint, among others, a violation of Article 9 GDPRand expressly requeststhe IESA toinvestigateMeta IE’sprocessing operations inthe context of the Instagram service covered by this Article 356. In a subsequent submission on the Preliminary DraftDecision, the Complainant criticisesthe scope thatthe IE SA decided togive tothe Complaint anditslackofinvestigationofMetaIE’sprocessingactivitiesandallegesthattheIESAfailed to give due consideration to processing under Article 9 GDPR and other cases in which it relies on 357 consent . 197. Inthe present case,theIESA limiteditsfactsandlegalassessment inthe DraftDecisiontothegeneral question of whether Meta IE has (a) sought to rely on consent in order to process personal data to deliver the Termsof Use and (b) if it is legallyobliged to relyon consent in order todo so. The IE SA categoricallyconcludes on these questions. At the same time, the IE SA acknowledgesa serious lack of transparency by Meta IE, as regards the information provided concerning the processing being carriedout in reliance on Article 6(1)(b) GDPR and does not clarify which data categoriesare being processed for behaviouraladvertising,if MetaIEprocesses specialcategoriesofdata,andifit does, if 352 SeeArticle9GDPRandC-184/20Vyriausiojitarnybinėsetikoskomisija. 353C-184/20 Vyriausiojitarnybinės etikos komisija, paragraph126. 354C-184/20 Vyriausiojitarnybinės etikos komisija, paragraph127. 355C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022, 356I:EU:C:2022:704,paragraph46. Complaint,p.1-3,7,16. 357DraftDecision,paragraphs28-29;Complainant’sSubmissiononPreliminaryDraftDecisionininquiryIN-18- 5-5 of 11 June2021, pp. 11-13(ina letter to theIE SAof 4 February 2022p. 2 theComplainant explains that their submissions in IN-18-5-5on facebook.com shouldbe considered as their submissions in IN-18-5-7on Instagramandallreferencesshouldbereadaccordingly). 52 Adopted MetaIE complies withthe conditions of Article 9 GDPRand othersrelevant tothe application of this provision (for example,Articles6(1)(a) andArticle7 GDPR). 198. By deciding not to investigate, further to the Complaint, the processing of special categories of personal data in the context of the Instagram service, the IE SA leaves unaddressed the risks this processing poses for the Complainant and for Instagram users. First, there is the risk that the Complainant’sspecialcategoriesof personaldataareprocessed withinthe Instagramservice tobuild intimate profiles of them for behavioural advertising purposes without a legalbasis and ina manner not compliant with the GDPR and the strict requirements of its Article 9(2) GDPR and other GDPR provisions relevant thereto. Second, there is also the risk that Meta IE does not consider as special 358 categoriesof personal data (in line with the GDPR and the CJEU case-law ) certain categoriesof personaldatait processes andconsequently, thatMetaIEdoes not treatthemaccordingly.Third,the Complainant and other Instagram users whose special categoriesof are processed may be deprived of certainspecial protections derived from the use of consent, such as the possibility tospecifically consent tocertainprocessing operations andnot toothersand tothe further processing of personal data(Article 6(4)GDPR);thefreedom towithdraw consent (Article 7 GDPR)andthe subsequent right to be forgotten 359. Fourth, given the great size and dominant market share of Meta IE in the social media market, leaving unaddressed its current ambiguity in the processing of special categoriesof personal data, and its limited transparency vis-à-vis Instagram users, may set a precedent for controllers to operate in the same manner and create legaluncertaintyhampering the free flow of personal datawithinthe EU. 199. The EDPB further considers, also in view of these risks to the Complainant and to other Instagram users, thatthe IE SA did not handle the Complaint withalldue diligence 36.The EDPBsees thelackof anyfurtherinvestigationintothe processing ofspecialcategoriesofpersonaldataasanomission, and in the present case finds it relevant that the Complainant allegedinfringements of Article 9 GDPR in 361 the Complaint . The EDPB contends that inthe present case, the IE SA should have verified on the basis of the contract and the data processing actually carried out on which legal bases each data processing operationatissue relies. 200. The EDPB alsohighlights that bylimiting excessively the scope of its inquiry despite the scope of the complaint in this cross-border case and systematically considering all the objections raised by CSAs not relevantand/or reasonedandthusdenying theirformaladmissibility, the IESA asLSA inthiscase, constrains the capacityof CSAs to act and tackle the risks to data subjects in sincere and effective cooperation. Asruledby theCJEU, the LSA must exercise itscompetence withina frameworkof close cooperationwithothersupervisory authoritiesconcernedandcannot“eschewessentialdialoguewith 358See C-184/20 Vyriausioji tarnybinėsetikos komisija and more recently on the processing in Facebook: C-252/21Oberlandesgericht Düsseldorf request, Opinion of the AdvocateGeneral on 20 September 2022, ECLI:EU:C:2022:704,. 359 Art. 17GDPR. 360JudgementoftheCourtofJusticeof16July2020,DataProtectionCommissionervFacebookIrelandLimited and MaximillianSchrems, C-311/18, ECLI:EU:C:2020:559, (hereinafter ‘C-311/18, Schrems II'), paragraph109; Judgement of the Court of Justiceof 6 October2015, Schrems, C-362/14, ECLI:EU:C:2015:650, paragraph63; Judgement of the Court of Justice of 4 April 2017, European Ombudsman v Staelen, C-337/15, ECLI:EU:C:2017:256,paragraphs12,34,43,114. 361 Complaint,p.1-3,7,16. 53 Adopted 362 and sincereandeffectivecooperationwiththeothersupervisoryauthoritiesconcerned” .Thelimited scope the IESA gavetotheinquiry anditsconsideration ofalltheobjections made asinadmissible for being not relevant or reasoned also impairs the EDPB’scapacityto conclude on the matterpursuant to Article 65 GDPR and thus ensure a consistent application of EU data protection law, especially considering thatthe complaint wasintroducedmore thanfour yearsago. 201. As a result of the limited scope of the inquiry and the fact that the IE SA did not verify and assess in the DraftDecisionMetaIE’sprocessing ofspecial categoriesofpersonal datainitsInstagramservice, the EDPBdoes not have sufficient factualevidence on MetaIE’sprocessing operationstoenable it to make a finding on any possible infringement by Meta IE of its obligations under Article 9 GDPR and other GDPRprovisions relevantthereto. 202. Inconclusion, the EDPB decides thatthe IE SA cannot categoricallyconclude at this stagethroughits Finding 1 that Meta IE isnot legallyobliged to rely on consent toprocess personal data tocarryout the personal data processing activities involved in the delivery of the Instagram Service, including behavioural advertising as set out in the Instagram Terms of Use without further investigating its processing operations, the categoriesof data processed (including to identify special categories of personal datathatmaybe processed), andthe purposes theyserve. 203. The EDPBinstructs the IE SA toremove from its DraftDecisionits conclusion on Finding 1. The EDPB decides that the IE SA shall carry out a new investigationinto Meta IE’sprocessing operations in its Instagramservicetodetermineifit processesspecialcategoriesofpersonaldata(Article9GDPR),and complies with the relevant obligations under the GDPR, to the extent that this new investigation complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding Decision,andbasedontheresultsofthisinvestigation,issue anew draftdDecisioninaccordancewith 363 Article60(3) GDPR . 6 ON THE POTENTIALADDITIONAL INFRINGEMENTOFTHE PRINCIPLE OF FAIRNESS 6.1 Analysis by the LSA inthe DraftDecision 204. TheIESA initsDraftDecisionaddresses theComplainant’sallegationsthattheunclearandmisleading nature of the InstagramTermsof Use andDataPolicy, togetherwiththe mode of acceptanceofthe Terms of Use, have made Instagram users believe that all processing operations were based on consent under Article 6(1)(a) GDPR and thus constituted a breach of the Meta IE’s transparency obligations under Articles 5(1)(a)and 13(1)(c) GDPR 364. The IE SA analyses the submissions provided 365 by the Meta IE and, noting the Complaint’s focus on the alleged“forced consent” , concludes that Meta IE has breached Article 5(1)(a), Article 13(1)(c) and Article 12(1) GDPR due to the lack of 362JudgementoftheCourtofJusticeof15June2021,FacebookIrelandLtdvGegevensbeschermingsautoriteit, C-645/19, ECLI:EU:C:2021:483, (hereinafter ‘C-645/19 Facebook v Gegevensbeschermingsautoriteit), paragraphs53and63. 363EDPBGuidelinesonArticle65(1)(a)GDPR,Section4.2.3andparagraph85. 364 365DraftDecision,issue3,paragraphs116-196,inparticulartheconclusioninparagraph196. Seealsoparagraph3ofthisBindingDecision 54 Adopted transparencyin relationtothe processing for whichArticle 6(1)(b) GDPRhasbeenreliedon 366. TheIE SA explains that,while aninfringement of Article 5(1)(a) GDPRdoes not necessarily or automatically flow from findings of infringement under Articles 12 and/or 13 GDPR, there is an important link between these provisions 367. Nevertheless, the IE SA takes the view that “[t]he factual question of whetherthedatasubject was misled asto the legalbasis isthereforepart ofthe broaderquestion as to whether there was compliance with transparency requirements and should not be considered in isolation ofthis broaderissue” 368. The IE SA points out thatArticle 5(1)(a)GDPRlinks transparencyto 369 the overallfairness of the activitiesof the controller and concludes on the breachofthis provision inrelationtothe infringement ofthe transparencyobligations 370. 6.2 Summary of the objection raisedby the CSA 205. The IT SA objects tothe scope of Finding 3 of the DraftDecision andtothe assessment leading up to it.The ITSA agreestoalargeextent withthe Draft Decision’sFinding 3 on theinfringement of Article 371 12(1), Article13(1)(c),andArticle5(1)(a)GDPRintermsoftransparency .However,theITSA argues thatMetaIEhasalsofailedtocomply withthemore generalprinciple offairnessunder Article5(1)(a) GDPR, which, inthe view of the IT SA, entails separate requirementsfrom those relating specifically totransparency 37. 206. According to the IT SA, the relationship between Meta IE and Instagram users is markedly and significantlyunbalanced 373andaninfringement of the fairnessprinciple resulted, first ofall, from the misrepresentation of the legal basis for processing by the controller 374, considering that “Meta presenteditsserviceto usersin a misleading manner”and“withouttaking dueaccount ofusers’ right tothe protectionoftheirpersonaldata” 375. TheITSA arguesthat“thecontrollerleavesitsusersinthe dark as theyare expected to tellor actually ‘figure out’, from time to time, the possible connections 376 betweenpurposesought, applicable legalbasis and relevantprocessing activities” . 207. Secondly, such infringementalsostemsfrom the“high-leveland all-encompassing referencetoArticle 6(1)(b) GDPRas relied upon to enable the massive collection of personaldata [...]and theirreuse for multifarious,distinct purposes”,considering the“pervasiveaswellasprolongedanalysis of[theusers’] online behaviour” amounting toa disproportionate interference withtheir private lives comparedto 377 the pursuit of freedom of enterprise . 208. The IT SA thus considers that the IE SA should have found an infringement of the fairness principle under Article 5(1)(a) GDPR, inaddition to the infringement of the transparencyobligations derived 366DraftDecision,paragraphs180-196. 367DraftDecision,paragraph191. 368 DraftDecision,paragraph25. 369DraftDecision,paragraph193. 370DraftDecision,paragraphs191-196andFinding3. 371ITSAObjection,p.4-5. 372 ITSAObjection,p.5. 373ITSAObjection,p.5. 374ITSAObjection,p.5. 375ITSAObjection,p.5. 376 ITSAObjection,p.6. 377ITSAObjection,p.6. 55 Adopted from this provision, without any need for supplementary investigations 378. According to the IT SA, should the objection be followed, it would also impactthe exercise of by correctivepowers by the IE SA, i.e.themeasurestobe imposed on thecontroller in order tobring the processing into conformity 379 withthe GDPR . 6.3 Position of the LSA on the objection 380 209. The IESA does not consider the ITSA objection tobe relevantandreasonedanddoes not follow it . The IE SA examines it together with the other objections relating to the scope and conduct of the inquiry andcontends thatintroducing novel issues not raisedby the Complainant or otherwise put to the partieswould represent a significant departureintermsof thescope of theinquiry 381. 210. TheIESA highlightsthelegalconsequences thatwouldflow from makingmaterialchangesconcerning infringementsoutside of the Complaint andDraftDecision, namelythe likelihood thatMetaIEwould succeed in arguing before the Irish Courts that it has been denied an opportunity to be heard on additional and extraneousfindings that are adverse toit 382. The IE SA’s concernarose from the fact that,accordingtothe IESA, MetaIEwasnever invitedtobe heardinresponse toanallegationthatit hadinfringedthe fairnessprinciple set out inArticle5(1)(a)GDPR.TheIESA notes,in thisregard,that a respondent has the rightto be heardin response tothe particularsof the case being made against it and that this is a core element of a fair procedure pursuant to Irish law. The IE SA takes the view thatexpandingthe materialscopeofthe inquiryis neithernecessary,nor couldbe reconciledwiththe controller’srighttoa fair procedure 38. 6.4 Analysis of the EDPB 6.4.1 Assessment of whether theobjection was relevant and reasoned 384 211. The ITSA objectionconcerns “whetherthereisan infringementoftheGDPR” . 212. The EDPBtakesnote of MetaIE’sview thatthe objections categorisedby the IE SA asrelatingtothe scope andconduct of the inquiry, among whichthe ITSA objectionregardingthe infringement ofthe fairness principle, are “irrelevant to the resolution of this Inquiry” and, if accepted, would seriously 385 infringe Meta IE’sproceduralrightsunder both Irish and EU law . According toMeta IE, “the EDPB cannot expand the scope ofthe Inquiryin the manner suggested bythe CSAs through Objectionsthat are not relevantto thesubstance of the Complaint” andin relationtothis MetaIEreferstothe EDPB Binding Decision2/2022 386. 378ITSAObjection,p.5-6. 379ITSAObjection,p.1. 380CompositeResponse,paragraph36. 381 CompositeResponse,paragraph29. 382CompositeResponse,paragraphs31-32. 383CompositeResponse,paragraph35. 384EDPBGuidelinesonRRO,paragraph24. 385 Meta IE Article65 Submissions, paragraph 4.2and paragraphs 4.10 to 4.20 regarding the right to fair procedure,aswellasMeta IEArticle65Submissions,Annex1,paragraph7.7. 386Meta IEArticle65Submissions,paragraph4.9.Inparticular,Meta IEreferstoparagraphs139,140,147,148, 164,and165oftheEDPBBindingDecision2/2022. 56 Adopted213. Meta IE further contends that the IT SA objection is not reasoned as it provides broad and 387 unsubstantiatedallegationswithout presentingfactsor evidence in thisregard andfailstoaddress the significance ofthe risk tofundamentalrightsandfreedomsposed by the DraftDecision 388. 214. Asitwaspreviously explained,theEDPBdoesnotshare theunderstanding thatCSAsmaynot disagree 389 withthescope ofthe inquiry asdecidedbythe LSA bywayofanobjection .The EDPBrecallsthatan objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA, for example in situations where the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant 390. In this regard, the EDPB observes that,in theircomplaint, the Complainant allegesthat the informationprovided in MetaIE’s PrivacyPolicy“isinherentlynon-transparentandunfair withinthemeaningofArticles5(1)(a)and 13(c) GDPR” 39. Inaddition, the Complainant alleges that “Asking for consent to a processing operation, whenthe controllerreliesin fact on another legalbasis is fundamentally unfair, misleading and non- transparentwithin themeaning ofArticle5(1)(a) oftheGDPR” 39.Therefore,theEDPBdisagreeswith the IE SA’s finding that assessing Meta IE’s compliance with the principle of fairness would amount addressing matters“whichfall outside ofthescope of theunderlying complaint” 39. 215. The EDPB notes that the IT SA agreeswiththe IE SA’sfinding with regardtothe infringement of the 394 principle of transparencyunder Article5(1)(a) GDPR .Asthis finding is not subject toa dispute, the EDPBwillnot examine this matter. 216. After analysing the IT SA objection, the EDPB finds that the objection is relevant, as it refers to a specific part of the Draft Decision (Finding 3 39), and if followed would lead to the conclusion that there isaninfringement of the generalprinciple of fairness under Article 5(1)(a)GDPR,in additionto the breach of the separate requirements relating to transparency under this provision 39. The 387Meta IEArticle65Submissions,Annex1,paragraph7.8. 388Meta IEArticle65Submissions,Annex1,paragraph7.9. 389Seeparagraphs73-75ofthisBindingDecision. 390 EDPBGuidelinesonRRO,paragraph27. 391Complaint,paragraph2.3.1. 392Complaint,paragraph2.3.2. 393CompositeResponse,paragraph30. 394 395ITSAObjection,p.4-5. ITSAObjection,p.4-5. In respect of Meta IE’s arguments in paragraph 4.9 of its Article65 Submissions on this objection not being relevant, theEDPB recalls that theanalysis of whethera given objectionmeets thethreshold set by Art. 4(24) GDPRis carriedoutonacase-by-casebasis.MetaIEreferstotheEDPB’sBindingDecision2/2022andspecifically to theparagraphswheretheEDPBestablishedthatspecificobjections raisedbytheDE SAs andNOSAinthat casewerenotrelevantandreasoned.Thereareseveraldifferencesbetweenthoseobjectionsandtheobjection oftheITSAthatis beinganalysedinthissection. Morespecifically,intheBindingDecision2/2022theobjectionsreferredtobyMetaIEdidnot“establishadirect connectionwiththespecificlegalandfactualcontentoftheDraftDecision”(BindingDecision2/2022paragraphs 139,147,164)whereastheITSAobjectionheremakesseveralclearlinkswiththecontentoftheDraftDecision, byreferringtotheanalysiscarriedoutbytheIESAinrespectofthebreachofthetransparencyobligationsand to specificobservationsmadebytheLSAandexplainshowtheadditionalinfringementofArt.5(1)(a)couldbe established on that basis (see, for example, p. 6 of the IT Objection referring to paragraph 185of theDraft Decisionconcerningusersbeingleft“inthedark”). 396ITSAObjection,p.5-6. 57 Adopted objection, if followed, would also entail the exercise of corrective powers, i.e. the measures to be 397 imposed on the controller inorder tobring the processing into conformitywiththe GDPR . 217. The ITSA objectionis alsoreasonedbecauseitincludesseveralspecific legalandfactualargumentsin 398 support of finding anadditionalinfringement oftheprinciple offairnessunder Article5(1)(a)GDPR . For example,the IT SA explainsthat “[t]ransparencyand fairness are two separatenotions” andthat “transparencyrelatestoclarityoftheinformationprovided tousersvia theToSandtheprivacypolicy”, while “fairness relatesto how the controller addressed the lawfulness of the processing activities in 399 connection with its social networking service” . The IT SA contends that the “overall relationship betweenMetaandInstagram usersis markedly as wellas significantly unbalanced” 400. According to the IT SA, the first wayin which Meta IE hasinfringed the principle of fairness is by misrepresenting the legalbasis for processing in order to pursue its business model “without taking due account of users’ rightto theprotectionofpersonaldata” andleaving “itsusersin thedark” 401.Further, intheIT SA’s view, Meta IE has breached the fairness principle, by justifying via the broad reference to the legalbasis ofperformanceof contractamassive collectionof personaldataandtheirreuse for awide 402 rangeof purposes, disproportionately interfering withusers’ private life . 218. The ITSA objection alsoidentifies the risks posed by the absence inthe DraftDecisionof a finding on the infringement of thefairness principle, namelysettinga dangerousprecedent for future decisions concerning otherdigitalplatform operators-more generally,other controllersbelonging tothesame business sector -andmarkedlyweakeningthesafeguardsthatmustbe provided throughtheeffective implementationof the dataprotectionframeworkon account ofthe comprehensive disregardofthe 403 fairness ofthe processing principle . 219. Therefore, the EDPB considers that the IT SA objection is relevant and reasoned (cf. Article 4(24) GDPR). 6.4.2 Assessment on the merits 220. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matterswhichare the subject of the relevantand reasonedobjections, inparticularwhether there is aninfringement ofthe GDPR. 397ITSAObjection,p.1. 398Seeparagraphs206-208ofthisBindingDecision. 399 ITSAObjection,p.5. 400ITSAObjection,p.5. 401ITSAObjection,p.6. 402ITSAObjection,p.6.Seealsoabove,paragraphs206-208.InrespectofMeta IE’sargumentsinparagraph4.9 ofits Article65Submissionsonthisobjectionnotbeingreasoned,theEDPBnotesthattheobjectionsthatwere foundtobenotrelevantand/ornotreasonedintheBindingDecision2/2022did“notprovidesufficientlyprecise and detailed legal reasoning regardinginfringement of each specific provision in question”, did not explain sufficiently clearly, nor substantiateinsufficient detail how theconclusion proposed could bereached, or did notsufficientlydemonstratethesignificanceoftheriskposedbytheDraftDecisionfortherightsandfreedoms ofthedata subjectsorthefreeflowofdatawithintheEU(BindingDecision2/2022,paragraphs140,148,165). The IT SAobjection provides, instead, a numberof legal and factual arguments andexplanations as to why a breachofthefairnessprincipleistobeestablished,andadequatelyidentifiestheriskposedbytheDraftDecision ifitwas adoptedunchanged. 403ITSAObjection,p.7. 58 Adopted221. The EDPBconsiders thatthe objection found tobe relevant andreasoned in thissubsection requires anassessment of whetherthe DraftDecision needstobe changedinsofar as it containsno finding of infringement of the fairness principle under Article 5(1)(a) GDPR. Whenassessing the merits of the objection raised, the EDPB also takes into account Meta IE’s position on the objection and its submissions. 222. The EDPBtakesnoteof MetaIE’sviewthattheITSA objection lacksmeritasit goesbeyondthe scope 404 of theinquiry . The EDPBalsonotes thatMetaIElinks the issue ofthe potentialinfringement ofthe principle offairness, raisedinthe ITSA objection, withthequestion ofthe competenceof CSAsor the EDPB toassess the validity of contractsinthe context of Article 6(1)(b) GDPR and, when responding tothe meritsof the ITSA objection, Meta IEreferstoits submissions on applicationof Article6(1)(b) GDPRwithrespect tostandardform contracts 405.While takingnote of MetaIE’sview onthis matter, the EDPB considers the question of Meta IE’scompliance withthe principle of fairness under Article 5(1)(a) GDPRtobe distinct from the question of the choice of the appropriate legalbasis (althougha connectedone, asexplainedbelow) andproceedswithits respectiveassessment below. 223. Firstly, the EDPBrecallsthatthe basic principles relating toprocessing listed inArticle 5 GDPRcan,as 406 such, be infringed . This is apparent from the text of Article 83(5)(a) GDPR which subjects the infringement ofthe basic principles for processing toadministrative fines ofupto20 million euros, or inthe caseof undertaking,upto4% ofthetotalworldwide annualturnover ofthe precedingfinancial year,whichever is higher. 224. The EDPBunderlines thatthe principles of fairness, lawfulness andtransparency,allthree enshrined in Article 5(1)(a) GDPR, are three distinct but intrinsically linked and interdependent principles that every controller should respect when processing personal data. The link between these principles is evident from a number of GDPR provisions: Recitals39 and 42, Article 6(2) and Article 6(3)(b) GDPR referto lawfulandfair processing,while Recitals60and71GDPR,aswellasArticle13(2),Article14(2) andArticle 40(2)(a)GDPRrefertofair andtransparentprocessing. 225. On the basis of the above consideration, the EDPB agreeswiththe IE SA’s view that “Article 5(1)(a) 407 links transparencyto the overall fairness of the activities of a controller” but considers that the principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment ofMetaIE’scompliance withthe principle offairness too. 404Meta IEArticle65Submissions,Annex1,paragraph7.10.Inthisrespectseeparagraphs73-75(section4.41) onthis BindingDecision. 405“To the extent the IT SAObjects tothe lawfulnessofMetaIreland’sdataprocessingbasedonthenatureof the contract between Meta Ireland and users of the Instagram Service (i.e. a standard form contract), Meta IrelandsubmitsthatthevalidityofcontractisnotwithinthecompetenceofCSAsortheEDPB.Inanyevent,Meta Ireland respectfully asks the EDPB to take into account its submission abovewith respect to standard form contracts”.Meta IEArticle65Submissions,Annex1,paragraph7.10. 406SeealsoBindingDecision1/2021,paragraph191. 407 DraftDecision,paragraph193. 59 Adopted226. The EDPB recallsthat, in data protection law, the concept of fairness stems from the EU Charter of 408 Fundamental Rights . The EDPB hasalreadyprovided some elementsas tothe meaning andeffect of the principle of fairness in the context of processing personal data. For example, the EDPB has previously opined in its Guidelines on DataProtectionby Designand by Defaultthat “[f]airness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental,unlawfullydiscriminatory, unexpectedormisleading to thedata subject” 409. 227. Among the key fairness elements that controllers should consider in this regard, the EDPB has mentioned autonomy of the data subjects, data subjects’ expectation, power balance, avoidance of deception, ethicaland truthful processing 410. These elements are particularlyrelevant in the caseat hand. The principle of fairness under Article 5(1)(a) GDPR underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of thedata subjects’ rights.The EDPBhas previously explained that“theprinciple of fairness includes, interalia, recognisingthe reasonable expectationsofthe data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potentialeffectsofimbalance betweenthemand thecontroller” 411. 