EDPB - Binding Decision 4/2022 - 'Meta (Instagram)'

From GDPRhub
EDPB - Binding Decision 4/2022
Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 56 GDPR
Article 58 GDPR
Article 60 GDPR
Article 65 GDPR
Article 77 GDPR
Article 79 GDPR
Article 83 GDPR
Type: Other
Outcome: n/a
Started: 25.07.2022
Decided: 05.12.2022
Published: 11.01.2023
Fine: n/a
Parties: Belgian Instagram user (represented by noyb - European Centre for Digital Rights)
Meta Platforms Ireland Limited
National Case Number/Name: Binding Decision 4/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: LR

Following a referral under the Article 60 GDPR procedure, the EDPB issued a binding decision finding Meta IE’s processing of personal data for behavioural advertising to be unlawful.

English Summary


In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a user was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).

Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.

A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (APD), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.

Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.

Secondly, the use of the Instagram service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the data controller seeks to rely is invalid.

Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.

Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.

The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.

In response to the complaint Meta IE submitted, among others points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of Article 6(1)(a) GDPR. The company stated that it “does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use” (Para 41).

On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 11 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.


Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. The EDPB identified six issues in the case at hand, addressing each one in turn before issuing the Binding Decision.

Please note: When describing Issues 1-3, it is necessary to explain the proposals in the Irish DPA’s Draft Decision, in order to provide the context for the EDPB decision.

Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis/Unlawful Data Processing

This issue concerns whether Meta IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”.

In its Draft Decision, the DPC – taking into account the complainant’s submissions, the EDPB guidelines and the framing of Article 6(1)(b) – acknowledged that “consideration of the meaning of the term ‘contract’ within a data protection context is required”. However, the DPC also asserted that an assessment of the terms “necessary” and “performance” is also required, and they “do not have competence to consider substantive issues of contract law, and, accordingly [their] analysis is limited to the specific contract entered into by the named data subject and Meta Ireland in respect of the Instagram service” (DPC - 87). The DPC took a broad approach in determining what is necessary for the performance of a contract based on what is “reflected in the terms of the precise contract between those parties” (DPC - 95). The DPC explained that, in their view, “the core of the service offered is premised on the delivery of personalised advertising” (DPC - 106) and proposed to conclude that “Meta Ireland may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising” (DPC - 116).

Nine DPAs objected to this proposed conclusion from the DPC, and the matter was referred to the EDPB.

In its binding decision, the EDPB sought to emphasise "the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Instagram service" (99). With regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:

"The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model” (108).

"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR... Otherwise, the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not" (112).

"...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (119).

Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Instagram. Firstly, "Meta IE promotes... the perception that the main purpose of the Instagram service serves and for which it processes its users' data is to enable them to communicate with others" (120). The EDPB also takes into account Article 21(2) and (3) GDPR, "the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes." Because this right exists, "the processing cannot be necessary to perform a contract [as the] subject has the possibility to opt out from it at any time, and without providing any reason" (125). The EDPB continues, outlining the inherent risk of a finding in the DPC Decision that Meta IE can process personal data on the basis of Article 6(1)(b):

...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of Article 6(1)(b) GDPR, pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject" (134). "As a result, owing to the number of users, market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the complainant and the millions of users of Instagram service in the EEA and affect the protection of hundreds of millions of people covered the GDPR" (135).

In light of all of the above, the EDPB directed the following:

...behavioural advertising performed by Meta in the context of the Instagram service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Instagram service and is not an essential or core element of it" (136). "Meta has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data in the context of the Instagram terms of service and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Service for the purpose of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (137).

Accordingly, the EDPB instructed the DPC to “alter Finding 2 of its Draft Decision, which concludes that Meta IE may rely on Article 6(1)(b) GDPR in the context of its offering of the Instagram Terms of Use, and to include an infringement of Article 6(1) GDPR” (Para 137).

Issue 2 – On whether the LSA’s Draft Decision includes sufficient analysis and evidence to conclude that Meta IE is not obliged to rely on consent to process the Complainant’s personal data

In its Draft Decision, the DPC sought to consider whether clicking the “Agree to Terms” button constitutes or should be considered consent for the purposes of the GDPR. According to the DPC, this question consists of two parts, “first, whether clicking the ‘Agree to Terms’ button actually constitutes consent for the purposes of the GDPR and, second, whether the act of clicking ‘Agree to Terms’ necessarily must be considered consent for such purposes” (DPC - 34).

On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “as a matter of fact, Meta Ireland did not – and did not seek – to rely on consent as the legal basis for all processing” (DPC - 46).

Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasized that there is no hierarchy of legal bases for the processing of personal data under the GDPR, any implication otherwise would be “inherently problematic”, and “[no] one ground has normative priority over the others” (DPC - 51).

However, six DPAs raised objections to this proposed finding by the DPC. In its binding decision, the EDPB stated:

The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake" (107). “[The DPC] cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve” (202).

As a result, the EDPB instructed the DPC to remove its proposed finding regarding consent as a basis for lawful processing. The EDPB also decided that the DPC shall carry out a new investigation into Meta IE’s processing operations in its Instagram service to determine if it processes special categories of personal data (Article 9 GDPR), and complies with the relevant obligations under the GDPR (Para 203).

Issue 3 – On the Potential Additional Infringement of the Principle of Fairness

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. The DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Meta IE was not afforded the opportunity to be heard in response to a particularised area of wrongdoing” (DPC - 200). The matter was referred to the EDPB, who determined as follows:

"the principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too" (224).

"the concept of fairness stems from the EU Charter of Fundamental Rights" (225).

Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject… [it] underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (225, 226).

"The combination of factors, such as the asymmetry of the information created by Meta IE with regard to the Instagram service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages the Instagram service users, limits their control over the processing of their personal data and undermines the exercise of their rights” (234).

Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (235).

Issue 4 – On the potential additional infringement of the principles of purpose limitation and data minimisation

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision, on account of Meta IE’s failure to comply with the purpose limitation and data minimisation principles (239).

The Italian DPA argued that the DPC should not have confined its assessment to only the purpose of personalised advertising (while the Instagram service would actually be composed of several processing activities pursuing several purposes). Accordingly, the fact Meta IE inappropriately based its multifarious processing activities only on Article 6(1)(b) GDPR entails an infringement of the purpose limitation and data minimisation principles (240). Furthermore, “the failure to specify and communicate the purposes of the processing to the data subject creates a risk of artificially expanding the types of processing or the categories or personal data considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would nullify the safeguards afforded to data subjects under data protection law” (241). In response, the DPC stated that it did not consider that the Italian DPA’s objection to be relevant or reasoned.

In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it related to specific parts of the DPC’s Draft Decision and the DPC could have made a finding of an infringement of the principles of purpose limitation and data minimisation. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “substantial and plausible” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy Article 4(24) GDPR (Para 252).

Issue 5 – On Corrective Measures Other than Administrative Fines

In its Draft Decision, the DPC proposed the imposition of an order to bring processing in compliance with Articles 5(1)(a), 12(1) and 13(1) GDPR within three months of the date of notification of any final decision. This concerned the DPC’s finding that Meta had breached its transparency obligations under the GDPR, a conclusion which was not objected to by any DPAs and thus was not referred to the EDPB.

However, under the Article 60 GDPR process, a range of objections were made to the proposed order to bring Meta’s processing activities into compliance. These objections proposed: the imposition of corrective measures other than administrative fines (see “Issue 6” below and EDPB decision paras 255, 256); a temporary ban on processing (255); measures to remedy the infringement of Article 6(1)(b) GDPR (Para 257); and to delete any unlawfully processed data (259).

The EDPB considered the objections raised in accordance with Article 4(24) GDPR, assessing whether they are “relevant” and “reasoned”. The EDPB also considered the need for any corrective measures applied by a supervisory authority to be “appropriate, necessary and proportionate in view of ensuring compliance with the regulation” (Article 58(2) GDPR) (Para 280).

Having considered the objections, the EDPB instructed the DPC to include in its final decision an order for Meta IE to bring its data processing for behavioural advertising into compliance with Article 6(1) GDPR within 3 months (290). In addition, the EDPB notes that the order should be modified to reflect the EDPB’s finding that Meta IE is not entitled to rely on Article 6(1)(b) GDPR for this data processing (291). Furthermore, the EDPB instructed the DPC to amend its order regarding transparency obligations to include data processed for the purpose of behavioural advertising, and not just data processed pursuant to Article 6(1)(b) (Para 291).

Issue 6 – On the determination of the administrative fine

The EDPB considered the DPC’s assessment of the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine for the infringement of its transparency obligations under the GDPR (Paras 293 – 312). The EDPB also noted the objections raised by five DPAs, requesting a “significantly higher administrative fine with reference to the established infringements” (313). The EDPB found these objections to be relevant and reasoned in accordance with Article 4(24) GDPR and, after conducting its own assessment of the factors under Article 83(2) GDPR, found that the proposed fine “is not effective, proportionate and dissuasive, in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of doing business” (Para 364).

Therefore, the EDPB instructed the DPC to “set out a significantly higher fine amount for the transparency infringements identified, in comparison with the upper limit for the administrative fine envisaged in the Draft Decision” (366).

Furthermore, following a range of further objections by DPAs to the administrative fine proposed by the DPC, the EDPB instructed the DPC to impose an administrative fine for the additional infringement of Article 6(1) GDPR (440), and to take into account the additional infringement of the principle of fairness in Article 5(1)(a) GDPR in its adoption of corrective measures (446).


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

BindingDecision4/2022onthedisputesubmittedby the

Irish SAon MetaPlatformsIrelandLimitedand itsInstagram

                Adopted on 5December 2022

AdoptedTableof contents

1    Summaryofthe dispute.................................................................................................. 5

2    The right togoodadministration...................................................................................... 9

3    Conditionsfor adopting a binding decision........................................................................ 9

   3.1    Objection(s)expressedby severalCSA(s)inrelationtoa Draft Decision.......................... 9
   3.2    The IESA finds the objections totheDraftDecision not relevantor reasoned anddoes not

   follow them.....................................................................................................................10
   3.3    Admissibilityofthe case..........................................................................................10

   3.4    Structure ofthe Binding Decision.............................................................................11

4    Onwhether the LSA should have foundaninfringement for lackofappropriate legalbasis.....11

   4.1    Analysisbythe LSA inthe Draft Decision...................................................................11
   4.2    Summaryofthe objectionsraisedbythe CSAs ...........................................................14

   4.3    Positionofthe LSA onthe objections........................................................................19

   4.4    Assessment ofthe EDPB..........................................................................................20
     4.4.1     Assessment ofwhether the objectionswere relevant andreasoned.......................20

     4.4.2     Assessment onthe merits................................................................................24

5    Onwhether the LSA’sDraftDecisionincludes enoughanalysis andevidence toconclude that
MetaIE isnot obligedtorelyonconsent toprocessthe complainant’spersonaldata....................39

   5.1    Analysisbythe LSA inthe Draft Decision...................................................................39

   5.2    Summaryofthe objectionsraisedbythe CSAs ...........................................................40
   5.3    Positionofthe LSA onthe objections........................................................................44

   5.4    Assessment ofthe EDPB..........................................................................................45

     5.4.1     Assessment ofwhether the objectionswere relevant andreasoned.......................45

     5.4.2     Assessment onthe merits................................................................................48
6    Onthe potentialadditionalinfringement ofthe principle offairness....................................54

   6.1    Analysisbythe LSA inthe Draft Decision...................................................................54

   6.2    Summaryofthe objectionraised bythe CSA ..............................................................55
   6.3    Positionofthe LSA onthe objection .........................................................................56

   6.4    Analysisofthe EDPB...............................................................................................56

     6.4.1     Assessment ofwhether the objectionwasrelevant andreasoned..........................56

     6.4.2     Assessment onthe merits................................................................................58
7    Onthe potentialadditionalinfringement of theprinciples of purpose limitationanddata

   7.1    Analysisbythe LSA inthe Draft Decision...................................................................63

Adopted   7.2    Summaryofthe objectionraised bythe CSAs.............................................................63

   7.3    Positionofthe LSA onthe objection .........................................................................64

   7.4    Analysisofthe EDPB...............................................................................................64

     7.4.1     Assessment ofwhether the objectionwasrelevant andreasoned..........................64
8    Oncorrective measuresother thanadministrative fines.....................................................66

   8.1    Analysisbythe LSA inthe Draft Decision...................................................................66

   8.2    Summaryofthe objectionsraisedbythe CSAs ...........................................................67

   8.3    Positionofthe LSA onthe objections........................................................................69
   8.4    Assessment ofthe EDPB..........................................................................................69

     8.4.1     Assessment ofwhether the objectionswere relevant andreasoned.......................69

     8.4.2     Assessment onthe merits................................................................................71

9    Onthe determinationofthe administrative fine................................................................77
   9.1    Onthe determinationofthe administrative fine for the transparencyinfringements.......77

     9.1.1     Analysisbythe LSA inthe Draft Decision............................................................77

     9.1.2     Summaryofthe objectionsraisedbythe CSAs ....................................................82

     9.1.3     Positionofthe LSA onthe objections.................................................................85
     9.1.4     Assessment ofthe EDPB...................................................................................86

   9.2    Onthe determinationofanadministrative fine for further infringements......................95

     9.2.1     Analysisbythe LSA inthe Draft Decision............................................................95
     9.2.2     Summaryofthe objectionsraisedbythe CSAs ....................................................96

     9.2.3     Positionofthe LSA onthe objections...............................................................101

     9.2.4     Analysisofthe EDPB......................................................................................101

10     Binding Decision......................................................................................................113

11     Finalremarks..........................................................................................................116


Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European
Parliamentandofthe Council of27 April2016 onthe protectionofnaturalpersonswithregardtothe
processing ofpersonal dataandonthe freemovement ofsuchdata,andrepealingDirective95/46/EC
(hereinafter“GDPR”)   ,

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as
amendedby theDecision ofthe EEA joint Committee No154/2018 of 6 July 2018 ,    2

HavingregardtoArticle 11 andArticle22 of itsRulesof Procedure (hereinafter“EDPBRoP”) ,    3


(1) The main role of the European Data ProtectionBoard (hereinafter the “EDPB”) is to ensure the
consistent applicationof the GDPRthroughoutthe EEA.Tothiseffect,it follows from Article60 GDPR
that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other supervisory

authoritiesconcerned(hereinafter“CSAs”)inanendeavourtoreachconsensus, thattheLSA andCSAs
shall exchange all relevant information with each other, and that the LSA shall, without delay,
communicatethe relevantinformation onthe mattertothe other supervisory authoritiesconcerned.

The LSA shall without delaysubmit a draft decision to the other CSAs for their opinion and take due
account oftheir views.

(2) Where any of the CSAs expressed a reasoned and relevant objection on the draft decision in

accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the
relevantandreasonedobjection or considers thattheobjection isnot reasonedandrelevant,theLSA
shall submit this mattertothe consistency mechanism referredtoinArticle 63 GDPR.

(3)PursuanttoArticle65(1)(a)GDPR,theEDPBshallissueabindingdecision concerningallthematters

which are the subject of the relevant and reasoned objections, in particular whether there is an
infringement ofthe GDPR.

(4)The binding decision of theEDPBshall be adoptedby atwo-thirds majorityofthe membersofthe

EDPB, pursuant toArticle 65(2) GDPR inconjunction withArticle 11(4) EDPB RoP, within one month
after the Chair of the EDPB and the competent supervisory authority have decided that the file is
complete. The deadline may be extendedby a further month, taking into account the complexity of

the subject-matter upon decision of the Chair of the EDPB on own initiative or at the request of at
least one thirdof the membersofthe EDPB.

(5)InaccordancewithArticle65(3)GDPR,if,inspite ofsuchanextension, theEDPBhasnotbeenable

toadopt a decision within the timeframe,it shall do so withintwoweeks following the expiration of
the extensionby a simple majorityof itsmembers.

(6)InaccordancewithArticle 11(6)EDPB RoP, onlythe Englishtext ofthe decisionisauthentic asit is
the languageofthe EDPBadoptionprocedure.

 References to “Member States”madethroughout this decision shouldbeunderstoodas references to “EEA
3EDPBRules ofProcedure,adoptedon25May2018.



1.    This document contains a Binding Decision adopted by the EDPB in accordance with
      Article65(1)(a) GDPR.Thedecisionconcerns thedispute arisenfollowing a draftdecision (hereinafter

      “DraftDecision”)issuedbythe Irishsupervisory authority(“DataProtectionCommission”, hereinafter
      the “IESA”,alsoreferredtointhis contextasthe “LSA”)andthe subsequent objections expressed by
      a number of CSAs (“Österreichische Datenschutzbehörde” hereinafter the “AT SA”; “ Der

      HamburgischeBeauftragtefürDatenschutzundInformationsfreiheit” alsoon behalfofother German
      SAs 4, hereinafter the “DE SAs”;“AgenciaEspañola de Protección de Datos”,hereinafter the “ESSA”;
      “Office of the Data Protection Ombudsman”, hereinafter the “FI SA”; “Commission Nationale de

      l'Informatique et des Libertés", hereinafter the “FR SA”; “Hungarian National Authority for Data
      Protection and Freedom of Information, hereinafter “HU SA”; “Garante per la protezione dei dati
      personali", hereinafter the “IT SA”; “Autoriteit Persoonsgegevens”, hereinafter the “NL SA”;

      “Datatilsynet”, hereinafter the “NO SA”; and “Integritetsskyddsmyndigheten”, hereinafter the “SE

2.    The DraftDecisionatissue relatestoa“complaint-basedinquiry” whichwascommencedbythe IESA
      on 20 August 2018 into the Instagram social media processing activities (hereinafter “Instagram

      service”) of Facebook IrelandLimited, a company established in Dublin, Ireland. The company has
      subsequently changedits name to “Meta PlatformsIrelandLimited” andhereinafter it is referredto
      as“MetaIE”.Any referencetoMetaIEinthis Binding Decisionmeansa referencetoeither Facebook

      IrelandLimitedor MetaPlatformsIrelandLimited,asappropriate.

3.    The complaint was lodged on 25 May 2018 with the Belgian supervisory authority (“Autorité de

      protection des données”), hereinafter the “BE SA” by a data subject who requested the non-profit
      NOYB-EuropeanCenterfor DigitalRights(hereinafter,“NOYB”)torepresentthemunderArticle80(1)
      GDPR(bothhereinafterreferredtoasthe“Complainant”).TheComplainantallegeda violationofthe

      right to data protection and especially infringements of “all the particular requirementsset out in
      Article4(11),Article6(1)(a),Article7and/or Article9(2)(a)oftheGDPR”,byarguingthatthecontroller

      relied on a “forced consent”, as well as alleging misrepresentations of the controller with regardto
      consent and the legal basis for the processing, and consequently, an infringement of Article 5(1)(a)
      GDPR  5.The complaint articulateditsrequests into a request toinvestigate,and a request to impose
      correctivemeasures   .

      4Objections raised on behalf of theHamburg Commissioner forData Protectionand Freedom of Information,
      the Bavarian StateOfficefor Data ProtectionSupervision, theBerlinCommissionerfor Data Protection and

      Federal Commissionerfor Data Protection and Freedom of Information, the State Commissioner for Data
      6 Within its request to investigatein paragraph 3.1 of theComplaint, theComplainant requested that a full
      investigationbemadeto determine“which processingoperations the controllerengages in, in relation to the
      data subject”, “for which purpose they are performed”, “on which legal basis for each specific processing

      alsorequested“that the results of this investigation[be] madeavailableto [them]”. As regards therequest to

      Adopted4.    On31 May2018,the BESA transferredthe complaint totheIESA. The IESA statedinits“Schedule to
      the DraftDecision” 7thatitwassatisfied thattheIESA isthe LSA,withinthe meaningof theGDPR,for
      MetaIE,ascontroller, for the purpose ofthe cross-border processing of personal datain the context
      of theInstagramservice.

5.    The following table presents a summary timeline of the events part of the procedure leading tothe

      submission of the mattertothe consistency mechanism:

                                      Thescope andlegalbasisofthe inquirywereset outinthenotice
                  20.08.2018          ofcommencementofinquiry thattheIESA sent tothe partieson

                                      20August 2018.TheIESA commencedtheinquiry andrequested
                                      information from thisdate.
                                      InquiryReport stage:
            20.08.2018-07.04.2021         •   the IESA commenced workonthe draft inquiry report

                                          •   the IESA preparedadraftinquiryreportandissued it to
                                              Meta IE andto the Complainant to allow them to make

                                              submissions inrelationtothe draftinquiry report;
                                          •   MetaIE provided its submissions in relationto the draft

                                              inquiry report;
                                          •   The Complainant provided its submissions in relation to
                                              the draftinquiry report;

                                          •   Meta IE andthe Complainant were furnished with each
                                              other’ssubmissions andthe finalreport wasprovided to

                                              the decision-maker;
                                          •   The IESA issued a copyof itsfinalinquiry report toMeta

                                              IEandthe Complainant.
                                          •   The IE SA issued a letter to Meta IE and to the
                                              Complainant to confirm the commencement of the

                                              decision-making stage.
                                      The IE SA issued a Preliminary Draft Decision (hereinafter “the
                                      Preliminary Draft Decision”)(including a Schedule) to Meta IE
                                      andtothe Complainant.
                                      The Complainant provided submissions on the Preliminary Draft
                  04.02.2022          Decision to the IE SA (“Complainant’s Preliminary Draft

                                      Submissionsdated4February2022”       ).
                                      Meta IE made submissions on the Preliminary Draft Decision to

                                      the IESA (“Meta IE’sPreliminary DraftSubmissions”).
                                      The IE SA shared its Draft Decisionwith the CSAs in accordance
                                      withArticle60(3) GDPR.

      processing operationsthat are based on invalid consent by the data subject”, and in paragraph3.3 that an
      “effective, proportionateanddissuasivefine”beimposed.
      7IESAScheduletotheDraftDecisionof1April2022inthematterofTSA(throughNOYB)vMeta PlatformsLtd
      8This documentismistakenlydated“11.06.2020”.