228. The EDPB recalls that a fair balance must be struck between, on the one hand, the commercial interests of the controllers and, on the other hand, the rights andexpectations of the data subjects under theGDPR 41.Akeyaspectofcompliancewiththeprinciple offairnessunder Article5(1)(a)GDPR 413 refersto pursuing “powerbalance” asa “key objectiveof the controller-datasubject relationship” , especiallyinthecontextofonline servicesprovidedwithoutmonetarypayment,whereusersareoften not aware ofthe ways andextent to which their personal data is being processed 41. Consequently, lack of transparency can make it almost impossible in practice for the data subjects to exercise an informed choice over the use oftheir data 415which is incontrast withthe element of “autonomy”of datasubjects astothe processing of their personaldata 416. 229. Considering theconstantlyincreasing economic value ofpersonal datainthedigitalenvironment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentionalor not, whichwould result in the unjustified loss ofcontrol over their personal 408Art. 8 EU Charter of Fundamental Rights states as follows:“1. Everyone has the right to the protection of personal data concerninghim orher. 2. Such data must be processed fairlyforspecified purposes andon the basisoftheconsentofthepersonconcernedorsomeotherlegitimatebasislaiddownbylaw”(emphasisadded). 409EDPB Guidelines 4/2019 onArticle25 Data Protection by Designand by Default, Version 2, Adopted on 20 October2020(hereinafter“EDPBGuidelinesonDataProtectionbyDesignandbyDefault”),paragraph69. 410 411EDPBGuidelinesonDataProtectionbyDesignandbyDefault,paragraph70. EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph12. 412Onthebalancebetweenthedifferentinterests atstakeseeforexample:JudgementoftheCourtofJustice of12December2013,X,C-486/12,ECLI:EU:C:2013:836;JudgementoftheCourtofJusticeof7May2009,College vanburgemeesterenwethoudersvanRotterdamvM.E.E. Rijkeboer,C-553/07,ECLI:EU:C:2009:293;Judgment of the Court (GrandChamber) of 9 November 2010, Volker undMarkus ScheckeGbR (C-92/09)andHartmut Eifert(C-93/09)vLandHessen,ECLI:EU:C:2010:662. 413EDPBGuidelinesonDataProtectionbyDesignandbyDefault,paragraph70. 414Ononlineservices,seeEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs3-5. 415 416FurtherEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph4. EDPB Guidelines on Data Protectionby Design and byDefault, paragraph70. According to this element of fairness,“datasubjectsshouldbegrantedthehighestdegreeofautonomypossibletodeterminetheusemade oftheirpersonaldata,aswellasoverthescopeandconditionsofthatuseorprocessing”. 60 Adopted data.Compliance by providers ofonline services actingascontrollers withallthree of thecumulative requirements under Article 5(1)(a) GDPR, taking into account the particular service that is being provided and the characteristicsof their users, serves as a shield from the danger of abuse and deception, especiallyin situationsof power asymmetries. 230. The EDPB haspreviously emphasised that the identification of the appropriate lawfulbasis is tiedto 417 theprinciples of fairnessandpurpose limitation .Inthisregard,theITSA rightlyobserves thatwhile finding a breachof transparencyrelatesto the wayin which information hasbeen provided to users via the InstagramTermsof Use andDataPolicy, compliance withthe principle of fairnessalso relates to“how thecontrolleraddressedthelawfulnessoftheprocessingactivitiesin connectionwithitssocial networkingservice” 41. Thus the EDPB considers that anassessment of compliance by Meta IE with the principle of fairness requires also an assessment of the consequences that the choice and presentation of the legal basis entail for the users of the Instagram service. In addition, that assessment cannot be made in the abstract, but has to take into account the specificities of the particularsocialnetworking serviceandof theprocessing ofpersonaldatacarriedout,namelyfor the 419 purpose of online behaviouraladvertising . 231. The EDPBnotesthatin thisparticularcase thebreachof MetaIE’stransparencyobligationsisofsuch gravitythatit clearlyimpactsthe reasonable expectationsof the Instagramusers by confusing them on whether clicking the “Agree to Terms” button results in giving their consent to the processing of their personal data. The EDPB notes in this regardthat one of the elementsof compliance withthe principle offairness is avoiding deception i.e.providing information“in an objectiveand neutralway, 420 avoiding anydeceptiveor manipulative language or design” . 232. Asoutlined inthe DraftDecision,the Complainant arguesthatMetaIEreliedon“forcedconsent” asa result of being led to believe that the legalbasis for processing the controller was relying upon was consent 421. The Complaint demonstratesthe confusion suffered bythe Complainant both due tothe 422 (lack of) information presented to Instagram users in the context of their “agreement” and the circumstancesof how the act of“agreement”wassought by MetaIE 423.TheEDPBconsiders thatthe LSA should have takeninto account such Meta IE’spracticesin relationto the principle of fairness, regardlessof its finding that Meta IE hasnot sought to rely on consent in order to process personal datatodeliver the Termsof Use 424. 233. Inaddition, andasrecognisedby the LSA itself, further toitsassessment of the informationprovided concerning processing being carriedout in reliance on Article 6(1)(b) GDPR, “it is impossible for the user to identify with any degreeof specificitywhat processing is carriedout on what data, on foot of 417EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph1. 418 419ITSAObjection,p.5. SeeDraftDecision,paragraph104wheretheIESAholdsthat“thecoreoftheserviceofferedbyMetaIreland is premised on the delivery of personalised advertising”and Meta IE Article65 Submissions, paragraph 6.38 whereMeta IEclaimsthat“ItwouldbeimpossibletoprovidetheInstagramServiceinaccordancewiththeTerms ofUse withoutprovidingbehaviouraladvertising”. 420 421EDPBGuidelinesonDataProtectionbyDesignandbyDefault,paragraph70. DraftDecision,paragraph37. 422Complaint,p.3. 423Complaint,p.6-7. 424DraftDecision,Finding1. 61 Adopted the specified lawful bases” 425. Considering this, in the EDPB’sview, there are clear indications that 426 Instagram users’ expectations with regard to the applicable legal basis have not been fulfilled . Therefore, the EDPB shares the IT SA’s concern that Instagram users are left “in the dark” 427and considers that the processing by Meta IE cannot be regardedas ethicaland truthful 428because it is confusing withregardtothetype ofdataprocessed,the legalbasisandthepurpose oftheprocessing, whichultimatelyrestrictsthe Instagramusers’ possibility toexercisetheir datasubjects’ rights. 234. Furthermore, the EDPBconsiders that the extensive analysis by the IE SA withregardto the issue of legalbasisandtransparencyinrelationtotheprocessing being carriedoutinrelianceonArticle6(1)(b) GDPRisclosely linkedtotheissue of complianceby MetaIEwiththe principle offairness. Considering the seriousness of the infringementsof the transparencyobligations by MetaIE alreadyidentified in theDraftDecisionandthe relatedmisrepresentationofthelegalbasis reliedon, theEDPBagreeswith the IT SA that Meta IE has presented its service to the Instagram users in a misleading manner 429, which adversely affectstheir control over the processing of their personal data and the exercise of their data subjects' rights. Therefore, the EDPB isof the opinion that the IE SA’sfinding of breachof 430 Article 5(1)(a) GDPRwithregardto the principle of transparency should extend tothe principle of fairness too. 235. This is all the more supported by the fact that, in the circumstances of the present case as demonstrated above 431, the overall effect of the infringements by Meta IE of the transparency obligations under Article 5(1)(a), Article 12(1), Article 13(1)(c) GDPR and the infringement of Article 6(1)(b) GDPR 432furtherintensifiestheimbalancednatureof therelationshipbetweenMetaIEandthe Instagramusersbrought upbytheITSA objection. Thecombinationoffactors,such asthe asymmetry of the informationcreatedby MetaIEwithregardto theInstagram service users, combinedwiththe “take it or leave it” situation that they are faced with due to the lack of alternative services in the marketand the lackofoptions allowing them toadjust or opt out from a particularprocessing under the contract with Meta IE, systematically disadvantages the Instagram service users, limits their control over the processing of their personal data andundermines the exercise of their rightsunder Chapter IIIofthe GDPR. 236. Therefore, the EDPB instructs the IE SA to include a finding of an infringement of the principle of fairness under Article 5(1)(a) GDPR by Meta IE, in addition to the infringement of the principle of transparency under the same provision, and to adopt the appropriate corrective measures, by addressing, but without being limited to, the question of anadministrative fine for thisinfringement asprovided for in Section9 of thisBinding Decision. 425DraftDecision,paragraph185. 426According to the fairness element of “expectation”, “processing should correspond with data subjects’ 427sonableexpectations”.EDPBGuidelinesonData ProtectionbyDesignandbyDefault,paragraph70. ITSAObjection,p.6. 428See EDPB Guidelines on Data Protection by Designand byDefault, paragraph 70, wheretheEDPB explains that “ethical”means that “[t]he controllershouldsee the processing’s widerimpact on individuals’ rights and dignity“and “truthful”means that “[t]he controllermust make available information about how theyprocess 429sonaldata,theyshouldactastheydeclaretheywillandnotmisleadthedatasubjects”. ITSAObjection,p.5. 430DraftDecision,paragraphs180-196. 431Paragraphs223-235ofthisBindingDecision. 432Paragraph137ofthisBindingDecision. 62 Adopted 7 ON THE POTENTIALADDITIONAL INFRINGEMENTOFTHE PRINCIPLESOF PURPOSE LIMITATION ANDDATA MINIMISATION 7.1 Analysis by the LSA inthe DraftDecision 433 434 237. The IESA referstoArticle5(1)(b)GDPR andArticle5(1)(c) GDPR whenanalysingthe extentofthe controller’sobligation under Article 13(1)(c) GDPRandwhether Meta IEhas infringed this provision. More specifically, the IESA highlightsthat Article13 GDPRrequiresthat the purposesandlegalbases must be specified in respect of the intended processing and cannot just be cited in the abstract 435. AfterexplainingwhyMetaIE’sviewthatthereisnospecific obligationfor thelegalbasistobe mapped to the purpose of processing cannot be reconciled with a literalreading of the GDPR, the IE SA, for completeness, alsoengagesina systemic readingbasedon thelegislator’sobjective andthecontents 436 of theGDPRasa whole . 238. In this context, the IE SA points out that the six principles laid down under Article 5 GDPR are interconnectedandoperatein combinationtounderpin the whole GDPR 437.However,theIESA does not assess whether MetaIE’sprocessing activitiesentaila separate infringement of the principles of purpose limitationanddataminimisation under Article5(1)(b) andArticle 5(1)(c)GDPR. 7.2 Summary of the objection raisedby the CSAs 239. According tothe ITSA, thereisanadditionalinfringement ofpoints (b)and(c)of Article5(1)GDPRon accountof MetaIE’sfailuretocomplywiththe purpose limitationanddataminimisation principles. It considers that suchinfringement should be found without the needfor anyfurther investigationand should result intoa substantialincrease ofthe proposed administrative fine 438. 240. The IT SA puts forward several factual and legal arguments for the proposed change to the Draft Decision.First,itpointsout thattheIESAconfinesitsassessment toonlyone ofthecontractspurposes (the provision of online behavioural advertising), while the Instagram service would actually be composed of several processing activities pursuing several purposes 439. According to the IT SA, the fact that Meta IE inappropriately based its multifarious processing activities only on Article 6(1)(b) GDPRentailsaninfringement ofthe purpose limitationanddataminimisation principles 440. The IT SA stresses the relevance of these principles in online services contracts, astheyare not negotiatedon an individual basis, and refers to pages 15 and 16 of the WP29 Opinion 03/2013 on purpose 441 limitation .The ITSA also refersto the EDPBGuidelines 2/2019 on Article 6(1)(b) GDPR andrecalls that, where the contract consists of several separate services or elements of a service that can be 433 434DraftDecision,paragraphs152-160. DraftDecision,paragraph152. 435DraftDecision,paragraph162. 436DraftDecision,paragraphs167-171. 437Draft Decision, paragraph 152 andparagraphs 153-160withrespect to theprincipleof purposelimitation 438erArt.5(1)(b)GDPR. ITSAObjection,p.4. 439ITSAObjection,p.2. 440ITSAObjection,p.2. 441ITSAObjection,p.3. 63 Adopted performed independently, the applicability of Article 6(1)(b) GDPR should be assessed for each of 442 those services separately . 241. On the risks posed by the Draft Decision, the IT SA refers to the risk identified by the WP29 in its Opinion 03/2013 on purpose limitation 443, namely that “data controllers may seek to include processingtermsincontractsto maximise thepossible collectionand usesof datawithout adequately specifying those purposes or considering data minimisation obligations” 444. In addition, in the IT SA’s view, the failure to specify and communicate the purposes of the processing to the data subject creates a risk of artificially expanding the types of processing or the categories or personal data considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would nullify the safeguardsaffordedtodata subjectsunder dataprotectionlaw 445. 7.3 Position of the LSA on the objection 242. The IE SA does not consider that the IT SA’s objection is relevant and reasoned 446. Categorising the objection asrelating tothe scope andconduct ofthe inquiry, the IE SA adopts the same approachas with regard to the alleged infringement of the principle of fairness. More specifically, the IE SA contends thatintroducing novel issues not raised bythe Complainant or otherwise put tothe parties would represent a significant departurein termsof the scope of the inquiry 44. It highlightsthe legal consequences thatwouldflow frommaking materialchangesconcerninginfringementsoutside ofthe complaint andDraftDecision,namelythelikelihood thatMetaIEwouldsucceedinarguingbeforethe IrishCourts thatit hasbeendenied anopportunity tobe heardon additionalandextraneousfindings thatare adverse toit 448.The IE SA’sconcernarose from the fact that,accordingtothe IE SA, MetaIE wasnever invitedto be heardin response toanallegationthatit had infringedthe fairness principle set out in Article 5(1)(a) GDPR. The IE SA notes, in this regard, that a respondent has the right tobe heardin response tothe particularsof the case being made against it andthat this is a core element of a fair procedure pursuant toIrish law.The IESA takesthe view thatexpanding the materialscope of the inquiry is not possible under Irish procedurallaw 449.Itfurther notes that avery significant risk ofproceduralunfairness, under Irishnationallaw,wouldresult from the proposal toassume, without anyfurther factualexamination,thatMetaIE hasinfringedthe purpose limitationprinciple 45. 7.4 Analysis of the EDPB 7.4.1 Assessment of whether theobjection was relevant and reasoned 451 243. The ITSA’sobjection concerns “whetherthereisan infringement oftheGDPR” . 442ITSAObjection,p.3. 443WP29Opinion03/2013onpurposelimitation,WP203,adoptedon2April2013. 444ITSAObjection,p.3. 445 ITSAObjection,p.3. 446CompositeResponse,paragraph36. 447CompositeResponse,paragraph29. 448CompositeResponse,paragraphs31-32. 449 CompositeResponse,paragraph32. 450CompositeResponse,paragraph33. 451EDPBGuidelinesonRRO,paragraph24. 64 Adopted244. The EDPB takes note of Meta IE’s view that the IT SA’s objection does not meet the relevant and 452 reasoned thresholds because it falls outside the defined scope of the inquiry . As previously explained, the EDPBdoes not share the understanding thatCSAs maynot disagree withthe scope of the inquiry asdecidedby the LSA bywayof anobjection 453. 245. MetaIEpointsout thatthe objectionconcernsmattersthathavenot beeninvestigatedandrelatesto 454 theoreticalfindings on legalbases . Meta IE further arguesthat even if the objection satisfied the abovementioned thresholds, it should be disregarded because otherwise Meta IE’s right to fair 455 proceduresunder bothIrishand EUlaw would be contravened . 246. The EDPB considers that the IT SA objection is relevant as it refers to specific parts of the Draft Decision, namely Finding 2 and Finding 3 456, and argues that the IE SA should have found an infringement of Article 5(1)(b) and Article 5(1)(c) GDPR which lay down the principles of data minimisation andpurpose limitation. 247. The objection also includes argumentson legaland factualmistakesin the IESA’s DraftDecisionthat require amending.According tothe ITSA, theIE SA’sreasoning isinconsistent because thehigh-level, ratherunclearinformation provided tothedatasubjects isa major criticalitythat shouldhave ledthe IE SA not only to question the features of the information notice, but also to verify, in detail, the application of the principles of purpose limitation and data minimisation from a substantive 457 perspective . More specially, the ITSA takesthe view that the IE SA should have hadregardtothe actualconfigurationof theprocessing operations performedin ordertoassess whetherthecontroller had abided by the obligation toprocess personal data for specified, explicit and legitimatepurposes bothwhen collectingthose dataandthereafter 45. 248. As regards the risk posed by the Draft Decision, the EDPB takes note of the IT SA’s reference to paragraph16 of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR and reiteratesthe particular relevance ofArticle 5(1)(b) andArticle 5(1)(c)GDPRin the contextof contractsfor online services, in view of the risk that data controllers may seek to include generalprocessing terms in contracts in order to maximise the possible collection and uses of data, without adequately specifying those purposes or considering dataminimisationobligations 45.Nevertheless,theEDPBstressesthatamere referencetothe EDPBGuidelinesisnot sufficient todemonstratetherisks posedbythe DraftDecision inthis specific caseand inthese specific circumstances. 249. The IT SA also considers that the purposes for the processing “must be clearly specified and communicated to the data subject, in line with the controller’spurpose limitation and transparency obligations”, otherwise there is “a risk that other data protection obligations might be evaded by artificiallyexpanding the typesofprocessing or thecategoriesofpersonaldata that areconsideredto 452 Meta IEArticle65Submissions,Annex1,paragraphs7.1-7.4. 453Seeparagraphs73-75ofthisBindingDecision. 454Meta IEArticle65Submissions,Annex1paragraphs7.2. 455Meta IEArticle65Submissions,Annex1,paragraphs7.3. 456 TheIT SArefers to theIE SA’s reasoning preceding Finding 2 and to paragraphs 122-149and 184, 185and 187precedingFinding3oftheDraftDecision. 457ITSAObjection,p.4. 458ITSAObjection,p.4. 459EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph16. 65 Adopted be ‘necessary’forperformanceofthecontractunder Article6(1)(b)GDPR -which would in turn nullify thesafeguards affordedto datasubjectsbypersonaldata protectionlaw” 46. 250. The EDPB recalls that the objection must put forward arguments or justifications concerning the consequences of issuing the decision without the changesproposed in the objection, andhow such consequences would pose significant risks for datasubjects’ fundamentalrightsandfreedoms 46.The CSA needs to advance sufficient arguments to explicitly show that such risks are substantial and plausible462. Inaddition,the demonstrationofthe significance ofthe risks cannotbe implied from the legaland/or factualargumentsprovidedbythe CSA, but hastobe explicitlyidentified andelaborated 463 inthe objection . 251. The EDPB considers that the IT SA’s objection fails to meet these requirements as it does not demonstratethe significance of the risk stemmingfrom anomission inthe DraftDecisionof afinding that the principles of purpose limitationand data minimisation have beeninfringed by Meta IE. The risk, asdescribed by the IT SA objection, is not substantial andplausible enough. Moreover, the risk relatesto the IE SA’s decision not to conclude on the inappropriate use of Article 6(1)(b) GDPR asa legalbasis for MetaIE’sprocessing activitiesbut fails toestablish a clear link withthe LSA’sdecision not tomake a finding on the infringement ofArticle 5(1)(b) andArticle5(1)(c) GDPR. 252. Therefore, the EDPB considers that the abovementioned objection by the IT SA is not reasoned (cf. Article4(24) GDPR)andwillnot assess iton the merits. 8 ON CORRECTIVEMEASURESOTHER THAN ADMINISTRATIVE FINES 8.1 Analysis by the LSA inthe DraftDecision 253. The IE SA considers thatanorder tobring processing into compliance (Art. 58(2)(d) GDPR)should be imposed on Meta IE, requiring them tobring their Data Policy andTerms of Service into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR asregardsprocessing carriedout on the basis ofArticle 6(1)(b) GDPRwithinthreemonths of thedate ofnotification ofanyfinal decision 46. 254. The LSA considers an order is necessary and proportionate, contrary to the controller’sposition 46. Regarding the necessity, the IE SA explains that this order is the only way toguarantee that Meta IE amendsthe infringementsoutlined in the DraftDecision,which isessentialfor the protectionofdata subjects’ rights46. Concerning the proportionality, the LSA points out that the proposed measure is the minimum action required to ensure the future compliance of the controller. Further, the IE SA 460ITSAObjection,p.3. 461EDPBGuidelinesonRRO,paragraph18. 462 463EDPBGuidelinesonRRO,paragraph37. EDPBGuidelinesonRRO,paragraph37. 464DraftDecision,paragraphs200and203. 465 Meta IE Submissions on Preliminary Draft Decision, paragraphs 12.1, 12.2, and 12.4; Draft Decision, paragraphs200and201. 466DraftDecision,paragraph204. 66 Adopted recallsMetaIE’savailableresources,thespecificity ofthe LSA’sorder, andthe importanceof thedata 467 subject’srightsconcernedtoconclude thatsuch measureis proportionate . 8.2 Summary of the objections raised by the CSAs 255. The NL SA objects tothe choice of the corrective measuresof the LSA in their Draft Decision 468. The NLSA notesthattheIESA isproposing toimpose anorder pursuant toArticle58(2)(d)GDPRalongside an administrative fine, and that this objection concerns the first of these two measures 46. More specifically, theNL SA objectstotheorder tobringprocessing intocompliance (Article58(2)(d) GDPR) within three months proposed by the LSA, arguing that it is not appropriate, not necessary, nor proportionate to ensure compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR, as well as the additional infringement of Article 6(1)(b) andArticle 9(2) GDPR raisedin its objection 47. The NL SA takes the view that the proposed order is insufficient to remedy the serious situation of non-compliance arising from these infringements, since it does not remedy the illegality of the conduct carriedout during the transitionperiod (i.e. the time between the issuance of the decision andtheexpirationdateof theorder),bearing inmindthateverydaythe service continuesoperations as described in the Terms of Use andData Policy, it does so in an illegalwayharming the rightsand 471 freedoms ofmillions of datasubjects in the EEA .Accordingtothe NL SA, the DraftDecisionshould be modified to include a temporary ban on Meta IE’sprocessing of personal data for the duration necessary for the controller to bring its processing into compliance with the GDPR (Article 58(2)(f) GDPR), as this would be appropriate, necessary and proportionate taking into account the circumstancesofthe case 472,andwouldbe the onlymeasure suitabletomakesure thattheexpansive violation ofthe fundamentalrightsand freedomsof datasubjects is not continued 47. The NL SA also arguesthat the breachesofthe GDPR establishedbythe LSA, combinedwiththe additionalbreaches put forward bythe NL SA, areof a very gravenature andjustify haltingprocessing operations during the time the controller needs to remedy its severe lack of compliance 474. In essence, the NL SA identifies the risk posed by the DraftDecision in thatit allowsthe companyto resume operations as usual while amending the compliance deficits (with regard to transparency), which they argue 475 essentially deprivesdata subjectsof their rightsduring atransitionperiod . 256. The FISA alsoarguesthatthe IESA should “exerciseeffective,proportionateanddissuasive corrective powers” and order Meta IE to“bring itsprocessing operations into compliance with the provision of Article 6(1) GDPR and prohibit to process users’ personal data for behavioural advertising by relying on Article 6(1)(b) GDPR as laid down in Article 58(2)(d) GDPR” 476. The HU SA reaches the same conclusion, proposing toapplythe legalconsequencesunder Article58(2)(d) GDPRandtoinstructthe controller toindicate a different legalbasis47. Onthe risks, boththe FI andthe HU SAs statethatthe absence of appropriate and necessary corrective powers would amount to a dangerous precedent, 467 DraftDecision,paragraph205. 468NLSAObjection,paragraph55. 469NLSAObjection,paragraph56. 470NLSAObjection,paragraph56. 471 NLSAObjection,paragraph57. 472NLSAObjection,paragraph58 473NLSAObjection,paragraph59. 474NLSAObjection,paragraph63. 475 NLSAObjection,paragraphs57,58,and63. 476FI SAObjection,paragraph25. 477HUSAObjection,p.3. 67 Adopted sending a deceiving message to the market and to data subjects whose fundamental rights and freedoms wouldultimatelyjeopardise 478.Moreover, theFI SA notes thattheDraftDecisionaffectsall datasubjectswithintheEEAandthat,therefore,theconsequencesofnot makinguse ofthecorrective measurespursuant Article58(2)would be enormous 479. 257. The AT SA requests thatthe LSA makes use of itscorrective measurespursuant toArticle 58(2)GDPR in relationto the additional infringement of Article 6(1)(b) GDPR 48, inorder tobring the processing 481 482 operationsofthecontroller inline withtheGDPR andremedytheinfringement .Accordingtothe AT SA, the IESA should exercise ‘’correctivepowers’’soastoensure thatMeta IE couldnot continue to unlawfully rely on Article 6(1)(b) GDPR for the processing of users’ personal data for behavioral advertising 483. More specifically, the AT SA suggests that the IE SA prohibits Meta IE “the processing 484 of a user’s datafor behavioural advertising by relying on Article 6(1)(b) GDPR” . Inthe absence of additionalcorrectivemeasures,theATSAconsidersthatifcorrectivemeasuresarenotimposed, there is a risk “that [Meta IE] continues to unlawfully rely on Article 6(1)(b) GDPR for the processing of a user’s data for behavioural advertising and continues to undermine or bypass data protection 485 principles’’ , which would affect millions of data subjects within the EEA and bear vast consequences 486. 258. The FR SA notes that reversing the findings concerning the infringements of Article 6(1) GDPR also affects the scope of the corrective actions proposed by the IE SA, in addition to the administrative fine 487 259. Finally, accordingtothe NOandDESAs,the IESAshould takeconcretecorrectivemeasuresinrelation totheadditionalinfringement ofMetaIEwithArticle6(1)(b) GDPR,namelytoorderMetaIEtodelete personal data that hasbeen unlawfully processed on Article 6(1)(b) GDPR andtoprohibit the use of thislegalbasis for such processing activities 488. 478FI SAObjection,paragraph28;HUSAObjection,p.4. 479FI SAObjection,paragraph29. 480 481AT SAObjection,p.7. AT SAObjection, p. 8. TheAT SAalso highlights that according to theCJEU wherean infringement is found during a complaint-based procedure, theSA is under an obligationto takeappropriateaction by exercising correctivepowers,anditcitesC-311/18,paragraph111.Additionally,theAT SAclarifiesthatalthoughittakes the positionthat a complainant does not havea subjectiveright to request from therespectivesupervisory authoritytheexerciseofa specificcorrectivepoweranditisuptotheauthorityonlytodecidewhichactionis appropriateandnecessary(referringtoC-311/18,paragraph112),itfindstheexerciseofcorrectivepowersto benecessaryinthecurrentcase. 482AT SAObjection,p.8-9. 483 AT SAObjection,p.7-8. 484AT SAObjection,p.9. 485AT SAObjection,p.7. 486AT SAObjection,p.8. 487 FRSAObjection,paragraph50. 488DESAs Objection,p.10;NOSAObjection,p.9. 68 Adopted 8.3 Position of the LSA on the objections 260. The IESA does not consider the objections above tobe relevantand/or reasonedanddoesnot follow them 48. Giventhat these objections were premised upon the requirement for the DraftDecision to include a finding of infringement of Article 6(1)(b) GDPR on which the IE SA expressed its disagreement,theIESAdoesnot consider theobjectionsrequesting theexerciseofacorrectivepower inresponse toa finding of infringementof Article6(1)(b) GDPRasbeing relevant andreasoned 490. 8.4 Assessment of the EDPB 8.4.1 Assessment of whether theobjections were relevant and reasoned 261. The objections raisedby theAT,DE,FI,FR,HU,NLandNOSAsconcern“whethertheactionenvisaged 491 inthe DraftDecisioncomplies withthe GDPR” . 262. Inaddition tothe primaryargumentlevelledagainst allCSA’sobjections, MetaIE provides additional argumentson whetherthese are relevantand/or reasoned 492. 263. Meta IE argues the AT and NL SAs’ objection cannot be considered relevant because they are dependent on another objection, which Meta IE deems inadmissible and without merit 493. On the 494 same basis, MetaIE refutesthatthe AT SA’sobjection isadequatelyreasoned . Asstatedabove,in Section 4.4.1, the EDPB finds the AT and NL SAs’ objections on the subject of Article 6(1)(b) GDPR 495 relevantand reasoned . 264. Additionally, MetaIEarguesthatthe AT andNL SAs’ objections fail toset out how the DraftDecision would pose a direct andsignificant risk to fundamental rightsand freedoms. First, Meta IE refersto theirargumentsputforwardinresponse tothe ATandNL SAs’objections onthematterofcompliance with Article 6(1)(b) GDPR 496. The EDPB has takenthis line of reasoning into consideration above in 489CompositeResponse,paragraphs103-104(inresponsetotheATandFI SAs),paragraph105(inresponseto NLSA), paragraph106(inresponsetoDESAs),paragraph107(inresponsetoNOSA)andparagraph108(in responsetoHUSA). 490 CompositeResponse,paragraphs110. 491EDPBGuidelinesonRRO,paragraph32. 492Meta IEargues that“theEDPBcannotexpandthescopeoftheInquiryinthemannersuggestedbytheCSAs throughObjectionsthatarenotrelevanttothesubstanceoftheComplaint.”and“suchobjectionsoughttobe disregardedintheirentiretybytheEDPB”.TheEDPBdoes notsharethisunderstanding,asexplainedabove. SeeSection4.4.1. 493Meta IEArticle65Submissions,Annex1,p.71:“TheATSA’sObjectionfailstosatisfytheSufficientlyRelevant Threshold,becauseitisitselfbasedonanObjectiongroundedinamistakenallegationofinfringementofArticle 6(1)(b)GDPR,whichdoesnotsatisfytheThresholdsandlacksmerit.Therefore,thisObjectionisnotsufficiently relevantasithasnodirectconnectiontothesubstanceandreasoningoftheDraftDecision.”Analogouswording is usedinresponsetotheNLSA’s objectioninMetaIEArticle65Submissions,Annex1,p.110. 494Meta IEArticle65Submissions,Annex1,p.71:“TheATSA’sObjectionfailstosatisfytheAdequatelyReasoned Threshold because it is premised on its Objection that Meta Ireland infringed Article 6(1) GDPR, which, as analysedintheprevioussection,doesnotsatisfytheThresholdsandlacksmerit”.Analogouswordingisusedin responsetotheNLSA’s objectioninMeta IEArticle65Submissions,Annex1,p.110. 495Paragraph84above. 496Meta IEArticle65Submissions,Annex1,p.72andp.111. 69 Adopted Section 4.4.1 497. Second, Meta IE puts forward that the AT and NL SAs appear to consider that the 498 Draft Decision provides “a mandate for Meta Ireland to unlawfully process data” . Meta IE points out thatnosuchinferencecanbedrawnfrom theDraftDecision,goingontodrawtheconclusion that “asthe DraftDecisiondoesnot in anyway give a blanket approval for any unlawful processing based on Article 6(1)(b) GDPR, there is no direct and significant risk to the fundamental rights and 499 freedoms” .Astothissecond line ofreasoning, theEDPBfails tosee wording by whichthe ATSA or NL SA might have suggested it understands the Draft Decision as a mandate for Meta Ireland to unlawfully process data,thuslimiting future investigations. 265. The NLSA disagreeswiththecorrectivemeasure chosenby theIESA inadditiontothe administrative fine, arguinga temporarybanon processing (Article58(2)(f) GDPR)should have been included inthe Draft Decision instead of an order to bring processing into compliance. If followed, this objection wouldleadtoadifferentconclusion astothechoiceofcorrectivemeasures.Inconsequence,theEDPB considers the objection tobe relevant. 266. The NL SA argues that an order to bring processing into compliance entails that Meta IE would 500 maintain its illegal conduct while they amend their compliance deficits . Conversely, a temporary ban on Meta IE’s processing of data would ensure that data processing is halted during the time 501 needed for the company tochange its practicesto comply withthe GDPR .Intermsof risk, the NL SA puts forwardthat ‘’nottemporarilybanning thisprocessing would underminethe effectivenessof 502 theGDPR’’,andwouldcontinue todeprive datasubjectsoftheir rightsduring thetransitionperiod . The NL SA considers the risk significant, asthe controller provides the Instagramservice tohundreds of millions ofusers across Europe and because the processing involves special categoriesof personal data 503.Therefore, the EDPB considers the objection to be reasonedandtoclearlydemonstrate the significance of therisks posed bythe DraftDecision. 267. TheAT SA disagreeswitha specific partoftheIESA’sDraftDecision,namelyChapter 8‘’Ordertobring processinginto compliance’’,arguingthatthe LSA should have included correctivemeasures inorder toremedyaninfringement ofArticle6(1)(b) GDPR 504.Morespecifically,the ATSA suggeststhattheIE 505 SA prohibits Meta IE from relying on Article 6(1)(b) GDPR . Therefore, if followed, this objection would leadto a different conclusion asto the choice of corrective measures 506. Inconsequence, the EDPBconsiders the objection tobe relevant. 268. Furthermore,theATSAarguesthatwhenaninfringementisfound-notablyinlightofotherobjections raised in the current case in relation to additional infringement of Articles 6(1)(b) - the supervisory authority is under an obligation to issue appropriate corrective measures pursuant to Article 58(2) 497 498Paragraph82above. Meta IEArticle65Submissions,Annex1,p.111.AnalogouswordingisusedinresponsetotheATSA, Meta IE's Article65Submissions,Annex1,p.72. 499Meta IEArticle65Submissions,Annex1,p.111.AnalogouswordingisusedinresponsetotheATSA, Meta IE's Article65Submissions,Annex1,p.72. 500 NLSAObjection,paragraph57-58. 501NLSAObjection,paragraph63. 502NLSAObjection,paragraphs58-59. 503NLSAObjection,paragraphs58-59. 504 AT SAObjection,pp.7-8. 505AT SAObjectionpp.7-8. 506AT SAObjection,pp.7-8. 70 Adopted GDPR.Intermsofrisk, the AT SA arguesthat without this amendment of the DraftDecision, MetaIE “could simply continue to unlawfully rely on Article 6(1)(b) GDPR and to undermine data protection principles” which would continue toaffect millions of datasubjects within the EEA0.Therefore,the EDPBconsiders the objection tobe reasonedandtoclearlydemonstrate the significance of the risks posed by theDraftDecision. 269. Considering the above, the EDPBfinds thatthe objections of theAT andNL SAs requesting additional and/or alternativespecific correctivemeasurestobe imposed arerelevantandreasonedpursuantto Article4(24) GDPR. 270. In addition, the EDPB recalls the analysis made in Section 4.4.1 above concerning the objections in relationtotheadditionalbreachby MetaIEofitslawfulness obligationmadebythe FRSA (requesting totakeappropriate correctivemeasures), andbythe FI andHU SAs(asking the LSA totakecorrective measuresunder Article58(2)(d) GDPR),whichwerefound tobe relevantandreasoned. 271. The EDPBrecallsthatthe DE andNOSAscalledonthe LSA totake specific correctivemeasuresinthe event theEDPBfollowedtheir objectionon compliancewithArticle6(1)(b) GDPR.TheEDPBconsiders these to be reflections upon how, in their view, the LSA should give full effect to the binding direction(s)assetoutintheEDPB’sdecision 50.Intheabsenceoflegalorfactualargumentsthatwould justify including these specific corrective measures in the Draft Decision as opposed to others, the EDPB does not consider this aspect of the DE and NO SAs’ objections to meet the requirements of Article4(24) GDPRastheyarenotsufficientlyreasoned. 8.4.2 Assessment on the merits Preliminarymatters 272. The EDPBconsiders thatthe objections found tobe relevantand reasonedin this subsection require an assessment of whether the Draft Decision needs to be changed in respect of the corrective measures proposed. More specifically, the EDPB needs to assess the request to impose a ban of processing for both the infringements of the transparency obligations found by the LSA and the additional infringement of Article 6(1) GDPR established above in Section 4.4.2, andthe connected issue of the corrective measure to be imposed for the infringement of Article 6(1) GDPR. When assessing the meritsof the objections raised, the EDPBalso takesinto account MetaIE’sposition on the objection anditssubmissions. 273. Bywayofintroduction, the EDPBhighlightsthatthe analysis carriedout in thissection doesnot refer tothecontentoftheDraftDecisionandoftheobjectionsinrespectoftheimposition ofadministrative fines, which arecoveredbelow inSection9. 507 AT SAObjection,p.8. 508EDPBGuidelinesonArticle65(1)(a)GDPR,paragraph50. 71 Adopted MetaIE’sposition on theobjectionsand itssubmissions 274. MetaIEconsidersthe LSAhassole discretiontodeterminethe appropriatecorrectivemeasuresinthe event of a finding of infringement 509and that the EDPB lacks competence to determine or adopt decisions onappropriate correctivemeasures 510. 275. While MetaIEacknowledgesthat“Article65(1)GDPRallowstheEDPBtoconsiderreasonedobjections as to whether the envisaged corrective measures comply with the GDPR”, it argues that CSAs are strictlylimitedtocriticism ofthe correctivemeasuresalreadyput forwardintheDraftDecisionbythe LSA. Therefore,accordingtoMetaIE,“should theEDPBfind an infringementof Article6(1)GDPR[...], theappropriatecoursewouldbetoreferthematterbacktotheLSA(i.e.theDPC)todeterminewhether to impose any appropriate corrective measures. To do otherwise, including direct the DPCto make a specific orderinthetermsproposedbycertainObjections,wouldexceedtheEDPB’scompetenceunder Article65 GDPR” 51. 276. Withrespect tothe issue ofthe correctivemeasure tobe imposed for theinfringement of Article6(1) GDPR,ifany,MetaIE arguesthata temporarybanisneither necessary, nor proportionate toachieve theobjective ofensuringcompliance withtheGDPR,asthereexistsalternative,lessonerousmeasures 512 tobringitsprocessing operationintocompliance withtheGDPR .Inaddition,MetaIEcontendsthat it would be both unfair anddisproportionate to order an immediate ban given that it relied upon a good faith understanding as to what it considered to be a valid legal basis 513. Further, Meta IE considers there is no urgent necessity for a banbased on other decisions takenunder the Article 60 GDPRcooperationmechanism insimilar circumstances 514.Finally,MetaIEputsforwardthesignificant impact of a temporaryban not only on itsactivities but also on third parties’business, such as small andmedium sizedbusinesses acrossEurope, relying onthe platform for behavioural advertising 515. EDPB’sassessment on themerits 277. First of all, according to the EDPB, the views of Meta IE amount to a misunderstanding of the GDPR one-stop-shop mechanism and of the shared competences of the CSAs. The EDPB recalls that the GDPR requires supervisory authorities to cooperate pursuant to Article 60 GDPR to achieve a 516 consistent interpretation of the Regulation . The fact that the LSA will be the authority that can ultimatelyexercise the corrective powerslisted in Article 58(2)GDPRcannot neither limit the role of 517 the CSAs withinthe cooperationprocedure nor theone ofthe EDPBinthe consistency procedure . 509 510Meta IEArticle65Submissions,paragraphs8.4and8.18. Meta IEArticle65Submissions,paragraph8.6. 511Meta IEArticle65Submissions,paragraph8.13. 512Meta IEArticle65Submissions,paragraph8.27. 513Meta IEArticle65Submissions,paragraph8.28. 514 Meta IEArticle65Submissions,paragraph8.28. 515Meta IEArticle65Submissions,paragraph8.29. 516 See Art. 51(2), Art. 60, Art. 61(1) GDPR, and C-645/19, Facebook v Gegevensbeschermingsautoriteit, paragraphs53,63,68,72. 517 See Art. 63 and 65 GDPR. In this regard it should benoted that Recital 11 GDPR stresses that ‘effective protection of personal data throughout the Union requires [...] equivalent sanctions forinfringements in the MemberStates’. Therefore, in orderto ensurethis ‘consistent monitoringandenforcement’ of theGDPR, the legislatorhasdecidedtoprovidesupervisoryauthoritieswiththe‘samecorrectivepowers’(Recital129GDPR). 72 Adopted278. More specifically, when raising an objection on the existing or missing corrective measure(s) in the Drafting Decision, the CSAs should indicate which actionthey believe would be appropriate for the LSA toundertakeandinclude inthe finaldecision 518. Incaseof disagreementonthese objections, the dispute resolution competence of the EDPBcovers ‘’allthe matterswhich are subject of therelevant 519 and reasonedobjection’’(emphasisadded) . Therefore,contrarytoMetaIE’sviews,the consistency mechanism may also be used to promote a consistent application by the supervisory authorities of 520 their correctivepowers, takingintoaccount the rangeofpowerslisted inArticle 58(2)GDPR ,when arelevantandreasonedobjectionquestions theaction(s)envisagedbytheDraftDecisionvis-a-visthe controller/processor, or theabsence thereof. 279. Inaddition, the EDPBfinds thatMeta IEmisunderstands the AT SA’s objection when it arguesthatit does acknowledge that it is for the LSA alone to decide which corrective measures are appropriate andnecessary, byciting paragraph112of the SchremsIICJEU judgment 521.Infact,the ATSA doesno such thing: in its objection it stated‘’acomplainant doesnot have a subjective right to request from the respective supervisoryauthority(in this case: the DPC)the exercise ofa specific corrective power and it is for the supervisory authorityalone to decide which action is appropriate and necessary(see C ‑311/18, point 112)’’522anddid not engage inan interpretationof how Article 58(2) GDPR is to be understood in cross-border cases in the sections referred to. The cooperation and consistency mechanism of the GDPRisnot addressed inCJEU ruling C-311/18 (SchremsII)either. 280. Moving onto the analysis of the issue of corrective measuresas requiredby the objections found to be relevant and reasoned above, the EDPB recalls that when a violation of the GDPR has been established, competent supervisory authorities are required to react appropriately to remedy this infringement in accordance with the means provided to them by Article 58(2) GDPR 523. Article 58(2) GDPRprovidesa wide choice ofeffectivetools for theauthoritiestotakeactionagainstinfringements of the Regulationandwhich can be imposed in addition toor instead of a fine. According to Recital 129 GDPR, every corrective measure applied by a supervisory authority under Article 58(2) GDPR should be ‘‘appropriate, necessary and proportionate in view of ensuring compliance with the Regulation’’inlightof allthe circumstancesofeachindividual case.Recital148 GDPR showsthe duty for supervisory authorities toimpose corrective measuresthat are proportionate to the seriousness of the infringement 52. This highlights the need for the corrective measures and any exercise of powersby supervisory authoritiestobe tailoredtothe specific case 525. 281. Considering the nature and gravityof the infringement of Article 6(1)(b) GDPR established above in Section4.4.2,aswellasthe number of datasubjects affected,theEDPBsharesthe view of the AT,FI, 518SeeEDPBGuidelinesonRRO,paragraph33. 519Art. 65(1)(a)GDPR. 520 521SeeEDPBGuidelinesonArticle65(1)(a)GDPR,paragraph92. Meta IEArticle65Submissions,paragraph8.6.Seeaboveparagraph274. 522AT SAObjection,p.8. 523C-311/18,SchremsII,paragraph111. 524Recital 148GDPR states, forinstance:“in a case of a minorinfringement orif the fine likely to be imposed would constitute a disproportionate burden toa natural person, a reprimand may be issuedinsteadof afine”. TheEDPBconfirmedthat“theindicationsprovidedbythisRecitalcanberelevantfortheimpositionofcorrective measures in general and for the choice of the combination of corrective measures that is appropriate and proportionatetotheinfringementcommitted”.EDPBBindingDecision1/2021,paragraph256. 525EDPBBindingDecision1/2021,paragraph256. 73 Adopted FR, HUand NL SAs thatit is particularlyimportantthat appropriatecorrective measuresbe imposed, inaddition toa fine, inorder toensure thatMetaIEcomplies withthisprovision ofthe GDPR. 282. Inrespectof whichmeasure should be imposed, asstated,theNL SA arguesthatthe IESA's proposal toorder MetaIEtocomplywithArticle5(1)(a), Article12(1)andArticle 13(1)(c)GDPRwithina period of threemonths is not appropriate,considering these breachesinconjunction withthe gravityofthe additional breachesof Article 6(1)(b) and Article 9(2)GDPR identified in its objection526. Instead,the NL SA is of the opinion that only a temporaryban imposed in respect of all these infringements can effectively protectthe rightsof the data subjects during the transition period inwhich the controller remedies to these violations 52. The FI SA considers that the IE SA should “exercise effective, proportionate and dissuasive corrective powers” and, taking into account the nature of the infringement, order MetaIE to“bringits processing operations into compliance with the provision of Article 6(1) GDPR and prohibit to process users’ personal data for behavioural advertising by relying on Article 6(1)(b) GDPR as laid down in Article 58(2)(d) GDPR” 528. The HU SA proposes to apply the legalconsequences under Article 58(2)(d) GDPR in relationtoviolation of Article 6(1) GDPRby Meta IE andtoinstruct the controller toindicate a another alternativelegalbasis 529. Inaddition, the AT SA callsontheIESA touse itscorrectivepowersunder Article58(2)GDPRinordertobringthe processing operations of Meta IE into line with the GDPR, and suggests ‘’that the DPC prohibits Facebook the processing of a user’s data for behavioural advertising by relying on Article 6(1)(b)’ stating that 530 ‘otherwise,Facebookcould simply continue tounlawfully relyon Article6(1)(b) GDPR’’ . 283. Meta IE argues that a temporary ban would not be necessary as less onerous measures could be imposed and that it would be unfair and disproportionate, also considering its impact on third parties 53. 284. The EDPBagreeswiththe observations madeby the NLSA thatthe infringement found inthe case at hand constitutes a “very serious situation of non-compliance” 532with the GDPR, in relation to processing of “extensiveamountsof[...]data,whichis essentialto thecontroller’sbusinessmode”’ 533, 534 thusharming“therightsand freedomsofmillions ofdata subjectsin theEEA” .Asaresult, theEDPB sharestheNLSA’sconcernthatthecorrectivemeasurechoseninthecircumstancesofthiscaseshould aimtobringthe processing intocompliancewiththeGDPRthusminimising thepotentialharm todata subjects createdbythe violations of theGDPR. 526 NL SAObjection, paragraph57. In this respect, theEDPB recalls that, as stated in Sections 4.4.2 and 5.4.2 above,whiletheEDPBfinds thattheIESAshouldhavefoundaninfringementofArt.6(1)(b)GDPRinits Draft Decision,itdoesnothavesufficientfactualevidenceallowingittofinda possibleinfringementbyMeta IEofits obligationsunderArt.9(2)GDPR. 527 NLSAObjection,paragraph58. 528FI SAObjection,paragraph25. 529HUSAObjection,p.3. 530AT SAObjection,p.8-9. 531 532Meta IEArticle65Submissions,paragraphs8.27-8.28. NLSAObjection,paragraph54. 533NLSAObjection,paragraph58. 534NLSAObjection,paragraph57. 74 Adopted285. Inaddition, the EDPB recallsthatcontrarytoMetaIE’scontention, it is not necessarytoestablish an ‘urgentnecessity’ 535for imposing atemporaryban, in thatnothing in the GDPRlimits the application 536 of Article58(2)(f) GDPRtoexceptionalcircumstances . 286. Atthe sametime,theEDPBnotesthatinassessing the appropriatemeasuretobeapplied, Recital129 GDPR provides that consideration should be given to ensuring that the measure chosen does not create ‘’superfluouscosts’’ and‘’excessive inconveniences’’ for the persons concerned in light of the objective pursued. When choosing the appropriate corrective measure, there is a need to assess whether the chosen measure is necessary to enforce the GDPR and achieve protection of the data subjects withregardtothe processing oftheir personaldata,whichis the objective being pursued 53. Compliance withtheprinciple of proportionalityrequiresensuring thatthe chosen measuredoes not createdisproportionate disadvantagesinrelationtothe aim pursued. 287. The EDPB takes note of the elements raised by the objections, particularlythe NL SA, to justify the needfor imposing atemporaryban,consisting in essence inthe need tohalt the processing activities thatarebeingundertakeninviolationoftheGDPRuntilcomplianceisensuredinordertoavoidfurther prejudicing data subject rights. However, the EDPB considers that the objective of ensuring compliance and bringing the harm to the data subjects to an end can, in this particular case, be adequatelymetalsobyamendingtheorder tobring processing intocompliance envisagedintheDraft DecisiontoreflectMetaIE’sinfringementofArticle6(1)GDPRidentifiedinSection4.4.2ofthisBinding Decision. In addition tothe fines that willbe imposed, this measure would require Meta IE toput in placethenecessarytechnicalandoperationalmeasurestoachievecompliance withinaset timeframe. 288. Inrespectofthe imposition of anorder tobring processing intocompliance, MetaIEsubmitsthatany such order should ‘’afforda reasonable opportunity’’toMetaIE tocomply 538. Whendetermining the transitionperiodfor bringingMetaIE’sprocessingintocompliance withGDPR,theEDPBrequeststhat the IE SA gives due regardtothe harm caused tothe data subjects by the continuation of Meta IE’s infringement ofArticle6(1)GDPRduring thisperiod. More specifically, theorder should requireMeta IEtorestorecompliance withinashort periodoftime.Inthisrespect,theEDPBnotesthat,inresponse to Meta IE’s submission, the IE SA considered the three-month deadline for compliance for the infringements of Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR necessary andproportionate in light ofthe potentialfor harmstothe datasubjects rightsthatsuch a measure entails, considering 539 that the interim period for compliance ‘’willinvolve a serious ongoing deprivation of their rights’’ . The LSA also points out the significant financial, technological, and human resources, as well asthe 535Meta IEArticle65Submissions,paragraph8.28. 536 See a contrario Art. 4 Implementing Decision 2010/87, in its version prior to the entry into force of 537lementingDecision2016/2297;C-311/18SchremsII,paragraph114. C-311/18, Schrems II, paragraph112:‘’Althoughthe supervisory authority must determine which actionis appropriate and necessary and take into consideration all the circumstances [...] in that determination, the supervisory authority is nevertheless required to execute its responsibility forensuringthat the GDPR is fully enforcedwithallduediligence’’. 538Meta IEArticle65Submissions,point8.31. 539 Draft Decision, paragraph 202. Inthis regard, Meta IE argues that this was not a reasonableperiodof time within which to makethenecessary changes, as thechanges would beresource-intensiveand wouldrequire “sufficientleadintimeforpreparing,drafting,designingandengineeringtherelevantchanges,conductingand takingaccountofusertestingoftheproposedchanges,internalcross-functionalengagementaswellasofcourse engagement with the Commission, and localisation and translation of the information forcountries in the EuropeanRegion’’.DraftDecision,paragraph201. 75 Adopted clear instructions provided to Meta IE to comply with GDPR 540. The EDPB considers that this line of reasoning applies all the more to the corrective measures imposed in relation to Meta IE’s infringement ofArticle 6(1)GDPR. 289. Finally, the EDPBrecalls thatnon-compliance withanorder issued by a supervisory authoritycanbe relevantboth intermsof it being subject toadministrative fines up to20 million euros or,in the case of anundertaking,up to4% ofthe totalworldwide annualturnover of the preceding financialyear in line with Article 83(6) GDPR, and in terms of it being an aggravating factor for the imposition of administrative fines541. Inaddition, the investigative powers of supervisory authorities allow them to order the provision of all the information necessary for the performance of their tasks including the 542 verificationof compliance withone of theirorders . 290. The EDPBtherefore instructsthe IESA toinclude in itsfinaldecision anorder for MetaIE tobring its processing of personaldatafor thepurpose ofbehaviouraladvertising inthecontextof theInstagram services intocompliance withArticle6(1) GDPRwithinthreemonths. 