      Adopted                   Between           SeveralCSAs (AT,DE,ES,FI,FR,HU,IT,NL,NO,andSESAs)raised
                                     objections in accordancewithArticle60(4)GDPR.

              28 and29.04.2022

                                     The IE SA issued a Composite Response setting out its replies to
                                     such objections and shared it with the CSAs (hereinafter,
                                     “Composite Response”). The IE SA requestedthe relevant CSAs
                                     to confirm whether, having considered the IE SA’s position in

                                     relation to the objections as set out in the Composite
                                     Memorandum,the CSAs intended tomaintaintheir objections.

                                     In light of the arguments put forward by the IE SA in the
                                     Composite Response, the DE, ES, FI, HU, NL, NO, and SE SAs),

                                     confirmed to the IE SA that they maintain their remaining
                                     objections .

                                     The IE SA invited Meta IE to exercise its right to be heard in
                  08.07.2022         respect of the objections (and comments) that the IE SA

                                     proposed to refer to the EDPB under Article 65(1) GDPR along
                                     with the IE SA’s Composite Response and the communications

                                     receivedfrom the CSAs in replytothe Composite Response.
                                     Meta IE furnished the requested submissions (“Meta IE Article
                  09.08.2022         65 Submissionsof9August2022”).

                                     The IE SA referred the matter to the EDPB in accordance with
                  11.08.2022         Article 60(4) GDPR, thereby initiating the dispute resolution

                                     procedure under Article65(1)(a).

6.    The IE SA triggered the dispute resolution process in the Internal Market Information system
      (hereinafter“IMI”) on 11 August 2022 inaccordancewithArticle 60(4)GDPR.

7.    The EDPBSecretariatassessed the completeness of the file on behalf of the Chair of the EDPBin line

      withArticle11(2) EDPBRoPinorder toensure thatallthe necessarydocuments wereincluded inthe

8.    The EDPB Secretariatcontactedthe IESA on 23 and27 September 2022, asking for the transmission
      via IMIof specified documents pertaining to the investigationconducted by the IE SA . The request

      9ResponseoftheDESAs toCompositeResponsedated11July2022;ResponseoftheESSAto IESAComposite

      Responsedated8July2022;ResponseoftheFI SAto CompositeResponsedated8July2022;Responseofthe
      HU SAto CompositeResponsedated7July2022; ResponseoftheNLSA to CompositeResponsedated5July
      2022;ResponseoftheNO SAto CompositeResponsedated11July2022;ResponseoftheSE SAto Composite
      oftheEDPBRules ofProcedure.

      Letter ofDPCto NOYBof23/11/2018outliningthescopeoftheinquiry.
      NOYB's replytoDPCof03/12/2018outliningproceduralconcerns

      Adopted      was made to allow the EDPB to come to a fully informed decision on the objections raised by some
      CSAs onthescope andconductofthe investigation.Fromthe schedule tothe DraftDecision,theEDPB
      Secretariat concluded that both Meta IE and the Complainant were given access to the documents
      requestedandinvited the IESA toconfirm thiswasindeed thecase.

9.    The IE SA declined the request, as it considered that the materialalready provided as sufficient to

      enable theEDPBtodeterminetheobjections referredtoit, asthe draft decisionprovidesinformation
      about the scope of the inquiry commenced for the purpose of examining the complaint, the
      procedural steps taken in the inquiry, the information that was collected during the course of the
      inquiry process, the allegations that were put to the data controller, the submissions made by the

      parties to the inquiry and the assessments and views of the IE SA. Further, the IE SA expressed its
      concern over the possibility of the EDPB concluding its decision on the basis of materialwhich was
      never put to the controller concerned as part of the formulation of any allegation of potential

      wrongdoing.Finally, the IESA underlined that,inaccordancewithArticle11(2) ofthe EDPBRoP,they
      would provide documentsthe Boarddeems necessary.

10.   A matter of particular importance that was scrutinised by the EDPB Secretariat wasthe right to be
      heard,asrequiredbyArticle 41(2)(a)ofthe CharterofFundamentalRights.Furtherdetailson thisare
      provided in Section2 ofthis Binding Decision.

11.   On 5 October 2022, the decision on the completeness of the file was taken, andit was circulatedby
      the EDPBSecretariattoallthemembers ofthe EDPB.

12.   TheChair ofthe EDPBdecided,incompliance withArticle65(3)GDPRinconjunctionwithArticle11(4)
      EDPBRoP, to extendthe default timeline for adoption of one month by a further month on account

      of thecomplexity ofthe subject-matter

      DPC's replytoNOYBof16/01/2019
      DPClettertoMeta of30/01/2019outliningviewsonthescope;
      Meta IEresponsetoDPCof05/02/2019,raisingproceduralquestions;
      DPC's responsetoMeta of08/02/2019;
      Email exchangesbetweenDPCandMetaon08/02and15/02/2019regardingscopeandproceduralissuesraised
      Meta IE’s Submissionsof 22/02/2019includingMeta Submissionof28/09/2018(markedupcopy,ofwhichparts
      Meta consideredoutofscopeofcomplaint);

      Letter fromNOYBtotheIESAdated19April2019whichincludedfurthersubmissionsonthescope
      NOYB's lettertoDPCof24/02/2020raisingproceduralissues;
      DPC's replytoNOYBof23/03/2020;
      DPClettertoNOYB of20/05/2020;
      NOYB's responsetoDPCof03/06/2020;
      Meta IE’s SubmissionsontheDraftInquiryReportof22/06/2020;

      NOYB’s SubmissionsonthePreliminaryDraftDecisioninIN-18-08-05dated11June2021;
      NOYB’s submissiontotheIESAcontainingtheGallupstudyinattachment.



13.   TheEDPBissubject toArticle41 oftheEUCharterofFundamentalRights,inparticularArticle41(right
      togoodadministration).This isalsoreflectedin Article11(1)EDPBRoP.Furtherdetailswere provided
      inthe EDPBGuidelines on Article65(1)(a)GDPR    12.

14.   The EDPB Decision “shall be reasoned and addressed to the lead supervisory authority and all the
      supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to

      address directly anythird party. However, asa precautionarymeasure to address the possible need
      for the EDPBtooffer the righttobe heardatthe EDPBleveltoMetaIE,the EDPBassessed if MetaIE
      was offered the opportunity toexercise its right tobe heard in relationto the procedure led by the
      LSA andthesubject matterofthe dispute tobe resolvedbythe EDPB.Inparticular,theEDPBassessed

      ifallthe documents containingthe mattersoffactsandlaw used bythe EDPBtotake itsdecisionhad
      beenpreviously sharedwithMetaIE.

15.   The EDPBnotes thatMeta IEhas receivedthe opportunity to exercise itsright tobe heard regarding
      allthedocuments containingthe mattersoffactsandoflawconsidered bythe EDPBinthecontext of
      this decision and provided its writtenobservations 1, which have been shared withthe EDPB by the


16.   Considering that Meta IE has been already heard by the IE SA on all matters of facts and of law

      addressed by the EDPB in its decision, the EDPB is satisfied that the Article 41 of the EU Charter of
      FundamentalRightshas beenrespected.

17.   TheEDPBconsidersthattheComplainantisnot likelytobe adverselyaffectedbythisBindingDecision,
      andconsequently does not meetthe conditions tobe grantedaright tobe heardby the EDPBin line
      with Article 41 of the EU Charter of Fundamental Rights, applicable case law, and Article 11 of the

      EDPBRoP. This is without prejudice toany right tobe heardor other relatedrights the Complainant
      mayhave before the competentnationalsupervisory authority(/-ies).


18.   The generalconditionsfor theadoptionof abinding decision bytheEDPBareset forthinArticle60(4)
      andArticle 65(1)(a)GDPR   1.

      3.1 Objection(s) expressed by several CSA(s) in relationto a DraftDecision

19.   The EDPB notes that severalCSAs (AT, DE, ES, FI, FR, HU, IT, NL, NOandSE SAs) raised objections to
      the DraftDecisionvia IMI.Theobjections were raisedpursuant toArticle 60(4)GDPR.

        EDPB Guidelines 3/2021on theapplication of Article65(1)(a) GDPR, adopted on 13April 2021 (versionfor
        In particular, Meta IE Preliminary Draft Submissions dated 4 February 2022, Meta IE Article65 Submissions
      14AccordingtoArt.65(1)(a)GDPR,theEDPBwillissuea bindingdecisionwhena supervisoryauthorityhasraised
      a relevantandreasonedobjectiontoa draftdecisionoftheLSAandtheLSAhas notfollowedtheobjectionor
      theLSAhas rejectedsuchanobjectionasbeingnotrelevantorreasoned.


      Adopted      3.2 The IE SA finds the objections to the DraftDecision not relevantor reasoned and

             does not follow them

20.   On 1 July 2022, the IESA provided to the CSAs ananalysis of the objections raised bythe CSAs inthe
      Composite Response.

21.   The IE SA concluded that it would not follow the objections, as it did not consider them “relevant”

      and/or “reasoned”,withinthe meaningofArticle 4(24)GDPRforthe reasonsset out inthe Composite
      Response andbelow    15.

      3.3 Admissibility of the case

22.   The case at issue fulfils the elements listed by Article 65(1)(a) GDPR, since several CSAs raised
      objections toadraftdecision oftheLSA (theIESA)withinthedeadline providedbyArticle60(4)GDPR,

      and the IE SA has not followed objections or rejected them for being, in its view, not relevant or

23.   The EDPBtakesnote of MetaIE’sposition that the currentArticle 65 GDPRdispute resolution should

      be suspended due to pending preliminary ruling proceedings before the Court of Justice of the EU
      (hereinafter,“CJEU”)  16.MetaIE refersin particulartocases C-252/21 and C-446/21 . Following its
      assessment, the EDPBdecidestocontinueitsproceedingson thisArticle65 GDPR dispute resolution,

      as there is no explicit legal basis for a stay of the dispute resolution procedure in EU law, nor are
      existing CJEU rulings on the matter conclusive for the situation of the EDPB  19. Also, the EDPB takes

      into consideration the data subjects’ right to have their complaints handled within a “reasonable
      period”(Article 57(1)(f) GDPR),andtohave their case handledwithina reasonable time byEU bodies
      (Article 41 Charter).Moreover,ultimatelythereareremediesavailable tothe affectedpartiesin case
      of adiscrepancy betweenthe EDPBBinding DecisionandCJEU rulingsin the aforementionedcases             .

24.   Considering the above, inparticularthatthe conditions of Article65(1)(a) GDPRaremet,the EDPBis
      competent to adopt a binding decision, which shall concern allthe matterswhichare the subject of

      15TheIESAletterto theEDPBSecretariatdated11August2022.
      16Meta IEArticle65Submissions,paragraphs3.4-3.8.
      17Requestfora preliminaryrulingof22April2021,Meta PlatformsandOthers,C-252/21(hereinafter‘C-252/21

        Requestfora preliminaryrulingof20July2021,Schrems,C-446/21(hereinafter‘C-446/21Austrian
      19C-234/89Judgement of theCourt of Justiceof 28 February 1991, Delimitis, C-234/89, ECLI:EU:C:1991:91;C-
      344/98 Judgement of theCourt of Justiceof 14December 2000, Masterfoods, C-344/98, ECLI:EU:C:2000:689.

      These cases concerned proceedings beforethe national courts, where the parties faced the risk of being
      confronted with a conflicting decision of the national judgethat could be seen as de facto nullifying the
      Commission decision – a power which is retained by the CJEU. The current disputeresolutionprocedure
      20In casean action forannulment is brought against theEDPB decision(s) and found admissible, theGeneral

      wereto deliveranyjudgmentinthetimebetweentheadoptionoftheEDPB’s Art.65decisionandtheadoption
      theIESA’s finaldecision,theIESAmayultimatelydecidetorevisethefinalnationaldecisionittakesfollowing
      the EDPB's binding decision - if the CJEU’s rulings givecauseto do so - in accordancewith theprincipleof
      cooperation as elaborated by theCJEU in theC-453/00Judgement of theCourt of Justiceof 12 January2004,
      Kühne&HeitzNV, ECLI:EU:C:2004:17.

      Adopted      the relevantandreasonedobjection(s), i.e.whetherthere isaninfringement ofthe GDPRor whether
      the envisagedactioninrelationtothe controller or processor complieswiththe GDPR        21.

25.   The EDPBrecallsthat itscurrent Decision is without anyprejudice toany assessments the EDPBmay
      be called upon to make in other cases, including with the same parties, taking into account the

      contentsof therelevant draftdecision and theobjections raised bythe CSA(s).

      3.4 Structure of the Binding Decision

26.   For eachof the objections raised, the EDPB decides on their admissibility, by assessing first whether
      they can be considered as a “relevant and reasoned objection” within the meaning of Article 4(24)
      GDPRasclarifiedinthe Guidelines on the conceptof a relevantandreasonedobjection          .

27.   Where the EDPB finds that anobjection does not meet the requirements of Article 4(24) GDPR, the

      EDPBdoes not takeanyposition onthe meritof anysubstantialissues raisedbythat objectionin this
      specific case.TheEDPBwillanalysethemeritsofthesubstantialissues raisedbyallobjections itdeems
      relevantand reasoned     .



      4.1 Analysis by the LSA inthe DraftDecision

28.   The IESA concludes thattheGDPR,the jurisprudence andthe EDPBGuidelinesdo not preclude Meta

      IE from relying on Article 6(1)(b) GDPR as a legal basis to carry out the personal data processing
      activitiesinvolved in the provision of its service tousers, including behavioural advertising insofar as
      thatforms a core partof the service  2.Finding 2 reads“Ifind the Complainant’scase is not made out

      that the GDPR does not permit the reliance by Meta Ireland on 6(1)(b) GDPR in the context of its
      offeringofTermsofUse    25”

29.   The IESA statesthatit does not have competence toconsider substantive issues ofcontractlaw and,
      accordingly, its analysis is limited tothe specific contract enteredintoby the complainant andMeta
      IEin respectof the Instagramservice    .

30.   The IESA understands the complainant’sallegationsas : being that,firstly,theyweregivena binary
      choice: i.e. either acceptthe InstagramTermsof Use andthe associated DataPolicy byselecting the

         Art. 65(1)(a) and Art. 4(24) GDPR. Some CSAs raised comments and not per se objections, whichwere,
      22EDPB Guidelines 9/2020 ontheconcept of relevant and reasoned objection, version 2 adopted on 9 March

      inthe bindingdecision.”)

      Adopted      “accept”button,ordeletingtheirInstagramaccount ,lackofclarityonwhichspecific legalbasisMeta

      IErelies onfor eachprocessing operation    29,andtheir concernon MetaIE’srelianceon Article6(1)(b)
      todeliver the InstagramTermsof Use     30.

31.   While the IE SA acknowledges that the EDPB considers in its Guidelines 2/2019      31 that, as a general

      rule, processing for online behaviouraladvertising is not necessary for the performance of acontract
      for online service under Article 6(1)(b) GDPR  32, in this particular case, having regardto the specific

      terms of the contract andthe nature of the service provided and agreedupon by the parties, IE SA
      concluded thatMetaIEmayinprinciple relyonArticle 6(1)(b)aslegalbasisofthe processing ofusers’

      data necessary for the provision of its service, including through the provision of behavioural
      advertisinginsofar asthisforms acorepartofthatserviceofferedtoandacceptedbyusers            33. Further,

      the IE SA states that while the examples provided in any form of EDPB guidance are helpful and
      instructive, theyare not necessarily conclusive of the position in any specific case andindeed do not
      purport tobe    .

32.   The IE SA disagrees with what it defines as a “strict threshold of ‘impossibility’ in the assessment of
      necessity” proposed by the complainant and the EDPB . By “impossibility”, IE SA refers to the

      argument put forward that a particular term of a contract (here, behavioural advertising) is not
      necessary to deliver an overall service or contract  36. The IE SA is of the view that “it is not for an

      authority such as the Commission, tasked with the enforcement of data protection law, to make
      assessmentsasto whatwillorwillnot maketheperformanceofa contractpossibleor impossible” and
      that the generalprinciples set out in the GDPR andexplained by the EDPB in the guidelines must be

      appliedon a case-by-case basis  37. TheIE SA considers thatArticle 6(1)(b)GDPRcannot be interpreted
      as requiring that it is impossible to perform the contract without the data processing operations in

      question 38.

33.   TheIESA referstoMetaIE’spositionthatinthespecific contextoftheInstagramservice,personalised
      advertising mayconstitute a distinguishing feature of said service which is an “exact rationale” and

      one of the “essential elementsof the Terms of Use” for which the ordinary user would reasonably
      expect their personal data to be processed so as to receive the Instagram service as advertised      39.

      Further, the IE SA refers to Meta IE’ssubmission regarding whether the necessity test encompasses
      an impossibility threshold, and Meta IE’sargument that were impossibility anaspect of necessity, it

      31EDPB Guidelines2/2019ontheprocessingofpersonaldataunderArticle6(1)(b)GDPRinthecontextofthe

      provision of onlineservices to data subjects Version 2.0, adopted on 8 October 2019 (hereinafter, “EDPB
      Guidelines 2/2019onArticle6(1)(b)GDPR”).

      Adopted      would not,inanycase operateasa“blanket prohibition”on relying onArticle(1)(b) GDPRasthe legal
      basis for the processing inthis context  .

34.    The IESA considers personalised advertisinga corepart oftheservice offered toandacceptedbythe
      users, having regardtothe specific termsofthe contractandthe nature of the service provided and
      agreedupon by Meta IE and the user     41. The IE SA points out that the nature of the service being

      offeredtoInstagramusersis setout intheTermsofUse whichdescribe theInstagramserviceasbeing
      “personalised”andconnectsuserswithbrands, including bymeansofproviding “relevant”advertising
      andcontent    .

35.   The IESA considers thisasthe Instagramserviceisadvertisedinthe TermsofUse asbeing predicated
      onpersonalised advertising,anyreasonableuser wouldunderstand andexpectthatthisis partofthe

      core bargainthatis being struckwithMeta IE,evenif theymight prefer thatthe market would offer
      them betteralternativechoices   43.

36.   The IE SA considers that as personalised advertising forms part of the core bargain struck between
      Meta Ireland and Instagram users, any processing necessary for the delivery of such advertising is
      deemedtofall within thescope ofArticle 6(1)(b) GDPR .

37.   The IE SA thus concludes that MetaIE mayinprinciple rely on Article6(1)(b) GDPRasa legalbasis of
      the processing of users’ datanecessaryfor the delivery ofa service basedon behaviouraladvertising
      of thekind provided for under the contractbetweenMetaIEand Instagram’susers          .

38.   The IE SA clarified that, having regard to the scope of the complaint and its inquiry, the above

      conclusion ought not tobe construed as an indication that all processing operations carried out on
      users’ personal dataarenecessarily coveredbyArticle 6(1)(b) GDPR    46.

39.   The IESA alsonotesthatotherprovisions ofthe GDPRsuchastransparencyacttostrictlyregulatethe

      manner inwhich thisservice istobe deliveredandthe information thatshould be giventousers and
      decides to address it separately in its Draft Decision .The IE SA considers that there have been
      significant failings oftransparencyin relationtotheprocessing    .

40.   The IE SA considers that these failings of transparency, having regard to the specific terms of the

      contract andthe nature of the service provided and agreedupon by the parties, do not, in principle
      prevent Meta IEfrom relying on Article 6(1)(b) GDPRasa legalbasis of the processing of users’ data


      Adopted      necessary for the provision of the Instagram service, including throughthe provision of behavioural
      advertising insofar as thisforms acore part ofthatservice offered toandacceptedby users       .

      4.2 Summary of the objections raised by the CSAs

41.   The AT, DE, ES, FI, FR, HU, NL, NO and SE SAs object to Finding 2 of the draft decision and the
      assessment leadingup toit.

42.   The AT, ES, FI,HU,NL, NOand SE SAs    50 consider that,theIE SAshouldhavefoundaninfringement
      ofArticle 6(1)(b)oftheGDPR,inline withthe EDPB’sinterpretationofthisprovision         . The DEandFR
      SAs arguethatthe IESA should have found aninfringement ofArticle 6(1)GDPR .      52

43.   TheDESAs,intheirobjection, furtherarguethattheIESAshouldfindaninfringementofArticle5(1)(a)
      GDPR and make use of corrective powers of Article 58(2)(f) and (i) GDPR and order to erase the

      unlawfully processedpersonaldata,impose abanof therespectiveprocessing ofdatafor the purpose
      of behavioural advertising until a valid legal basis is in place and impose an administrative fine
      pursuant toArticle 83 GDPR    .