291. Inaddition, the EDPBnotesthatthe currentwording ofthe order“to bring theDataPolicyand Terms of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR as regards information providedondata processedpursuanttoArticle6(1)(b)GDPR”’shouldbe modifiedinorder toreflecttheEDPB’sfindingsinSection4.4.2thatMetaIEisnotallowedtorelyonArticle6(1)(b)GDPR for the processing of personal data for the purpose of behavioural advertising. Therefore, the EDPB instructstheLSA toadjust itsorder toMetaIEtobringitsInstagramDataPolicyandTermsofUse into compliance withArticle 5(1)(a), Article 12(1) andArticle 13(1)(c) GDPRwithin three months, to refer not onlytoinformationprovided ondataprocessed pursuant toArticle6(1)(b) GDPR,butalsoondata processed for the purpose of behavioural advertising in the context of Instagram services(to reflect the finding of the EDPB inSection 4.4.2 that for this processing the controller cannot rely on Article 6(1)(b) GDPR). 540DraftDecision,paragraph202. 541Art. 83(2)(i)GDPR. 542 Art. 58(1)GDPR. 76 Adopted 9 ON THE DETERMINATIONOF THE ADMINISTRATIVEFINE 292. The EDPB recalls that the consistency mechanism may also be used to promote a consistent applicationof administrativefines 543. 9.1 On the determination of the administrativefine for the transparency infringements 9.1.1 Analysis bythe LSA in the Draft Decision The applicationof thecriteriaunder Article83(2)GDPR 293. InitsDraftDecision,the IESA explainshow itconsidered the criteriainArticle 83(2)GDPRindeciding whether to impose an administrative fine and to determine its amount in the circumstancesof this case 544.The most pertinent criteriafor the present dispute aresummarised below. Thenature,gravityanddurationoftheinfringement,taking into accountthe naturescopeor purpose of theprocessing concernedas wellas the numberof data subjects affectedand the levelofdamage sufferedbythem(Article 83(2)(a)GDPR) 294. The IESAexplains thatitassesses theinfringementsofArticle5(1)(a), Article12(1)andArticle13(1)(c) GDPR identified in the Draft Decision simultaneously in the context of the Article 83(2) GDPR 545 criteria .Further,the IESA explainsthat‘’theprocessing concerned’’refersto“allofthe processing operationsthat[MetaIE]carriesoutinthecontextoftheInstagramserviceonthepersonaldata under its controllership for which it relies on Article 6(1)(b) GDPR”, in line with the scope of the inquiry (permissibility inprinciple ofprocessing personal datafor behaviouraladvertising) 546. 295. In terms of the nature ofthe infringements, the IE SA explains that they concern a cornerstone of data subject rights, namely the right to information. The IE SA argues that ”the provision of the informationconcernedgoes to theveryheart ofthe fundamentalright ofthe individual to protection ofpersonaldata whichstemsfrom thefreewilland autonomyoftheindividual toshare theirpersonal datain avoluntary situation such asthis. Ifthe requiredinformation hasnot been provided, thedata subject has been deprived of the ability to make a fully informed decision as to whethertheywish to use aservice that involves the processing of their personal data and engagestheir associated rights. Furthermore,theextenttowhicha data controller hascomplied with itstransparencyobligationshas a direct impact on the effectivenessof the other data subject rights. If data subjects have not been providedwith the prescribed information, theymaybe deprived of the knowledge theyneedin order to consider exercising one of the other data subject rights”54. Further, the IE SA points out that the 543SeeRecital150GDPR;EDPBGuidelinesonRRO,paragraph34andEDPBGuidelinesonArticle65(1)(a)GDPR, paragraph91. 544 DraftDecision,paragraphs206-207. 545“While I emphasise that each is an individual anddiscrete “infringement”of the GDPR, I am proposingto assessallthreeinfringementssimultaneouslyasallconcerntransparencyand,byreasonoftheircommonnature and purpose, are likely to generate the same, orsimilar, outcomesin the context of some of the Article 83(2) GDPRassessmentcriteria”.DraftDecision,paragraph209. 546DraftDecision,paragraph210. 547 DraftDecision,paragraphs212. 77 Adopted breachof the transparencyprinciple by Meta IE has the potentialto undermine other fundamental dataprotectionprinciplessur astheprinciples offairnessandaccountability 54.Finally,theIESA notes thatthe Europeanlegislator included infringementsonthe right toinformationandArticle 5 GDPRin Article83(5) GDPR,whichcarriesthe highest maximum fine 549. 296. In terms of the gravity of the infringements, the IE SA explains that Meta IE is found to also have infringed Article 12(1) and Article 5(1)(a)GDPR because the company hasnot provided the required information inthe required manner under Article 13(1)(c) GDPR.TheIE SA adds thatthis “represents a significant levelof non-compliance,taking into account theimportance of theright to information, the consequent impact on the data subjects concerned and the number of data subjects potentially affected” 550. 297. With regardsto the nature,scopeorpurposeofthe processingconcerned,theIE SA considers that the “processing carried out by [Meta IE] in the context of the Instagram service pursuant to Article 6(1)(b) GDPR is extensive. [Meta IE]processes a varietyof data in order to provide Instagram users with a ‘personalised’ experience, including by way of serving personalised advertisements. The processingis centralto andessentialto thebusiness modeloffered,and,for this reason,the provision of compliant information in relation to that processing becomeseven more important. This, indeed, mayinclude location and IPaddressdata” 551. 298. With reference to the number of data subjects affected, the IE SA points out that, as Meta IE confirmed, ’’asof the date of the commencement ofthe Inquiry, i.e. 31 August 2018, [Meta IE]had approximately monthly active accounts and, as of December 2021, it had approximately monthlyactiveusersin theEuropean EconomicArea” 552.While noting thefiguresprovided by MetaIE incorrectlyexcluded the number of UKactive accountstowhich the GDPRwas applicable at the dateoftheComplaint, the LSA consideredthat,whenmeasuring these figuresby referencetothe totalpopulationoftheEEA(including theUK),a‘’significantportionofthepopulationoftheEEAseems to have beenimpactedby theinfringements’’ 553. 299. Intermsof damagessufferedby affecteddata subjects, the IE SA finds that“failure to provide all of theprescribed information underminesthe effectivenessofthe data subjectrightsand, consequently, infringes the rights and freedomsof the data subjects concerned. A core element oftransparency is empoweringdata subjectsto makeinformed decisions aboutengaging withactivitiesthatcause their personal data to be processed, and making informed decisions about whether to exercise particular rights,and whethertheycan do so. Thisright isundermined bya lackof transparencyon thepart ofa datacontroller” 55. 300. OnArticle 83(2)(a)GDPR,theIESA concludes that“[the]infringementsareserious in nature.Thelack of transparencygoes to the heart of data subject rights and risks undermining their effectivenessby not providing transparentinformation in that regard.While the infringementsconsidered hererelate 548DraftDecision,paragraph213 549 550DraftDecision,paragraph214. DraftDecision,paragraph216. 551DraftDecision,paragraph221. 552DraftDecision,paragraph223. 553DraftDecision,paragraphs223-225and253. 554DraftDecision,paragraph228. 78 Adopted to one lawful basis, it nonethelessconcernsvast swathesof personaldata impacting millions ofdata subjects. When such factors are considered, it is clear that the infringements are serious in their gravity” 55. The IE SA further notes the impact of the infringement on a ‘’significant portion of the population of the EEA’’, as well as on ‘’data subject’s ability to be fully informed about their data protectionrights,or indeed about whetherin theirview theyshould exercisethoserights’’ 556. 301. The IE SA does not attachsignificant weight tothe durationof the infringements 55, considering that the complaint - andtherefor the Inquiry - wasmade againsta specific set of documents (Instagram’s DataPolicy and Termsof Use) and thatmore recentversions of the relevantdocuments areoutside the scope of the Inquiry 55. Theintentionalor negligentcharacterofthe infringements(Article83(2)(b) GDPR) 302. The IESA notesthecomplainantsview thattheinfringement arosefrom ‘’[MetaIE]madea deliberate and calculated decision to present the information in a particular manner such as to mislead data subject’’559 but statesthat there is no evidence that Meta IE ‘’made adeliberate decision to present the information to data subject in a particular way’’ 560. The IE SA further notes that the EDPB Guidelines on Administrative Fines ‘’recognisethatan intentionalbreachgenerallyonly occurswhere thereis a deliberateact to infringe the GDPR’’,andthat,in this regard,‘’afinding of intentionalityis predicatedon knowledgeand wilfulness as tocharacteristicsofan offence’’.TheIESA finds therewas noevidence ofanintentionalandknowing breachofaprovision ofthe GDPR. TheIESAhowever finds thatthe infringement wasnegligent,takingintoaccount ‘’the failure ofan organisation ofthis sizeto provide sufficientlytransparentmaterialsin relation to thecoreof itsbusiness mode” 56. The action taken by the controller or processor to mitigate the damage suffered by data subjects (Article83(2)(c) GDPR) 303. The IE SA notes MetaIE’sposition that “hasdischarged itstransparencyobligations in respectof the Instagram service and, accordingly, complies fully with the GDPR in this respect.” Notwithstanding their disagreementwiththis position, the IESA “accept[s]thatit representsa genuinelyheld beliefon [Meta IE’s] part’’. Onthat basis, the IE SA notes that ‘’there hasnot been an effort to mitigate the damage to data subjects, as it was [Meta IE’s] position that data subjects were incurring no such damage” 562.TheIESA isnot swayedby MetaIE’sargumentthattheireffortstocomplywiththeGDPR 555DraftDecision,paragraph253. 556DraftDecision,paragraph253. 557 558DraftDecision,paragraph253. DraftDecision,paragraphs218and253.TheIESAnotes,however,that“Inimposingcorrectivepowers[...] theGDPRrequiresthatthebroaderimpactofinfringementsbeconsidered”(DraftDecision,paragraph218). 559DraftDecision,paragraph231. 560DraftDecision,paragraph232.Initsanalysis,theIESAtakes intoconsiderationtheEDPBGuidelineson AdministrativeFines onthenotionsof‘intentional’and‘negligent’.DraftDecision,paragraphs230-232. 561Inthis regard,theIESAnotes that‘’Meta Irelandshouldhavebeenawareofitstransparencyrequirements, especiallyinlightofthetransparencyguidelinesandshouldhaveprovidedclarityaboutthepreciseextentofthe processing operations carried out pursuant to Article 6(1)(b) GDPR. Meta Ireland furthershould have ensured that it adhered strictly to its transparency obligations when choosingthe lawful bases onwhich they rely and should have used these obligations as a guide as to the information to be conveyed to data subjects’’ (Draft Decision,paragraph253). 562DraftDecision,paragraph234. 79 Adopted should be takeninto consideration, as -in general-compliance withthe GDPRis a duty imposed on each controller. In the present case, the IE SA finds this factor is neither mitigating nor aggravating insofar as“beyondsimply complyingwith the GDPR,thereareno obvious mitigating stepsthat could 563 have been taken” . Notwithstanding this, the IE SA identifies a mitigating factor in Meta IE’s willingness toengageinstepstobring itsprocessing intocompliance ona voluntarybasispending the conclusion ofthe inquiry 564. The degree of responsibility of the controller taking into account technical and organisational measuresimplementedpursuantto Articles25 and 32 (Article83(2)(d) GDPR) 304. The IE SA does mentionthis factor asanaggravatingfactorin the DraftDecision. The IE SA takesthe view that, considering that guidance on transparency was available to Meta IE at the date of the complaint, it ’’shouldhave been awareof theappropriate standards– albeit at a generallevel– and, having madea deliberatedecisionto presentthe information in a manner which fellsignificant below thestandardrequired,hasa high degreeofresponsibilityfor thelackofcompliancewiththeGDPR’’ 565. Anyrelevantpreviousinfringementsbythe controlleror processor(Article83(2)(e) GDPR) 305. The IESA does not mentionthis factoras anaggravatingormitigatingfactorinthe DraftDecision 56, taking into consideration that‘’theCommission has not made any findings ofinfringementsby Meta Ireland in the context of the Instagram service which could be considered relevant for [this] 567 assessment’’ . Thecategoriesof personaldata affectedbythe infringements(Article83(2)(g) GDPR) 306. The IESA notesthat “[the]lackof transparencyconcernedbroad categoriesofpersonal data relating 568 to userswho sign up to theInstagramservice” .Althoughacknowledgingthatthe assessment made by the IE SA in this Inquiry “was rather generalised in nature” the LSA points out that the lack of transparency by Meta IE contributed to the “lack of clarity as to the precise categories of personal datarelevantfor thisInquiry” 569. 307. Nonetheless, the IE SA concludes that, in the absence of evidence that these personal data are of a particularlysensitive nature,this factorshould be regardedasneitheraggravatingnormitigating 570. 563DraftDecision,paragraph235. 564 DraftDecision,paragraph236. 565DraftDecision,paragraph240. 566DraftDecision,paragraph253. 567Draft Decision, paragraphs 241 and 243. The IE SA notes their disagreement with Meta IE Article 65 568missionsthattheabsenceofpreviousdecisionshouldbeconsideredasa mitigatingfactor. DraftDecision,paragraph247. 569DraftDecision,paragraph247. 570DraftDecision,paragraph247. 80 Adopted The manner in which the infringementsbecame known to the supervisory authority(Article 83(2)(h) GDPR) 308. The IE SA notes that “[the] subject matter became known to the Commission due to an Inquiry conducted on foot of the Complaint. The subject matter did not give rise to any requirement of notification,and Ihave alreadyacknowledged severaltimesthatthe controller’sgenuinelyheld belief 571 is thatno infringementis/was occurring” .The IESA does not mentionthis factoras anaggravating or mitigatingfactorin theDraftDecision 57. Anyotheraggravating ormitigating factor (Article83(2)(k) GDPR) 309. The IE SA considers whether the “lack oftransparencyhas the potentialto have resulted in financial benefitsfor [MetaIE]”basedon theview thata “moretransparentapproachtoprocessing operations carriedouton foot ofthatcontractwouldrepresentariskto[MetaIE]’sbusiness model”,whichwould be thecase“ifexistingorprospectiveusersweredissuaded fromusing theInstagramservicebyclearer explanations of the processing operationscarried out, and their purposes”. The IE SA concludes that thisfactorisneitheraggravatingnormitigating,arguingthat“anygeneralconsiderationofthis[factor] ultimatelyinvolvesanelementofspeculation on both [MetaIE]’sand the Commission’s part” 573. The applicationof thecriteriaunder Article83(1)GDPR 310. Basedonthese circumstances,theIESAconsiders thatadministrativefinespursuant toArticle 58(2)(i) GDPRandArticle83 GDPR,totalinganamountnotlessthan€18 million andanamountnot morethan €23 millionshould be issued onMetaIEforthe infringementofArticle5(1)(a),Article12(1)andArticle 574 13(1)(c) GDPRinthe contextof Instagramservice . 311. The LSA considers that the proposed administrative fines areeffective, proportionate and dissuasive taking into account all of the circumstancesof the Inquiry 575. Regarding the effectiveness, the IE SA argues that the “infringements are serious, both in terms of the extremelylarge number of data subjectspotentiallyaffected,thecategoriesofpersonaldata involved,and theconsequencesthatflow from the failure to comply with the transparency requirements for users” 576. Concerning the dissuasiveness, the LSA states that the fine must “dissuade both the controller/processor concerned as wellas other controllers/processorscarrying out similar processing operationsfrom repeating the 571DraftDecision,paragraph248. 572 DraftDecision,paragraph253. 573DraftDecision,paragraphs251-252. 574DraftDecision,sections9and10. Morespecifically,theIESAproposesthefollowingadministrativefines(DraftDecision,paragraph254): - a fineof between €11.5millionand€14millionforthefailuretoprovidesufficientinformationinrelationto the processing operations carried out on foot of Article6(1)(b) GDPR, thereby infringing Articles 5(1)(a) and 13(1)(c)GDPR; - a fineof between €6.5millionand€9millionforthefailuretoprovidetheinformationthatwasprovidedon theprocessingoperations carried out infoot of Article6(1)(b) GDPR, in a concise, transparent, intelligibleand easilyaccessibleform,usingclearandplainlanguage,therebyinfringingArticles5(1)(a)and12(1)GDPR. Theproposedadministrativefinesaretobeappliedcumulatively,astheydonotsurpassthemaximumprovided forinArt.83(5)GDPR.SeeDraftDecision,paragraphs264,295and296. 575DraftDecision,paragraph258. 576DraftDecision,paragraph255. 81 Adopted conductconcerned” 577.Asregardstheproportionality, theIESA considers thatthefines proposed “do not exceed what is necessary to enforce compliance with the GDPR, taking into account the size of Instagram user base, the impact of the infringementson the effectivenessof the data subject rights enshrinedinChapter IIIofthe GDPRandthe importanceof thoserights in the contextofthe GDPRas awhole” 578. 312. The IE SA refers tothe needto takeinto account the undertaking’sturnover in the calculationofthe 579 maximum possible fine amounts . The notion of “undertaking” is determined to refer to Meta Platforms,Inc. 580.The IESA takesintoconsiderationthe revenue reportedbyMetaPlatforms,Inc.for the yearending 31 December2020 ($85.965billion) 58. 9.1.2 Summary of theobjections raised by theCSAs 582 313. The DE,FR, IT, NL, andNOSAs object tothe envisagedactiontakenby the LSA withregardto the administrative fine proposed in the DraftDecision concerning the infringements of the transparency 583 obligationsbyasking the IESA toimpose a(significantly) higheradministrativefinewithreference totheestablishedinfringements. 314. The dispute arising from these objections concerns whether the proposed fine is effective, proportionate and dissuasive pursuant to Article 83(1) GDPR 58. With reference to these three criteria,theabove mentioned CSAs, specifically, argueasfollows. 315. According tothe DESAs, thefine proposed bythe LSA in the DraftDecisionis not proportionate with regard to the financial position of the undertaking. More specifically, the DE SAs argue that the envisaged fine of at most 23 million euros is not proportionate compared to the worldwide annual turnoveronMetaPlatforms,Inc 585.TheDESAspointoutthattheproposedfine‘’representsonlyabout 586 0.03%oftheturnoverofMetaPlatforms,Inc.andabout 0.72%ofthemaximum fine“ .Withrespect to dissuasiveness, the DE SAs consider that the fine proposed by the LSA “weakensthe position of supervisory authorities and endangers compliance with the GDPR’’ as this would leave controllers under the impression that“enforcementoftheGDPRwill notbe felt economically’’ 587. 316. The FR SA arguesthat the amount of the envisaged fine “seemslow and hardlycompatible with the objective set by Article 83(1) GDPR of ensuring to impose dissuasive fines” taking into account “the 577 DraftDecision,paragraph256. 578DraftDecision,paragraph257. 579DraftDecision,paragraph274. 580 581DraftDecision,paragraphs275-295.FormerlyFacebook,Inc. DraftDecision,paragraph295. 582DE SAs Objection,pp.10-12;FRSAObjection,paragraphs36-48;ITSAObjection,pp.7-10;NLSAObjection, paragraphs39-53;NOSAObjection,pp.9-13. 583All theseCSAsspecifiedthatthefineshouldbeincreased‘’significantly’’or‘’substantially’’excepttheNLand theITSAs (whichstatedthefineshouldbeincreased).SeeDESAs Objection,p.12;FRSAObjection,paragraph 45;ITSAObjection,pp.8-9;NOSAObjection,p.13;NLSAObjection,paragraph51. 584DESAs Objection,p.11;FRSAObjection,paragraph47;ITSAObjectionpp.7-8;NLSAObjection,paragraph 50;NOSAObjection,pp.11-12. 585 DESAs Objection,p.11. 586DESAs Objection,p.11. 587DESAs Objection,p.11. 82 Adopted number of data subjects concerned, the particularlyintrusive nature of the processing operations in question,thebreachesobserved,theposition ofMetaPlatformsIrelandLimited asa quasi-monopolist anditsfinancial situation”588.Inthisrespect,the FRSA notesthatthe fine proposed by theIE SA isno proportionate since “the cumulative amount of the two breaches of the provisions of Articles 5-1-a) and13-1-c) ofthe GDPR,onthe one hand, andthe provisions of Articles5-1-a) and 12-1 of theGDPR, on the otherhand, representsonly about 0.03% of the turnover of MetaPlatforms Inc.and lessthan 1% ofthe maximum fine” 58. 317. The IT SA arguesthat ‘’byhaving regardto the controller, inparticular the nature and size of Meta Platforms Inc. [...]the range at issue would appear to be overly low and neither proportionate nor 590 dissuasive’’ . 318. The NL SA doubts, also referring to the EDPB Guidelines on Administrative Fines, that the fines proposed bythe IESA meettheobjective tobe effective,“particularlyconsidering thestrong financial positionofthecontrollerandthefindingthatthe identifiedlackoftransparencylikelyhashadfinancial benefits for the controller” 59. As regard to dissuasiveness, the NL SA argues, also referring to establishedCJEU case-law,thatMetaIE“generatesaturnoverofover86billion dollars(approximately 79 billion euros)per annum, thereforeit would be able to generatea daily revenueof approximately 235 million dollars. Instead of dissuading future behaviour, the penaltywould be simply regenerated 592 in a few hours” (specific deterrence) . With reference to proportionality, the NL SA questions the lack of reasoning in the Draft Decision as to why the amounts proposed are commensurate to the 593 seriousness of theinfringements . 319. TheNOSA arguesthattheenvisagedamountofthe fine isnoteffective nor dissuasive neithertoMeta IE nor to other controllers, considering the financial benefits accrued because of the violation and worldwide annual turnover ofMetaPlatform, Inc.for 2020 594Inparticular,theNOSA points out that MetaIE“would likelyhave no issue paying theproposed fine,and theamount ofthefine it isnot likely to affect [it] in such a waythat it would see a need to substantially change its practices”5. The NO SA illustratesthisby the factthat in2020, MetaIEset aside one billion euroof provisions toaddress, inter alia,the riskof fines for infringement tothe dataprotectionrules596. 320. In addition, these objections raise arguments with regardsto the weight afforded to some of the criterialistedin Article83(2) GDPR. 321. The ITSA objects totheLSA's decision not toconsider WhatsApp's previous infringementsin the case IN-18-12-2asanaggravatingcircumstanceunderArticle83(2)(e)GDPR,insofarasitispartofthesame group of companies of Meta IE. According to the IT SA “even though the WhatsApp case did raise additional,morespecific issues,one canhardlyquestionthattherelevantdecisionsetsa keyprecedent 588FRSAObjection,paragraph38. 589 FRObjection,paragraph40. 590ITSAObjection,p.8. 591NLSAObjection,paragraph48. 592NLSAObjection,paragraph49. 593 594NLSAObjection,paragraph50. NOSAObjection,p.12. 595NOSAObjection,p.12. 596NOSAObjection,p.11. 83 Adopted in assessing controller’srepetitiveconduct’’as‘’notonly did the controller in question clearlystickto the same business modelin offeringits different social networking services,it also did not change its assessment as to how to manage users’ data with particular regard to its information and 597 transparencyobligations’’ . 322. According to the DE, FR, NL and NO SAs, the fine proposed by the LSA in the Draft Decision is not proportionate withregardtotheseriousness of the infringement 59. 323. The NL SA argues that the fine is not commensurate with the seriousness of the infringements established(Article 83(2)(a)GDPR)andisinconsistent withtheIESA's qualificationsassuch 599.The FR SA alsoarguesthat the fine isincontradictionwiththe seriousnessofthe violationsidentified andthe natureof the processing (Article 83(2)(a)GDPR) 600. 324. The DE,FR,andIT SAs statethatthe fine proposed is not consistent withthe amount retainedbythe IESA initsdecision dated20 August2021 againstthecompanyWhatsAppIrelandLimited(caseIN-18- 12-2), in which the IE SA imposed an administrative fine of 225 million euros, including a fine of 30 million eurosfor the infringementof Article12 and13GDPRanda fine of90 millionon accountofthe 601 infringement ofArticle5(1)(a) GDPR .Moreover,theFR andITSAs statethatthe amount proposed appears low also in comparison with the one retained by the LU SA in its decision of 15 July 2021 againstthecompanyAmazonEuropeCore, whereanadministrativefine of746 millioneuroshasbeen imposed fortheinfringementsofArticles6,12and13GDPR,andwhichwasalso basedonacomplaint that the processing operations carried out by the companies of the Amazon group relating to behaviouraladvertisingdidnot havea validlegalbasis 602.Inaddition, theFRSA notesthattheamount ofthefine proposedbytheIESA“seemstobeunderestimatedincomparisonwiththeamountretained in thedeliberation oftheCNIL’srestrictedcommitteeNo.SAN-2019-001 of21 January2019 imposing a penalty of 50 million euros on the company Google LLC” 603. The FR SA considers this case as comparable because it is also based on a referral “filed by the association ‘NOYB’ with the CNIL, relating to a similar issue and formulated against Google, and that the restricted committee has identifiedabreach ofArticle6 of theGDPRand a breachof theprovisions ofArticles12 and 13 of the GDPR” 60. However, the FR SA notes that “the amount retained against Google LLC is close to that proposed by the Irish data protection authority, even though the processing operations in question concernall European users, [...]which was not the case in the above-mentioned CNIL’s decision, for whichonlyFrench usersweretaken into account” 605. 597 ITSAObjection,p.9. 598DESAs Objectionp.11;FRSAObjection,paragraph47;NLSAObjection,paragraphs39and43-44;NOSA Objection,p.12. 599NLSAObjection,paragraphs39and43-44. 600 FRSAObjection,paragraph50. 601FRSAObjection,paragraph42;ITSAObjection,p.8. 602FR SAObjection,paragraph43.SimilarreasoningisincludedintheITSAObjection,whichstates that‘’even byproportiontotherespectiveturnover[...]there islittle doubtthatthefiningproposalbytheLSAisnotinline 603hthe proportinalityrequirement’’(ITSAObjection,p.8). FRSAObjection,paragraph41. 