44.   The FI SA, in itsobjection, also arguesthatthe finding thatMetaIEwasnot entitledtorelyon Article
      6(1)(b) GDPR asa legalbasis for all the processing operations in the scope of the Instagram Service
      should leadtotheconclusion thatcorrectivepowerspursuant toArticle58(2)GDPRmustbeexercised

      to bring the processing operations of Meta IE intocompliance withthe GDPR      54. Furthermore, the FI
      SA considers that this additional infringement should be properly reflected in the amount of the

      administrative fine imposed pursuant toArticle83 GDPR    55.

45.   The FR SA notes that reversing the findings concerning the infringements of Article 6(1) GDPR also
      affects the scope of the corrective actions proposed by the IE SA, in addition to the administrative
      fine  .

46.   The HU SA, inits objection, arguesthatinlight of the infringement,the legalconsequences of Article
      58(2) (d) (order to bring processing operations into compliance) GDPR should be applied, and the
      controller should be instructedtoindicateanother alternativelegalbasis . 57

47.   The NOSA, initsobjection, alsoarguesthattheIESA should takeconcretecorrectivemeasures.More

      specifically, theNOSAconsiders thattheIESA should orderMetaIEtodeletepersonaldataprocessed
      under Article6(1)(b) GDPR,unlessthose datawerealsocollectedfor otherpurposes witha validlegal

      basis, aswell asorder MetaIE toidentify a valid legalbasis for future online behaviouraladvertising

      50AT SAObjection, pp. 1-7;ES SAObjectionpp. 1-3;FI SAObjection pp. 2-7;HU SAObjectionpp. 2-4;NLSA

      52DESAs Objection,pp.2-7,FRSAObjection,pp.2-7.
      53DESAs Objection,p.10.
      55FI SAObjection,paragraph23.
        FI SAObjection,paragraph26.

      Adopted      or abstain from such processing activities and impose an administrative fine against Meta IE for
      unlawfully processing personaldatain the contextof online behaviouraladvertising       .

48.   The AT,DE,ES,FI, FR,HU,NL,NOandSE SAs put forwardseveralfactualandlegalargumentsforthe
      proposed change in legalassessment . Specifically they argue that Meta IE cannot rely on Article

      6(1)(b) GDPRasa legalbasis toprocessanInstagramuser’sdatafor behavioural advertising.

49.   Inaddition, in the context of their objection, the AT and FR SAs arguethat the factualbackground of
      toinclude adefinition of“behaviouraladvertising”   60.TheATSAsuggestsmentioning alsothetechnical

      possibilities Meta IEuses to conduct it, such ascollecting datafrom other groupservices, third-party
      websites,apps,cookiesor similarstoragetechnologiesplacedontheuser’scomputerormobile device

      and linking that data withthe user’s Instagram account   61. The AT SA alsosuggestsincluding the fact
      thaton 25 May2018 MetaIE switcheditslegalbasistoprocessdata for behaviouraladvertising from
      consent tocontractualperformance       .

50.   TheDEandNL SAs question thevalidityofthecontractbetweenMetaIEandtheInstagramservice’s
      user togroundthesaidprocessing onArticle6(1)(b) GDPRinlightofthe transparencyissues identified
      by the IE SA   . The DE SAs question whether the parties reachedan agreement if the user did not
      know that they would enter into a contract, because Meta IE did not clearly communicate in a
      transparentmanner that the use of itsservices would inthe future be based on a contract       .TheNL
      SA arguesthat,asa generalrule, both partiesmust be awareof the substance of a contractin order
      towillinglyenterinto it 66andconsiders that“theestablishedserious lackoftransparencyonbehalfof

      thecontroller,leads, atthe veryleast, to a reasonable doubt whetherdatasubjectshave indeed been
      able toenterinto a contractwiththecontrollerboth willingly and sufficientlyinformed"    67.TheDEand

      NL SAs therefore considered that Meta IE’s statement that it relies on Article 6(1)(b) GDPR, in
      combination with documents with general descriptions of the service provided, and the IE SA’s

      reference to the controller’s right to choose its own legal basis to process data are insufficient to
      acceptthe performanceof a contractasalegalbasis      68.

      59AT SAObjection,pp.3-6;DESAs Objection,pp.2-9;ESSAObjection,pp.1-3;FI SAObjection,pp.3-7;FRSA
      Objection, pp. 2-4; HU SA Objection, pp. 2-3; NL SA Objection, pp. 2-6; NO SA Objection, pp. 2-8; SE SA

        AT SAObjection,pp.6-7;FRSAObjection,paragraph6.
      61AT SAObjection,pp.6-7.
      62AT SAObjection,p.7.
      64DESAs Objection,p.3-4;NLSAObjection,pp.3-5.
        InFinding3,theIESAstates that“InrelationtoprocessingforwhichArticle6(1)(b)GDPRisreliedon,Articles
      5(1)(a), 12(1)and13(1)(c) GDPR have beeninfringed”. TheIE SAconsidered, among other, that “Meta Ireland
      have not provided meaningful informationas to the processing operation(s) and/orset(s) of operations that
      occurin the context of the Instagram service, eitheron basis of Article 6(1)(b) GDPRorany otherlegal basis.

      processing is carried out onwhat data, on foot ofthe specifiedlawful bases, in orderto fulfil these objectives”
      65DESAs Objection,p.4.

      Adopted51.   The DESAscontendthattheIESA iscompetent toassess thevalidityof contractsinthecontextofthe

      GDPR,whichis aprerequisite for controllerstobase the processing ofpersonal dataonArticle 6(1)(b)
      GDPR  69. Would that not be the case, the assessment of Article 6(1)(b) GDPR would practically be
      deducted from Supervisory Authorities’ tasks provided for in Article 57(1)(a) GDPR    . The DE andNL
      SAs argue that the IE SA should assess whether a valid contract is in place as required under Article
      6(1)(b) GDPR  7.

52.   Without prejudice toany argumentsmade on the existence ofa valid contractabove,the AT, DE,ES,
      FI,FR, HU,NL,NOandSE SAs arenot satisfied bythe assessment ofnecessity inthe DraftDecision .
      They assert that the data processingfor the delivery ofpersonalisedadvertisingis objectively not

      necessaryfortheperformanceofMeta IE’scontractwiththedatasubjecttodelivertheInstagram
      service and it is not an essentialor core element of it. To highlight the unnecessity of behavioural

      advertising toperform the contractwiththe Instagramuser,theAT,DE,NLandSE SAs arguethatthis
      contract of providing personalised advertisement is a contract between Meta IE and a specific
      advertiser, inwhich Meta IE would presumably have this obligationtowards the advertisers, yet not

      towards Instagram users that are not partyto this contract   73. The DE SAs support this assertion by
      pointing out that thereis no obligation tooffer personalised advertising to the user, andcontractual
      sanctions for thefailure toprovide it,asitcanbe seenfrom the termsof use      .The AT,DE,HU,FI,FR,
      HU, NOand SE SAs consider, while referring tothe EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR,

      that the business models tooffer “free” servicesand in return generate income by behavioural and
      personalised advertisement, inter alia, to support the service, cannot be necessary to perform a
      contract and fail to comply with data protection regulations   . The DE, FR and HU SAs also cite the
      EDPB Guidelines 8/2020 tounderscore that processing cannot be rendered lawful by Article 6(1)(b)
      GDPR simply because such advertising indirectly funds the provision of the service and that while

      personalisation of content, may, in certain circumstances, constitute an intrinsic and expected
      element of certainonline services, Article 6(1)(b) GDPR in the context of targeting of social media

      users ishardly applicable76.The AT,ESandSE SAs arguethatadvertisementscanstillbe displayed on
      Instagramusing alternativemethodstobehaviouraladvertising not involving profiling andtracking      7.

      The SE SA adds thatsome degreeof targetingforincreased relevanceis possible, such as geography,
      languageandcontext    78.

53.   Inaddition, theAT,ES,FI,FR,HU,NOandSE SAsargue,alsowhile referringtoEDPBGuidelines2/2019
      on Article6(1)(b) GDPR,thattheIE SA should have consideredthe EDPB’sargumentthatbehavioural

      69DESAs Objection,p.3.
      70DESAs Objection,p.3.
      72DESAs Objection,p.3;NLSAObjection,paragraph11.
        AT SAObjection, p. 3;DE SAs Objection, pp 4-7;ES SAObjection, pp. 1-2;FI SAObjection, pp. 3-5;FR SA
      Objection, pp. 3-4; HU SA Objection, pp. 1-3; NL SA Objection, pp. 4-8; NO SA Objection, pp. 5-6; SE SA
      73AT SAObjection,p.4;DESAs Objection,p.5;NLSAObjection,paragraphs12and19:SESAObjection,p.3.
        DESAs Objection,p.5.
      75EDPB Guidelines 2/2019 on Article6(1)(b) GDPR. AT SA Objection, p. 5;DE SAs Objection, pp. 6-7;HU SA
      Objection,p.3;FI SAObjection,paragraphs13and16;FRSAObjection,paragraphs9and11;NOSAObjection,
         EDPB Guidelines 8/2020on the targeting of social media users, version 2.0, adopted on 13 April 2021,
      paragraph49.DESAs Objection,p.6;FRSAObjection,paragraph11;HUSAObjection,p.3.
      77AT SAObjectionp.4;ESSAObjection,p.2;SESAObjection,p.3.

      Adopted      advertisingcannot be “necessary”withinthe meaningofArticle6(1)(b) GDPRwhilea datasubject can

      object tothe processing of his/her personal data for direct marketing purposes at any time without
      anyreason, inaccordancewithArticle 21(2)GDPR       7.

54.   The AT, DE, FR, NO, NL and SE SAs also point out some argumentson data subjects’ expectations
      abouttheprocessingoftheirpersonaldataforpersonalised advertising asanecessaryelementofthe
      contract entered into between users and Meta IE . The AT, DE, NL, and SE SAs contend that data
      subjects do not reasonably expect that their data is being processed for personalised advertising
      simply because Meta IE briefly refers to it in the Instagram Terms of Use     . The NO SA takes into
      accounthow MetaIEmarketsitsInstagramplatformtowardspotentialusers(“Asimple,fun&creative
      way to capture, edit & share photos, videos & messages with friends & family”) and considers that

      Instagram users (including those with prior knowledge of data protection, technical means for
      profiling or the ad tech industry) should not be deemed to reasonably expect online behavioural
      advertising,especially tothe extentasit is carriedout byMetaIE     .The FR andNOSAs consider that
      the particularly massive and intrusive nature of the processing of the users’ data cannot meet the
      reasonable expectationsofthe users     . The AT, NLand SE SAs alsoconsider thatthe DraftDecision is
      inconsistent infinding thatinformationon specific processing operationsshould have beenprovided,
      linkedwithaspecific or lawfulbasis, anddescribedinanunambiguousmanner,while considering that

      data subjects had a perspective or expectation or were well informed that their data was being
      processed for behavioural advertising 84.

55.   In addition to the arguments made above on the existence of a valid contract and the necessity of

      behavioural advertising for the performance of that contract, severalSAs raise other considerations
      intheir objections.

56.   The NOSA arguesthatthe IESA’sinterpretationofArticle 6(1)(b)iscontrarytothe fairnessprinciple,
      since data subjects face the dilemma of approving contractualtermspossibly entailing intrusive and

      harmfulprocessing practices,andbeingexcludedfromservicesonwhichtheyaredefactodependent,
      due toa lackof realisticalternativestothem   85.

57.   On the risks posed by the Draft Decision, the AT, DE, ES, HU, FI, NL, NOand SE SAs explain that the
      proposed interpretationof Article 6(1)(b) GDPRleads toa situation where dataprotectionprinciples

      are either undermined or bypassed entirely with regards to data subjects using the Instagram
      service86 .

      79Seeparagraph52.ATSAObjection,p.4;ESSAObjection,p.2;FI SAObjection,paragraph19;FRSAObjection,

        ATSAObjection,p.4;DESAs Objectionp.5;FRSAObjection,paragraph9;NLSAObjection,paragraph19;NO
      81AT SAObjection,p.4;DESAs Objection,p.5;NLSAObjection,paragraph19;SESAObjection,p.3.
        AT SAObjection,p.4;NLSAObjection,paragraph12;SESAObjection,p.3.
      86AT SAObjection,p.6;DE SAs Objection,p.9;ES SAObjection,p.3; HU SAObjection,p.4;FI SAObjection,
      paragraphs31-33;NLSAObjection,paragraph29;NOSAObjection,p.8;SE SAObjection,p.5.

      Adopted58.   Specifically, the AT, DE andNO SAs point tothe conditions of consent pursuant toArticle 7 GDPR as

      being bypassed  87. The NL SA considers that the Draft Decision allows Meta IE to engage in online
      behavioural advertising in a way that bypasses informed consent of data subjects       88. The NO SA

      considers thatusers ‘wouldface a dilemma betweenapproving (though not by way ofvalid consent)
      contractualterms possibly entailing intrusive and harmful processing practices, and being excluded

      from services’,whichultimatelywould also‘adverselyaffect datasubjects’ freedomofexpression and
      information’  8. The FI, FR and NO SAs considered that the Draft Decision poses a risk to the

      fundamentalrightsand freedoms of the individuals concerned, insofar asusing the legalbasis ofthe
      contractforthe processing ofthepersonaldatafor personalised advertising,wouldpreventEuropean
      users ofthe social networktohave control over theirdata      .

59.   Further,the AT SA sees therisk materialiseasin itsview Article25(2) GDPR(privacybydefault)is not
      applied, “since Meta Ireland – at least in its contract – declares that behavioural advertising is
      ‘necessary’for thecontractualperformance”      .

60.   The DESAs argue theDraftDecision allowsMeta IEto“bypass the requirementsofa valid legalbasis
      for the processing that cannot be based on contract performance” . The NL SA considers the Draft
      Decisionlowers thethreshold for legalityofdataprocessing onthe basis ofArticle 6(1)(b) severely      .
      The NO SA considers thatthe DraftDecisionerodes the lawfulness principle, as in the DraftDecision

      “it is not the legislation which sets the boundaries for lawfulness under Article 5(1)(a) GDPR, but
      instead the individual contract”, whichis incompatible with Article 8 of the Charter of Fundamental
      Rightsand Article5(1)(a)GDPR    94.

61.   FR, HU,NL andSE SAs take the view that the DraftDecision, asit stands, sets adangerous precedent

      contrarytotheGDPR . TheFRSAnotesthatitcouldbeunderstoodasreflectingthecommonposition
      of the European supervisory authorities on this matter, since it is issued following the cooperation

      procedure among SAs    96. Moreover, the AT, DE, FI, HU and SE SAsraise that this interpretation of
      Article 6(1)(b) GDPR could essentially be used by every controller andtherefore endanger the rights

      of nearlyevery datasubject withinthe EEA    97.

62.   The DE SAs specify that the risks concern the complainant in person but it arguesthat there is alsoa
      significant risk asregardthe fundamentalrightsand freedoms of allMetaIE’susers in the European
      Union that their personal data are processed without any legalbasis     ; the FI SA adds that the risks

      87AT SAObjection,p.2and5;DESAs Objection,p.9;NOSAObjection,p.4.
        FI SAObjection,paragraph35;FRSAObjection,paragraph34;NOSAObjection,p.8.
      91AT SAObjection,p.6;
      92DESAs Objection,p.9.
      97AT SA Objection, p 6;DE SAs Objection, p. 9;FI SAObjection, paragraph34;HU SAObjection, p. 3;SE SA

      98DESAs Objection,p.9.

      Adopted      include fundamental right andfreedom of data subjects whose personal data might be processed in
      the future  .

63.   Finally, theAT,DE,FI,NLandNOSAs explainthattheDraftDecisioncreatesaloophole, allowingMeta

      IE andany other controllers tomake lawful virtually anycollection and reuse of personal data by, as
      long astheydeclare thatit isprocessed for the performance ofa contract    100.

      4.3 Position of the LSA on the objections

64.   The IE SA considers that the objections above are not relevant and/or not reasoned for the purpose

      of Article60(4)GDPRanddecides not tofollow them      101.

65.   The IESA contends thatabroad, directcompetencein contractlawtoassessthevalidityofcontracts
      cannot be inferredfrom theGDPRtasksof supervisory authorities.Itarguesthat thisinference would

      create a very extensive power for SAs to regulate private law, without an appropriate basis in EU
      law 102.

66.   The IE SA arguesthat the core or fundamental aspects of the Terms of Use, including behavioural
      advertising processing, reflects the mutual expectations of the parties on contractualperformance.

      TheIESA contendsthatareasonableuser wouldhave hadsufficient understandingthattheInstagram
      service was provided on the basis of personalised advertising, based also on a “recognised public
      awareness”of behaviouraladvertising asa form of processing       .

67.   Onthe necessityoftheprocessingtoperformthecontract,theIESAconsidersthatit doesnot adopt

      amerelyformalapproachtoArticle6(1)(b)thatreliesonly onthetextualcontentof theTermsof Use.
      The IESA statesthatit does not takethe view thatallwrittencontractualtermsarenecessaryfor the

      performance of the contract. The IE SA contends that it focuses in its Draft Decision on the
      fundamentalpurpose or core function ofthe contractthatis necessaryfor itsperformance       104.

68.   The IESA arguesthatthe EDPBGuidelines2/2019 onArticle 6(1)(b)GDPR donot prohibit behavioural
      advertising processing under Article6(1)(b) GDPRif it falls withinthe core or essentialaspects ofthe

      service105.InrelationtoMetaIE’sprocessing of personal data,theIESA differs from the SAsin thatit
      considers online behavioural advertising as necessary for the performance of the contract (as
      described inthe InstagramTermsofUse) betweenInstagramandthedata subject              .

69.   The IE SA also disagrees with the interpretation of Article 21 GDPR making behavioural advertising
      optional andnot indispensable  107. The IE SA arguesthatArticle6(1)(b) GDPRisnot limitedtoaspects
      of contractual performance which are expressly mandatory and unconditional obligations of the

      100I SAObjection,p.7.
         AT SAObjection,p.5;DESAs Objection,p.9;FI SAObjection,paragraph32;NLSAObjection,paragraphs30-

      Adopted      parties108. The IE SA contends that the CJEU has in the past held that processing which exceeds the
      most minimal level of processing possible may be regardedas necessary, where it renders a lawful

      objective “moreeffective”.The IE SA   affirmsthat the necessityinthe context of Article6(1)(b) GDPR
      cannot be assessed by referenceto hypotheticalalternative forms of the Instagramservice and that
      it is not therole ofSAs toimpose specific business models on controllers    .

70.   The IE SA considers EDPB Guidelines as not binding on supervisory authorities, yet it acknowledges
      that they should be taken into account   11. However, the IE SA arguesthat the EDPB has not been
      provided with the legalpower to mandate that certaincategoriesof processing must be based on

      consent, tothe exclusionofanyother legalbasesfor processing. The IESA’sviewis thatsuchapower
      isproperlyexercisedfrom timetotimebythe EUlegislator,intheformofspecific legislativemeasures.

      The IE SA is therefore not satisfied that the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR canbe
      construedasabinding andspecific prohibition onprocessing for online behavioural advertisingonthe
      basis of Article 6(1)(b)GDPR. The IE SA considers that under these Guidelines, where processing for

      behavioural advertising is a distinguishing characteristicofthe service in question, it cansupport the
      business objectives and interests of the controller and be based on Article 6(1)(b) GDPR. The IE SA

      considers that to be the case regarding Meta IE’s processing with reference to the Instagram

71.   The IE SA arguesthat compliance with GDPR transparencyobligations under Article 13(1)(c) GDPR
      involves a separateand different legalassessment tothatrequired in Article6(1)(b) GDPR.TheIE SA

      acknowledgesthatthe necessity test under Article 6(1)(b) GDPRmayrequire considering contractual
      termsandother relevantinformation, andthatthe informationprovided under Article13(1)(c)GDPR
      could, insome cases, inform a datasubject’sexpectationsastoacontractualservice.However,inthe

      present case,theIESAconsiders thatthetransparencyinfringementsitproposes for itsDraftDecision
      do not impactits findings on the legalbasis, as it considers thatthe expectationsand understanding
      of thepartieson theTermsof Use include personalised advertising       .

      4.4 Assessment of the EDPB

      4.4.1 Assessment of whether theobjections were relevant and reasoned
72.   The objections raised by the AT, DE, ES, FI, FR, HU, NL, NOand SE SAs concern“whether there isan
      infringementof theGDPR”    113.

73.   The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe
      threshold of Article 4(24) GDPR    . Meta IE’sprimaryargument isthat “it isnot open to the EDPB to
      now decideon the lawfulness of Meta Ireland’sactualprocessing as the Objectionssuggest. Such an
      assessment is not within the scope of the Inquiry as defined by the DPC     .” In Meta IE’sview, “the
      EDPBcannotexpand thescope oftheInquiryin themannersuggested bytheCSAs throughObjections

      114Meta IEArticle65Submissions,paragraph2.4andAnnexI,p.65.
      115Meta IEArticle65Submissions,paragraph2.4.