604FRSAObjection,paragraph41. 605FRSAObjection,paragraph41. 84 Adopted325. TheNOSA arguesthat“thesuggestedfine isnotproportionatetotheseriousnessofthe violationsand the aggravating factors identified”, the “number of data subjects affected in the EEA amounts to hundredsofmillions” andagreeswiththe LSA thatthe controller’s“levelof responsibility ishigh” 606. 326. Onthe risksposed by the DraftDecision,the DE,FR,IT,NL,andNOSAs consider that,ifadopted,the Draft Decision would lead to a significant risk for the protection of the fundamental rights and freedoms of the data subjects 607. The DE, FR, IT, NL, andNOSAsexplain that it would not ensure an effective enforcementof theGDPR,asthe proposed fine isunable tocreateadeterrenteffect(either specifically towardsthe controller, or in generaltowardsother controllers) 608. The NO SA considers this would mean, “that the complainant and the affected data subjects would in practice be denied the levelof data protectionset out in the GDPR” 60. The FR SA arguesthe Draft Decisionas it stands would “lead to a levelling down of the level of administrative fines imposed by European data protectionauthorities,therebyreducingtheauthorities'coercivepowerand,consequently,theirability to ensureeffectivecompliancewith theprotectionofthe personaldataof Europeanresidents” 610.The 611 DESAsaddthat“theDraftDecisiondoesnotensureaconsistentapplicationofadministrativefines” . 9.1.3 Position ofthe LSA on theobjections 327. The LSA considers none of theobjections relatingtothequantum of theproposed administrative fine asrelevantand reasoned 61. 328. Inrelationtoobjections calling for anincrease ofthe amount ofthe fine setout inthe DraftDecision, the LSA statesthat notwithstanding the variance betweenthe viewsofthe CSAsonthe calculationof the fine that the IE SA has “fully taken into account the criteria at Article 83(2) GDPR, and that the proposedadministrativefinesmeettherequirementsofArticle83(1)GDPR,takinginto accountallthe 613 circumstancesofthismatterand asset out Part9 oftheDraft Decision” .The IESA also arguesthat the IE SA considers “the proposal as to the fine to be meaningful in terms of both the financial significance of it on any view, as well as the significant publicity that a fine in this region will attract’’614. 329. Withreference totheobjections relatingtothe mode ofcalculatingthe proposed administrative fine (assessment of the Article 83(2) GDPR criteria), the LSA does not accept that these objections are relevant 615. The LSA recalls that it has already examined in its Draft Decision whether the infringements were intentional and whether Meta IE obtained a financial benefit as a result of the infringements,questions towhichitansweredinthenegative 61.Furthermore,theLSAtakesthe view 606NOSAObjection,p.12. 607DESAs Objection,p.12;FRSAObjection,paragraph47;ITSAObjection,pp.8-10;NLSAObjection 608agraph52;NOSAObjection,p.12. DESAs Objection,p.12;FRSAObjectionparagraph47;ITSAObjection,pp.8-10;NLSAObjection paragraph49and52;NOSAObjection,p.12. 609NOSAObjection,p.12. 610FRSAObjection,paragraph.48. 611 DESAs Objection,p.11. 612CompositeResponse,paragraph120. 613CompositeResponse,paragraph118. 614CompositeResponse,paragraph119. 615 CompositeResponse,paragraph126. 616CompositeResponse,paragraph124.Onthismatter,theIESArefers torespectivelyparagraphs230-233 and251-252oftheDraftDecision. 85 Adopted that“itwouldbe contraryto a literalinterpretationofArticle83(2)(e)GDPRtotakethedecision made bytheIESA in respectofWhatsApp IrelandLimited(i.e.IN-18-2-1)in the calculationofthefine for this Draft Decision in circumstances where the infringements do not concern the same controller or 617 processor’’ . 9.1.4 Assessment of the EDPB 9.1.4.1 Assessmentof whethertheobjectionswererelevantandreasoned 330. The objections raisedby the DE,FR,IT,NL,andNOSAs concern‘’whethertheactionenvisaged in the DraftDecisioncomplieswiththeGDPR’’ 618. 331. The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe 619 threshold ofArticle 4(24)GDPR . 332. With specific regard to these objections on the determination of the administrative fine for the transparency infringements, Meta IE acknowledges that the objections as to whether envisaged corrective measures comply with the GDPR fall within the scope of the dispute resolution mechanism 62,however intheir view,objections thatsolelyobject totheamount ofa fine areoutside the scope of this mechanism 621. Meta IE arguesthat ‘’the DPC, asthe LSA, has the sole competence and discretion to impose an administrative fine’’ 62. Moreover, Meta IE claims that the EDPB is not competenttodeterminewhethertheadministrativefine iseffective,proportionate,anddissuasive 623. The EDPBdoes not share thisreading ofthe GDPR,asexplainedabove (see Section 8.4.2,paragraphs 277-279 ofthis Binding Decision)andconsiders thatCSAs mayobject tothefine amount proposed by 624 anLSA in itsdraftdecision . 617CompositeResponse,paragraph126. 618 EDPBGuidelinesonRRO,paragraph32. 619Meta IEArticle65Submissions,Annex1,p.65. 620Meta IEArticle65Submissions,paragraph8.5 621Meta IEArticle65Submissions,paragraph9.2 622 623Meta IEArticle65Submissions,paragraph9.2. Meta IEArticle65Submissions,paragraph9.2.Meta IEarguesthat“TheGDPRdoesnotconferanypoweron theEDPBto considerobjectionssolelychallengingtheamountofafine,andtheEDPBmaynotgiveinstructions asto whetherafineoughttobeimposed,orastoitsamount’’. 624 Inthis regard,Recital150GDPRcanberecalled,asitstatesthattheconsistencymechanismmayalsobeused to promote a consistent application of administrativefines. Consequently, an objection can challengethe elements reliedupontocalculatetheamountofthefine,andiftheassessmentoftheEDPBwithinthiscontext identifiesshortcomingsinthereasoningleadingtotheimpositionofthefineatstake,theLSAwillbeinstructed to re-assess thefineandremedytheidentifiedshortcomings(EDPBGuidelinesonArt.65(1)(a),para 91;EDPB RROGuidelines,paragraph34). TheEDPBfoundseveralobjectionsonthissubjectmatteradmissibleinthepast, seeinteraliaBindingDecision1/2020,paragraphs 175-178and180-181,BindingDecision1/2021,paragraphs 310-314, Binding Decision 1/2022 paragraphs 53-55, Binding Decision 2/2022, paragraphs 186-190. Consequently,withinitsmissionofensuringa consistentapplicationoftheGDPR,theEDPBis fullycompetent to resolvethedisputearisenamongsupervisoryauthoritiesandremedytheshortcomingsintheDraftDecision concerningthecalculationoftheamountofthefine,whichwillinanyeventbequantifiedandimposedbythe LSAinits nationaldecisionadoptedonthebasisoftheEDPB’s bindingdecision. 86 Adopted333. The EDPBtakesnote of further argumentsput forwardbyMetaIE,aiming todemonstratethe lackof 625 relevance of the objections raised by the DE, FR, IT, NL, and NO SAs . Meta IE disagrees with the content ofthese objections, whichconcerns itsmeritsandnot itsadmissibility. 334. The EDPB finds that the DE, FR, IT, NL, and NO SAs disagree with specific parts of the IE SA’s Draft Decision, namelythe assessment madeby the LSA in Chapter 9 ‘’Administrativefine’’andChapter 10 ‘’Otherrelevantfactors’’insettingtheadministrative fine applicable tothe violationsof transparency identified626. Iffollowed, these objections would leadtoa different conclusion in termsof corrective measures imposed. In consequence, the EDPB considers the objections raised by the DE, FR, IT, NL, andNOSAs tobe relevant. 335. MetaIEfurtherconsiders thatthe DE,FR,IT,NLandNOSAs’ objections have not created“reasonable doubt’’astothe validityofthe LSA’scalculationofthe fine anddonot explainwhythe fine envisaged in the DraftDecision is incompatible withArticle 83 GDPR 627.Inthis respect, MetaIE claims thatthe objections ofthe DE,FR,IT,NLandNOSAsare not sufficientlyreasonedastheyfocusonhypothetical “preventiveeffects”ofthefine on other controllersinfuture proceedings 628.Inaddition, MetaIEputs forward that the comparison made by the DE, FR, and IT SAs in their objections with other fines imposed in other cases is not relevant to the extent that fines should result in a case-by-case assessment 629. Meta IE also objects to the FR SA’s objection that the fine should be tied to the turnover, considering that Meta IE’s turnover is only relevant for determining the maximum fine amount under Articles83(4)-(6) GDPRand not the fine amount 630.Finally, in response tothe NOSA’s objection, Meta IE argues that controller’s financial provisions for potential regulatory-related expenses cannot be considered asa relevant factor under Article 83(2) GDPR 63. It follows from the above argumentsthatMetaIEdisagreeswiththe reasoning provided inthese objections, which thus concernsthe meritsandnot the admissibility ofthe objection. 336. The EDPB finds that the DE, FR, IT, NL, and NO SAs argue why they propose amending the Draft Decisionandhow this leadstoadifferent conclusion intermsof administrativefine imposed, i.e.why 632 theypropose toimpose a higherfine for the transparencybreaches . 625Meta IEargues thattheseobjectionsare“adirectcriticismof theamountoftheDPC’sproposedfine(i.e.an areawithintheDPC’ssolediscretionasLSA)ratherthanthelawfulnessoftheDPC’srelianceontherelevant factorstocalculatethefine(whichwouldbetheDraftDecision’srelevantlegalandfactualcontenttowhich the[CSAs]couldobject)’’.Meta IEArticle65Submissions,Annex1,paragraphs2.17-2.19,5.13,7.12,8.23,and 9.19. 626 DESAs Objection,p.10;FRSAObjection,paragraph36;ITSAObjection,pp.7-9;NLSAObjection, paragraph40and53;NOSAs’Objection,pp.9-10. 627Meta IEArticle65Submissions,Annex1,paragraphs2.21,5.15,5.17-18,7.14,8.25,and9.22.Inthisregard Meta IEsubmitsthat‘’afineproposedbytheLSAiseffective,proportionate,anddissuasiveaslongasthecriteria laiddowninArticle83(2)GDPRaredulytakenintoaccount(whichisclearlythecasehere).Indeed,thecalculation of fines is subjective, and there is significant variance amongst objecting CSAsas to what the appropriate fine shouldbe’. 628Meta IEArticle65Submissions,Annex1,paragraphs2.22,5.19,7.16,8.26,and9.23. 629Meta IEArticle65Submissions,Annex1,paragraphs2.23,5.18,and7.17. 630 631Meta IEArticle65Submissions,Annex1,paragraph5.21. Meta IEArticle65Submissions,Annex1,paragraph9.26. 632DESAs Objection,p.11-12;FRSAObjection,paragraphs38,40,42,43,47;ITSAObjection,pp.7-9;NLSA Objection,paragraphs44-45and47-50;NOSAObjection,pp.11-12. 87 Adopted337. Intermsof risks, Meta IEclaims the DraftDecision does not pose any risk, let alone a significant risk tofundamentalrightsandarguesthe objections of the DE,FR,IT,NL,andNOSAs failtodemonstrate the contrary,asrequired 63. 338. Inparticular,MetaIEconsidersthattheDE,FRSA andITSAs’ objections appeartofocusonincreasing the “punitive impact” of the fine on Meta IE, instead of demonstrating any significant risks to the fundamentalrightsofdatasubjects 63.MetaIEfurtherclaimsthattheNLandNOSAs’objections does not set out how the proposed fine would pose a direct andsignificant risk tofundamentalrightsand 635 freedoms . In addition, Meta IE argues the DE, FR, IT, NL and NO SAs’ objections rest on unsubstantiatedpossible effecttheDraftDecisioncouldhaveonfuture behaviourofothercontrollers, 636 without demonstrating how this Decision would lead to significant risks in the case at hand . Therefore, Meta IE claims that, in doing so, the assessment made by the DE, FR, IT and NL SAs is 637 incorrectastheydo not consider the reputationalcosts generatedbysuch afine . 339. First, the EDPBnotes thatany risk assessment addresses future outcomes whichare tosome degree uncertain,andfinds thereis no basis in theGDPRtolimit the notion ofrisks tothe boundaries ofthe particular case at hand. Article 4(24) GDPR referstothe risks posed to the "fundamentalrights and freedomsof data subjects" and “where applicable, the free flow of personaldata within the Union”. Bothofthese aspectsare phrasedina generalway. The wording ofthisprovisiondoesnot in anyway limit the demonstration of the risks to showing the risks posed to the data subjects affectedby the concrete processing carriedout by the specific controller, in light of the objective of guaranteeing a 638 ‘’highlevelofprotectionintheEUfortherightsand interestsoftheindividuals’’ .Therefore,therisks posedbyadraftdecision tobe demonstratedbya relevantandreasonedobjectionmightalsoconcern datasubjects whose personaldatamight be processed inthe future, including by other controllers. 340. The EDPB also notes that the DE, FR, IT, NL, and NO SAs 639 considered both of the aspects that are entailedbydissuasiveness ofthe fine, i.e.specific deterrenceandgeneraldeterrence 640. 633Meta IEArticle65Submissions,Annex1,paragraphs2.24-2.27,5.22-5.25,7.18-7.21,8.28-8.32,and9.25- 9.27. 634Meta IEArticle65Submissions,Annex1,paragraphs2.24,5.22,and7.18. 635 Meta IEArticle65Submissions,Annex1,paragraphs8.28,and9.25. 636Meta IEArticle65Submissions,Annex1,paragraphs2.25,5.23,7.19,8.30,and9.26. 637Meta IEArticle65Submissions,Annex1,paragraphs2.26,5.24,7.20,8.31.Meta IEaddsthat,inanycase,it ‘’doesnotconsiderthatfinessuchastheoneproposedintheDraftDecisioncouldencourageothercompanies 638tocomplywiththeGDPR’’. Judgement of the Court of Justiceof 6 November 2003, Lindqvist, CaseC-101/01, ECLI:EU:C:2003596, (hereinafter‘C-101/01Lindqvist'),paragraph95;JudgementoftheCourtofJusticeof16December2008,Heinz HubervBundesrepublikDeutschland,C‑524/06,ECLI:EU:C:2008:724,(hereinafter‘C‑524/06Huber’),paragraph 50; Judgement of the Court of Justice of 24 November 2011, Asociación Nacional de Establecimientos FinancierosdeCrédito,C-468/10andC-469/10,ECLI:EU:C:2011:777,paragraph28. 639DESAs Objection,p.12(referringtothe‘’undertakinginquestion’’),FRSAObjection,paragraph47(referring to ‘’the controller’’); IT SA Objection pp.8-9 (referring to ‘’the controller’’); NL SA Objection, paragraph52 (referring to the risk in relation to ‘’the illegal processing at hand’’);NO SA Objection, p.12 (referring to 640ncentivesforMetaIE’’). TheCJEUhas consistentlyheldthata dissuasivefineisonethathasagenuinedeterrenteffect,encompassing bothspecificdeterrence(discouragingtheaddresseeofthefinefromcommittingthesameinfringementagain) andgeneral deterrence(discouragingothersfromcommittingthesameinfringementinthefuture).See, inter 88 Adopted341. The EDPB finds that the DE, FR, IT, NL, and NO SAs articulate an adverse effect on the rights and freedomsof datasubjectsifthe DraftDecisionis leftunchanged,by referringtoa failuretoguarantee 641 a highlevelof protectioninthe EU for the rightsand interestsof the individuals . 342. Therefore,the EDPBconsiders the DE,FR,IT,NL,andNOSAs objections tobe reasoned. 9.1.4.1 9.1.4.2. Assessment on themerits 343. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether the envisagedactioninrelationtothe controller complies withtheGDPR. 344. The EDPB recalls that the consistency mechanism may also be used to promote a consistent 642 application of administrative fines . A fine should be effective, proportionate and dissuasive, as required byArticle 83(1) GDPR,takingaccount of the factsof the case 643. Inaddition, when deciding ontheamount ofthe fine,theLSA shalltakeintoconsiderationthecriterialistedinArticle83(2)GDPR. 345. The EDPB responds to Meta IE’s argument that the LSA has sole discretion to determine the appropriate corrective measures in the event of a finding of infringement above (see Section 8.4.2, paragraphs277 -279 aswellasfootnote 624). 346. The finding in the Draft Decision of a transparency infringement for the processing concerned still stands. The EDPB recalls that, on substance, no objections were raised on this finding. Meta IE infringed its generaltransparency obligations by being unclear on the link between the purposes of processing, the lawful bases of processing and the processing operations involved 644, irrespective of the validityofthe legalbasis reliedonfor the ‘processing concerned’.Itremainsthecase that,forthe transparencyinfringements, ‘‘theprocessing concerned’’shouldbe understood asmeaning all ofthe processing operations thatMetaIEcarriesout onthe personaldata under itscontrollershipfor which 645 Meta IE indicated it relied on Article 6(1)(b) GDPR , including for the purposes of behavioural advertising.This is without prejudice tothe fact thatMetaIE inappropriatelyrelied on Article6(1)(b) GDPR asa legalbasis to process personal data for the purpose of behavioural advertising as part of the delivery of its Instagram service under the Termsof Use. Whether or not Meta IE appropriately chose its legal basis for processing, the transparencyinfringement as assessed in the Draft Decision still stands. Therefore, the IE SA must not modify this description retro-actively in light of the assessment ofthevalidityofthelegalbasis, including forthepurpose ofcarryingoutanyreassessment of the administrative fines originally proposed by the Draft Decision, as might be required by this Binding Decision. alia, Judgement of the Court of Justiceof 13 June 2013, Versalis Spa v European Commission, C-511/11P, ECLI:EU:C:2013:386,(hereinafter‘C-511/11,Versalis’),aragraph 94. 641DESAs Objection,p.12,FRSAObjection,paragraphs47-48;ITSAObjection,pp.8-9;NLSAObjection, paragraph52;NOSAObjection,p.12.SeealsoEDPBGuidelinesonRRO,paragraph37. 642 Recital 150GDPR. EDPB Guidelines on RRO, paragraph 34;EDPB Guidelines on Administrativefines p. 7 (“When the relevant andreasonedobjection raises the issue of the compliance ofthe corrective measure with the GDPR, the decision of EDPB will also discuss how the principles of effectiveness, proportionality and deterrence are observed in the administrative fine proposedin the draft decision of the competent supervisory authority”). 643 644EDPBGuidelinesonAdministrativefines,p.7;EDPBGuidelinesoncalculationoffines,paragraphs132-134. DraftDecision,paragraph189. 645DraftDecision,paragraph210. 89 Adopted347. Inlightofthe objectionsfound relevantandreasoned, theEDPBaddresseswhetherthe DraftDecision proposes afine for the transparencyinfringements thatis inaccordancewith thecriteria established by Article83(2) GDPRandthe criteria provided for by Article 83(1)GDPR.Indoing this, the EDPBwill first assess the disputes arisen in respect of the analysis of specific criteria under Article 83(2)GDPR performed by the LSA, and then examine whether the proposed fine meets the requirements of effectiveness, dissuasiveness and proportionality set in Article 83(1) GDPR, including by affording adequateweighttothe relevant factorsandtothe circumstancesofthe case. On any relevantpreviousinfringementsby thecontrolleror processor (Article83(2)(e)GDPR) 348. Article 83(2)(e) GDPR requires supervisory authorities to give due regard to any previous relevant infringement of the GDPRbythe controller or processor asone of the circumstancesthat justifies an increase inthe basic amount of the fine. Assimilar reference canbe found inRecital148 GDPR. 349. For the purposes of Article 83(2)(e) GDPR, both previous infringements of the same subject matter and infringements of a different subject matter but committed in a manner similar to that under investigation, should be considered as relevant. Furthermore, the EDPB recalls that the scope of assessment ofinfringementsmayinclude not only previous decisions bythe investigatingsupervisory authority, but also infringements found by other authorities, provided that theyare relevant tothe 646 case under investigation . 647 350. The EDPB first notes that, contrary to Meta IE’s views , substantial similarities exist in the infringements found by the LSA in its draft decision and in its decision IN-18-12-2 in relation to WhatsApp Ireland Limited and in which breach of GDPR obligations were established. As rightly pointed out by the IT SA, the LSA indeed considered in both decisions that the controller had not provided transparentinformationon thelegalbasisandpurposesofthe processing operationsor sets ofprocessing operationscarriedout,therebyinfringing Article5(1)(a),Article12(1)andArticle13(1)(c) GDPR 648. 351. TheITSA contendsthat,totheextentthatMetaIEandWhatsAppIrelandLimitedarepartofthesame corporategroup, theprevious decision concerning WhatsAppIrelandLimited“setsa keyprecedentin assessing a controller’srepetitive conduct”,as“not onlydid the controller in question clearlystickto the same business modelin offering its different social networking services,it also did not change its assessment as to how to manage users’ data with particular regard to its information and 649 transparencyobligations” . The IE SA disagreeswiththis objection, considering thatArticle83(2)(e) 646EDPBGuidelinesonAdministrativeFines,paragraph93. 647Meta IEArticle65Submissions,paragraph10.3.AccordingtoMeta IE’s theDPCFinalDecisionIN-18-12-2 againstWhatsAppIrelandLimitedconcerns‘’whollyseparateproceedinginvolvingwhollyseparateallegations andclaims’’. 648DPCFinalDecisionIN-18-12-2concerningWhatsAppIrelandLimited,20August2021,paragraphs496,591 and595,availableat: https://edpb.europa.eu/system/files/2021-09/dpc final decision redacted for issue to edpb 01-09-21 en.pdf;DraftDecision,p.71. 649 ITSAObjection,p.9. 90 Adopted GDPRcannot apply in the circumstancesof thiscase insofar as itsdecision againstWhatsApp Ireland 650 Limitedwasaddressedtoa different controller . 352. In this respect, the EDPB notes that Meta IE and WhatsApp Ireland Limited are both subsidiaries of MetaPlatforms, Inc. 651.Nonetheless,the EDPBrecallsthat the GDPRdrawsa distinction betweenon the one handthe “controller”or“processor” 652,whichare responsible for complying withthe rulesof the GDPR,andonthe otherhand the“undertaking” 653towhichthe controller or processor is partof, andthatmaybefound jointly andseverallyliable for thepaymentofthe fine 65.Inthiscontext,Article 83(2)(e)GDPRexplicitlyreferstotheneedtoconsider previousrelevantinfringementscommitted‘’by thecontrolleror processor’’(emphasis added). 353. Therefore,the EDPBconsiders thatthe Final Decisiondoes not needtorefer tothe infringements by WhatsAppIrelandLimited,asestablishedinDecisionIN-18-12-2,asanaggravatingfactorunderArticle 83(2)(e) GDPRfor thecalculationof thefine. Theeffectiveness,proportionalityanddissuasiveness ofthe administrativefine (Article 83(1)GDPR) 354. Withregardtoeffectivenessofthe fines, theEDPBrecallsthattheobjective pursuedby thecorrective measure chosencanbe tore-establishcompliance withthe rules,or topunish unlawfulbehaviour, or both 655. In addition, the EDPB notes that the CJEU has consistently held that a dissuasive penalty is one that has a genuine deterrent effect. Inthat respect, a distinction canbe made betweengeneral deterrence (discouraging others from committing the same infringement in the future) and specific deterrence(discouraging theaddressee of the fine from committingthe same infringement again) 656. Therefore, in order to ensure deterrence, the fine must be set at a level that discourages both the controller or processor concerned as well as other controllers or processors carrying out similar processing operations from repeating the same or a similar unlawful conduct. Proportionality of the fine needs also to be ensured as the measure must not go beyond what is necessary to attainthat 657 objective .Inthisrespect,theEDPBdisagreeswithMetaIE’sviewsthatthereisnobasis toconclude thatthe amount ofthe fine must have a generalpreventive effect 65. 650CompositeResponse,paragraph125.AccordingtotheIE SA, this stems directlyfromthewordingofArticle 83(2)(e) GDPR, which ‘’expressly states that only relevant previous infringements by the same controlleror 651cessormustbetakenintoconsideration’’. DPCFinalDecisionIN-18-12-1concerningWhatsAppIrelandLimited,20August2021,paragraph872;Draft Decision,paragraphs5and288. 652SeeArt. 4(7)-(8)GDPR. 653AccordingtoRecital150,‘’whereadministrativefinesareimposedonanundertaking,anundertakingshould beunderstoodtobeanundertakinginaccordancewithArticles101and102TFEUforthosepurposes’’.According to settled case-law of theCJEU, the term ‘undertaking’ “encompasses every entity engagedin an economic activity,regardlessofthelegalstatusoftheentityandthewayinwhichitisfinanced’’(see,inthisregard,EDPB BindingDecision1/2021,paragraph292). 654 655EDPBBindingDecision1/2021,paragraph290. EDPBGuidelinesonAdministrativeFines,p.6. 656See, interalia,C-511/11,Versalis,paragraph94. 657SeeJudgementoftheGeneral Courtof14October2021,MTvLandespolizeidirektionSteiermark,C‑231/20, , ECLI:EU:C:2021:845,paragraph 45(“theseverityofthepenaltiesimposedmust[…]becommensuratewiththe seriousness of the infringements forwhich they are imposed, in particularby ensuring a genuinelydeterrent effect, whilenotgoingbeyondwhatisnecessarytoattainthatobjective”). 658Meta IEArticle65Submissions,Annex1,paragraphs,2.22,5.16,7.16,8.30and9.23. 91 Adopted355. The EDPB reiterates that it is incumbent upon the supervisory authorities to verify whether the amount of the envisaged fines meets the requirements of effectiveness, proportionality and dissuasiveness, or whetherfurther adjustmentstothe amountarenecessary,considering the entirety of the fine imposed and allthe circumstancesof the case,including e.g.theaccumulationof multiple infringements, increases and decreases for aggravating and mitigating circumstances and 659 financial/socio-economic circumstances . Further, the EDPB recallsthat the setting of a fine is not an arithmeticallyprecise exercise 66, andsupervisory authoritieshave a certainmarginof discretion 661 inthis respect . 356. The DE,FR,IT,NL,andNOSAs ,object tothe level ofthe fine envisaged inthe DraftDecisionas they consider the proposed fine not effective,proportionate anddissuasive (Article83(1) GDPR) 662. 357. These CSAs arguethatthe elementsof Article83(2)GDPRarenot weighedcorrectlybythe LSA when calculating the administrative fines in the present case, in light of the requirements of Article 83(1) 663 GDPR .Specifically,theDE,FR,IT, NLandNOSAs arguethatthefine envisagedintheDraftDecision isnot proportionatewithIESA’sfindings inrelationtothenatureandseriousness oftheinfringements 664 andthe number of datasubjects concerned . 358. In addition, these CSAs argue that the fine is not effective, proportionate and dissuasive taking into account thefinancial position of MetaPlatform,Inc. 66. 359. The EDPBtakesnote of MetaIE’sdisagreement withthe fine proposed by the IESA 666 andtheir view that the LSA alreadyconsiders all factorsit considered tobe relevant toArticle 83(2) GDPR andthat ‘’noneoftheCSAs have createdanyreasonable doubt asto thevalidity ofthe DPC’scalculation’’ 667. 