      Adopted      thatarenotrelevanttothesubstanceoftheComplaint.”and“suchobjections‘oughttobedisregarded
      in theirentiretybytheEDPB”   116.Inthiscontext,MetaIEcitesEDPBBinding Decision2/2022, adopted

      on 28 July 2022 (hereinafter,“EDPBBinding Decision2/2022”), and in particular,theEDPB’sanalysis
      of some of the objections in thatcase, which werefound to be not relevant or reasoned, due tothe

      fact thatthese objections “fail[ed] to establish a direct connectionwith thespecific legaland factual
      contentofthe draftdecision”  117.

74.   Contraryto MetaIE’sposition on relevance, asdescribed above, objections canhave bearingon the
      “specific legal and factual content of the Draft Decision”, despite not aligning with the scope of the
      inquiry asdefined by anLSA     .

75.   In essence, Meta IE arguesthat CSAs may not, under any circumstance, express disagreement with
      the scope of the inquiry asdecided by the LSA by wayof anobjection. The EDPB does not share this
      readingof Article65 GDPR,asisexplicitly statedin theEDPBRROGuidelines       11.

76.   Further,MetaIEstatesthat“severalCSAsnow propose toexpand thescopeoftheInquiryevenfurther

      inthe Composite Memothat theseunrelatedissues raised bythe CSAs areirrelevantto theresolution
      of thisInquiryand thatexpanding thescope of the Inquiryat thispoint would seriously infringe Meta

      Ireland’sproceduralrightsunderbothIrishandEUlaw      120.”MetaIEalsoagreeswiththeIESA’sposition
      in theComposite Response that“expanding the scope oftheInquiryat thispoint as theCSAs propose

      would seriously infringe MetaIreland’slegitimateexpectations,rightto fair procedures(including the

      116Meta IEArticle65Submissions,paragraph4.9.
         InrespectofMeta IE’sargumentsinparagraph4.9ofitsArticle65Submissionsontheseobjectionsnotbeing
      “relevant”,theEDPBrecallsthattheanalysisofwhethera givenobjectionmeets thethresholdsetbyArt.4(24)
      GDPRis carriedoutonacase-by-casebasis.MetaIEreferstotheEDPB’sBindingDecision2/2022andspecifically
      to theparagraphswheretheEDPBestablishedthatspecificobjections raisedbytheDE SAs andNOSAinthat

      139,147,164)whereaseachCSAherehas madeseveralclearlinkswiththecontentoftheDraftDecision,asis
         Meta IEdoes notconsiderthatanyoftheobjectionsarereasoned,as setoutintheirrepliestoeachofthe
      objectionsinAnnex1.Meta IEArticle65Submissions,Annex1,pp.66-124.InrespectofMeta IE’sarguments
      inparagraph4.9ofitsArticle65Submissionsontheseobjectionsnotbeingreasoned,theEDPBnotes thatthe
      objections that werefound to benot relevant and/ornot reasoned in theBinding Decision 2/2022 did “not
      provide sufficiently precise and detailed legal reasoning regarding infringement of each specificprovision in

      the rights and freedoms of thedata subjects or thefreeflow of data within theEU (BindingDecision 2/2022,
      paragraphs140,148,165).Here,eachCSAprovidesa numberoflegalandfactualargumentsandexplanations
      as towhyaninfringementforlackofappropriatelegalbasisistobeestablished,andadequatelyidentifiesthe

         “Forinstance,if theinvestigationcarriedoutbytheLSAunjustifiablyfailstocoversomeofthe issuesraised
      120Meta IEArticle65Submissions,paragraph4.2.

      Adopted      rightto beheard)andrightsofdefence     121”.Despiteclaimingitthishasbeenexplained“clearly”inthe
      Composite Response, MetaIE does not demonstrate in whichmanner its proceduralrightswould be
      inevitably breached by the mere fact that the EDPB finds specific objections admissible             .
      Admissibility determines the competence of the EDPB,but not the outcome of the dispute between
      the LSA and the CSAs. Likewise, MetaIE does not explainhow the mere actof considering the merits
      ofadmissible objections inevitablyandirreparablybreachestheproceduralrightscitedbyMetaIE            .
      AcceptingMetaIE’sinterpretationwouldseverelylimit theEDPB possibilitytoresolve disputesarising
      inthe one-stop-shop, andthus undermine the consistent applicationofthe GDPR.

77.   The objections of the AT, DE, ES, FI, HU, FR, NL, NOandSE SAs all have a direct connection withthe

      LSA Draft Decision and refer to a specific part of the Draft Decision, i.e. Finding 2. All of those
      objections concern“whetherthereisaninfringementoftheGDPR”astheyarguethattheIE SA should
      have found aninfringement ofArticle 6,6(1) or (1)(b) ofthe GDPR.Asthe LSA considered thatArticle

      6(1)(b) of the GDPR wasnot breached, the objections entail a need of a change of the LSA decision
      leading toadifferent conclusion. Consequently, theEDPBfinds thatthe AT,DE,ES, FI,HU,FR,NL,NO

      andSE SAs objections relatingtothe infringement ofArticle 6,6(1) or 6(1)(b) GDPRarerelevant.

78.   As regardsthe part of the DE SAs’ objection arguing that the IE SA should find an infringement of

      Article5(1)(a)GDPRandimpose the erasureofunlawfully processed personaldataandthebanofthe
      processing of data for the purpose of behavioural advertising until a valid legalbasis is in place, the
      part of the FI SA objection asking that the infringement of Article 6(1) be properly reflected in the

      amount ofthe administrative fine, aswellasthe partofthe NOSA objectionarguingthe IESA should
      order MetaIE todelete personaldataprocessed under Article 6(1)(b) GDPR,aswell asorder MetaIE
      to identify a valid legalbasis for future online behavioural advertising or from now on abstain from

      such processing activities, the EDPB notes that these parts of the objections concern “whether the
      envisaged action in relation to the controllercomplies with the GDPR.”These partsof the objections

      are linked to the IE SA’s Finding 2 with regardto Article 6(1)(b) GDPR. Therefore, they are directly
      connected with the substance of the Draft Decision and, if followed, would lead to a different
      conclusion. Thus, theEDPBconsidersthatthesepartsoftheDE,FIandNOSAsobjectionsarerelevant.

79.   The objections of the AT,DE,ES, FI, FR, HU,NL, NOand SE SAs on the finding of an infringement are
      reasonedbecausetheyallinclude clarificationsand argumentson legal/factualmistakes inthe LSA’s

      DraftDecisionthat require amending.More specifically, the AT,DE,ES, FI,HU,FR, NL, NOandSE SAs
      provide detailedargumentstochallengetheDraftDecision’sconsiderationofbehaviouraladvertising

      as a necessary,coreor fundamentalaspect of a contractleading to the need tochange the decision
      and to find an infringement of Article 6(1)(b) GDPR  124. Some of them provide detailed arguments

      121Meta IEArticle65Submissions,paragraph4.10,whereMeta IEmakes referencetoparagraphs32-33ofthe

      122Meta IEArticle65Submissions,paragraph4.10.
      123TheEDPB fails to seehow, for instance, declaring anobjection admissiblebut rejecting it on merits could
      impingeontheproceduralrights ofthecontrollerinvolvedintheunderlyingcase.
      124AT SAObjection,pp.4-5;DESAs Objection,p.5-6,ESSAObjection,p.2,FI SAObjection,paragraphs16and

      p. 7,SE SAObjection,pp.3.

      Adopted      challengingthe validityofthe contractonwhichthe use ofArticle 6(1)(b)asa legalbasisdependsand
      whichthe IESA accepts      .

80.   Some SAs recall,while referringtothe termsof the EDPBGuidelines 2/2019 on Article 6(1)(b) GDPR,

      that it is the fundamental and mutually understood contractual purpose, which justifies that the
      processing is necessary 12. This purpose is not only based on the controller’sperspective but also on

      a reasonable data subject’s perspective when entering into the contract and thus on “the mutual

      subjects do not reasonably expect that their data is being processed for personalised advertising
      simply because MetaIE briefly referstoit inthe InstagramTermsof Use      127. The FR and NOSAs also
      support this finding and add that data subjects cannot be presumed tobe aware of the particularly

      massive andintrusive natureof thisprocessing   128. SeveralSAs alsoconsider thatthe DraftDecisionis
      inconsistent infinding thatinformationon specific processing operationsshould have beenprovided,

      linkedwithaspecific or lawfulbasis, anddescribedinanunambiguousmanner,while considering that
      data subjects had a perspective or expectation or were well informed that their data was being
      processed for behavioural advertising    .

81.   The AT,DE,ES,FI,FR,HU,NL,NOandSE SAsobjectionsalsoidentify risks posedby theDraftDecision,

      in particular an interpretationof Article 6(1)(b) that could be invoked by any controller and would
      undermine or bypass dataprotectionprinciples, andthus endangerthe rightsof datasubjects within
      the EEA    .

82.   MetaIE’scontends thatin terms of risk, the objections must “demonstratethe likelihood of a direct
      negative impact of a certainsignificance of the Draft Decision on fundamental rights and freedoms
      under the Charter and not just any data subject rights  131.” Meta IE thus adds a condition to Article
      4(24)GDPR,whichis not supported bythe GDPR          .

83.   As regards the parts of the DE and NO SAs’ objections requesting the finding of an infringement of
      Article 5(1)(a)GDPR,andthe partsofthe DE, FI andNOSAs’ objectionsrequesting specific corrective

      measures under Article 58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the
      imposition of an administrative fine, a ban of the processing of personal data for the purpose of
      behavioural advertising, an order todelete personal data processed under Article 6(1)(b) GDPR and

      anordertoidentifya validlegalbasisfor future online behaviouraladvertising ortoabstainfrom such
      processing activities, the EDPB considers that these parts of the objections do not sufficiently

      elaborate the legalor factualargumentsthat wouldjustify a change in the Draft Decisionleading to
      the finding of an infringement of Article 5(1)(a) GDPR or to the imposition of the specific corrective

      125DESAs Objection,pp.3-4;NLSAObjection,paragraphs7and10-12.
      126ATSAObjection,p.4;DESAs Objectionpp.5-6;FRSAObjection,paragraphs9-11;NLSAObjectionparagraph

      127AT SAObjection,pp.3-4;NLSAObjection,paragraph28,30-32;SESAObjection,p.3.
      129AT SAObjection,p.4;NLSAObjection,paragraph30;SESAObjection,p.3.
      131Meta IEArticle65Submissions,p.64.
      Therefore,thereis noreasontodrawa distinctionbetweenthedata subjectrightsprotectedbytheGDPRand


      Adopted      measures mentioned above. Likewise, the significance of the risk for the data subjects, which stems
      from theIESA’sdecisionnottoconcludeontheinfringementofArticle5(1)(a)GDPRandnottoimpose
      the requestedcorrectivemeasures, isnot sufficiently demonstrated.

84.   Considering the above, theEDPBfinds that theobjections of the AT,DE,ES,FI,FR, HU,NL,NOandSE
      SAs arerelevantand reasonedinaccordancewithArticle 4(24)GDPR.

85.   However,thepartsofthe DEandNOSAs’ objectionsconcerning theadditionalinfringement ofArticle

      5(1)(a) GDPR and the imposition of specific corrective measures, namely the imposition of an
      administrative fine, a ban on the processing of personal data for the purpose of behavioural
      advertising, an order to delete personal data processed under Article 6(1)(b) GDPR and anorder to

      identify a valid legal basis for future behavioural advertising or to abstain from such processing
      activitiesarenot reasonedanddo not meetthe threshold of Article4(24) GDPRSimilarly, the part of
      the FI SA’s objection concerning the imposition of a specific corrective measure, namely an

      administrative fine is not reasonedanddoes not meet the thresholdof Article4(24) GDPR.

      4.4.2 Assessment on the merits
86.   Inaccordancewith Article65(1)(a) GDPR,inthe context of a dispute resolution procedure, the EDPB

      shall take a binding decision concerning all the matterswhich are the subject of the relevant and
      reasonedobjections, inparticularwhether thereis aninfringement ofthe GDPR.

87.    The EDPBconsiders thatthe objections found tobe relevantand reasonedinthis subsection require
      an assessment of whether the Draft Decision needs to be changed insofar as it rejects the
      Complainant’s claim that the GDPR does not permit Meta IE’sreliance on Article 6(1)(b) GDPR to
      process personal datainthe context of itsoffering of the InstagramTermsof Use       .When assessing
      the merits of the objections raised, the EDPB also takes into account Meta IE’s position on the
      objections andits submissions.

      MetaIE’sposition on theobjectionsand itssubmissions

88.   Initssubmissions, MetaIEarguesthattheobjectionslackmerit.MetaIEconsidersthattheyarebased
      on incorrect factualassumptions and are legallyflawed     . Meta IE statesthat itsreliance on Article
      6(1)(b) GDPRdoes not ‘bypass’ the GDPR.Norwould it,accordingtoMetaIE,jeopardise datasubject
      rights, be limited to individually negotiatedagreementsor be affectedby Meta IE’spurported pre-
      GDPRlegalbasis for processing conductedpre-GDPR        .

89.   Meta IE arguesthat there isa lack of factualmaterialandevidence on the issues on which the CSAs

      raiseobjections, including onitsrelianceonArticle6(1)(b)GDPRforthe specific processing operations
      it conducts in itsInstagramservice for the purposes of behaviouraladvertising 136. MetaIEnotes that
      in its inquiry, the IE SA “only addresses the issue of whether Meta Ireland may in principle rely on

      Article6(1)(b) GDPRforpurpose ofbehavioural advertising,but not theissue of whetherMetaIreland

      133Theseobjections beingthoseoftheAT, DE, ES, FI,FR, HU, NL, NO andSE SAs arguingthattheIESA should
      134Meta IEArticle65Submissions,paragraph2.4.
      136Meta IEArticle65Submissions,paragraph2.5.
         Meta IEArticle65Submissions,paragraph4.24and4.25.

      Adopted      may infact relyon Article6(1)(b) GDPR,which would have requireda detailedfactualassessment of

      allof MetaIreland’sdata processing.   13“

90.   At the same time, Meta IE contendsthat, toaddress the complaint, the IE SA did not have to reach
      any conclusions as to whether the actual processing conducted by Meta IE to deliver behavioural
      advertising based on Article 6(1)(b) GDPR was lawful.      Meta IE supports the IE’sposition that “it
      would not be appropriate to undertake substantial factualfindings for an open-ended assessment of
      allprocessing operationsbyMetaIreland.        ”

91.   MetaIEthus agreeswiththe finding the IESA reachedon MetaIE’snot being precludedfrom relying
      on Article 6(1)(b) GDPR for the processing of data necessary todeliver behavioural advertising upon

      the IESA’sreviewof theInstagramTermsofUse andthe natureofthe Instagramserviceasdescribed
      inthose terms  140.

92.   Meta IE defends that Article 6(1)(b) GDPR can be relied on as a legal basis for behavioural
      advertising   . Meta IE arguesthat its application requires the assessment of whether a given data
      processing operation, when properly investigated and analysed, is actually necessary for the
      performanceof acontract       .MetaIEnotesthattheprovision ofapersonalised experience,including
      in the form of behavioural advertising, is “core” to the Instagram Service (as per the Terms of Use
      whichgovernthe contractualrelationship betweenMetaIEandInstagramusers)               .

93.   MetaIEarguesthat the TermsofUse make clear that userswillbe shownadvertising personalisedto

      their interests under the heading “Connecting you with brands, products, and servicesin ways you
      careabout”  144.MetaIEsupports theDPC’sfinding, basedon itsreview ofthe InstagramTermsofUse

      andthat Instagramis“promotedassuch”, that anaverage user whoacceptsthe TermsofUse would
      have the expectationthat personalisation, including in the form of behavioural advertising, forms a

      core andintegralpartof the InstagramofService     145.MetaIEbacks thisargumentwitha referenceto
      a survey and a study conducted by a private entity and a digital industry association     146. Meta IE

      considers that its compliance with the GDPR’s transparency obligations involves a separate and
      different legalassessment from Article 6(1)(b) GDPR   14.MetaIE considers demonstratedin this case

      that Meta IE and its users have a mutual expectationthat personalisation, including in the form of
      behaviouralads, is core toitsTermsofUse     14.

94.   MetaIE recallsthat the EDPB Guidelines2/2019 onArticle 6(1)(b) GDPRdonot categoricallyprohibit
      reliance on Article 6(1)(b) GDPRfor behavioural advertising    .MetaIE further adds, referring tothe

      137Meta IEArticle65Submissions,paragraph4.23.
      138Meta IEArticle65Submissions,paragraph2.3.
      139Meta IEArticle65Submissions,paragraph4.23.
         Meta IEArticle65Submissions,paragraphs2.3and4.7.
      141Meta IEArticle65Submissions,paragraph6.4.
      142Meta IEArticle65Submissions,paragraph6.7.
      143Meta IEArticle65Submissions,paragraphs6.13and6.17.
         Meta IEArticle65Submissions,paragraph6.18.
      145Meta IEArticle65Submissions,paragraphs6.20and6.21.
      146Meta IEArticle65Submissions,paragraph6.21.
      147Meta IEArticle65Submissions,paragraph6.29.
         Meta IEArticle65Submissions,paragraph6.29.
      149Meta IEArticle65Submissions,paragraph6.34.

      Adopted      CJEU’sHuberjudgment,that“processingbeyond themost minimalrequiredto achievetheprocessing

      purpose could still be deemed ‘necessary’ if it allowed the relevant processing purpose to be ‘more
      effectively’achieved” 150.MetaIEsubmits thateven ifArticle 6(1)(b) GDPRrequiredthe processing to

      be absolutely essential to perform the contract, it would be impossible to provide the Instagram
      Service in accordance with the Term of Use without providing behavioural advertising     151. Meta IE
      statesthat theEDPBmaynot dictatethe natureofthe services MetaIEprovides. MetaIE wouldview

      this asa violation of Article16 of the Charter onthe freedom toconduct a business, enabling service
      providers todetermine whatmeasurestotakein ordertoachieve theresult theyseek,basedon their

      resources,abilities, andcompatibilitywithotherobligationsandchallengestheymayencounter inthe
      exercise oftheir activity52.

95.   Meta IE further arguesthat its reliance on the contractual necessity legal basis does not jeopardise
      datasubject rights    .MetaIEconsidersthatthesewould alsobeprotectedbycontractandconsumer
      protection legislations in the EU Member States   15. Meta IE defends that the contractualnecessity
      legalbasisis notlimitedtoindividually negotiatedagreementsandcanalsobe used for standardform

      contracts 155. Meta IE further adds that it would be improper for CSAs and the EDPB to analyse the
      validity of Instagram Terms of Use under applicable laws of contract or to draw inferences from
      them    .Inresponse towhat MetaIE considers mischaracterisationsin certainobjections of national
      contractlawMetaIEprovidesexpertreportsonthevalidityofitsTermsofUsein10 MemberStates               15.

96.   MetaIEconcludes its argumentsin support ofits relianceon Article6(1)(b) GDPRstating thatitspre-

      GDPRlegalbasisfor dataprocessingdoesnot affectitsflexibilitytorelyonotherlegalbasespostGDPR
      ifit complies withtherelevant requirements   158.MetaIEalsodistinguishes behavioural advertisingon
      the Instagram Service from direct marketing pursuant to Article 21(2) GDPR and thus considers this

      provision not applicable tobehaviouraladvertising  159.

      TheEDPB’sassessment of themerits

97.   The EDPB considers it necessaryto begin its assessment on the meritswith a general description of

      the practice of behavioural advertising carried out in the context of the Instagram service before
      determining whether the legal basis of Article 6(1)(b) GDPR is appropriate for this practice in the
      present case, based on the InstagramTermsof Use and the nature of its products and features as

      describedinthose terms.Therequestsfor preliminaryrulingsmade tothe CJEU inthe casesC-252/21
      andC-446/21 towhichsome of thedocuments in thefile refer containhelpful descriptions of Meta’s

      C-524/06,ECLI:EU:C:2008:724,(hereinafter‘C-524/06Huber’),paragraphs62and66.Meta IEArticle65
      151Meta IEArticle65Submissions,paragraph6.38.
         Meta IEArticle65Submissions,paragraph6.25.
      153Meta IEArticle65Submissions,paragraph6.8.
      154Meta IEArticle65Submissions,paragraph6.8.
      155Meta IEArticle65Submissions,paragraphs6.40-6.46.
      157Meta IEArticle65Submissions,paragraphs6.43and6.44.
         Meta IEArticle65Submissions,paragraphs6.44and6.45andAnnex2.
      158Meta IEArticle65Submissions,paragraphs6.47-6.49.
      159Meta IEArticle65Submissions,paragraphs6.50-6.57.

      Adopted      behavioural advertising practicesin the context of its Facebook services    160. Given that behavioural
      advertising is also carried out in the context of the Instagram service, and given the similarities

      betweenthe twoservices, relying onthe sameDataPolicy        16,the EDPBconsidersthatthese casesare
      also useful in gaining an understanding of the practice of behavioural advertising in relationto the

      Instagram service. Furthermore, in the request for a preliminary ruling in case C-252/21, it is
      mentionedthatiftheCJEU answersthequestion 7positively (regardingthecompetenceofa Member

      State nationalcompetition authoritytodetermine, when assessing the balance of interests whether
      data processing andtheir terms comply withthe GDPR)thatthe questions 3 to5 must be answered
      in relation to data from the use of the group’s Instagram service.     162 In addition, Meta IE makes

      reference to both of these requests for preliminary rulings in its submissions, and therefore clearly
      considers them relevanttothis case    16.

98.   These requests for preliminaryrulings mention that Meta IE collectsdata on its individual users and
      their activitieson and off its Facebook service via numerous means such as the service itself, other

      servicesof the Metagroupincluding Instagram,WhatsAppandOculus, thirdpartywebsitesandapps
      via integratedprogramming interfacessuchasFacebookBusinessToolsor via cookies, socialplug-ins,
      pixels and comparable technologies placed on the internet user’s computer or mobile device             .
      According tothe descriptions provided, MetaIElinks these datawiththe user’s Facebookaccount to
      enable advertisers totailor their advertising toFacebook’s individual users based on their consumer

      behaviour, interests, purchasing power and personal situation. This may also include the user’s
      physical location to display content relevant to the user’s location. Meta IE offers its services to its

      160     C-252/21     Oberlandesgericht     Düsseldorf     request,     pp.     6-7,     available    at:

      occ=first&part=1&cid=644235and C-446/21 Austrian Oberster Gerichtshof request, paragraphs 2-3, 6-13, 15-
      23,                                             available                                             at
      occ=first&part=1&cid=766249;seealso thereferences to theserequests fora preliminary ruling in theAT SA
         SeethesimilaritiesoftheInstagramandFacebookservicesdescribedintheData Policy.TheInstagramData
      Policy refers to both “Facebook settings”and“Instagram settings”(“This policydescribes the informationwe
      process to support Facebook, Instagram, Messengerand other products and features offered by Facebook
      (Facebook Products orProducts). You can find additional tools andinformationin the FacebookSettings and
      Instagram Settings.”) SectionI of this policy refers to the“Facebook products”when describing thekinds of

      information collected for the processing. Instagram Data Policy of 22.05.2018, annex 2 of the Instagram
      sharetechnology,systems,insights,andinformation-includingtheinformationwehaveaboutyou (...)inorder

         Question3 reads “Canan undertaking, such as Facebook Ireland, which operates a digital social network
      andcontinuous,seamlessuseofallofits groupproductsinits terms of service, justifycollectingdataforthese

      Business Tools, orvia cookiesorsimilarstorage technologiesplacedonthe internet user’s computerormobile
      the performanceofthecontract underArticle6(1)(b)oftheGDPRoronthe groundofthepursuitoflegitimate
      163Meta IEArticle65Submissions,paragraphs3.2-3.9.

      Adopted      users free of chargeand generatesrevenue through this personalised advertising thattargetsthem,
      inaddition tostaticadvertising thatis displayed toeveryuser in thesame way.

99.   TheEDPBconsidersthatthesegeneraldescriptionssignalbythemselvesthecomplexity,massive scale
      andintrusiveness ofthe behaviouraladvertisingpracticethatMetaIEconductsthroughthe Facebook

      service, as well as off the Facebook service itself, through third party websites and apps which are
      connected to Facebook.com via programming interfaces (“Facebook Business Tools”), including the
      Instagram service 165. Furthermore, among the aspects described in the Instagram Terms of Use is

      “Providing consistent and seamless experiencesacross other Facebook Company Products.” which
      involves “shar[ing] technology,systems, insights, and information-including the information we have

      about you.” It istherefore clear thatpersonal datais shared betweenFacebook companies (”We use
      data from Instagramand otherFacebook Company Products,as wellas from third-partypartners,to
      show you ads(...)”

100. These are relevant facts toconsider to assess the appropriateness of Article 6(1)(b) GDPR asa legal
      basis for behavioural advertising and to what extent reasonable users may understand and expect

      behaviouraladvertisingwhentheyaccepttheInstagramTermsofUseandperceive itasnecessaryfor
      Meta IE to deliver its service66. Accordingly, the EDPB further considers that the IE SA could have

      addedtoitsDraftDecisiona descriptionofbehaviouraladvertising thatMetaIEconductsthroughthe
      Instagram service to appropriately substantiate its reasoning leading to its acceptance of Article
      6(1)(b) GDPRasa legalbasis for thatpracticein accordancewiththe IESA’sduty tostatethe reasons
      for anindividual decision  .

101. Notwithstanding the EDPB’s considerations above, the EDPB considers that there is sufficient

      information in the file for the EDPB to decide whether the IE SA needs to change its Draft Decision
      insofar asitrejectsthecomplainant’sclaim thattheGDPRdoesnotpermitMetaIE’srelianceonArticle

      6(1)(b) GDPRtoprocess personaldatain thecontextof itsoffering ofthe Instagramservice,basedon
      itsTermsof Use.

102. As described above in section 4.1., the IE SA concludes in Finding 2 of its Draft Decision that the
      Complainant’scasewasnotmadeout thattheGDPRdoesnotpermitthereliancebyMetaIEonArticle
      6(1)(b) GDPRinthe contextof itsoffering of TermsofUse, neither Article6(1)(b) GDPRnor anyother

      provision ofthe GDPRprecludesMetaIEfrom relyingonArticle6(1)(b) GDPRasalegalbasistodeliver

      16C-252/21 Oberlandesgericht Düsseldorf request, pp. 6-7. Facebook Business Tools is also mentioned in

         Inthesamevein,theAdvocateGeneralalsoprovidesa descriptionofbehaviouraladvertisinginhisOpinion
      on the case C-252/21 Oberlandesgericht Düsseldorf request, see Opinion of the Advocate General on 20

      thecase totrial. Havingregardtothedecisionmakingprocesswithinthecooperationmechanism,CSAs
      likewiseneedtobeinthe positiontodecideonpossiblytakingactions(e.g.agreetothedecision,providetheir


      Adopted      a service, including behavioural advertising insofar as that forms a core part of the service8. TheIE

      SA considers that, having regardto the specific terms of the contract and the nature of the service
      provided and agreedupon by the parties, Meta IE mayin principle rely on Article 6(1)(b) GDPR asa

      legal basis of the processing of users’ data necessary for the provision of its Instagram service,
      including throughtheprovision ofbehaviouraladvertisinginsofar asthisformsacorepartofitsservice

      offeredtoand acceptedbyits users    169. TheIE SA considers the core of theservice offeredby MetaIE
      ispremisedonthedeliveryofpersonalised advertising     170.TheIESAconsiders areasonableuser would
      understand andexpect this having readthe Termsof Use         . MetaIE supports this conclusion of the
      IESA 172.

103. Toassess these claimsof the IESA andMetaIE,the EDPBconsiders it necessaryto recallthe general

      objectives that the GDPRpursues, which must guide its interpretation,togetherwiththe wording of
      itsprovisions and itsnormative context  173.

104. The GDPR develops the fundamentalright tothe protection of personal datafound in Article 8(1) of

      the EU Charter of Fundamental Rights and Article 16(1) of the TFEU, which constitute EU primary
      law 174.AstheCJEU clarified,“anEUact mustbe interpreted,asfaras possible, in such a wayasnot to

      affectits validityand inconformitywithprimarylaw as a whole and, in particular,with theprovisions
      oftheCharter.Thus,ifthewordingofsecondaryEUlegislation isopentomorethanoneinterpretation,

      preference should be given to the interpretation which rendersthe provision consistent with primary
      law ratherthantotheinterpretationwhichleadstoitsbeing incompatiblewithprimarylaw”           175.Inthe
      faceofrapidtechnologicaldevelopments andincreasesinthescale ofdatacollectionandsharing,the

      GDPRcreatesa strongand more coherentdata protectionframeworkinthe Union, backedbystrong
      enforcement,andbuilt ontheprinciple thatnaturalpersonsshould havecontroloftheirownpersonal

      data 176.Byensuringa consistent,homogenous andequivalent highlevelofprotectionthroughoutthe
      EU, the GDPR seeks to ensure the free movement of personal data within the EU          177. The GDPR

      acknowledgesthattherighttodataprotectionneedstobe balancedagainstotherfundamentalrights
      and freedoms, such as the freedom to conduct a business, in accordance with the principle of

      proportionality andhas these considerations integratedinto itsprovisions  178. The GDPR,pursuant to
      EU primary law, treatspersonal data as a fundamental right inherent to a data subject and his/her
      dignity,andnot asacommoditydatasubjectscantradeawaythroughacontract               .TheCJEUprovided


      172Meta IEArticle65Submissions,paragraphs6.21and6.30.
         Judgementof theCourtof Justiceof 1 August2022, Vyriausioji tarnybinės etikos komisija, CaseC-184/20,

      ECLI:EU:C:2022:491, (hereinafter ‘C-817/19 Liguedes droits humains'), paragraph 86;andudgement of the

      Adopted      additionalinterpretativeguidancebyassertingthatthe fundamentalrightsofdatasubjectstoprivacy
      andthe protectionoftheir personal dataoverride,asa rule, acontroller’seconomic interests            .

105. The principle of lawfulness of Article 5(1)(a) andArticle 6 GDPRis one of the main safeguardstothe
      protection of personal data. It follows a restrictive approach wherebya controller may only process

      the personal data of individuals if it is able to rely on one of the bases found in the exhaustive and
      restrictivelists of thecases inwhichthe processing ofdatais lawfulunder Article6 GDPR       181.

106. Theprinciple oflawfulnessgoeshandinhandwiththeprinciplesoffairnessandtransparencyinArticle
      5(1)(a)GDPR.The principle of fairness includes, inter alia,recognising the reasonable expectationsof

      the data subjects, considering possible adverse consequences processing may have on them, and
      having regard to the relationship and potential effects of imbalance between them and the

      controller 182.

107. The EDPB agreeswiththe IESA and MetaIE thatthere is no hierarchybetweenthese legalbases                  .
      However,thisdoes not meanthata controller,asMetaIEinthe presentcase, hasabsolute discretion

      tochoose thelegalbasis thatsuitsbetteritscommercialinterests.Thecontroller mayonlyrelyonone
      ofthe legalbases establishedunder Article6 GDPRifit isappropriatefor theprocessing atstake         184.A

      specific legalbasis willbe appropriateinsofar asthe processing canmeet itsrequirements set bythe
      GDPRand fulfil the objective of the GDPRtoprotect the rightsand freedoms of naturalpersons and
      in particulartheir righttothe protectionof personaldata       .The legalbasis willnot be appropriateif
      its applicationto a specific processing defeatsthis practicaleffect “effet utile” pursued by the GDPR
      and Article 5(1)(a) andArticle 6 GDPR   186.These criteria stem from the content of the GDPR andthe

      interpretationfavourabletotherightsofdatasubjectstobe giventheretodescribedinparagraph104
      above  187.

108. The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for

      complying with the Regulation’s principles, including the processing of data in a lawful, fair and
      transparentmanner,andanyobligationsderivedtherefrom           188.Thisobligationappliesevenwherethe

          Judgement of the Court of Justice of 13 May 2014, Google Spain SL, C-131/12, ECLI:EU:C:2014:317,
      181Judgementof theCourtof Justiceof 11 December 2019, TK v Asociaţia deProprietari blocM5A-ScaraA, C
      183See, Recital39GDPRandEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs11and12.
         DraftDecisionparagraph48andMeta IEArticle65Submissionparagraph5.10.
      184As mentionedintheEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph18,theidentificationofthe
      appropriatelawful basis is tied to the principles of fairness and purposelimitation. It will be difficult for

      this BindingDecisiononthepotentialadditionalinfringementoftheprincipleoffairness.
      185C708/18 TK v Asociaţia deProprietari, paragraph 37.
      186See C-524/06Huber, paragraph 52 on theconcept of necessity being interpreted in a mannerthat fully

      reflects theobjectiveof Directive95/46). On theimportanceof considering thepractical effect (effet utile)
      soughtbyEUlawinits interpretation,seealsoforinstance:C-817/19Liguedes droitshumains,paragraph195
      and Judgement of the Court of Justice of 17 September 2002, Muñoz and Superior Fruiticola, C 253/00,
      188 Article5 (2) GDPR “Principle of accountability”of data controllers;seealso C-252/21Oberlandesgericht

      Adopted      practical application of GDPR principles such as those of Article 5(1)(a) and Article (5)(2) GDPR is

      inconvenient or runs counter to the commercial interests of Meta IE and its business model. The
      controller is alsoobliged tobe able todemonstratethatit meetsthese principles andany obligations
      derivedtherefrom,such asthatit meetsthe specific conditions applicable toeachlegalbasis       18.

109. The first condition to be able to rely on Article 6(1)(b) GDPR as a legal basis to process the data

      subject’s data is that a controller, in line with its accountabilityobligations under Article 5(2) GDPR,
      has to be able to demonstrate that (a)a contract exists and (b) the contract is valid pursuant to
      applicable nationalcontractlaws     .

110. Boththe IE SA and Meta IE consider that the Terms of Use make up the entire agreement between

      the InstagramuserandMetaIE andthatthe Data Policyissimply acompliance document settingout
      information tofulfil the GDPRtransparencyobligations    191. The IE SA thus considers thatthe contract
      for which theanalysis based onArticle 6(1)(b) GDPRtakesplace,is the TermsofUse          .

111. The IE SA and Meta IE argue that the GDPR does not confer a broad and direct competence to
      supervisory authoritiestointerpret or assess the validityof contracts 193.

112. TheEDPBagreesthatSAsdonot haveunder theGDPRabroadandgeneralcompetenceincontractual
      matters.However,theEDPBconsidersthatthesupervisory tasksthatthe GDPR bestowsonSAsimply

      a limitedcompetencetoassess acontract’sgeneralvalidityinsofar asthisis relevanttothe fulfilment
      of their tasks under the GDPR.Otherwise,the SAs would see their monitoring andenforcement task

      under Article 57(1)(a) GDPR limited to actions such as verifying whether the processing at stake is
      necessary for the performance of a contract (Article 6(1)(b) GDPR), and whether a contract with a
      processor under Article 28(3)GDPRanddataimporter under Article 46(2)GDPRincludes appropriate

      safeguardspursuant totheGDPR.PursuanttotheIESA’sinterpretation,theSAswouldthusbe obliged
      toalwaysconsider a contractvalid, evenin situations where it is manifestly evident that it is not, for

      instance because there is no proof of agreement betweenthe two parties, or because the contract
      does not comply with its Member State’srules on the validity, formation or effect of a contract in
      relationtoachild     .

113. As theDE andNL SAs     195argue,the validityof the contractfor the InstagramservicebetweenMetaIE

      andthe complainant is questionable, giventhe strong indications thatthe Complainant wasunaware
      ofenteringintoa contract,and(astheIE SA establisheswithitsFinding 3 ofitsDraft Decision)serious

      transparency issues in relation to the legal basis relied on. In contract law, as a general rule, both
      parties must be aware of the substance of the contract and the obligations of both parties to the

      contractinorder towillingly enterinto suchcontract.

        CompositeResponse,paragraph51;DraftDecision,paragraph95,Meta IEArticle65Submissions,paragraph
      195DESAs Objection,p.4andNLSAObjection,paragraph11.

      Adopted114. Notwithstanding thepossible invalidity ofthe contract,theEDPB,referstoitsprevious interpretative

      guidance on this matter to provide below its analysis on whether behavioural advertising is
      objectively necessaryfor Meta IE toprovide its Instagram service tothe user based on its Terms of
      Use andthe natureof the service      .

115. The EDPBrecalls       that for the assessment of necessity under Article 6(1)(b) GDPR,“[i]t is important
      to determinethe exact rationale ofthe contract, i.e. itssubstance and fundamentalobjective, asit is
      against thisthat it will be testedwhetherthedata processing is necessaryfor its performance”       .As
      the EDPBhaspreviously stated,regardshould be giventotheparticular aim, purpose, or objective of
      theservice and,for applicabilityofArticle6(1)(b) GDPR,itisrequiredthatthe processing isobjectively

      necessaryfor apurpose andintegraltothe delivery ofthatcontractualservice tothe datasubject         199.

116. Moreover,the EDPB notesthat the controller should be able tojustify the necessityof its processing
      byreferencetothefundamentalandmutuallyunderstoodcontractualpurpose.Thisdepends notonly

      onthecontroller’sperspective,but alsoonareasonabledatasubject’sperspective whenenteringinto
      the contract 200.

117. The IE SA accepts the EDPB’s position that, as a general rule, processing of personal data for
      behavioural advertising is not necessary for the performance of a contract for online services        .
      However, the IE SA considers that in this particular case, having regardto the specific terms of the

      contract and the nature of the Instagram service provided and agreedupon by the parties, Meta IE
      mayin principle rely on Article 6(1)b) GDPRtoprocess the user’sdata necessary for the provision of
      itsservice, including throughthe provision ofbehaviouraladvertising insofar asthisforms acore part

      of thatservice offeredtoandacceptedby users      202.

118. The IE SA views behavioural advertising as “the core of both Meta Ireland’sbusiness model and the
      bargainstruckbetweenMetaIrelandand Instagram users         ” 20.Insupport ofthis consideration, theIE

      SA refers to the ”first and sixth clauses” of “the specific contract entered into between Meta IE and
      Instagramusers”   20.The IE SA considers thatfrom the textofthese “clauses” it is “clearthatthe core
      of theservice offered byMeta Irelandis premised on the deliveryofpersonalised advertising.        ”The
      IESAconsiders thatthisposition issupportedbythefactthat“theTermsofUsedescribetheInstagram

      service as being ‘personalised’ and connects users with brands, including by means of providing
      ‘relevant’ advertising and content.” Based on this, the IE SA is of the view that “It is clear that the

      Instagram service is advertised as offering a 'personalised' experience, including by way of the
      advertisingit deliversto users 20.”The IE SA considers thatasthe Instagramservice is“advertised”in

      its Terms of Use “as being predicated on personalised advertising (...) any reasonable user would


      Adopted      expectand understand thatthisis partof thecorebargain that isbeing struck(...)”butacknowledges
      that“usersmay preferthatthemarket offeralternativechoices          .”

119. On thisissue, the EDPBrecallsthatthe concept of necessity hasits ownindependent meaning under
      EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU
      instrument,inthiscase,the GDPR     20.Accordingly,theconceptofnecessityunder Article6(1)(b)GDPR

      cannot be interpretedin a way that undermines this provision and the GDPR’sgeneralobjective of
      protecting the right to the protection of personal data or contradictsArticle 8 of the Charter 209. On

      the processing of data in the Facebook services, Advocate General Rantos supports a strict
      of the requirement for consent       . Given the similarities between the Facebook and Instagram
      services, as explained above in paragraph97, and the fact thatthis case mayconcernthe legalbasis
      for processing of personaldatafor theInstagramservice       .

120. As the IE SA states in its Draft Decision, “Instagram is a global online social network service which

      allows registeredusersto communicate with other registered users through messages, audio, video
      calls and video chats, and by sending images and video files      212.” Meta IE promotes among its

      prospective andcurrentusers the perception thatthe mainpurpose of the Instagramservice andfor
      which it processes its users’ data is to enable them to share content and communicate with others.

      MetaIE presentsits Instagramserviceon its “About”page ofits website asa platform which “give[s]
      people the power to build communityand bring[s] the world closer together     213.” At the beginning of

      itsTermsof Use, MetaIE presentsits mission for the Instagramservice as“To bring you closer to the
      people and things you love   214.” The description of the aspects of the service includes “Offering
      personalizedopportunitiesto create,connect,communicate.”

121. The fact thatthe Termsof Use do not provide for any contractualobligationbinding MetaIE tooffer

      personalised advertising to the Instagram usersand any contractualpenaltyif Meta IE fails to do so
      shows that, at least from the perspective of the Instagram user, this processing is not necessary to
      perform the contract     .Providingpersonalised advertisingtoitsusers maybe anobligationbetween

      208Seeparagraphs 103-104 aboveon theprinciples guiding theinterpretationof theGDPR and its provisions.
      The CJEU also stated inHuber that “what is at issue is a concept [necessity] which has its own independent

      Directive, [Directive95/46],aslaiddowninArticle1(1)thereof”.C-524/06Huber,paragraph52.
      210C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,

      ECLI:EU:C:2022:704, paragraph51. (TheEDPB refers to theAdvocateGeneral’s Opinionin its Binding Decision
      as anauthoritativesourceofinterpretationtounderlinetheEDPB’s reasoningontheprocessingofdata inthe
      Cases C-252/21andC-446/21).
      214BoththeIESAandMeta IEconsidertheInstagramTermsofUseasconstitutingtheentirecontractbetween
      Meta IEandtheInstagramusers(seeparagraphs92,110and118ofthisBindingDecision).
         TheInstagramTerms ofUseareformulatedinone-sidedtermsasfollows:“TheseTermsofUse governyour
      Terms of Use(“The InstagramService”), Instagram announces that it “provide[s]“theInstagram service. After
      describing theaspects of theserviceandreferencing theData Policy, theInstagram Terms of Useincludea

      Adopted      MetaIEand thespecific advertisersthatpay for MetaIE’stargeteddisplayoftheir advertisementsin
      the Instagram service to Instagram users, but it is not presented as an obligation towards the


122. Nor does MetaIE’sbusiness model ofoffering services, at nomonetarycost for the user togenerate
      income bybehaviouraladvertisementtosupport itsInstagramservicemakethisprocessing necessary

      to perform the contract. Under the principle of lawfulness of the GDPR and its Article 6, it is the
      business model which must adapt itselfand comply withthe requirementsthat the GDPRsetsout in
      generalandfor eachof the legalbasesand not the reverse.Asthe Advocate GeneralRantosstressed

      recently in his opinion on Meta IE’s processing in Facebook, based on Article 5(2) GDPR, it is the
      controller (Meta IE) in this case who is responsible for demonstrating that the personal data are
      processed inaccordancewiththe GDPR         .