360. The EDPB notes that in the Draft Decisionthe IE SA indicates being satisfied the proposed fines are effective, proportionate and dissuasive, taking into account all the circumstances of the IE SA’s 668 inquiry . TheIESAassessed thedifferentcriteriaofArticle83(2)GDPRinrelationtothe transparency 659EDPB Guidelines on calculation offines, paragraph 132, and EDPB Guidelines on AdministrativeFines, p. 6, specifyingthat”administrativefinesshouldadequatelyrespondtothenature,gravityandconsequencesofthe breach, and supervisory authorities must assess all the facts of the case in a mannerthat is consistent and objectivelyjustified”. 660See Judgement of the General Court of 22 September 2021, AlticeEuropeNV v Commission, T 425/18, ECLI:EU:T:2021:607, paragraph 362; Judgement of theGeneral Court of 5 October 2011, Romana Tabacchi v Commission,CaseT‑11/06,ECLI:EU:T:2011:560, paragraph 266. 661See, inter alia, judgement of the General Court of 16 June 2011, Caffaro Srl v Commission, T-192/06, ECLI:EU:T:2011:278, paragraph 38.SeealsoEDPBGuidelinesoncalculationoffines,p.2. 662 DE SAs Objection,pp.10-12;FRSAObjection,paragraphs36-48;ITSAObjectionpp.7-10;NLSAObjection, paragraphs39-53;NOSAObjection,pp.9-13; 663DESAs Objection,p.11;FRSAObjection,paragraph47;ITSAObjectionpp.7-8;NLSAObjection,paragraph 50;NOSAObjection,pp.11-12 664 DESAs Objection,p.11;FRSAObjection,paragraph38;ITSAObjection,p.8;NLSAObjection,paragraph42 and48;NOSAObjection,p.12. 665DESAs Objection,p.11;FRSAObjection,paragraph38-40;ITSAObjection,pp.8;NLSAObjection,paragraph 48-49;NOSAObjection,pp.11-12. 666 Meta IEArticle65Submissions,paragraph9.1. 667Meta IEArticle65Submissions,paragraph9.3. 668DraftDecision,paragraphs255-258. 92 Adopted infringements found 669. The IE SA considered the infringements as serious in nature 670, andin terms of gravityofthe infringements found a significant levelof non-compliance 671. Furthermore,the EDPB underlines that, as established by the IE SA, the infringements affect a significant number of data subjects 672 and are extensive 673. The EDPB also observes that the IE SA considered the negligent character ofthe infringement 674, aswell as the high level of responsibility of Meta IE for the lackof compliance with the GDPR 675 as aggravating factors under Article 83(2) GDPR. Further, the IE SA qualifiedthelevelofdamagesufferedbydatasubjectsassignificant 676.Inaddition,theIESAidentified only one mitigating factor, without indicating, however, whether this should lead to a slight or substantialreductionof the fine range 677. 361. MetaIEarguesthatreputationcostsshould alsobe takenintoconsideration, citingthe IESA’sremark 678 on “the significant publicity that a fine in this region will attract” . Onprinciple, the EDPB agrees thatreputationcostscould be takenintoconsideration tosome extent,ifcredible argumentsareput 679 forward about the grave detriment that would ensue. Meta IE does not present such arguments . The EDPBisoftheview thatinthis caseother incentiveswouldoffset anyreputationalcosts. Asfaras advertisers are concerned, Meta IE puts forward that “The personalised nature of the Instagram Service is also the reason why it has been instrumental in the success of small and medium sized businesses (“SMBs”) worldwide, including across the EU. Personalisation on social media and other digitaltechnologies,including theInstagram Service,enablesSMBstocompeteforcustomersthrough “customizing [sic] productsand services,[...]building a unique brand image,tailoring marketing to a specific audienceand developing a strong one-to-oneconnectionwith a communityof customers’’ 680. As far asusers of the Instagramservice are concerned,there are networkeffectsat playwhich leads to incentives to join - or not leave - the platform, so as not to be excluded from participating in discussions, corresponding withandreceiving informationfrom others 68. 362. According tothe DE, FR, and IT SAs, the proposed fine is not consistent with the fine of 225 million eurosdecideduponbytheIESAinitsdecision dated20August2021againstWhatsAppIrelandLimited 669 DraftDecision,paragraphs209-252. 670DraftDecision,paragraphs212-215and253. 671DraftDecision,paragraphs216-217and253. 672 673DraftDecision,paragraphs223-225and253. DraftDecision,paragraph221. 674DraftDecision,paragraphs230-233and253. 675 Draft Decision, paragraph240. The IE SA considers that ‘’Meta Ireland should have been aware of the appropriate standards– albeit at a general level – and, having made a deliberate decision to present the information in a mannerwhich fellsignificant below the standard required, hasa high degree of responsibility forthe lackofcompliancewiththeGDPR’’. 676TheIESAfindsitsufficientlyshownthat“rightshavebeendamagedinasignificantmanner,giventhelackof 677pportunitytoexercisedatasubjectrightswhilebeingfullyinformed”,DraftDecision,paragraph229 DraftDecision,paragraphs234-236. 678CompositeResponse, paragraph 119. SeeMeta IE Article65 Submissions, Annex 1, paragraphs 2.26, 5.24, 7.20,8.31. 679Meta IE states that“evenifMetaIrelandorothercompaniescouldeverconsiderthatmulti-millionfinesare negligible from a financial point of view (a statement that is unsubstantiated anddisputed), such companies wouldobviouslybeconcernedbythereputationalcostofsuchfines.”Meta IE Article65Submissions,Annex1, paragraphs2.26,5.24,7.20,and8.31. 680Meta IEArticle65Submissions,paragraph6.23. 681 NO SA Objection, p. 5. Inthesamevein, theFR SAdescribes Meta IE’s position as quasi-monopolist (FR SA Objection,paragraph38). 93 Adopted for the same transparencyinfringements(breaches of Articles12 and 13 GDPR) 68. Inparticular, the DE SAs point out that ‘’the facts and the seriousness of the infringements in the two cases are no sufficiently different to justify a difference of 85% in the fine imposed’’83. The FR and IT SAs also comparewiththe fine of 746million euros decidedbythe LU SA initsdecision of 15July 2021 against the companyAmazonEurope Core for carryingout behaviouraladvertising without a validlegalbasis andfor transparencyinfringements(Articles 6,12 and13 GDPR) 684.While theEDPBagreeswithboth theIESAandMetaIEthatimposingfinesrequiresacase-by-caseassessment under Article83GDPR 685, the EDPB notes that the cases cited by the DE, FR and IT SAs do show marked similarities with the currentcase,astheybothrefertolargeinternetplatformsrunbydatacontrollerswithmulti-national operations and significant resources available tothem, including large, in-house, compliance teams. Moreover, there are similarities with regards to the nature and gravity of the infringements 686 involved . Thus, these casescangive anindication onthe matter. 687 363. The DE,FR,ITandNOSAscalculatethatthe envisagedupper limit of thefine rangeisabout 0.03% of the global annual turnover of Meta Platforms, Inc., which the DE SAs note is about 0.72% of the 688 maximum ceiling provided for in Article 83(5) GDPR . For illustrative purposes also, is the amount oftimeit wouldtakeMetaPlatforms,Inc.onaveragetogenerate23millioneurosinturnover in2020, 689 whichwasabout 2 hours and33 minutes . 364. The EDPB agreeswith the objections raised that - if the proposed fine was to be imposed for the transparency infringements - there would be no sufficient special preventive effect towards the controller, nor a credible generalpreventive effect 69.The proposed fine amount,even where a final amountattheupper limitoftherangewouldbe chosen, isnot effective,proportionateanddissuasive, in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of doing business 691. Asbehavioural advertising is atthe core of MetaIE’sbusiness model 692, the riskof this occurring is allthe greater69.Bybearingthe cost of the administrative fine, the undertaking can avoidbearing the cost ofadjusting their business modeltoone that iscompliant aswellasanyfuture losses that wouldfollow from theadjustment. 682 DESAObjection,p.11-12;FRSAObjection,paragraph42;ITSAObjection,p.8.TheIESA’s decisioninthis case(caseIN-18-12-2)isunderappealbeforetheIrishcourts. 683DESAObjection,p.12. 684 685FRSAObjection,paragraph43;ITSAObjectionp.8. DraftDecision,paragraph219-220;Meta IEArticle65Submissions,pargraphs2.23,5.18,7.17. 686Inthis regard,theDE SApoints outthatinbothdecisionstheIESAstatedthattheprovisionsinfringed‘’go tothe heartofthegeneralprincipleoftransparencyandthefundamentalrightoftheindividualtoprotectionof his/herpersonal data which stems from the free will andautonomyof the individual to share his/herpersonal data”.DESAObjection,p.11. 687DESAObjection,p.11;FRSAObjection,paragraph40;ITSAObjection,p.8;NOSAObjection,p.12. 688DESAObjection,p.11. 689Basedonthetotal annualturnoverof2020beingEUR79billioncalculatedbytheNLSAinits objection(NL SAObjection,paragraph49)onthebasisoftheturnoverofMeta Platforms,Inc.referredtointheDraft Decision(86billiondollars).Thus,a fineofEUR23millionwouldhavetaken2h33togenerate. 690DESAObjection,p.12; ITSAObjection,pp.8-9;NOSAObjection,p.12;FRSAObjection,paragraph47. 691NOSAObjection,p.11. 692 DraftDecision,paragraphs102,221,227and251. 693NOSAObjection,pp.11-12. 94 Adopted365. Though the IE SA touches upon the notions of effectiveness, proportionality and dissuasiveness in relation to the proposed fine 69, there is no justification based on elements specific to the case to explain the modest fine range chosen. Moreover, the EDPB notes that while the IE SA takes into considerationthe turnoverof theundertakingtoensure thatthefine it proposed doesnot exceedthe 695 maximum amount of the fine provided for in Article83(5) GDPR ,theIESA does not articulatehow andtowhatextentthe turnover ofthisundertaking isconsidered toascertainthatthe administrative 696 fine meetsthe requirementof effectiveness, proportionality and dissuasiveness . Inthis regardthe EDPB recalls that, contraryto Meta IE’sviews 69, the turnover of the undertaking concerned is not exclusively relevant for the determination of the maximum fine amount in accordance with Article 83(4)-(6) GDPR,butshould alsobe consideredfor thecalculationof thefine itself, whereappropriate, toensure the fine iseffective,proportionate anddissuasive inaccordancewithArticle 83(1)GDPR 698. The EDPB therefore instructs the IE SA to modify its Draft Decision to elaborate on the manner in which the turnover of the undertaking concerned has beentakeninto account for the calculationof the fine. 366. In light of the above, the EDPB considers that the proposed fine does not adequately reflect the seriousness andseverity of the infringements nor has a dissuasive effect on Meta IE. Therefore, the fine does not fulfil the requirement of being effective, proportionate and dissuasive in accordance with Article 83(1) and (2) GDPR. Inlight of this, the EDPB directs the IE SA to set out a significantly higher fine amount for the transparencyinfringementsidentified, in comparison withthe upper limit for the administrative fine envisagedin the Draft Decision. Indoing so, the IESA must remainin line withthe criteriaof effectiveness, proportionality, anddissuasiveness enshrined inArticle 83(1)GDPR inits overallreassessment of the amountof the administrativefine. 9.2 On the determination of anadministrative finefor further infringements 9.2.1 Analysis bythe LSA in the Draft Decision 367. The IE SA in the Draft Decisionconcludes that Meta IE hasnot sought to relyon consent in order to processpersonal datatodeliver itsservice asoutlinedinthe InstagramTermsofUseandis not legally obligedtorelyon consent inorder todo so(Finding 1) 699. Alongside, theIE SA concludes thatMetaIE can rely on Article 6(1)(b) GDPR as a legalbasis to carryout the personal data processing activities involved inthe provision of itsservice tousers, including behaviouraladvertisinginsofar asthatforms 700 a core part of the service (Finding 2) . In these terms, the IE SA did not propose to establish an infringement ofArticle 6(1)GDPR. 694 DraftDecision,paragraphs255-258. 695DraftDecision,paragraph295. 696EDPBGuidelinesoncalculationoffines,paragraph120. 697Meta IEArticle65Submissions,paragraphs9.8-9.10.Inaddition,Meta IE’sargumentthat“[turnover]isnota relevant consideration whendeterminingthe amount of the fine underArticle 83(2) GDPR”is not withinthe scopeofthedisputeasnoCSAsraisedanobjectionontheconsiderationofturnoverunderthisprovision(Meta IEArticle65Submissions,paragraphs9.5-9.8). 698EDPBBindingDecision1/2021,paragraphs405-412. 699DraftDecision,p.23. 700DraftDecision,paragraphs111-115andp.40. 95 Adopted368. Inaddition, no infringement of Article 9(1) GDPR hasbeen found as the IE SA has not identified and separatelyassessed anyprocessing of specialcategoriesofpersonal databyMetaIEin thecontext of InstagramTermsof Use. 369. The IESA initsDraftDecision concludes thatMetaIEhasinfringed Article5(1)(a), Article 13(1)(c)and Article12(1)GDPRduetothelackoftransparencyinrelationtotheprocessing for whichArticle6(1)(b) GDPRhasbeenreliedon (Finding 3) 701. 9.2.2 Summary ofthe objections raised bythe CSAs 702 370. The AT, DE,FR, IT, NO, andSE SAs object tothe LSA’s failure totake actionwithrespect toone or more specific infringementstheydeem should have beenfound and askthe IESA toimpose a higher administrativefineas a resultoftheseadditionalinfringements. Objectionsrequesting the imposition of a fine for the additional infringement of Article 6(1)GDPR or Article6(1)(b) GDPR 703 371. TheDEandFR SAsaskfor theadministrative fine tobe increased asa consequence ofthe proposed finding of an infringement of Article 6(1) GDPR704. The AT, NOandSE SAs argue that the fine should 705 be increasedfollowing the finding of aninfringement ofArticle 6(1)(b) GDPR . 372. The DE SAs state that the fact that Article 6(1) GDPR was infringed is not properly reflected in the calculationofthefine intheDraftDecision 706.TheDESAsarguethatinthecurrentcasetheprocessing of personal data was performed without a legal basis as consent of the data subjects would be required,whichwasnot given,andthatthe“DraftDecisionisinsofar not incompliancewithArticle83 GDPR as it does not consider the additional infringement of Articles 5(1)(a), Art. 6(1), 9(1) when 707 calculating the amount of the administrative fine” . The DE SAs state that it is a highly serious infringement under Article 83(2)(a) GDPR considering that personal data of at least 708 individuals were affected .TheDE SAs also highlight thatthe fine imposed needs toaim toprevent further infringementsof theGDPR;first, itshould have “specialpreventive”effects,meaningthatthe amount imposedneeds tobe such that“itisnot tobeexpectedthatthespecificcontrollerwillcommit similar infringementsagain” byhaving“such anoticeableimpacton theprofitsoftheundertakingthat future infringementsofdata protectionlaw would not be ‘discounted’ into the processing performed 701 702DraftDecision,p.71. AT SAObjection,pp.11-12;DESAs Objection,p.10and12;FRSAObjection,pp.9-10.;NOSAObjection,pp. 9-13;SESAObjection,pp.4-5. 703FRSAObjection,paragraph44;DESAs Objection,p.10. 704DESAs Objection,pp.1-6andpp.9-10;FRSAObjection,paragraphs5-14,33and52; 705 AT SAObjection,pp.11-12;NOSAObjection,pp.10-11;SESAObjection,pp.4-5. In addition, also theDE (DE SAs objection, p. 10), FI and NO (NO SA objection, p. 9) SAs (FI SA Objection, paragraph26)arguethatanadministrativefineshouldbeimposedfortheinfringementofArticle6(1)(b)GDPR; however, this aspect of theobjectionraisedby the DE, FI and NO SAs was deemed to be not relevant and 706sonedbytheEDPBinparagraph85above. DESAs Objection,p.10. 707DESAs Objection,p.10. 708DESAs Objection,p.10. 96 Adopted by the undertaking lightly”; secondly, it should have ‘’generalpreventive” effects by leading other controllersto“make asignificant effortto avoid similar violations” 709. 373. The FRSA considers thatsome violations arewronglynot included inthe DraftDecision 710andargues that “since it considers that breach of Articles 6 has been committed, which is added to the other breachesfound by the Irish data protection authority, the amount proposed by the latter should be accordinglyincreased” 71.TheFRSArecallsthatthesame approachofcumulating theamountsofthe 712 fine hasbeenadoptedby theEDPBin points 324 to327 ofits Binding Decision1/2021 . 374. On risks posed by the Draft Decision, the DE SAs explain that the shortcoming of the Draft Decision would cause significant risks for the fundamentalrightsandfreedoms of the datasubjects, “because an effectiveenforcement oftheGDPR,which isthepreconditionfortheprotectionofthefundamental rights and freedoms of the data subjects, cannot be ensured’’ 713. The DE SAs also point out that administrative fines shall in eachindividual case be effective,proportionate anddissuasive and both special andgeneralpreventive since these two“conceptsaim to protect the fundamentalrightsand 714 freedom ofthe data subjectsby preventingfurther infringementsof the GDPR” .Moreover,theDE SAs raisethat“thenon-compliance withone ofthecentralprovisions oftheGDPRwould not have any negativefinancial impacton theundertakingand therefore,fromaneconomicalpoint ofa view could beareasonable optionfor controllers’’ 715.TheFRSAconsiders thatadoptingthe IESA'sDraftDecision asitstands“presentsarisktothefundamentalrightsand freedomsofthedata subjects,inaccordance with Article 4(24)of the GDPR” 716and“would lead to a levelling down of the levelof administrative fines imposed by European data protection authorities, thereby reducing the authorities' coercive power and, consequently, their ability to ensure effective compliance with the protection of the personaldata ofEuropean residents” 717. *** 375. The AT,NOand SE SAs, whichconsidered that theIE SA should have found aninfringement of Article 6(1)(b)GDPR 71,askfor theadministrativefine tobeincreasedasa consequence ofthatinfringement. 376. The AT SA arguesthat “theadditional infringement [of Article 6(1)(b) GDPR]is not properlyreflected in the envisaged amount of the administrative fine” and that the IE SA’s Draft Decision is not in compliance withArticle83 GDPRinsofar asit does not consider the additionalinfringement of Article 6(1)(b) GDPRwhencalculatingthe amount ofthe administrative fine 719. 709DESAs Objection,p.10. 710 FRSAObjection,paragraph44. 711FRSAObjection,paragraph44. 712FRSAObjection,paragraph44. 713DESAs Objection,p.12. 714 DESAs Objection,p.10. 715DESAs Objection,p.12. 716FRSAObjection,paragraph47. 717FRSAObjection,paragraph48. 718 AT SAObjection,pp.1-7;NOSAObjection,pp.10-11;SESAObjection,pp.2-3. 719AT SAObjection,p.11. 97 Adopted377. The NO SA statesthat anadministrative fine should be imposed for MetaIE’sprocessing of personal 720 datainthecontext ofonline behaviouraladvertisingwithout avalidlegalbasis . The NOSA analyses severalof the criteria listedin Article 83(2) GDPR in order to prove the need of the imposition of an 721 administrative fine . Specifically, the NO SA argues that an administrative fine of a substantial amount is needed, in light of the nature andgravityof the infringement (giventhat “the principle of lawfulness [...] is a fundamental pillar of the GDPR” and “processing personal data without a legal basis is a clear violation of the data subjects’ fundamental right to data protection because no one should have to tolerate processing of their personal data save for when it is legitimised by the 722 legislators” ), as well as the scope of the processing (“wide”, as ‘’all data subject activity may potentiallybeusedfor OBApurposes”),the number ofdatasubjects affectedinthe EEA(“hundredsof millions”) and the intangible damage suffered by them (Article 83(2)(a) GDPR), the high level of responsibility of Meta IE(Article 83(2)(d) GDPR),the categoriesof personal datainvolved (“of a very personal and private nature”, able to“revealintimate detailsofthe data subjects’ lifestyle, mindset, preferences,psychologicalwellbeinget cetera”)(Article83(2)(g)GDPR)andanadditionalaggravating factor(highlikelihood of contributiontodevelopment of‘’targetingalgorithmswhichmaybeharmful onanindividual andsocietallevel’’,Article83(2)(k)GDPR) 723. 378. The SE SA arguesthat“theDraftDecisionis not in compliance withArticle 83 insofar asthe additional infringement of Article 6(1)(b) is not considered in calculating the administrative fine” and that “an administrative fine pursuant to Article 83 GDPR cannot be regarded as ‘effective, proportionate and dissuasive’ when the provision that the processing is based on, namely Article 6(1)(b) GDPR, was infringed and when this infringement is not properly reflected in the envisaged amount of the administrativefine” 724.TheSESAtakestheview thatthattheintentionalcharacteroftheinfringement (Article83(2)(b) GDPR)andthefinancialbenefitsgainedfrom theinfringement (Article83(2)(k)GDPR) must be found as aggravating factors 725. Astointentionality, the SE SA arguesthat the switch from consent toArticle6(1)(b)GDPRin2018 suggeststhisactwasdone withthe intentionof circumventing the new rights afforded to users by the GDPR when the processing relies upon consent, and that in anywaytheinfringement needstobe consideredasintentionalatleast asofthe moment ofadoption of the EDPB Guidelines on Article 6(1)(b) GDPR which “clearly gives doubt to the legality of the processing” 726.Astothefinancialbenefitsgained,theSE SAargues“MetaIrelandhasmadesignificant financial gain from being able to provide personal advertisementaspart ofa whole takeit or leaveit offer for its social media platform service” andthat due tothe unclear information provided todata subjects itcanbe reasonablyassumedthatmore datasubjectshave beenmisledintobeing subject to the processing 727. Lastly, the SE SA considers it would be appropriate to take into account Meta IE’s turnover for the calculationofthe fine inorder tomake it effective anddissuasive 728. 720NOSAObjection,p.10. 721NOSAObjection,p.10-11. 722 TheNO SAalsohighlightsthat“[behaviouraladvertising]entailsprofiling,whichinherentlyconstitutesrisks forthe datasubjects’integrity”. 723NOSAObjection,p.10-11. 724SESAObjection,p.4. 725 726SESAObjection,p.4. SESAObjection,p.4. 727SESAObjection,p.4. 728SESAObjection,p.4-5. 98 Adopted379. Onrisks posed bythe DraftDecision, theAT SA arguesthat“should theDraft Decisionbe approvedin its current version, the risks for the fundamental rights and freedomsof data subjects lie in the fact that theactionenvisagedin relationto the controlleris likelyto fall short ofthe proportionalityand– above all– dissuasiveness requirementssetforthin Article83 GDPR”andthat“ignoring infringements of the GDPRwhencalculatingfines would lead to lesser compliance with the GDPRand ultimatelyto lesserprotectionofdatasubjectsinrelationtotheprocessing ofpersonaldata” 72.TheNOSA explains thatnot imposing afine for the lackof legalbasis createsthe risk thatthe violatedprovisions arenot respectedby MetaIEor other controllersand the LSA would not be able toeffectively safeguardthe data subjects’ rights, and that “in absence of corrective measures that create the appropriate incentivesfor [MetaIE]andothercontrollersto changetheir behaviour,the same or similar violations 730 arelikelyto reoccurtothedetrimentofthecomplainantandotherdata subjects” .TheSE SA argues the infringement of Article 6(1)(b) GDPR “is not properly reflected in the envisaged amount of the administrative fine,it shows controllers(MetaIreland included)thatenforcementoftheGDPRand its provisions is not effective.Thisthreatenscompliancewith the GDPRon a generallevel, seeing ashow non-compliance could be a viable option for controllers when the costs for compliance are greater. Given the proposed changed findings regarding legal basis, there are significant risks to the fundamental rights of data subjects if these does not also merits a substantive increase in fines to 731 dissuade MetaIrelandand other controllers” . Objectionsrequestingthe imposition of a fine for theadditional infringementof Article9 GDPR 380. The DE and FR SAs argue that, as the IE SA should have identified and separately assessed any processing of specialcategoriesofpersonaldataunder Article 9GDPRinthe contextofthe Instagram Terms of Use and that Meta IE processes the entire amount of data it holds, including special categoriesof data in breachof Articles6 and9 GDPR 732,the amount of the fine should be increased 733 accordingly . 381. The DE SAs state that “the infringement ofArticle 5(1)(a), Article 6(1)and Article 9(1) GDPR [...]also entailsanadministrativemeasureand a fine accordingtoArt.83(2)(5)GDPR” 734,andarguethatthese 735 infringements are “serious” . The FR SA considers that a breach of Article 9 GDPR is wrongly not included in the Draft Decision 736 and that the amount of the fine proposed by the LSA should be increased in light of the addition of such infringements to those already established 73. The FR SA recallsthatthe same approachof cumulatingthe amounts ofthe fine hasbeen adoptedbythe EDPB inpoints 324 to327 of the Binding Decision1/2021 73. 382. On risks posed by the Draft Decision, the DE SAs explain that the shortcoming of the Draft Decision would cause significant risks for the fundamentalrightsandfreedoms of the datasubjects, “because an effectiveenforcement oftheGDPR,which isthepreconditionfortheprotectionofthefundamental 729AT SAObjection,p.12. 730NOSAObjection,p.12. 731 SESAObjection,p.5. 732SeeSection5.2.,paragraphs150-155. 733DESAs Objection,pp.7-8;FRSAObjection,paragraph30. 734DESAs Objection,p.10. 735 736DESAs Objection,p.10. FRSAObjection,paragraph44. 737FRSAObjection,paragraph44. 738FRSAObjection,paragraph44. 99 Adopted rights and freedoms of the data subjects, cannot be ensured’’ 73. The DE SAs also point out that administrative fines shall in eachindividual case be effective,proportionate anddissuasive and both special andgeneralpreventive since these two“conceptsaim to protect the fundamentalrightsand 740 freedom ofthe data subjectsby preventingfurther infringementsof the GDPR” .Moreover,theDE SA raisesthat“thenon-compliance withone ofthecentralprovisions oftheGDPRwould not have any negativefinancial impacton theundertaking and therefore,fromaneconomicalpoint ofa view could beareasonable optionfor controllers’’ 74.TheFRSAconsiders thatadoptingthe IESA'sDraftDecision asitstands“presentsarisktothefundamentalrightsand freedomsofthedata subjects,inaccordance with Article 4(24)of the GDPR” 742and“would lead to a levelling down of the levelof administrative fines imposed by European data protection authorities, thereby reducing the authorities' coercive power and, consequently, their ability to ensure effective compliance with the protection of the personaldataofEuropeanresidents” 743. Objections requesting the imposition of a fine for the additional infringement of Article 5(1)(a) and 5(1)(b)-(c) GDPR 383. The IT SA arguesthat the fine should be increasedfollowing the finding of aninfringement of Article 744 745 5(1)(a) GDPR , and of Article 5(1)(b) and Article 5(1)(c) GDPR . As stated in Section 6.2 of this Binding Decision, the IT SA agrees to a large extent with the Draft Decision’s Finding 3 on the infringement ofArticle12(1), Article13(1)(c), andArticle5(1)(a)GDPRintermsoftransparency 746but itarguesthatMetaIEhasalsofailedtocomplywiththemoregeneralprincipleoffairnessunder Article 5(1)(a) GDPR, which, in the view of the IT SA, entails separate requirements from those relating specifically to transparency747.Moreover,as analysedin Section 7.2,the IT SA statesthatthere is an additional infringement of points (b) and (c) of Article 5(1) GDPR on account of Meta IE’sfailure to 748 comply withthe purpose limitationanddataminimisation principles . The ITSA asks for afine tobe issued for those two additional infringements. With regardtoArticle 5(1)(a) GDPR, the IT SA argues thatthe finding of such infringement“should resultinto theimposition of the relevantadministrative fine asperArticle83(5)(a)GDPR”asfaras“theinfringementofthefairnessprinciple in additionto the transparencyone [...] should result into increasing the amount ofthe said fine substantiallybyhaving regardto the requirementthateach fine should be proportionate and dissuasive. Indeed,thegravity 749 of the infringementwould be factually compounded” .With referenceto Article 5(1)(b) andArticle 5(1)(c) GDPR,theIT SA considers that “theinfringementof purpose limitation and data minimisation principles(...)should result into increasing the amount of the said fine substantially by having regard to the requirement that each fine should be proportionate and dissuasive. Indeed, the gravityof the infringementwould befactually compounded” 75. 739 740DESAs Objection,p.12. DESAs Objection,p.10. 741DESAs Objection,p.12. 742FRSAObjection,paragraph47. 743FRSAObjection,paragraph48. 744 ITSAObjection,Section2,p.7 745ITSAObjection,Section2,p.4 746ITSAObjection,Section2,pp.4-5. 747ITSAObjection,Section2,pp.4-7 748 ITSAObjection,Section1,pp.2-4. 749ITSAObjection,pp.6-7 750ITSAObjection,p.4. 100 Adopted384. On the significance of risks posed by the Draft Decision, the IT SA arguesthat “the failure to find an infringement ofArticle5(1)(a) GDPRasfor the fairnessprinciple may becomea dangerousprecedent with a view to future decisions concerning other digital platform operators– more generally, other controllersthatrelyonthesamebusiness model–and markedlyweakenthesafeguardstobeprovided by way of the effective, comprehensive implementation of the data protection framework including thefairness ofprocessingprinciple” 751.Withreference toArticle5(1)(b) andArticle5(1)(c) GDPR,the ITSA addsthat,should theDraftDecision be approvedin itscurrent version, the infringement oftwo key principles of the whole data protection framework as introduced by the GDPR will not be punished, “which would seriously jeopardise the safeguards the data subjects (Instagram users) are entitledto” 752. 9.2.3 Position ofthe LSA on theobjections 385. The LSA considers none of the objections requesting the imposition of a fine for the proposed additional infringements as meeting the threshold set by Article 4(24) GDPR 753. Given that these objections were premised upon the requirement for the Draft Decision to include findings of infringement of Article 6(1)(b), Article 9, Article 5(1)(a), 5(1)(b) and5(1)(c) GDPR,on which the IE SA expressed its disagreement – the IE SA does not consider the objections requesting exercise of a correctivepower in response tothese findings ofinfringement asbeing relevant andreasoned. 9.2.4 Analysis ofthe EDPB 9.2.4.1 Assessmentof whethertheobjectionswererelevantandreasoned 386. The objections raised by the AT,DE,FR, IT,NO,and SE SAs concern“whethertheaction envisaged in 754 theDraft Decisioncomplieswith theGDPR” . 387. The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe threshold of Article 4(24) GDPR 755. Meta IE rejects the objections in this section based on its view that the LSA has sole discretion to determine corrective measures 756. The EDPB responds to these arguments above (see Section 8.4.2) and is of the view that CSAs may ask for specific corrective measurestobe takenby the LSA, whetherthis concernsinfringements alreadyidentified in theDraft 757 Decision or as a result of the one identified by the CSA in its objection . Meta IE refutes the allegations of additional infringements put forward in the objections, and by consequence, any 758 demands for increasing the administrative fine in relation them . The EDPB recalls that the assessment ofadmissibility ofobjections and theassessment of themeritsare twodistinct steps 75. 388. The EDPB finds that the objections concerning the increase of the administrative fine in connection withthe additional infringement ofArticle 6(1)/6(1)(b) GDPRand/or Article 9 GDPRraisedby the AT, 751ITSAObjection,p.7. 752ITSAObjection,p.4 753CompositeResponse,paragraph110.. 754 EDPBGuidelinesonRRO,paragraph32. 755Meta IEArticle65Submissions,Annex1,p.65. 756Meta IEArticle65Submissions,Annex1,paragraphs1.31,2.21,5.18,7.15,9.22,and10.16. 757EDPBRROGuidelines,paragraph34.SeealsoRecital150GDPR.TheEDPBfoundseveralobjectionsonthis 758jectmatteradmissibleinthepast,seeBindingDecision2/2022,paragraphs186-190. SeeMeta IEArticle65Submissions,paragraphs8.10-8.15,andmorespecificallyAnnex1,paragraphs1.33, 2.18,5.20,7.13,9.18and9.20,and10.16. 759EDPBGuidelinesonArticle65(1)(a),paragraph63. 101 Adopted DE, FR, NO, and SE SAs stand in direct connection withthe substance of the Draft Decision, as they concerntheimposition ofa correctivemeasurefor anadditionalinfringement,whichwould be found as a consequence of reversing the conclusions in the Draft Decision also in scope of this dispute 76. Clearly, the decision on the merits of the demands to take corrective measures for a proposed additional infringement is affectedby the EDPB’sdecision on whether to reverse the findings in the DraftDecisionandwhether toinstruct theLSA toestablishadditionalinfringements. 389. The EDPBtakesnote of further argumentsput forwardbyMeta IEaiming todemonstrate the lackof 761 relevance of these objections, specifically with regard to the objections raised by the ATSA . However,theEDPBnotesthatMetaIEdisagreeswiththe contentofthese objections, whichconcerns itsmeritsandnot its admissibility. 390. If followed, these objections would lead to a different conclusion in terms of corrective measures imposed 762. Inconsequence, the EDPB considers the objections raised by the AT, DE, FR, NOand SE SAs in connection to imposing an administrative fine for the alleged breach of Article 6(1)/6(1)(b) GDPRand/or Article 9 GDPRtobe relevant. 391. Meta IE arguesthat the AT, NO, and SE SAs objections in relation to the need to increase the fine amount because ofthe allegedinfringement ofArticle 6(1)(b)GDPRlacksadequatereasoning asthey 763 fail todemonstrate why Meta IE could not rely on Article 6(1)(b) GDPR . According toMeta IE, the SE SA’sobjectionisalsobasedontheunfounded claimthatMetaIEintentionallysoughttocircumvent 764 datasubjectrightsbyswitchingfrom consenttocontractualnecessityasthelegalbasisinMay2018 . Furthermore, Meta IE takes the view that the objections from the AT, DE, FR and NO SAs are not sufficiently reasoned astheyrefer tothe use of administrativefine as''generalpreventivemeasures'' on controllers, thus speculating on potential future behaviour or intentions of unidentified controllers765. The EDPB understands that Meta IE disagrees with the reasoning provided in the objections, whichthusconcerns their meritsandnot their admissibility. 392. Inaddition, MetaIEarguesthattheFRSA’sobjectionis notreasonedbecause itdoes not substantiate “how a fine for the additional purportedinfringementswould be calculated, whether thisfine would 766 needto be added to the proposed fine and how this would affect the overallfine” .Meta IEfurther takesissue withthe AT SA’sobjection andarguesit has not put forwarda sufficiently reasonedbasis for itsobjection tochallenge theLSA’scalculationof thecriterialaiddowninArticle83(2) GDPR 767. In this respect, the EDPB recalls that CSAs are not required to engage in a full assessment of all the 760AT SAObjection,p.11;DESAs Objection,p.2;FRSAObjection,paragraphs44and50;NOSAObjection,p. 761SE SAObjection,p.4. Meta IEArticle65Submissions,Annex1,paragraph1.32.AccordingtoMeta IE,byreferringtothefactthat ‘’MetaIrelandis... theproviderofoneofthebiggestsocialmedianetworkintheworld’’,theAT SA‘’failsto explainhowthisrelatestoanyspecificfactualandlegalcontentoftheDraftDecision’’. 762AT SAObjection,p.11;DESAs Objection,p.2;FRSAObjection,paragraph44and50;NOSAObjection,p. 11;SE SAObjection,p.4. 763Meta IEArticle65Submissions,Annex1,1.33,9.20,and10.17. 764Meta IEArticle65Submissions,Annex1,10.17. 765Meta IEArticle65Submissions,Annex1,paragraphs1.35,2.22,5.16and9.23.Meta IEaddsthat‘’inany event,wherea fineaslargeasthatcurrentlyproposedintheDraftDecisionisimposed,thereisnodoubtthat othercontrollerswilltakenoteofthisinsuchcircumstances’’. 766Meta IEArticle65Submissions,Annex1,paragraph5.20. 767Meta IEArticle65Submissions,Annex1,paragraph1.34. 102 Adopted aspects of Article 83 GDPR in order for an objection on the appropriate administrative fine to be considered reasoned.Itis sufficient tolayout whichaspect ofthe DraftDecisionthat,intheir view, is deficient/erroneous and why. Second, the EDPB recalls that the criteria listed in Article 83(2) GDPR are not exhaustive, thus it is entirely possible to argue an administrative fine is not “effective, proportionate and dissuasive” in the meaning of Article 83(1) GDPR without referring to a specific criterionlistedin Article83(2)GDPR. 393. The EDPBfinds thatthe AT,DE,FR, NOandSE SAsadequatelyargue whytheypropose amendingthe Draft Decision 768 and how this leads to a different conclusion in terms of administrative fine imposed 769. 394. Intermsof risks, Meta IEclaims the DraftDecision does not pose any risk, let alone a significant risk to fundamental rights, and argues the objections of the AT, DE ,FR, NO and SE SAs 770 fail to demonstratethe contrary,asrequired. 395. More specifically, Meta IE considers that the DE and FR SAs’ objections focus on increasing the ‘’punitive impact’’ of the fine on Meta IE rather than demonstrating any significant risks to the fundamental rights of data subjects 771. In this regard, Meta IE argues the AT, DE, NO, and SE SAs’ objections rest on unsubstantiated possible effect of the Draft Decision on the future behaviour of other controllers, instead of doing a case by case assessment under Article 83 GDPR 772.Inparticular, MetaIEclaimsthat,indoing so, the assessment made by these supervisory authoritiesis incorrectto the extentit only takesintoaccount financialcostsanddoes not consider reputationalcosts 773. 396. The EDPB recalls that any risk assessment addresses future outcomes which are to some degree uncertain 774. Contrary to Meta IE’s views, the objections reflect specifically on Meta IE’s future approachintheevent the DraftDecisionisadoptedasit standsandgobeyondproviding “speculative argumentbasedon theputativelackofa generalpreventiveimpactonothercontrollers” 775. TheEDPB also notes that the DE, FR, NL, NOandSE SAs 776considered both of the aspects that are entailedby dissuasiveness of the fine, i.e.specific deterrenceand generaldeterrence 777. 768AT SAObjection,pp.11;DESAs Objection,p.10;FRSAObjection,paragraph50;NOSAObjectionpp.9-11; SE SAObjectionp.4. 769AT SAObjection,pp.11-12;DESAs Objection,p.12;FRSAObjection,paragraphs44-45;NOSAObjection 77013;SE SAObjection,p.4 Meta IEArticle65Submissions,Annex1,paragraphs1.36-1.40,2.24-2.27,5.22-5.25,9.25-9.27,and10.18- 10.20. 771Meta IEArticle65Submissions,Annex1,paragraphs2.24and5.22. 772 773Meta IEArticle65Submissions,Annex1,paragraphs1.38,2.255.23,9.26,and10.18. Meta IEArticle65Submissions,Annex1,paragraphs1.38,2.26,5.24,and10.19.Meta IEaddsthat,inany case,it‘’doesnotconsiderthatfinessuchastheoneproposedintheDraftDecisioncouldencourageother companiesnottocomplywiththeGDPR’’. 774SeeSection9.1.4.1ofthisBindingDecision. 775 Meta IEArticle65Submissions,Annex1,paragraph10.18(SESA). 776DESAs Objection,p.12(referringtothe‘’undertakinginquestion’’),FRSAObjection,paragraph47(referring to ‘’the controller’’); IT SA Objection pp.8-9 (referring to ‘’the controller’’); NL SA Objection, paragraph52 (referringto the risks in relation to ‘’the illegal processing at hand’’);NO SA Objection, p.12 (referring to ‘’incentivesforMetaIE’’). 777TheCJEUhas consistentlyheldthata dissuasivefineisonethathasa genuinedeterrenteffect, encompassingbothspecificdeterrence(discouragingtheaddresseeofthefinefromcommittingthesame 103 Adopted397. The EDPB finds that the AT, DE, FR, NO, and SE SAs articulate an adverse effect on the rights and freedomsof datasubjectsifthe DraftDecisionis leftunchanged,by referringtoa failuretoguarantee a highlevelof protectioninthe EU for the rightsand interestsof the individuals 77. 398. Therefore,theEDPBconsiders the AT,DE,FR, NO, andSE SAsobjectionsconcerning the impositionof a fine for the alleged additional infringements of Article 6/6(1)(b) and/or Article 9 GDPR to be reasoned. *** 399. With respect tothe objection raisedby the IT SA concerning the imposition of anadministrative fine for the infringement of the fairness principle enshrined in Article 5(1)(a) GDPR, the EDPB finds, contrarytoMetaIE’sviews 77, thatit standsin connection withthe substance of the DraftDecision, asit concerns the imposition of a correctivemeasure for anadditionalinfringement, whichwould be found asaconsequence ofincorporatingthefinding putforwardbythe objection.Clearly,thedecision on the merits of the demand to take corrective measures for a proposed additional infringement is affectedby the EDPB’sdecision onwhether toinstruct theLSA toinclude anadditionalinfringement. 400. If followed, the IT SA’s objection would lead to a different conclusion in terms of corrective measuresimposed 78. Taking note of Meta IE’sposition 781, the EDPB finds the objections raisedby the ITSA tobe relevant. 401. MetaIE arguesthe IT SA’s objection does not put forward reasonable doubt as tothe validityof the LSA’s calculation of the fine and claims there is no basis in the GDPR for suggesting that an administrativefine must havea ‘’generaldeterrenteffect’’ 78.TheEDPBfindsthattheITSAadequately argueswhy theypropose amending the DraftDecisionandhow this leadstoa different conclusion in termsofadministrative fine imposed 783. infringementagain)andgeneraldeterrence(discouragingothersfromcommittingthesameinfringementin thefuture).See,interalia,C-511/11,Versalis,paragraph94. 778AT SAObjection,p.11-12;DESAs Objection,p.12;FRSAObjection,paragraphs47-48;NOSAObjection,p. 12; SESAObjection,p.5.SeealsoEDPBGuidelinesonRRO,paragraph37. 779Meta IEArticle65Submissions,paragraph7.13.AccordingtoMeta IE,theITSAobjectionsisnotrelevant giventhattheLSAhas notfoundanyinfringementofthefairness,purposelimitationanddata minimisation principles(Article5(1)(a)-(c)GDPR). 780ITSAObjection,p.7. 781Meta IE Article65 Submissions, paragraph 7.13. According to Meta IE, given theIE SA has not found any infringementofthefairnessprinciple,thereisnobasisfortheimpositionofa fineonthisground.EDPBalready 782pondedtothislineofreasoningaboveinSection8.4.2. Meta IEArticle65Submissions,paragraphs7.15-16. 783TheITSAargues thatthefindingofsuchinfringement“shouldresultintoincreasingtheamountofthesaid finesubstantiallybyhavingregardtotherequirementthateachfineshouldbeproportionateanddissuasive’’ insofaras‘’thegravityoftheinfringementwouldbefactuallycompounded.”(ITSAObjection,pp.6-7). 104 Adopted402. MetaIEarguesthe objectionof theIT SA fails todemonstrate the riskposed by the DraftDecision,as required 784 and,indoing so, MetaIEdismisses the concernsarticulatedbythe ITSA ontheprecedent 785 the DraftDecisionsetsfor othercontrollers . 403. The EDPBfindsthattheITSA articulatesanadverse effectonthe rightsandfreedomsof datasubjects ifthe DraftDecision isleft unchanged, byreferringtoa failure toguaranteea highlevelofprotection inthe EU for the rightsandinterestsofthe individuals 78. 404. Therefore, the EDPB considers the IT SA’s objection concerning the imposition of a fine for the additionalinfringement of theprinciple of fairnessenshrined in Article5(1)(a) GDPRtobe reasoned. *** 405. The EDPB recallsits analysis of whether the objection raisedby the IT SA in respect of the proposed additionalinfringements ofArticle 5(1)(b) andArticle 5(1)(c)GDPRmeetsthe threshold set by Article 4(24)GDPR(see Section7.4.1above).Inlight ofthe conclusion thatsuchobjection isnot relevantand reasoned, theEDPBdoes not need tofurtherexamine thislinked objection. 9.2.4.2 Assessmenton themerits 406. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a Binding Decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether the envisagedactioninrelationtothe controller or processor complies withthe GDPR.Morespecifically, the EDPB needs to assess whether an administrative fine should be imposed for the additional infringementsof Article 6(1)GDPRandthe principle of fairnessunder Article 5(1)(a)GDPR.However, in light of its findings in Section 5.4.2 above, the EDPB does not need to examine the merits of the objections ofthe DEand FR SAs requesting the imposition of a fine for the allegedadditional breach of Article9 GDPR. 407. The EDPB recalls that the consistency mechanism may also be used to promote a consistent application of administrative fines 787 and that the objective pursued by the corrective measure 788 chosen canbe tore-establish compliance withthe rulesor topunish unlawful behaviour (or both) . The EDPB responds above toMeta IE’sposition that the LSA has sole discretion to determine which correctivemeasuresare appropriate(see Section 8.4.2). 9.2.4.2.1 Assessment of whether an administrative fine should be imposed for the infringement of Article6(1) GDPR 784Meta IEArticle65Submissions,paragraph7.18. 785Meta IEArticle65Submissions,paragraph7.19.Onthis,theEDPBhassetoutitspositionaboveinSection 9.1.4.1above. 786ITSAObjection,p.7. 787 Recital150GDPR.EDPBGuidelinesonRRO,paragraph34;EDPBGuidelinesonAdministrativefinesp.7 (“Whentherelevantandreasonedobjectionraisestheissueofthecomplianceofthecorrectivemeasurewith theGDPR,the decisionofEDPBwillalsodiscusshowtheprinciplesofeffectiveness,proportionalityand deterrence areobservedintheadministrativefineproposedinthedraftdecisionofthecompetentsupervisory authority”). Seealsoaboveparagraph344. 788 EDPBGuidelinesonAdministrativeFines,p.6.Seealsoparagraph354ofthisBindingDecision. 105 Adopted408. The EDPB recallsits conclusion in this Binding Decision on the infringement of Article 6(1) GDPR 789 and that the objections raised by the AT, DE, FR, NOand SE SAs found to be relevant and reasoned requestedthe IESA toexercise itspower toimpose anadministrative fine 790. 409. The EDPBtakesnote of MetaIE’sviewsthat,evenifaninfringement isfound, the appropriatecourse would be to refer the matter back to the LSA to determine whether to impose any appropriate correctivemeasures 791,andthattheLSA hassole competenceanddiscretionregardingtheamountof the fine792. The EDPB responds toMeta IE’sargument that the LSA has sole discretion todetermine the appropriatecorrectivemeasures inthe event ofa finding ofinfringement above in Section8.4.2. 410. The EDPBconcurs thatthe decision toimpose anadministrativefine needs tobe takenon a case-by- case basis in light ofthe circumstancesand is not anautomaticone 793. Inthe case athand, however, the EDPBagreeswiththe reasoning put forwardby theAT, DE, FR, NOandSE SAsintheir objections. The EDPB reiterates that lawfulness of processing is one of the fundamental pillars of the data protectionlaw and considers that processing of personal data without anappropriate legalbasis isa clearandserious violationof the datasubjects’ fundamental righttodataprotection 794. 411. Several of the factors listed in Article 83(2) GDPR speak strongly in favour of the imposition of an administrative fine for the infringement of Article6(1)GDPR. Thenature,gravityand duration of theinfringement(Article83(2)(a) GDPR) 412. Asmentionedabove andoutlined below 795,the natureandgravityoftheinfringementclearlytipthe balance infavour of imposing anadministrativefine. 413. Withrespecttothe scopeofprocessing,theEDPBnotestheIESA’sassessment thatthepersonaldata processing carriedout by MetaIEon thebasis of Article6(1)(b) GDPRis extensive,adding that“Meta Irelandprocessesavarietyofdatain ordertoprovideInstagramuserswitha‘personalised’experience, including byway ofserving personalised advertisements.Theprocessing is centralto and essentialto 796 thebusiness modeloffered[...]’’ . 789Section4.4.2ofthisBindingDecision. 790 Paragraph390and398ofthisBindingDecision. 791Meta IEArticle65Submissions,paragraph8.13 792Meta IEArticle65Submissions,paragraph9.2,10.4, 793EDPB Guidelines onAdministrativefines, p. 6 (“Like all corrective measures in general, administrative fines should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities must assess all the facts of the case in a mannerthat is consistent andobjectively justified. The assessment of whatis effective, proportionalanddissuasiveineachcasewillhaveto alsoreflect the objectivepursuedbythe corrective measure chosen, that is either to re-establish compliance with the rules, or to punish unlawful behaviour(or both)”), p. 7 (“The Regulation requires assessment of each case individually”;“Fines are an importanttoolthatsupervisoryauthoritiesshoulduseinappropriatecircumstances.Thesupervisoryauthorities are encouraged to use a considered and balancedapproach in theiruse of corrective measures, in order to achieve both an effective and dissuasiveas well as a proportionate reactionto the breach. The point is to not qualifythefinesaslastresort,nortoshyawayfromissuingfines,butontheotherhandnottousetheminsuch 794ywhichwoulddevaluetheireffectivenessasatool.”). Article8(2),EUCharterofFundamentalRights.SeeNOSAobjection,p.10. 795Inparticular,seeSection4.4.2ofthisBindingDecisionaswellasparagraphs408,413-415. 796DraftDecision,paragraphs221. 106 Adopted414. Inthisrespect,theEDPBalsorecallsthattheinfringementatissuerelatestotheprocessingofpersonal dataof asignificant numberofpeople 797andthatthe impacton them hastobe considered. 415. Thoughthe damageis very difficult toexpress intermsof a monetaryvalue, it remainsthe case that data subjects have been faced with data processing that should not have occurred (by relying inappropriately on Article 6(1)(b) GDPR as a legal basis as established in Section 4.4.2). The data processing in question - behavioural advertising - entails decisions about information that data subjects are exposed to or excluded from receiving. The EDPB recalls that non-material damage is explicitly regardedasrelevant in Recital75 and thatsuch damagemay result from situations “where data subjectsmight bedeprivedoftheirrightsand freedomsor preventedfromexercisingcontrolover their personaldata”. Given the nature and gravityofthe infringement of Article 6(1)(b) GDPR, a risk of damage caused todata subjects is, in such circumstances, consubstantial with the finding of the infringement itself. Theintentionalor negligentcharacterofthe infringement(Article83(2)(b) GDPR) 416. The SE SA arguesthe infringement of Article 6(1)(b) GDPRshould be considered intentionalon Meta IE’spart,whichis anaggravatingfactor 798. 417. The EDPBtakesnote ofMetaIE’sposition thatit did not actintentionally withtheaim toinfringe the GDPR,nor wasnegligent- but “has reliedon what it has consistentlyconsidered in good faith to be a valid legalbasis for thepurpose ofprocessing ofpersonal data for behaviouraladvertising andwhich now requiresescalation to theEDPBfor resolution” 799.Beforeaddressing eachofthe elementsofthis claim, the EDPB first notes that establishing either intent or negligence is not a requirement for imposing a fine, but deserves “due regard”. Second, contrary to what Meta IE implies, the mere circumstancethat a dispute betweenthe LSA and the CSAs hasescalatedtothe EDPBdoes not serve asevidence thata controller actedingoodfaithwithrespect tothe disputedissues. First, the dispute arisesonly (long)afterthe controllerhas decidedonitscourse of action,andthereforecannot inform it. Second, a dispute may simply bring to light that an LSA has decided to challenge a position commonly held by(a majorityof) theCSAs. 418. The EDPB Guidelines on calculation of fines confirm that there are two cumulative elements on the basis of which aninfringement canbe considered intentional: the knowledge of the breach andthe willfulness inrelationtosuchact 800.Bycontrast,aninfringementis “unintentional”whentherewasa breachofthe dutyof care,withouthaving intentionally causedthe infringement. 419. The characterisation of an infringement as intentional or negligent shall be done on the basis of objective elements of conduct gatheredfrom the facts of the case 801. It is worthnoting the broader 797DraftDecision,paragraph253,theInstagramserviceisprovidedtoa significantportionofthepopulationof theEEA. This aspectwasalsohighlightedbytheobjectionsraisedbytheNOSA(NOSAObjection,pp.10-11) andDESAs (DESAs Objection,pp.9and11). 798SESAObjection,pp.4-5. 799 Meta IEArticle65Submissions,paragraph8.28. 800 The EDPB Guidelines on calculation of fines, paragraphs 56, referring to the EDPB Guidelines on AdministrativeFines:“ingeneral,‘intent’includesbothknowledgeandwilfulnessinrelationtothecharacteristics ofanoffence,whereas‘unintentional’meansthattherewasnointentiontocausetheinfringementalthoughthe controller/processorbreachedthedutyofcarewhichisrequiredinthelaw”. 801 EDPBGuidelinesoncalculationoffines,paragraph57andEDPBGuidelinesonAdministrativeFinesp.12. 107 Adopted approachadopted withrespect to the concept of negligence,since it also encompasses situations in which the controller or processor has failedtoadopt the requiredpolicies, whichpresumes a certain 802 degree of knowledge about a potential infringement . This provides an indication that non- compliance insituations inwhichthe controlleror processor should have beenawareofthepotential breach(inthe exampleprovided, due tothelackofthenecessarypolicies) mayamount tonegligence. 420. The SE SA arguesthatMetaIE “hascontinued to relyon Article6(1)(b) for theprocessing, despite the aforementioned[EDPB Guidelines2/2019 on Article 6(1)(b) GDPR]– which clearlygives doubt to the legalityoftheprocessing–which werefirstadoptedon9 April2019and madefinalon 8October2019. Theinfringement must inall casesbeconsidered intentionalfromthat laterdate” 803. 