123. As the EDPBprovided in itsguidance, “Assessing what is ‘necessary’involves a combined,fact-based

      assessment ofthe processing‘fortheobjectivepursued and of whetheritisless intrusivecomparedto
      other options for achieving the same goal’. If there are realistic, less intrusive alternatives, the

      processingisnot‘necessary’.Article6(1)(b)willnotcoverprocessing which isusefulbutnot objectively
      necessary for performing the contractualservice or for taking relevant pre-contractualsteps at the
      requestofthe data subject,evenif it isnecessaryfor thecontroller’sotherbusiness purposes.     21”

124. On the question of whether here there are realistic, less intrusive alternatives to behavioural
      advertising that make this processing not “necessary”     , the EDPB considers that there are. The AT
      and SE SAs mention as examplescontextualadvertising based on geography, language andcontent,
      whichdonotinvolve intrusive measuressuchasprofiling andtrackingofusers       219.Inhis recentopinion

      on Facebook, Advocate General Rantos also refers to the Austrian Government’s “pertinent”
      observation that in the past, Meta IE allowed Facebook users to choose between a chronological

      presentationandapersonalised presentationof newsfeedcontent,which, inhis view, provesthatan
      alternativemethodis possible  220. Byconsidering the existence ofalternativepracticestobehavioural

      advertising thataremore respectfulofthe Instagramusers’righttodataprotection, theEDPB,asthe
      Advocate General did in relation to Facebook users, aims to assess if this processing is objectively

      clear that theInstagram Terms of Useunilaterallyimposeduties andobligations on theuser. Otherwise, the

      orTerminatingYourAccount”oftheInstagramTerms ofUse.No(contractual)sanctionsappeartoapplyinthe
      event thatMeta IEfailstoprovideorpoorlyperformsoneormoreoftheseservices.
      216C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,
      218In Schecke, theCJEU held that, when examining thenecessity of processingpersonaldata, thelegislature

      needed to take into account alternative, less intrusive measures. Judgement of the Court of Justice of 9
      C-92/09andC93/09Schecke’),paragraph52.This was repeated by theCJEUintheRīgas casewhereitheld that
      “As regardstheconditionrelatingtothenecessity ofprocessingpersonaldata,itshouldbeborneinmindthat

      derogationsandlimitationsinrelationtotheprotectionofpersonaldatamustapplyonlyinsofarasis strictly
      necessary”. Judgement of theCourt of Justiceof 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības
      policijas pārvaldev Rīgas pašvaldības SIA‘Rīgas satiksme’, C13/16,ECLI:EU:C:2017:336,parag30..
      219AT SAObjection,p.5;SESAObjection,p.3.
      220C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,

      Adopted      necessary to deliver the service offered, as perceived by the Instagramuser whose personal data is
      processed, and not todictate the nature of Meta IE’s service or impose specific business models on

      controllers, as Meta IE and the IE SA respectively argue   22. The EDPB considers that Article 6(1)(b)
      GDPR does not cover processing which is useful but not objectively necessary for performing the
      contractualservice,even ifit is necessaryfor the controller’sotherbusiness purposes       .

125. The EDPBconsiders thatthe absolute right available todatasubjects, under Article 21(2)(3) GDPRto
      object to the processing of their data (including profiling) for direct marketing purposes further
      supports its consideration that, as a generalrule, the processing of personal data for behavioural

      advertising is not necessaryto perform a contract.The processing cannot be necessary toperform a
      contractif adata subject has the possibility toopt out from it atany time,andwithout providing any


126. The EDPB finds that a reasonable user cannot expect that their personal data is being processed for

      behaviouraladvertising simply becauseMetaIEbrieflyreferstothisprocessing in itsInstagramTerms
      of Use (which MetaIEandthe IE SA consider asconstituting the entiretyofthe contract),or because

      ofthe“widercircumstances”or“recognisedpublic awarenessofthisformofprocessing” derivedfrom
      its “widespreadprevalence ofOBA processing” to which the IE SA refers      22. Behaviouraladvertising,
      asbriefly described inparagraph98 above, isa set of processing operations ofpersonal dataof great

      technical complexity, which has a particularly massive and intrusive nature. In view of the
      characteristicsofbehaviouraladvertising,coupledwiththeverybriefandinsufficient informationthat

      Metaprovides about it in the InstagramTermsof Use andDataPolicy (a separatedocument thatthe
      IESAandMetaIEdonotevenconsider partofthecontractualobligations),theEDPBfindsit extremely
      difficult toargue thatanaverageuser canfully graspit,be awareof itsconsequences and impact on

      their rights to privacy and data protection, and reasonably expect it solely based on the Instagram
      Termsof Use. The EDPB recallsits Guidelines 2/2019 on Article6(1)(b) GDPR,inwhich it arguesthat

      the expectations of the average data subject need to be consider in light, not only of the terms of
      service but also the way this service is promoted to users    22. Advocate General Rantos expresses

      similar doubts where he says in relationto Facebook behavioural advertising practices“Iam curious
      as to what extenttheprocessing might correspond to the expectationsof an average user and, more
      generally, what ‘degree of personalisation’ the user can expect from the service he or she signs up
      for”    and adds in a footnote that he does not “believe that the collection and use of personal data
      outside Facebook are necessary for the provision of the services offered as part of the Facebook
      profile”   .

127. The EDPB notes that the mission of the Instagram service, as expressed in its Terms of Use, is

      formulated in a vague and broad manner (“To bring you closer to the people and things you love.”)
      When using the Instagram service, a user is primarily confronted with the possibility of viewing

      221Meta IEArticle65Submissions,paragraph6.25andCompositeResponse,paragraph76.Ontherelevanceof
      this OpinionforassessingInstagram’srelianceonArticle6(1)(b)GDPR,seeparagraph97ofthisBindingDecision.
      225C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,

      Adopted      photographs andvideos by people or organisationsthat theyfollow, as wellas sharing such content
      withtheirfollowers. Thisis acknowledgedbythe IE SA whichprovidesthe following descriptionofthe

      Instagram service in its Draft Decision: “Instagram is a global online social network service which
      allows registeredusersto communicate with other registered users through messages, audio, video
      calls andvideo chats,and bysendingimages and video files    22.”

128. Based on the considerations above, the EDPB considers that the main purpose for which users use

      InstagramandacceptitsTermsofUse istosharecontentandcommunicatewithothers,nottoreceive
      personalised advertisements.

129. Meta IE infringed its transparencyobligations under Article 5(1)(a), Article 12(1) and Article 13(1)(c)
      GDPR by not clearly informing the complainant and other users of the Instagram Service specific

      processing operations, thepersonaldataprocessed inthem,thespecific purposes theyserve, andthe
      legal basis on which each of the processing operations relies, as the IE SA concludes in its Draft
      Decision 228. The EDPB considers that this fundamental failure of Meta IE to comply with its

      transparencyobligations contradictsthe IESA’sfinding thatInstagram userscouldreasonably expect
      online behaviouraladvertising asbeing necessaryfor the performanceof their contract(asdescribed
      inthe InstagramTermsof Use)withMetaIE          .

130. The EDPBrecallsthat “controllersshould make sure to avoid anyconfusion as to what the applicable

      legalbasis is” andthatthis is“particularlyrelevantwheretheappropriatelegal basis isArticle6(1)(b)
      GDPRand a contractregardingonlineservicesisenteredintobydatasubjects”,because “[d]epending

      on the circumstances, data subjects may erroneously get the impression that they are giving their
      consent in line with Article 6(1)(a) GDPR when signing a contract or accepting termsof service”   23.
      Article6(1)(b) GDPRrequires theexistence, validityof acontract,andthe processing being necessary

      toperform it.These conditions cannot be metwhere one of theParties(in thiscase the datasubject)
      is not provided withsufficient informationtoknow thattheyaresigning a contract,theprocessing of

      personal data that it involves, for which specific purposes and on which legal basis, and how this
      processing is necessaryto perform the services delivered. These transparencyrequirements are not
      only anadditionalandseparateobligation,asthe IESA seemstoimply, but also anindispensable and
      constitutive partof the legalbasis   .

131. The risks to the rights of data subjects derived from this asymmetry of information and an
      inappropriate relianceon this legalbasis arehigher in situations suchas inthe present case,in which
      the Complainant and other Instagram users face a “take it or leave it” situation resulting from the

      standardcontract pre-formulated by Meta IE andthe lackof few alternative services in the market.
      The EU legislator hasregularlyidentified and aimedtoaddress withmultiple legalinstruments these

      risks andtheimbalance betweenthepartiestoconsumer contracts.Forexample,Directive93/13/EEC


      Adopted      on unfair termsinconsumer contracts     232mandates,asthetransparencyobligationsunder the GDPR,
      the use of plain, intelligible language in the terms of the contracts offered to consumers       . This
      Directiveeven provides that where there is a doubt about the meaning of a term,the interpretation
      most favourable tothe consumer shall prevail   234.Processing ofpersonal datathatisbasedon whatis

      deemedtobeanunfairtermunder thisDirectivewillgenerallynot beconsistent withthe requirement
      under Article 5(1)(a)GDPRthatthe processing islawfuland fair     23.

132. AdvocateGeneralRantosconcludesinreferencetoMetaIEthatthefactthatanundertakingproviding

      a social network enjoys a dominant position in the domestic market for online social network for
      privateusers “doesplay arole intheassessment ofthefreedomofconsentwithin themeaning ofthat
      provision, which it is for the controller to demonstrate, taking into account, where appropriate, the

      existenceofa clearimbalance ofpowerbetweenthedata subjectand the controller,anyrequirement
      for consent to theprocessing of personaldata other thanthose strictlynecessaryfor the provision of

      the servicesin question, the need for consent to be specific for each purpose of processing and the
      needtopreventthewithdrawalofconsentfrom being detrimentaltouserswho withdrawit              236.”Inline

      withthe logic of this argument,the EDPBconsiders that the dominant position of MetaIE also plays
      an important role in the assessment of Meta IE’sreliance on Article 6(1)(b) GDPR for its Instagram
      service and its risks to data subjects, especially considering how deficiently Meta IE informs the

      Instagramusersofthe datait strictlyneeds toprocesstodeliver the service.

133. Giventhat the mainpurpose for whicha user uses Instagramservice is toshare andreceive content,
      andcommunicate with others     237,and thatMetaIE conditions their use tothe user’s acceptanceofa

      contract andthe behavioural advertising theyinclude, the EDPB cannot see how a user would have
      the option of opting out of a particularprocessing which is partof the contractasthe IE SA seemsto
      argue  23.Theusers’ lackof choice in thisrespect would ratherindicate thatMetaIE’srelianceon the

      contractualperformance legal basis deprives users of their rights, among others, to withdraw their
      consent under Articles6(1)(a) and7 and/or to object tothe processing of their databased on Article

      6(1)(f) GDPR.

134. The EDPB agreeswiththe AT, DE, ES, FI, FR, HU, NL, NOandSE SAsthat there is a risk thatthe Draft
      Decision’s failure to establish Meta IE’sinfringement ofArticle 6(1)(b) GDPR, pursuant tothe IE SA’s
      interpretationof it, nullifies thisprovision andmakeslawful theoreticallyanycollection andreuse of
      personal data in connection with the performance of a contract with a data subject           . Meta IE
      currentlyleaves the complainant and other users of the Instagramservice witha single choice. They

      may either contract awaytheir right to freely determine the processing of their personal data and

      232A contractual term that has not been individually negotiated is unfairunder theDirective93/13/EEC “if,
      236C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,
      ECLI:EU:C:2022:704, Conclusion, paragraph78 (4). On therelevanceof this Opinion forassessing Instagram’s

      239AT SAObjection,pp.5-6;DESAs Objection,p.9;ESSAObjection,p.3;FI SAObjectionparagraphs31-35;FR
      SAObjection,paragraphs34-35;HUSAObjection,p.4;NL SAObjection,paragraphs30-31;NOSAObjection,

      p. 8;SE SAObjection,p.5.

      Adopted      submit toitsprocessing for the obscure, andintrusive purpose of behaviouraladvertising,whichthey
      can neither expect, nor fully understand based on the insufficient information Meta IE provides to
      them. Or, they maydecline accepting Instagram Terms of Use and thus be excluded from a service

      thatenablesthemtocommunicate,sharecontentwithandreceivecontent from millionsofusersand
      for whichtherearecurrentlyfew realisticalternatives. Thisexclusionwouldthus alsoadverselyaffect

      their freedom of expression andinformation.

135. This precedent could encourage other economic operatorstouse the contractualperformance legal

      basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that
      some controllers argue some connection between the processing of the personal data of their
      consumers and the contractto collect,retainandprocess asmuch personal datafrom their users as

      possible and advance their economic interests at the expense of the safeguards for data subjects.
      Some of the safeguards from whichdata subjects would be deprived due to aninappropriate use of
      Article 6(1)(b) GDPR as legal basis, instead of others such as consent (Article 6(1)(a) GDPR) and

      legitimate interest (Article 6(1)(f) GDPR), are the possibility to specifically consent to certain
      processing operations and not to othersand tothe further processing of their personal data (Article

      6(4)GDPR);theirfreedom towithdrawconsent (Article7 GDPR);theirrighttobe forgotten(Article17
      GDPR);and the balancing exercise of the legitimateinterests of the controller againsttheir interests
      or fundamental rightsandfreedoms (Article 6(1)(f) GDPR).As a result,owing tothe number of users

      of the Instagramservice,the marketpower, andinfluence ofMeta IEand itseconomically attractive
      business model, the risks derivedfrom the currentfindings ofthe DraftDecisioncould gobeyond the
      Complainant andthe millions of usersof Instagramserviceinthe EEAandaffect theprotectionofthe
      hundreds of millions of people coveredbythe GDPR       .

136. TheEDPBthusconcurswiththeobjections oftheAT,DE,ES,FI,FR,HU,NL,NOandSESAs                241toFinding

      2 of the Draft Decision in that the behaviouraladvertising performedby Meta IE in the context of
      with datausersfortheInstagramserviceandisnotanessentialorcoreelementofit.

137. Inconclusion, theEDPBdecides thattheMetaIEhas inappropriatelyreliedonArticle 6(1)(b) GDPRto

      process thecomplainant’spersonaldatainthe contextofInstagramTermsofUse andthereforelacks
      a legalbasis toprocess these datafor thepurposes ofbehavioural advertising.MetaIE hasnot relied
      onany otherlegalbasistoprocess personaldatain thecontext ofthe InstagramTermsofUse for the

      purposes of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by
      unlawfully processing personal data. The EDPB instructs the IE SA to alter its Finding 2 of its Draft
      Decision which concludes thatMeta IEmay relyon Article 6(1)(b) GDPR inthe contextof its offering

      240In theDraft Decision, theIE SAquotes Meta IE’s submissions dated 28September 2018, inwhichit states

      that it “provides the Instagram service to hundreds of millions of users across the European region.”Draft
      Decision, paragraph 223. In its submissions onthePreliminary Draft Decision, Meta IE stated that thecorrect
      of the Inquiry)is approximately          , whileclarifying that this numberrepresents activeaccounts on
      Instagramratherthanuniqueusers andthus doesnotrepresentthenumberofuniqueusers.Thisfiguredoes
      TheIE SA does not sharethis view, on thegrounds that theGDPRwas applicablein theUK at thedateof the

      241plaint.Meta IE’sReponsetothePreliminaryDraftDecision,paragraph14.13.DraftDecision,paragraph223.
         AT SAObjection,pp.4-5;DESAs Objection,p.5-6,ESSAObjection,p.2,FI SAObjection,paragraphs16and
      p. 7,SE SAObjection,pp.3.

      Adopted      of the Instagram Terms of Use and to include an infringement of Article 6 (1) GDPR based on the
      shortcomings thatthe EDPBhasidentified.




           PERSONAL DATA

      5.1 Analysis by the LSA inthe DraftDecision

138. The IESA concludes asamatteroffact,initsDraftDecisionthatMetaIEdidnot rely, anddidnot seek
      torely,onthe complainant’sconsent toprocesspersonaldatain connectionwiththeTermsofUse
      andis not legallyobligedtorelyon consent todo so     24.

139. The IE SA acceptsthatMetaIE never sought to obtainconsent from users throughthe clicking ofthe
      “Agreeto Terms”button,based alsoon MetaIE’sconfirmationthereto          244.

140. TheIESA distinguishes betweenagreeingtoacontract(whichmayinvolve theprocessing ofdata)and

      providing consent to personal data processing specifically for the purposes of legitimising that
      personaldataprocessing under theGDPR      245.TheIESA observes that,asnotedbythe EDPB,theseare
      entirelydifferent conceptswhich “havedifferent requirementsandlegal consequences”        246.

141. The IESA alsoemphasises that thereis no hierarchybetweenthe legalbasis thatcontrollers mayuse
      to process personal data under the GDPR       . The IE SA further arguesthat neither Article 6(1) GDPR
      nor any other provision in the GDPR require that the processing of data in particular contexts must
      necessarily be based on consent   248. The IE SA argues the GDPR does not provide that the specific

      nature and content of a contract, freelyentered into by two parties, requires a higher categoryor
      “default” legal basis. The IE SA includes reference to the EDPB Guidelines 2/2019 on Article 6(1)(b)

      GDPR whichassert that where data processing is necessary to perform a contract, consent is not an
      appropriatelawful basison whichtorely    249.

142. The IE SA considers Article 7 GDPR andits conditions do not in andof themselves indicate the legal
      basis on which a controller should rely on in a particular context. The IE SA contends that these

      conditions would only be relevant where the controller relies upon consent as the legal basis for its
      processing, whichit views asnot being the case for the processing of databy MetaIEinquestion      25.


      Adopted      5.2 Summary of the objections raised by the CSAs

143. The AT,DE,ES,FI,FRandNL SAsobject tothe assessment inthe DraftDecisiononconsent, leadingto

      Finding 1 of the IE SA25. These SAs put forwardseveral factualandlegalargumentsfor the changes
      theypropose tothe DraftDecision.

144. The SE SA holds that ifthe EDPBweretofindthat theprocessing canrely onArticle6(1)(b) GDPR,the

      investigationneedstoencompass whetherspecialcategoriesofpersonal datapursuanttoArticle9(1)
      GDPRareprocessed, since the performance ofacontractis not anexemption pursuant toArticle9(2)
      GDPR.Since the SE SA presents itsobjection as being contingent on whetherthe EDPB finds thatthe

      data processing in Instagram, basedon itsTerms of Use, can relyon Article 6(1)(b) GDPR   252andthe
      EDPBfindsthatMetaIEinappropriatelyreliedonArticle6(1)(b)GDPR(see aboveinSection4.4.2),the

      SE SA objectionis no longerapplicable.

      Argumentson thefinding ofthe LSA thatMetaIEis not legallyobliged torelyon consent

145. TheAT,DEandNL SAsconsider thattheIESA hasnotincluded enoughanalysis,evidence andresearch
      in the DraftDecision toconclude thatMetaIE is not legallyobliged torely onconsent toprocess the
      complainants’ data    .

146. The AT SA points out that the IE SA limits its facts and its legal assessment to the generalquestion

      whether Article 6(1)(b) GDPR canbe used aslegalbasis, specifically for behavioural advertising. The
      Draft Decisiondoes not clarify which data categoriesare being used for behavioural advertising and

      where Meta IE relies on Articles 6(1)(a) and 6(1)(b) GDPR for behavioural advertising. Also
      unaddressed is, if and to which extent Meta IE relies on Article 9(2)(a) GDPR for behavioural

      advertisingasfarassensitive dataareconcernedandwhetherMetaIErespectedtheGDPRconditions
      (for example,Article7GDPR)whenobtainingtheconsentpursuant toArticle6(1)(a)andArticle9(2)(a)
      GDPR. The AT SA argues that the Draft Decision did not address the part of the complaint on the

      differences between“consent”and“contractualperformance”andregardingArticle9 GDPR           254.

147. EventhoughtheDESAssharetheIESA’sfinding thatMetaIEdidnotrelyonconsent for theprocessing
      of dataasdescribedin theInstagramTermsof Use,the DESAs objectsagainstthe IE SA’sassessment

      that in the specific case at issue Meta IE was not legally obliged to obtain consent from the
      Complainant  25. TheDE SAsfurther add, alsoin relationtothe potentialuse of Article6(1)(f) GDPRas
      a legalbasis, that further investigations on the specific processing activities, purposes and their risks

      for rights and freedoms of the Complainant would be necessary to conclude an assessment on the
      applicable legalbasis25.