421. The EDPB recalls that even prior to the adoption EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, therewereclearindicatorsthatspoke againstrelyingon contractaslegalbasis. First, inWP29 Opinion 02/2010 on online behavioural advertising, only consent - asrequired by Article 5(3) of the ePrivacy Directive-is put forwardaspossible legalbasis for thisactivity.As Article6 GDPRresembles Article7 ofthe DataProtectionDirectivetoalargeextent,WP29 Opinion 02/2010 remaineda relevantsource onthismatterfor controllerspreparingfor theGDPRtoenter intoapplication. Second, WP29 Opinion 06/2014 onthenotion oflegitimateinterestsexplicitlystatesthat“thefactthatsomedata processing is covered by a contract does not automatically mean that the processing is necessary for its performance.Forexample,Article7(b)is nota suitable legalground for building a profile ofthe user’s tastes and lifestyle choices based on his click-stream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example. Even if these processing activities are specifically mentionedin the small print of the contract, thisfact alone does not make them ‘necessary’ for the performanceofthecontract” 804. 422. Itstems from the above thatMetaIE had(or should have had)knowledge about the infringement of Article 6(1)(b) GDPR. However, this mere element is not sufficient to consider an infringement intentional, asstatedabove, since the “aim” or “wilfulness” of the actionshould be demonstrated. 423. TheEDPBrecallsthatthathavingknowledge ofaspecific matterdoesnotnecessarily implyhavingthe “will” to reacha specific outcome. This is in fact the approach adopted in the EDPB Guidelines on calculation of fines and WP29 Guidelines on Administrative Fines, where the knowledge and the “wilfulness” are considered two distinctive elements of the intentionality 805. While it may prove difficult todemonstrateasubjective element suchasthe “will” toactina certainmanner,thereneed 806 tobe some objective elementsthatindicate theexistence of such intentionality . 424. TheEDPBrecallsthattheCJEU hasestablisheda highthreshold inorder toconsider anactintentional. Infact,evenincriminalproceedingstheCJEU hasacknowledgedtheexistenceof“seriousnegligence”, 802The EDPB Guidelines on calculation of fines, paragraph 56 (Example4) quote the EDPB Guidelines on Administrative Fines, which mention, among the circumstances indicative of negligence, “failure to adopt policies(ratherthansimplyfailuretoapplythem)”. 803SESAObjection,p.4. 804WP29Opinion06/2014onthenotionoflegitimateinterests,p.16-17. 805EDPBGuidelinesoncalculationoffines,paragraph56,andEDPBGuidelines onAdministrativeFines,p.11. 806SeeEDPBGuidelinesoncalculationoffines,paragraphs56and57,andWP29GuidelinesonAdministrative Fines,p.12. 108 Adopted ratherthan“intentionality”when“thepersonresponsible commitsapatentbreachofthedutyofcare whichhe should have andcould have compliedwith in view ofhis attributes,knowledge,abilitiesand 807 individual situation” . In this regard, while the EDPB confirms that a company for whom the processing of personal data is at the core of its business activities is expected to have sufficient measures in place for the safeguard of personal data 80, this does not, however, per se change the natureof the infringement from negligenttointentional. 425. Inthisregard,theSESA putsforwardthatMetaIEbaseditsprocessing ofpersonalised advertisement on consent until the GDPR came intoforce on 25 May2018, and at this time switchedto relying on Article6(1)(b) GDPRfor the processing inquestion instead. Thetiming andthe logisticsfor thisswitch suggeststhis act wasdone withthe intention of circumventing the new rights of users under Article 6(1)(a) GDPR. The SE SA adds that “[the] proposed finding of infringement concerning information deficitsabout the processing, namelyonwhat legal basis it is based, furthersupports thisconclusion, since it goes to show that MetaIrelandwas aware ofthe questionable legalityof thatbasis and tried to concealthe infringementto avoidscrutinybysupervisory authoritiesand data subjects” 809. 426. The EDPB considers the timing of the changes made by Meta IE toits Instagram Termsof Use asan objective element, however this alone does not indicate intention. Around this time period, many controllers updated their data protection policies. The objection suggests that the conclusion on intentionalityiscorroboratedbythe shortcomingstothetransparencyobligations.Inthe EDPB’sview, thecombinationofthetimingofthechangeoflegalbasiswiththelackoftransparencyisnotsufficient toindicate intentioneither. 427. Therefore,on the basis of the available information, the EDPBis not able to identify awill of MetaIE toactinbreachofthe lawasit cannotbe concluded thatMetaIEintentionallyactedtocircumvent its legalobligations. 428. Therefore,theEDPBconsidersthattheargumentsputforwardbytheSE SA donotmeetthethreshold to demonstrate the intentionality of the behaviour of Meta IE. Accordingly, the EDPB is of the view thatthe DraftDecisiondoes not needtoinclude thiselement. 429. At the same time, the EDPB notes that, even establishing that the infringement was committed negligently,acompanyfor whom theprocessing ofpersonaldataisatthecoreofitsbusiness activities should have inplace sufficient proceduresfor ensuring compliance withthe GDPR 810. 430. The EDPBdoesnot acceptMetaIE’sclaimof“good faith”,butis oftheview thatMetaIEwascertainly seriously negligent in not taking adequate action, within a reasonable time period, following the adoption of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR on 9 April 2019. Even before that date, the EDPB considers there was at the very least negligence on Meta IE’s part considering the contentsof WP29 Opinion 02/2010 on online behaviouraladvertising andWP29 Opinion 06/2014 on the notion of legitimateinterests(see paragraph421 of this Binding Decision), whichmeans MetaIE had (or should have had) knowledge about the infringement of Article 6(1)(b) GDPR, giventhe fact 807JudgementoftheCourtofJusticeof3June2008,TheQueen,ontheapplicationofInternationalAssociation of Independent Tanker Owners (Intertanko) and Others v. Secretary of State for Transport, C-308/06, ECLI:EU:C:2008:312,paragraph77. 808 809EDPBBindingDecision1/2020,adoptedon9November2020,paragraph195. SESAObjection,p.4. 810SeeEDPBBindingDecision1/2020,paragraph195. 109 Adopted thatprocessing ofpersonal dataisat thecore of itsbusiness practices,andtheresources availableto MetaIEtoadaptits practicesso astocomply withdataprotectionlegislation. The degree of responsibility of the controller taking into account technical and organisational measuresimplementedpursuantto Articles25 and 32(Article83(2)(d) GDPR) 431. The EDPB considers the degree of responsibility of Meta IE’spart to be of a high level, on the same 811 grounds asset inthe DraftDecisionwithregardstothe transparencyinfringements . Thefinancial benefit obtainedfrom the infringement(Article83(2)(k) GDPR) 432. TheSE SA arguesMetaIEgainedfinancialbenefitsfrom theirdecision torelyoncontractaslegalbasis for behavioural advertising,rather thanobtaining consent from the users of Instagram 812.While not providing an estimate of its size, the SE SA considers the existence of financial benefit sufficiently provenonthe basisof“theself-evidentfactthatMetaIrelandhasmadesignificant financialgain from being able to provide personal advertisement aspart of a whole take it or leave it offer for its social mediaplatform service,as opposed to establishing a separate legalbasis for it.Byalso being unclear in the informationto data subjects, it is a reasonable assumption that more data subjectshave been misled into being subject to the processing, thus increasing the financial benefits gained by Meta Irelandpursuant to personaladvertisement” 813. 433. As explicitly statedin Article 83(2)(k) GDPR, financialbenefits gaineddirectly or indirectly from the infringement can be considered an aggravating element for the calculation of the fine. The aim of Article 83(2)(k) GDPRis toensure that the sanctionapplied is effective,proportionate and dissuasive 814 ineachindividual case . 434. Inparticular,in view of ensuring fines that areeffective, proportionate and deterrent,andin light of common acceptedpracticeinthe fieldof EU competitionlaw 81,whichinspired the fining framework under the GDPR, the EDPB isof the view that, whencalculating the administrative fine, supervisory authorities could take account of the financial benefits obtained from the infringement, in order to impose a fine thataim at“counterbalancing thegains from theinfringement” 816. 435. When applying this provision, the supervisory authorities must “assess all the facts of the case in a 817 manner that is consistent and objectively justified” . Therefore, financial benefits from the infringement could be an aggravating circumstance if the case provides information about profit obtainedasa result of theinfringement of the GDPR 818. 811DraftDecision,paragraph240.Inthisrespect,theEDPBnotes thatthehighdegreeofresponsibilityofMeta IEforthenon-compliancewiththeGDPRwasconsideredasanaggravatingfactorbyLSAforthecalculationof thefine. 812SESAObjection,p.4. 813SESAObjectionp.4. 814 815EDPBGuidelinesoncalculationoffines,paragraph107. SeetheCJEUrulingscitedinEDPBBindingDecision2/2022,paragraph219. 816EDPBGuidelinesoncalculationoffines,examples7cand7d. 817 EDPB Guidelines on Administrative Fines, p. 6 (emphasis added), quoted in Binding Decision 1/2021, paragraph403. 818 EDPBGuidelinesoncalculationoffines,paragraph110. 110 Adopted436. In the present case, the EDPB considers that it does not have sufficiently precise information to evaluatethe specific weightofthe financialbenefit obtainedfrom the infringement. 437. Nonetheless, the EDPBacknowledgesthe needtoprevent thatthe fineshave littletono effectifthey are disproportionally low compared to the benefits obtained with the infringement. The EDPB considers thattheIESAshould ascertainifanestimationofthefinancialbenefit fromtheinfringement ispossible inthis case.Insofar asthisresultsin theneedtoincrease theamount of thefine proposed, the EDPBrequeststhe IESA toincrease the amount of thefine proposed. Competitiveadvantage -otherfactor (Article83(2)(k) GDPR) 438. The NOSA identifies anaggravatingfactorinthat“thatthe unlawfulprocessing ofpersonaldata in all likelihood hascontributedtothedevelopmentofalgorithmswhich maybe harmfulon an individualor societal level, andwhich may have considerable commercialvalue to [Meta IE]. The algorithms may have contributedto giving[MetaIE]acompetitiveadvantage vis-à-vis its competitors” 81. 439. Onprinciple, the EDPBagreesthatacompetitive advantagecouldbe anaggravatingfactorifthe case 820 provides objective information thatthis wasobtained asa result of the infringement of the GDPR . In the present case, the EDPB considers that it does not have sufficiently precise information to evaluate the existence of a competitive advantage resulting from the infringement. The EDPB considers that the IESA should ascertainif anestimation ofthe competitive advantagederived from the infringement is possible in this case.Insofar asthis results inthe need toincrease the amount of the fine proposed, the EDPBrequeststhe IESA toincrease the amount of thefine proposed. *** 440. Takinginto accountthe nature andgravityofthe infringement aswellasother aspectsinaccordance with Article 83(2) GDPR, the EDPB considers that the IE SA must exercise its power to impose an additionaladministrative fine. Also, covering this additionalinfringement witha fine would be in line with the IE SA’s (proposed) decision toimpose administrative fines in this case for the transparency 821 infringements relating to processing carried out in reliance on Article 6(1)(b) GDPR . The EDPB underlines that, in order to be effective, proportionate and dissuasive, a fine should reflect the circumstances of the case. Such circumstances not only refer to the specific elements of the infringement,but alsothose ofthe controller or processor whocommittedthe infringement,namely itsfinancialposition. 9.2.4.2.2 Assessmentof whetheranadministrativefineshouldbeimposedfor theinfringementofthe fairnessprincipleunderArticle5(1)(a) GDPR 441. The EDPBrecallsits conclusion in thisBinding Decision onthe infringement byMetaIEof the fairness principle under Article 5(1)(a)GDPR 822andthatthe objection raisedbythe ITSA, which wasfound to 819NOSAObjection,p.11. 820EDPBGuidelinesoncalculationoffines,paragraph109.Seealsoparagraphs433ofthisBindingDecision. 821DraftDecision,paragraphs253-258. 822 Section4.4.2ofthisBindingDecision. 111 Adopted be relevant and reasoned, requested the IE SA to exercise its power to impose an administrative fine823. 442. The EDPBtakesnote of MetaIE’sviewsthat it would not be appropriatefor the EDPBtoinstruct the LSA to take corrective measures in relation to the additional infringement of the fairness principle under Article5(1)(a)GDPRconsidering thatthisissue does not fallwithinthescope ofthe Inquiry.The 824 EDPBresponds tothese argumentsabove inSection6.4.2 . 443. The EDPB recallsthat the decision to impose an administrative fine needs tobe takenon a case-by- 825 case basis in light of the circumstances andis not an automatic one . Inthe same vein, the EDPB’s assessment ofMetaIE’scompliance withthe principle of fairnessis carriedout bytakinginto account the specificities of the case, ofthe particular social networking service at handand of the processing of personaldatacarriedout,namelyfor thepurpose of online behaviouraladvertising 826. 444. As previously established, the principle of fairness under Article 5(1)(a) GDPR, althoughintrinsically linked tothe principles oflawfulness andtransparencyunder thesame provision, hasanindependent 827 meaning . It underpins the whole data protection framework and plays a key role for securing a balance ofpower in thecontroller-data subject relationship 828. 445. Considering the EDPB’sfindingsin Section6.4.2thatMetaIEhasnot compliedwithkeyrequirements ofthe principle offairness asdefinedbythe EDPB,namelyallowing for autonomyofthe datasubjects as tothe processing of their personal data, fulfilling data subjects’ reasonable expectation, ensuring power balance,avoiding deceptionandensuring ethicalandtruthfulprocessing, aswellastheoverall effect of the infringement by Meta IE of the transparencyobligations and of Article 6(1) GDPR, the EDPBreiteratesitsview thatMetaIEhasinfringed theprinciple offairness under Article5(1)(a)GDPR andagreeswiththeITSA thatthisinfringement should be adequatelytakenintoaccount bythe IESA in the calculationofthe amount ofthe administrative fine tobe imposed following the conclusion of thisinquiry. 446. Therefore,theEDPBinstructstheIESAtotakeintoaccounttheinfringementbyMetaIEofthefairness principle enshrined inArticle5(1)(a) GDPRasestablished above whenre-assessing the administrative fines for the transparencyinfringements andthe determinationof the fine for the lack oflegalbasis. If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an appropriatecorrectivemeasure,the EDPBrequeststhe IE SA toinclude thisinitsfinaldecision. Inany case,the IESA must take into account the criteriaprovided for by Article83(2) GDPRand ensuring it is effective,proportionate anddissuasive inline withArticle 83(1)GDPR. 823Paragraphs399-404ofthisBindingDecision. 824Meta IEArticle65Submissions,paragraph8.15. 825Seeaboveparagraph410. 826Seeabovesection6.4.2 827 828Seeabovesection6.4.2,paragraph224. Seeabovesection6.4.2 112 Adopted 10 BINDINGDECISION 447. Inlightof theabove, andinaccordancewiththetaskof theEDPBunder Article 70(1)(t)GDPRtoissue binding decisions pursuant to Article 65 GDPR, the EDPB issues the following Binding Decision in accordancewithArticle65(1)(a) GDPR. 448. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in accordancewithArticle65(2) GDPR. On the objections concerning whether the LSA should have found an infringement for lack of appropriatelegalbasis 449. The EDPBdecidesthattheobjections ofthe AT,DE,ES,FI,FR,HU,NL,NO, andSE SAs regardingMeta IE’sreliance onArticle 6(1)(b) GDPRin thecontext of itsoffering of the InstagramTermsof Use meet the requirementsofArticle 4(24)GDPR. 450. Onthepartsofthe DESAs’objectionrequesting thefinding ofaninfringementofArticle5(1)(a)GDPR, and the partsof the DE andNO SAs objections requesting specific correctivemeasures under Article 58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the imposition of an administrative fine, a ban of the processing of personal data for the purpose of behavioural advertising, anorder to delete personal data processed under Article 6(1)(b) GDPR, andan order to identify a valid legal basis for future behavioural advertising or to abstain from such processing activities, the EDPB decides that these partsof their objections do not meet the threshold of Article 4(24)GDPR.Similarly,thepartofthe FISA objection concerningthe imposition ofa specific corrective measures, namely anadministrative fine is not reasoned anddoes not meet the threshold of Article 4(24)GDPR. 451. The EDPB instructsthe IESA to alterits Finding 2 of itsDraftDecision, which concludes that MetaIE mayrelyonArticle6(1)(b)GDPRinthecontextofitsoffering ofInstagramTermsofUse,andtoinclude aninfringement of Article 6(1) GDPR,basedon the shortcomings that the EDPBhas identified in this Binding Decision. On theobjectionsconcerningwhethertheLSA’sDraftDecisionincludessufficientanalysis andevidence to concludethat MetaIEis not obliged to relyon consentto processtheComplainant’spersonal data 452. The EDPB decidesthat the objections of the AT,DE, FI,FR, andNL SAs regardingthe LSA’sFinding 1 thatMetaIEisnot legallyobligedtorelyon consent toprocesspersonal datatodeliver the Instagram TermsofUse meetthe requirementsofArticle 4(24)GDPR. 453. On the part of the NL SA objection asking the IE SA to include in its Draft Decision the elements concerning the need torely on consent for the placing of tracking technology on end users devices under ePrivacy legislation, the EDPB decides that this part falls outside the scope of the EDPB’s mandate.The objection raisedby the ESSA regardingthe potentialinfringement of Article9 GDPRis not sufficiently reasoned and, therefore, the EDPB decides that the objection of the ES SA does not meetthe threshold provided for by Article4(24) GDPR. 454. The EDPBinstructs the IE SA toremove from its DraftDecisionits conclusion on Finding 1. The EDPB decides that the IE SA shall carry out a new investigationinto Meta IE’sprocessing operations in its 113 Adopted Instagramservicetodetermineifit processesspecialcategoriesofpersonaldata(Article9GDPR),and complies with the relevant obligations under the GDPR to the extent that the investigation complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding Decision; and,basedon theresults ofthisinvestigation, issue anew draftdecision inaccordancewith Article60(3) GDPR. Onthe objectionconcerningthepotentialadditional infringementof theprinciple offairness 455. TheEDPBdecidesthattheobjectionofthe ITSAregardingtheinfringementbyMetaIEofthe principle of fairnessunder Article5(1)(a)GDPR,meetsthe requirementsof Article4(24) GDPR. 456. The EDPBinstructs the IE SA to find in itsfinal decision anadditionalinfringement of the principle of fairness under Article 5(1)(a)GDPRbyMetaIE. On the objection concerning the potential additional infringement of the principles of purpose limitationanddataminimisation 457. On the objection by the IT SA concerning the possible additional infringements of the principles of purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, the EDPB decides this objection does not meetthe requirementsofArticle 4(24)GDPR. Onthe objectionsconcerningcorrectivemeasuresotherthan administrativefines 458. The EDPB decidesthat the objections of the AT and NL SAs requesting additional and/or alternative specific correctivemeasurestobe imposed meet the requirementsofArticle 4(24)GDPR. 459. The EDPBinstructsthe IESA toinclude inits finaldecision anorder for MetaIEtobring its processing of personal data for the purposes of behavioural advertising in the context of the Instagram service intocompliance withArticle 6(1)GDPRwithinthree months. 460. TheEDPBalsoinstructstheLSA toadjust itsorder toMetaIEtobring InstagramDataPolicyandTerms of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR within three months, torefernot only toinformationprovided ondataprocessedpursuant toArticle6(1)(b)GDPR, but also to data processed for the purposes of behavioural advertising in the context of Instagram service (toreflect thefinding of theEDPBthat for thisprocessing thecontroller cannot relyon Article 6(1)(b) GDPR). On the objections concerning the determination of the administrative fine for the transparency infringements 461. The EDPBdecidesthatthe objections oftheDE,FR,IT,NL,andNOSAsregardingthedeterminationof the administrative fine for the transparencyinfringements, meet the requirements of Article 4(24) GDPR. 462. The EDPBconsiders thatthe Final Decisiondoes not needtorefer tothe infringementsby WhatsApp IrelandLimited,as established in DecisionIN-18-12-2, as anaggravatingfactorunder Article 83(2)(e) GDPRfor the calculationofthe fine. 463. The EDPB instructs the IE SA to modify its Draft Decision to elaborate on the manner in which the turnover of the undertakingconcernedhas beentakenintoaccount for the calculationofthe fine, as 114 Adopted appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Article 83(1)GDPR. 464. The EDPB considers that the proposed fine does not adequatelyreflect the seriousness and severity of the infringements nor has a dissuasive effect on Meta IE. Therefore, the fine does not fulfil the requirement ofbeing effective,proportionate anddissuasive inaccordance withArticle83(1) and(2) GDPR. Inlight ofthis, the EDPB directsthe IE SA toset out a significantly higher fine amount for the transparencyinfringementsidentified, incomparison withthe upper limit for the administrative fine envisaged in the Draft Decision. In doing so, the IE SA must remain in line with the criteria of effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR in its overall reassessment of the amount ofthe administrative fine. Onthe objectionsconcerningtheimposition ofan administrativefine for the lackoflegal basis 465. The EDPBdecidesthattheobjections of theAT,DE,FR,NO,andSE SAs regardingthe impositionofan administrative fine for the infringement ofArticle 6(1)or Article 6(1)(b)GDPRmeetthe requirements of Article4(24)GDPR. 466. Inrelation tointentionality under Article 83(2)(b) GDPR, the EDPB considersthat the argumentsput forwardby the SE SA in their objection do not containsufficient objective elementsto demonstrate the intentionalityofthe behaviour ofMetaIE. 467. Regarding the possible financial benefit obtained from the infringement as well as the competitive advantage (Article 83(2)(k) GDPR), the EDPB instructs the IE SA to ascertain if an estimation of the financial benefit from the infringement is possible in this case. Insofar as further estimation of the financialbenefit from the infringement is possible in thiscase and resultsin the needto increasethe amountofthefine proposed, theEDPBrequeststheIESAtoincreasetheamount ofthefineproposed. 468. The EDPB instructs the IE SA to cover the additional infringement of Article 6(1) GDPR with an administrative fine which is effective, proportionate and dissuasive in accordance with Article 83(1) GDPR. Indetermining the fine amount, the IE SA must give due regardto all the applicable factors listed in Article 83(2) GDPR, inparticular the nature and gravityof the infringement, the number of datasubjects affectedand theseriously negligentcharacteroftheinfringement. On the objection concerning the imposition of an administrative fine for the infringement of the fairness principleunder Article5(1)(a) GDPR 469. The EDPBdecidesthatthe objectionofthe ITSA regardingtheimposition ofanadministrative fine for the infringement ofArticle 5(1)(a)GDPRmeetsthe requirementsof Article4(24) GDPR. 470. TheEDPBinstructstheIESA tofactortheadditionalinfringementoftheprinciple offairnessenshrined in Article5(1)(a) GDPRintoits adoptionof appropriate correctivemeasures. Inthisrespect,the IE SA is instructed totake due account of this infringement when re-assessing the administrative fines for the transparency infringements and the determination of the fine for the lack of legal basis. If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an appropriatecorrectivemeasure,the EDPBrequeststhe IE SA toinclude thisinitsfinaldecision. Inany case,the IESA must take into account the criteriaprovided for by Article83(2) GDPRand ensuring it is effective,proportionate anddissuasive inline withArticle 83(1)GDPR. 115 Adopted On the objection concerning the imposition of an administrative fine for the infringement of Article 5(1)(b) and(c)GDPR 471. The EDPBdecidesthatit doesnot needtoexamine theobjectionof theITSA regardingthe imposition of anadministrative fine for the infringement ofArticle 5(1)(b) andArticle5(1)(c) GDPR. 11 FINAL REMARKS 472. ThisBinding Decision isaddressed tothe IESA andtheCSAs. TheIE SA shalladopt itsfinal decision on the basis ofthis Binding Decisionpursuant toArticle 65(6)GDPR. 473. Regardingtheobjections deemednot tomeetthe requirementsstipulatedby Article4(24)GDPR,the EDPB does not take any position on the merit of any substantial issues raised therein. The EDPB reiteratesthatitscurrentdecisioniswithoutanyprejudice toanyassessments theEDPBmaybecalled upon tomake inother cases, including withthesame parties,taking intoaccount the contentsofthe relevantdraft decision andthe objections raisedby the CSAs. 474. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding Decision without undue delayandat the latestby one monthafter the Boardhas notified itsBinding Decision. 475. The IESA shall inform the Boardof the datewhen itsfinal decision is notified tothe controller or the 829 processor . This Binding Decisionwill be made public pursuant toArticle 65(5)GDPRwithout delay afterthe IESA hasnotified itsfinaldecision tothe controller 830. 476. The IESA will communicateits finaldecision tothe Board 831.PursuanttoArticle 70(1)(y) GDPR,theIE SA’sfinal decision communicatedtothe EDPBwillbe included in the registerofdecisions whichhave beensubject totheconsistency mechanism. For the EuropeanDataProtectionBoard The Chair (Andrea Jelinek) 829 Art. 65(6)GDPR. 830Art. 65(5)and(6)GDPR. 831Art. 60(7)GDPR. 116 Adopted