148. The NL SA notes itsview thatthereis lackof anysubstantive investigationintowhat kind of personal
      data is being processed besides relying on information submitted by the controller      . The NL SA

      251AT SAObjection,p.9-11;DESAObjection,p.2-9;ESSAObjection,p.2-3;FI SAObjection,paragraphs36-44;
      254AT SAObjection,p.10;DESAObjection,p.7-9;NLSAObjection,paragraph21.
         AT SAObjection,p.10.
      255DESAs Objection,p.7-8.
      256DESAs Objection,p.8-9.

      Adopted      considers that thereare clearindications that consent is legallyrequiredfor (partsof) the processing

      operationsof the controller,and thatthe IESA couldthus draw adifferent conclusion on the basis of
      further inquiries andanalysis258. The NL SA considers that the DraftDecision should be amendedifa
      further inquiry bythe IESA establishes thattherelianceon consent asa legalgroundismandatory         .

149. Inaddition, the DE andFR SAs consider thateven if MetaIEhad reliedon consent, it would not have

      met the requirements of Article 7(1) GDPR asbeing “freely given”, as it is conditional on the use of
      their services asa whole (“take it or leave it”). Nor would consent meet the requirements of Article

      7(2)GDPRsince, asthe IE SA finds, informationon theprocessing ofdataasdescribedinthe Termsof
      Use, is not provided in a concise, transparent, intelligible and easily accessible form, using clear and
      plainlanguage     .

      Argumentson thepossible breachoftheobligation to relyon consent to processspecialcategoriesof
      personaldata(Article9 GDPR)

150. TheAT,DE,ES,FI,FRandNLSAs consider thattheIESAshould haveidentifiedandseparatelyassessed

      anyprocessing ofspecialcategoriesofpersonal dataunder Article9GDPRinthe contextofInstagram
      Termsof Use   26.The DESAs conclude that MetaIEprocesses the complainant’sspecialcategoriesof
      datainbreachofArticle9(1)GDPR         .TheAT,ES,FI,FRandNLSAs taketheview thattheIESAshould
      broaden the scope of its investigation and examine whether the conditions for the processing of
      specialcategoriesof personaldatahave been metby MetaIE       263.

151. The AT, ES, FI, FR andNL SAs consider thatthe factualbackground of the DraftDecision misses facts

      on whether Meta IE relies on Article 9(1)(a) GDPR to process special categoriesof personal data for
      the purpose of behaviouraladvertising andwhether MetaIErespectsthe requirementsof the GDPR,
      such asthose of Article7, inobtaining consent tothatend      .

152. The FR and NL SAs argue that the data that Meta IE processes may include special categories of
      personal data under Article 9 GDPR    26. The DE SAs contend that nothing indicates that Meta IE
      excludes these categoriesofdatafrom its processing for advertisingpurposes      .

153. The FR SA notes thatInstagramusers canprovide various sensitive data about themselves, including

      their sexual orientation, religious views and political opinions in the description of their profile. The
      FR SA considers thatthe IESA cannot simply statethatithasno evidence thatMetaIE processessuch

      data in the context of the Instagram service. Inorder todeal with the complaint, the FR SA asks for

      260DESAs Objection,p.8;FRSAObjection,paragraphs24-29.
      261AT SAObjection,p.9-10;DESAs Objection,p.7;ES SAObjection,p.2-3;FI SAObjection,paragraphs36-38,

      262DESAs Objection,p.7,10.
      263AT SAObjection,p.9;ESSAObjection,p.2-3;FI SAObjection,paragraphs41-42;FRSAObjection,paragraph
         AT SAObjection,p.9;ESSAObjection,p.2-3;FI SAObjection,paragraph41;FRSAObjection,paragraph30;
      266DESAs Objection,p.7.

      Adopted      further investigation,in particularitasks the LSA toexaminewhether sensitive dataare processedby
      the controller and,if so, whetherone ofthe conditions ofArticle 9(2)GDPRismet inthis case        .

154. The NL SA argues that there is strong indication that some data processed in the context of the
      Instagram service actuallybelongs toa specialcategoryof data considering “photographsand other

      images that are, or were, potentiallyprocessed with use of facial recognition technology and other
      artificial intelligence technologies in the context of Facebook services”68. The NL SA highlights that

      according tothe CJEU ruling in case C-136/17 the mereindexing of certaindata could alreadysuffice
      toconclude thatArticle9 GDPRapplies     26.

155. The DE and NL SAs recall that only consent may be used in this context among the exceptions that
      Article9 (2)GDPRlaysdowntothegeneralprohibition ofprocessing specialcategoriesofdata           27.The

      FI SA recallsthatthe performance ofa contractisnot anexceptionpursuant toArticle9(2) GDPR         271.

      Argumentson othertypesofdatarequiring consent

156. TheNLSA identifiesasanotherindicator contradictingtheIESA’sconclusionthatthereisnoobligation
      toseek consent the fact that the controller processes a significant amount of personal datathat has

      beencollectedthroughcookies for online advertising purposes and oflocationdata       27.


157. Ontherisks posed bytheDraftDecision,the DESAsconsider that,asthesubject ofthe complaintwas

      the processing as described in the Instagram Terms of Use there is also a significant risk for the
      fundamental rights and freedoms of all Instagram users in the European Union that their personal
      data, including data of special categories are processed without any legal basis     . The AT SA also
      considers thatthe compliance ofMetaIE withthe GDPRruleson the processing of specialcategories
      ofdatagoesbeyond thecase atstakeandaffectshundreds ofmillions ofdatasubjectswithintheEEA,

      asMetaIEis the provider of the biggestmedia networkinthe world       274.

158. The AT,DE,FI,FRandNL SAsarguethatthe IESA’sconclusion thatconsent is not requiredaffectsthe
      rightsofdatasubjects andtheir controlover theirpersonal data     275.

159. The AT SA argues that the first risk is that the data subject’s right to lodge a complaint with a

      supervisory authority pursuant to Article 77(1) GDPR becomesineffective because the IE SA did not
      handle the complaint in its entire scope, including sensitive data pursuant to Article 9 GPDR. The AT

         DESAs Objection,p.7;NLSAObjection,paragraph24.
      271FI SAObjection,paragraph40.
      273DESAs Objection,p.9.
         AT SAObjection,p.9.
      275ATSAObjection,p.11;DESAs Objection,p.9;FI SAObjection,paragraph43;FRSAObjection,paragraph34;

      Adopted      SA argues that this is not in line with the CJEU ruling in case C-311/18, which provides that the
      supervisory authoritymust handle complaints withalldue diligence       .

160. The FR SA arguesthat the DraftDecision poses a risk tothe fundamental rightsandfreedoms of the
      individuals concerned, according to Article 4(24) GDPR, insofar as the legal basis of contractual
      performance toprocessthe personal dataofInstagramuserstosend them targetedadvertisingdoes

      not allow the Europeanusers tohave controlover thefate of their data     277.TheFR SA alsonotes that
      since the DraftDecisionwillbe takenat theendof acooperationprocedure andmade public, it could

      be interpreted as reflecting the common position of the European supervisory authorities on this
      issue, andsetting aprecedent for acceptingthatacompany mayuse the legalbasisof the contractto

      process itsusers’ datafor targetedadvertisingpurposes whensuch processing isparticularlymassive
      andintrusive 278.

161. The NLSA specifies theprotectionsfrom whichthe datasubjectswould be depriveddue totheIESA’s
      conclusion thatconsent is not required, such asthe right todataportability(Article 20(1) GDPR);the

      possibility tospecifically consent tocertainprocessing operations andnot toothersandtothefurther
      processing of personal data (Article 6(4) GDPR); the freedom to withdraw consent (Article 7 GDPR)
      andthe subsequent right tobe forgotten       .

162. TheAT,DE,FIandNLSAsnote asanadditionalriskthatsensitive personaldatafallingwithinthe scope
      of Article9 GDPRis processedwithout meeting therequirementsof Article9(2) GDPR         280.

163. The FI SA highlights that the will of the legislator has been to protect the Article 9 GDPR special
      categorydatawitha duty ofcare andifthere is anyreasonable doubt thatMetaIE hasno legalbasis

      for processing operations of such sensitive data of the Instagram users, the said claim needs to be
      properly investigated or otherwise the lack of investigation would negatively affect hundreds of
      millions ofInstagramuserswithintheEEAandundermine theirrighttoprivacyanddataprotection               .

164. The NL SA underlines the risk that allowing the bypassing of legal provisions requiring consent to
      process datacreateslegaluncertaintythathampersthe freeflow of personaldatawithinthe EU           282.

165. TheNL SA alsoarguesthatnotassessing theprocessing inasufficiently thoroughmannercould create
      a precedent for controllers to exclude from their privacy policies or terms of service processing

      operationsthatmustbebasedonconsent.Thiswouldrisk leavingdatasubjectswithareduceddegree
      of transparency  28.

         AT SAObjection,p.10-11.
      281AT SAObjection,p.11;FI SAObjection,paragraph43;DESAs Objection,p.9;NLSAObjection,paragraph33.
         FI SAObjection,paragraph43.

      Adopted      5.3 Position of the LSA on the objections

166. The IESA considers theobjections not reasonedanddoes not follow them        284.

167. The IE SA argues that the scope of the inquiry is appropriate and relatesto the issues raised in the
      complaint. It also argues that finding of additional infringements which have not been fully

      investigatedor put to the controller would impose a risk of procedural unfairness by depriving the
      controller of itsrighttobe heardin response toaparticularisedallegationof wrongdoing      285.

168. The IE SA notes that it hasdiscretion to determinethe frameworkof the inquiry, taking into account

      the scope of the writtencomplaint aslodged. The IE SA arguesthat it would not have been possible
      to assess each discrete processing operation by Meta IE, without first resolving the fundamental
      dispute between the parties on the interpretationof Article 6(1) GDPR. The IE SA considers that it

      would have beeninappropriate and disproportionate for it toundertake anopen-ended assessment
      of all of Meta IE’s processing operations related to the Instagram Terms of Use to handle the
      complaint    .

169. The IESA arguesthatitsanalysis of Article6(1)(b) GDPRdoes not preclude the possibility thatcertain

      discrete processing operations by Meta IE mayfall outside the scope of Article 6(1)(b) GDPR. The IE
      SA finds it reasonable andpracticaltosetthe scope of theinquiry, focusing onthe principledissues of
      dispute, which itconsiders asnot prejudicing the operationof more specific data protectionrules      .

170. The IESA considers that thereference toArticle 9 GDPRprocessing by MetaIE isanelement of what
      it viewsasthe Complainant’sfundamentalallegation,i.e.thattheagreementtotheTermsof Usewas
      a form ofGDPRconsent toprocessing ofpersonal data,including consent tothe processing of special

      categoriesof data. The IE SA argues that since the scope of its inquiry addresses this issue, it is not
      necessaryfor ittoalsoconduct anindiscriminate andopen-ended assessment ofMetaIE’sprocessing
      thatmayotherwise fallwithin thescope of Article9 GDPR         .

171. The IE SA notes that under Irish national law, there would be a very significant risk of procedural

      unfairness to Meta IE if the IE SA assumed, without any further factualexamination, that Meta IE
      unlawfully processes specialcategoriesof personaldata    289.

172. According totheIESA, the CSAs objectingtothe DraftDecisionintendtomaximise the complainant’s
      rightsbyrequiring consent-based processing for certainprocessing operationsandthus prioritising it

      over other legalbasis. The IESA considers thatveryextensive dataprotectionrightsalsoapply under
      the GDPRwhere theprocessing is basedon Article 6(1)(b) or Article6(1)(f) GDPR.The IESA contends

      that the variationin the extent of data subject rights and protections, depending on the applicable
      legal basis, is an inherent element of the legislative scheme of the GDPR. The IE SA considers that
      Article 6 GDPR does not provide thatthe “appropriate”datasubject rightsdetermine the legalbasis

      for processing. The IE SA notes that separate tothe user’s acceptance of the Terms of Use, Meta IE


      Adopted      relies on different “acts” of consent for specific aspects of the service, including personalised
      advertising basedon users’ off-Instagramactivities.Inthis regard,theIESA statesthatthe complaint

      in this case was about the agreement to the Terms of Use and the processing it entails once
      accepted  290.

173. The IE SA arguesthat the objections are inconsistent withthe principle of legalcertainty, ascitedin

      Recital7 GDPR. The IE SA indicates that it is not satisfied that the GDPR requires the limitation of
      processing for thepurposes ofbehaviouraladvertisingtosituationswhereprocessing isbasedondata
      subject consent  29. The IE SA contends that interpretative approach of the CSAs raising objections

      would result in the arbitraryapplicationofmore restrictive dataprotectionrules for reasons thatare
      not found in the GDPR. The IE SA also states that this approach does not take due account of the

      extensive data protectionrightswhich apply toalllegalbases under theGDPR.The IESA assertsthat
      it is not open tothe supervisory authoritiestocreateadditional binding limitationson the applicable
      legal basis for the processing of data for behavioural advertising. The IE SA states that it is the
      legislator,not the supervisory authorities, whichhasdefined the conditions for lawfulprocessing     .

      5.4 Assessment of the EDPB

      5.4.1 Assessment of whether theobjections were relevant and reasoned
174. The EDPBresponds toMetaIE’sprimaryargumentstothe contraryin Section4.4.1above               29.

175. The AT,DE,ES, FI, FR andNL SAsobjectionsanalysedinthis sectionhave a directconnection withthe
      Draft Decision and refer to a specific part of the Draft Decision, i.e. Finding 1. The AT, DE, ES, FI, FR

      andNLSAs    arguethattheIESAhasnot carriedout enoughinvestigationandlegalanalysis intheDraft
      Decisiontoconclude thatMetaIEisnot legallyobligedtorelyonconsent toprocessthe complainants’
      data    . According to these CSAs, the IE SA should have identified and separately assessed any

      293Meta IEarguesthat“ObjectionswhichraisematterswhicharenotwithintheDefinedScopeofInquiryarenot
      intheirentiretybytheEDPB”.TheEDPBdoes notsharethisunderstanding,asexplainedabove.Seeparagraphs
      73-75ofthisBindingDecisionabove.Inparticular,theEDPBrecallsthattheanalysisofwhethera givenobjection

      meets thethresholdsetbyArt.4(24)GDPRiscarriedoutona case-by-casebasis.Morespecifically,incontrast
      to the objections referred to by Meta IE that did not “establisha direct connectionwith the specificlegal and
      factual content of the Draft Decision”(Binding Decision2/2022paragraphs 139, 147, 164) here, each CSAhas
      150-151ofthisBindingDecision.Moreover,whiletheobjections referencedbyMeta IEinparagraph4.9ofits

      Article65submissions werefound not to berelevant and/or reasoned intheBindingDecision 2/2022 as they
      did “not provide sufficiently precise and detailed legal reasoning regarding infringement of each specific
      proposedcould bereached, or didnot sufficiently demonstratethesignificanceof theriskposed bytheDraft

      2/2022,paragraphs140,148,165),asregardstheobjections analysedinthis section,theAT, DE, FI,FR andNL
      SAs providea numberof legal and factual arguments and explanations as to why an infringement forlack of
      294AT SAObjection,p.9;DESAs Objection,pp.8-9;ESSAObjection,pp.2-3;FI SAObjection,paragraphs36-37;

      Adopted      processing ofspecial categoriesofpersonal datain InstagramTermsof Use       29.The NL SA arguesthat

      processing operationsconcerning locationdataandthe use oftrackingtechnologieson users devices
      should have investigatedandassessed bythe IESA aswell      29.The AT, FI,FR andNL SAs consider that

      the IE SA should broaden the scope of its investigationand examine whether the conditions for the
      processing ofspecialcategoriesofpersonaldatahavebeenmetbyMetaIEinrelationtotheInstagram
      service   . The DE, FR and NL SAs argue that the data that Meta IE’sprocesses may include special
      categoriesofpersonaldataunder Article 9 GDPR     298.Theycontendthatnothing indicatesthatMetaIE

      excludes these categoriesof datafrom itsprocessing for advertising purposes. The AT,DE,ES, FI and
      FR SAs highlight thatthe issue falls within the remitof the complaint since the complainant allegeda
      potentialviolationof Article9 GDPRandshould thereforebe investigatedandassessed bythe LSA         29.

      The AT, DE, ES, FI and FR SAs challenge the reasoning underling the conclusion reached by the LSA.
      This assessment could lead to a different conclusion insofar as the IE SA would fully cover the

      complaint and include factsanda legalassessment on the Instagram’sservice processing operations
      towhich Article6(1)(a), Articles7 and9 GDPRmayapply, whichmayrevealaninfringement byMeta


176. Consequently, the EDPB finds that the AT, DE, ES, FI, FR andNL SAs objections relating toFinding 1,
      whichstatesthatMetaIEisnot requiredtorelyonconsent todeliver theInstagramTermsofUse and
      itsunderlying reasoning,are relevant     .

177. The AT, DE, FI, FR and NL SAs objections are reasoned because they include clarifications and
      argumentsonlegal/factualmistakesinthe LSA’sDraftDecisionthatrequire amending.TheAT,DE,FI,
      FR and NL SAs consider that the IESA should have identified and separatelyassessed any processing

      of special categories of personaldata under Article 9 GDPR in the context of Instagram Terms of
      Use 302. Inparticular, the DE, FR andNL SAs argue that the data that Meta IE processesmayinclude

      special categories of personal data under Article 9 GDPR and that nothing indicates that Meta IE
      excludes these categoriesof data from its processing for advertising purposes  303. The AT, DE, ES, FR

      and NL SAs recallthat only consent maybe used in this context among the exceptionsthat Article 9
      (2) GDPR lays down to the generalprohibition of processing special categoriesof data    304.The FI SA

      recalls that EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR state that the WP29 has observed that
      Article9(2)GDPRdoesnot recognise “necessaryfor theperformanceofa contract”asanexceptionto
      the general prohibition to process special categories of data      . The NL SA identifies as another

         AT SAObjection,p.9;DESAs Objection,p.7;FI SAObjection,paragraph37;FRSAObjection,paragraph30;
      297AT SA Objection, p. 9; FI SA Objection paragraph41;FR SA Objection, paragraph30;NL SA Objection,

         DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraphs24-25.
      299AT SAObjection,p.9;DE SAs Objection,p.7;ES SAObjection,p.2;FI SAObjection,p.42;FRSAObjection,

      302AT SAObjection,p.9;DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraph25.
      303DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraphs24-25.
         AT SAObjectionpp.9-10;DESAs Objection,p.7;ESSAObjection,p.2-3;FRSAObjection,paragraph31;NL
      305FI SAObjection,paragraph40.

      Adopted      indicator contradictingthe IE SA’sconclusion thatthere isno obligationto seekconsent the factthat

      thecontroller processesasignificant amountofpersonaldatathathasbeencollectedthroughcookies
      for online advertising purposes and of location data  306. The NL SA also arguesthat the IE SA should

      have investigated more into the safeguards that are implemented by the controller to address the
      specific interests of children307. Lastly, the NL SA states that the information shared by users on

      Instagrammaycontainpersonaldataconcerningthehealthofindividual usersandmentionstheruling
      of the CJEU in case C-136/17 stating that the mere indexing of certaindata could already suffice to
      conclude thatArticle9 of the GDPRapplies       .

178. Onthe risks posed by the DraftDecision,the AT,DE,FI,FR andNL SAs explainthatthe IE SA’sFinding

      1 providing that consent isnot requiredputs at risk the rightsof datasubjects and their controlover
      their personal data 309.The AT SA mentions the risk thatthe data subject’sright tolodge a complaint

      with a supervisory authority pursuant to Article 77(1) GDPR becomes ineffective because the IE SA
      does not handle it initsentirescope, including specialcategoriesofdataunder Article9 GDPR      310.The

      FR SA arguesthat the Draft Decision could set a precedent for accepting the use of the contractual
      performance legalbasis to process users’ data for targetedadvertising purposes, which it views as
      particularlymassive and intrusive    . The NL SA specifies thatthe datasubjects could be deprived of
      the following protections derived from the use of consent: the rightto dataportability (Article 20(1)

      GDPR);thepossibility tospecificallyconsent tocertainprocessing operationsandnot toothersandto
      the furtherprocessing ofpersonal data(Article6(4) GDPR);thefreedom towithdrawconsent (Article
      7 GDPR) and the subsequent right to be forgotten         . The AT, DE, FI and NL SAs also note as an
      additional risk that special categoriesofpersonal data falling within the scope of Article 9 GDPR are
      processed without meeting the requirementsof Article 9 (2) GDPR      313.TheNL SA alsounderlines the

      data protection deficits that are foreseeable with a switch from consent tocontract legal basis and
      the risk that this conclusion would create legaluncertainty that hampers the free flow of personal

      data within the EU  314. The NL SA further adds the risk that the decision could create by setting a
      precedent for controllers to exclude from their privacy policies or terms of service processing

      operations based on consent, thus undermining the principle of transparency     31.The ES SA does not
      describe any riskon thisspecific topic in theirobjection316.

179. On the basis of the above considerations, the EDPBfinds that the objections raised bythe AT, DE,FI,

      FR and NL SAs concerning the conclusions in the Draft Decision about the fact that Meta IE is not
      obliged to relyon consent toprocess the complainant’sdata, are relevant and reasonedobjections

      under Article 4(24)GDPR.

      309AT SA Objectionpp. 10-11;DE SAs Objection, p. 9;FI SAObjection, pp. 9-10;FR SAObjection, p. 7;NLSA
         AT SAObjection,p.10.
      313AT SAObjection,p.11;DESAs Objection,p.9;FI SAObjection,paragraph43;NLSAObjection,paragraph33.

      Adopted180. However,thepart ofthe NLSA objection asking the IESA toinclude in itsDraftDecisiontheelements
      concerning the need torely on consent for the placing of tracking technology on end users devices
      under ePrivacylegislationfalls outside thescope of theEDPB’smandate        .

181. Finally, theEDPBconsidersthattheobjection raisedby theESSA regardingthepotentialinfringement

      of Article 9 GDPR is not sufficiently reasonedwith reference tothe significance of the risks posed by
      the Draft Decision at stake and, therefore, the objection of the ES SA does not meet the threshold

      provided for by Article4(24) GDPR.

      5.4.2 Assessment on the merits
182. Inaccordance withArticle 65(1)(a) GDPR, inthe context of a dispute resolution procedure the EDPB

      shall take a binding decision concerning all the matterswhich are the subject of the relevant and
      reasonedobjections, inparticularwhether thereis aninfringement ofthe GDPR.

183. TheEDPBconsidersthattheobjectionsfound toberelevantandreasonedinthissubsection                 require
      anassessment of whether the DraftDecision needs to be changedon its Finding 1, which concludes
      thatMetaIEhas(a)notsought torelyonconsent toprocess personaldatatodeliver the TermsofUse

      and (b) is not legallyobliged to rely on consent in order todo so. When assessing the merits of the
      objections raised, the EDPB also takes into account Meta IE’s position on the objections and its


      MetaIE’sposition on theobjectionsand itssubmissions

184. Inits submissions, MetaIE supports the IESA’s conclusion thatMeta IE does not rely on consent for
      the purposes of behaviouraladvertising andis not requiredtorelyon it    31.

185. Meta IE states that it does not seek or rely on consent as its legalbasis for purposes of processing
      personal data to provide behavioural advertising, except in limited circumstances where Meta IE
      separately obtains consent, yet not through users’ acceptance the Terms of Use       . Meta IE claims
      that it explains in its DataPolicy todata subjects thatMeta IE relieson consent under Article 6(1)(a)
      GDPR“[f]orusing datathatadvertisersandotherpartnersprovideusabout[users’]activityoffofMeta

      Company Products, so we can personalise ads we show [them] on Meta Company Productsand on
      websites, apps and devices that use our advertising services” and that it has a separate process for

      obtaining this consent in amanner thatsatisfies the requirementsof Article4(11) andArticle7 GDPR
      andwhich is “entirelyseparate from any interactionby userswith the TermsofUse or DataPolicy, is
      not part of the Complaint and has not beenexamined” inthe IESA’s inquiry    321. Meta IEsubmits that

      the Complaint is limitedto the question of whether MetaIE seeks forcedconsent todata processing
      throughacceptance ofthe Termsof Use. Meta IE thenasserts that since it does not seek, obtain, or

      relyon consent asa legalbasis under Article 6(1)(a) GDPRtoprocess user data via acceptanceofthe

         Theseobjections beingthoseoftheAT, DE, FI,FR andNLSAs,disagreeingwiththeIESA’s Finding1,which
      states thatMeta IEis notrequiredtorelyonconsenttodelivertheInstagramTermsofUseandits underlying
      319Meta IEArticle65Submissions,paragraphs5.2and5.6.
      320Meta IEArticle65Submissions,paragraph5.4.
         Meta IEArticle65SubmissionsFootnote61andparagraph6.27.

      Adopted      Terms of Use, the inquiry should end there and all unrelatedassertions in the objections should be
      disregarded    .

186. Meta IE allegesthat some CSAs suggest that behavioural advertising must in all cases be based on
      consent, andin doing so, the CSAs suggest anapproachthatmandatesMetaIE torelyonconsent for
      “itsdataprocessingfor purposesofbehaviouraladvertising (or anyotherpurpose)”          .MetaIEagrees
      with the IE SA’s assertion that any approachlimiting the legalbasis on which a controller could rely
      would not be consistent withthe principle of legalcertainty     .MetaIEconsiders thatthe GDPRwas
      drafted in a way that protects data subjects while affording flexibility to controllers and that its
      applicationishighlydependent onfactsandcircumstancesunderlying therelevantprocessing andthe

      natureof the service providers 325. MetaIEcontends thatthe GDPRcontainsno expressreferencesto
      behavioural advertising and establishes no specific limitations on the available legalbasis for such

      processing; it is technology neutral and does not include specific derogations or rules for any one
      specific industry32.

187. Withregardtotheconsiderationthatconsentasalegalbasisprovides moreextensive dataprotection

      rights, Meta IE argues that in defining the conditions for lawful processing, the EU legislature has
      ensured that appropriate data protection rightswould be afforded to data subjects no matter what
      legalbasisis reliedon andextensive dataprotectionrightsapplytoalllegalbases         .MetaIEsupports
      the IESA’s view thatArticle 6(1)GDPR doesnot require legalbasestobe determinedby referenceto
      the applicable datasubject rightsfor eachbasis     .

      EDPB’sassessment on themerits

188. The EDPB notesthat the IE SA’s Draft Decision submitted via the Article 60 GDPR procedure results
      from an inquiry that the IE SA conducted based on a complaint from a data subject and Instagram
      user    . The BE SA forwarded this complaint to the IE SA as LSA in the case, given Meta IE’s main
      establishment in Ireland.

189. In this complaint, the Complainant alleges that Meta IE violated Articles 5, 6, 7 and 9 GDPR. The

      Complainant arguesthatit is unclear to whatthe datasubject has consented when the data subject
      agreedtoInstagramTermsofUse andPrivacyPolicy         33. Morespecifically, the Complainant points out
      that it remains unclear which exact processing operations the controller chooses to base on each

      specific legalbasisunder Articles6 and9 GDPR    33.TheComplainant arguesthatthe Termsof Use and
      PrivacyPolicy alsoinclude specialcategoriesofdataunder Article9(1)GDPRbecausethedatasubject,

      as an Instagram user, has interactedwith various groups and individuals, which would accordingly
      reveal the data subject’s political affiliation, sexual orientation, health condition, etc    332. The

         Meta IEArticle65Submissions,paragraph5.8.
      323Meta IEArticle65Submissions,paragraph5.2.
      324Meta IEArticle65Submissions,paragraph5.14.
      325Meta IEArticle65Submissions,paragraph5.15.
         Meta IEArticle65Submissions,paragraph5.15.
      327Meta IEArticle65Submissions,paragraph5.16.
      328Meta IEArticle65Submissions,paragraphs5.16-5.17.

      Adopted      Complainant claims that the controller also allows to target such information for advertisement  333.

      The Complainant considers that it would be necessary for the SA toinvestigate the concrete subject
      of the allegedconsent and the legalbasis for allprocessing operations andto request the record of
      processing activitiesunder Article30(4)GDPR     .

190. Basedon the scope ofthe IE SA’sinvestigationinto this complaint,the EDPB considers thatthe IE SA

      decidedtolimit thescope of itsDraftDecisiontothe following legalissues:

                  o Issue 1 – Whether clicking on the “Agree to Terms” button constitutes or must be
                      consideredconsent for thepurposes oftheGDPRand,ifso,whetheritis validconsent

                      for the purposes ofthe GDPR.

                  o Issue 2 – Whether Meta IE could rely on Article 6(1)(b) GDPR as a lawful basis for
                      processing ofpersonal datainthe context ofTermsofUse and/or DataPolicy.

                  o Issue 3 – Whether Meta IE provided the requisite information on the legal basis for
                      processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent

191. The IESA arguesthatit hasdiscretion todetermine the frameworkofthe inquiry takinginto account
      the scope of the written complaint as lodged   33. The IE SA considers that it would not have been

      possible to undertake anassessment of eachdiscrete processing operation by Meta IE without first
      resolving the fundamentaldispute betweenthe partieson the interpretationof Article6(1) GDPR      337.
      Inrelationtothe processing ofArticle 9 GDPRcategoriesof data,the IESA considers thatthe inquiry

      has addressedthe fundamental issue of principle onwhich the complaint depends, andthis makesit
      unnecessarytoconduct anindiscriminate andopen-endedassessment ofprocessing falling withinthe
      scope ofthis Article   .The IESA thus concludes thatMetaIE has(a)not sought torelyon consent in
      order to process personal data to deliver the Terms of Use and (b) is not legally obliged to rely on
      consent inorder todoso, basedonthe submissions of thePartiesandInstagramTermsofUse              .The
      IESA warnsCSAs onthe legalrisks derivedfrom asking throughthe objections toexpandthematerial

      scope of the inquiry and thus cover infringements outside of the complaint and Draft Decision that
      the IE SA has not investigated(pursuant to itsown decision tolimit the scope of the inquiry) andput
      toMetaIE   340.

192. The EDPBnotesthattheComplaint makesplaintheconfusion oftheInstagramuserover whichofthe

      user’sspecialcategoriesof dataareprocessed, for whichpurposes andonwhich basis.

193. The Instagram Terms of Use themselves note in general terms “Providing our Service requires
      collecting and using your information. The Data Policy explains how we collect, use, and share


      Adopted      information across the Facebook Products”        341 (service which includes “Offering personalized

      products,andservicesinwaysyoucareabout”         342).The InstagramTermsofUse include a referenceto
      a separate document “the DataPolicy”        , which lists under the heading “Things you and others do
      andprovide”:“Datawithspecialprotections:You canchoose to provide information in your Facebook

      profile fields or Life Events, about your religious views, political views, who you are ‘interested in’ or
      your health. Thisand other information (such as racialor ethnic origin, philosophical beliefs or trade
      union membership) is subject to special protectionsunder EU law”        . The Data Policydescribes the
      purposes for which these data areprocessed in verygeneraltermssuch as“Provide,personalize and
      improve ourproducts” and“toselectand personalizeads, offersand othersponsored contentthatwe

      show you”  345 with no specific reference tothe specific processing operations and categoriesof data
      eachpurpose wouldcover. MetaIEthusseems toacknowledgein itsDataPolicy             346thatituses special

      categoriesof data for behavioural advertising purposes, without specifying the “special protections
      under EU law” that it would apply to such processing. Meta IE only includes a generalreference to

      consent amongotherlegalbasisinthe samepage         347,whichincludesalink toaseparatefacebook.com
      page mentioning the use of consent on data with special protection and referring to the Instagram
      Settings    .

194. The IE SA finds that the way in which Meta IE provides, in relation to processing for which Article
      6(1)(b) GDPR is relied upon, this information and the lack of information on the specific processing

      operations, the data involved, their purposes and legal basis constitute an infringement of
      transparencyobligations under the GDPR(Article5(1)(a), Article12 (1), andArticle13(1)(c) GDPR)      349.
      The IE SA considers the complaint inthis case tobe limitedtothe Termsof Use and the processing it

      entailsonce accepted   350.Inthese circumstances,the IESA acceptsatfacevalue MetaIE’ssubmission
      on its reliance on different “acts” of consent for discrete aspectsof the service separatelyfrom the

      user’sacceptanceof theTermsof Use       35. The IESA does not engageintoanyfurther examinationor
      verificationonhow consent issought inthe caseof processing carriedout toprovide discreteaspects

      of the service. The IE SA also does not examine or verify whether special categoriesof data under
      Article 9 GDPR are processed in the context of the Instagram service and, if so, whether they are

      subject tothese “acts”of consent andthus effectivelytreatedoutside the scope ofthe Termsof Use

      343The document is titled as “Instagram Data Policy”, howeverit is explainedinits chapeauthat “[t]his policy

      describes the information we process to support Facebook, Instagram, Messengerand other products and
      345 Instagram Data Policy, Section “How do we use this information? -Provide, personalize and improve our

         Instagram Data Policy, Section “Things you andothers do and provide” and Section“How do we use this
      347Data Policy,Section“Whatisourlegalbasisforprocessingdata?”.
      348Facebookwebsitehttps://www.facebook.com/about/privacy/legal bases.
      350 The IE SA mentions in its Scheduleto the Draft Decision, paragraphs 134-135“My view is that [...] the
      Complaint even taken at its height quite clearly only concerns data processing arising out of the act of

      ofArticle 9GDPRconsentfallswithinthescopeofthisInquiry.ThereisnoevidencethatMetaIrelandprocesses

      Adopted      and the legalbasis of Article 6(1)(b) GDPR on which the Terms of Use purportedly rely, or whether
      some special categoriesof personal data, as defined by the GDPR and EU case-law        352, are treated

      under the InstagramTermsof Use.

195. The CJEU assertedrecentlythatthe purpose ofArticle9(1)GDPRis toensure anenhancedprotection
      of data subjects for processing, which, because of the particular sensitivity of the data processed, is

      liable to constitute a particularly serious interference with the fundamental rights to respect for
      private life and to the protection of personal data, guaranteedbyArticles7 and 8 of the Charter    353.
      TheCJEU adoptsawide interpretationoftheterms“specialcategoriesofpersonaldata”and“sensitive

      data” that includes data liable indirectly to reveal sensitive information concerning a natural
      person 354. Advocate GeneralRantosreiteratesthe importance for the protectionof data subjects of

      Article 9 GDPR andapplies the same interpretationto the dataprocessing insocial network services
      for behavioural advertising bystatingthat “theprohibition on processing sensitive personaldata may
      include theprocessing ofdatacarriedout byan operatorof an online socialnetworkconsisting in the

      collectionofauser’sdatawhenhe or she visits otherwebsitesor apps or enterssuch data into them,
      the linking of suchdata to the user account on the social networkand the use of such data,provided

      thattheinformation processed,consideredin isolation or aggregated,makeitpossible toprofile users
      on the basis of the categories that emerge from the listing in that provision of types of sensitive
      personaldata”   35.

196. Therefore,theGDPRandthecase-lawpayespecialattentiontotheprocessing orpotentialprocessing

      of special categories of personal data under Article 9 GDPR to ensure the protection of the data
      subjects. In this connection, the Complainant allegesin the Complaint, among others, a violation of
      Article 9 GDPRand expressly requeststhe IESA toinvestigateMeta IE’sprocessing operations inthe

      context of the Instagram service covered by this Article     356. In a subsequent submission on the
      Preliminary DraftDecision, the Complainant criticisesthe scope thatthe IE SA decided togive tothe

      Complaint anditslackofinvestigationofMetaIE’sprocessingactivitiesandallegesthattheIESAfailed
      to give due consideration to processing under Article 9 GDPR and other cases in which it relies on
      consent    .

197. Inthe present case,theIESA limiteditsfactsandlegalassessment inthe DraftDecisiontothegeneral

      question of whether Meta IE has (a) sought to rely on consent in order to process personal data to
      deliver the Termsof Use and (b) if it is legallyobliged to relyon consent in order todo so. The IE SA

      categoricallyconcludes on these questions. At the same time, the IE SA acknowledgesa serious lack
      of transparency by Meta IE, as regards the information provided concerning the processing being
      carriedout in reliance on Article 6(1)(b) GDPR and does not clarify which data categoriesare being

      processed for behaviouraladvertising,if MetaIEprocesses specialcategoriesofdata,andifit does, if

      353C-184/20 Vyriausiojitarnybinės etikos komisija, paragraph126.
      354C-184/20 Vyriausiojitarnybinės etikos komisija, paragraph127.
      355C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,

      5-5 of 11 June2021, pp. 11-13(ina letter to theIE SAof 4 February 2022p. 2 theComplainant explains that
      their submissions in IN-18-5-5on facebook.com shouldbe considered as their submissions in IN-18-5-7on

      Adopted      MetaIE complies withthe conditions of Article 9 GDPRand othersrelevant tothe application of this
      provision (for example,Articles6(1)(a) andArticle7 GDPR).

198. By deciding not to investigate, further to the Complaint, the processing of special categories of
      personal data in the context of the Instagram service, the IE SA leaves unaddressed the risks this

      processing poses for the Complainant and for Instagram users. First, there is the risk that the
      Complainant’sspecialcategoriesof personaldataareprocessed withinthe Instagramservice tobuild
      intimate profiles of them for behavioural advertising purposes without a legalbasis and ina manner

      not compliant with the GDPR and the strict requirements of its Article 9(2) GDPR and other GDPR
      provisions relevant thereto. Second, there is also the risk that Meta IE does not consider as special
      categoriesof personal data (in line with the GDPR and the CJEU case-law         ) certain categoriesof
      personaldatait processes andconsequently, thatMetaIEdoes not treatthemaccordingly.Third,the
      Complainant and other Instagram users whose special categoriesof are processed may be deprived

      of certainspecial protections derived from the use of consent, such as the possibility tospecifically
      consent tocertainprocessing operations andnot toothersand tothe further processing of personal

      data(Article 6(4)GDPR);thefreedom towithdraw consent (Article 7 GDPR)andthe subsequent right
      to be forgotten 359. Fourth, given the great size and dominant market share of Meta IE in the social
      media market, leaving unaddressed its current ambiguity in the processing of special categoriesof

      personal data, and its limited transparency vis-à-vis Instagram users, may set a precedent for
      controllers to operate in the same manner and create legaluncertaintyhampering the free flow of
      personal datawithinthe EU.

199. The EDPB further considers, also in view of these risks to the Complainant and to other Instagram
      users, thatthe IE SA did not handle the Complaint withalldue diligence   36.The EDPBsees thelackof

      anyfurtherinvestigationintothe processing ofspecialcategoriesofpersonaldataasanomission, and
      in the present case finds it relevant that the Complainant allegedinfringements of Article 9 GDPR in
      the Complaint    . The EDPB contends that inthe present case, the IE SA should have verified on the
      basis of the contract and the data processing actually carried out on which legal bases each data
      processing operationatissue relies.

200. The EDPB alsohighlights that bylimiting excessively the scope of its inquiry despite the scope of the
      complaint in this cross-border case and systematically considering all the objections raised by CSAs

      not relevantand/or reasonedandthusdenying theirformaladmissibility, the IESA asLSA inthiscase,
      constrains the capacityof CSAs to act and tackle the risks to data subjects in sincere and effective

      cooperation. Asruledby theCJEU, the LSA must exercise itscompetence withina frameworkof close
      cooperationwithothersupervisory authoritiesconcernedandcannot“eschewessentialdialoguewith

      358See C-184/20 Vyriausioji tarnybinėsetikos komisija and more recently on the processing in Facebook:
      C-252/21Oberlandesgericht Düsseldorf request, Opinion of the AdvocateGeneral on 20 September 2022,
         Art. 17GDPR.
      and MaximillianSchrems, C-311/18, ECLI:EU:C:2020:559, (hereinafter ‘C-311/18, Schrems II'), paragraph109;
      Judgement of the Court of Justiceof 6 October2015, Schrems, C-362/14, ECLI:EU:C:2015:650, paragraph63;
      Judgement of the Court of Justice of 4 April 2017, European Ombudsman v Staelen, C-337/15,

      Adopted                                                                                            362
      and sincereandeffectivecooperationwiththeothersupervisoryauthoritiesconcerned”           .Thelimited
      scope the IESA gavetotheinquiry anditsconsideration ofalltheobjections made asinadmissible for
      being not relevant or reasoned also impairs the EDPB’scapacityto conclude on the matterpursuant

      to Article 65 GDPR and thus ensure a consistent application of EU data protection law, especially
      considering thatthe complaint wasintroducedmore thanfour yearsago.

201. As a result of the limited scope of the inquiry and the fact that the IE SA did not verify and assess in
      the DraftDecisionMetaIE’sprocessing ofspecial categoriesofpersonal datainitsInstagramservice,

      the EDPBdoes not have sufficient factualevidence on MetaIE’sprocessing operationstoenable it to
      make a finding on any possible infringement by Meta IE of its obligations under Article 9 GDPR and
      other GDPRprovisions relevantthereto.

202. Inconclusion, the EDPB decides thatthe IE SA cannot categoricallyconclude at this stagethroughits
      Finding 1 that Meta IE isnot legallyobliged to rely on consent toprocess personal data tocarryout

      the personal data processing activities involved in the delivery of the Instagram Service, including
      behavioural advertising as set out in the Instagram Terms of Use without further investigating its

      processing operations, the categoriesof data processed (including to identify special categories of
      personal datathatmaybe processed), andthe purposes theyserve.

203. The EDPBinstructs the IE SA toremove from its DraftDecisionits conclusion on Finding 1. The EDPB
      decides that the IE SA shall carry out a new investigationinto Meta IE’sprocessing operations in its
      Instagramservicetodetermineifit processesspecialcategoriesofpersonaldata(Article9GDPR),and

      complies with the relevant obligations under the GDPR, to the extent that this new investigation
      complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding
      Decision,andbasedontheresultsofthisinvestigation,issue anew draftdDecisioninaccordancewith
      Article60(3) GDPR     .



      6.1 Analysis by the LSA inthe DraftDecision

204. TheIESA initsDraftDecisionaddresses theComplainant’sallegationsthattheunclearandmisleading
      nature of the InstagramTermsof Use andDataPolicy, togetherwiththe mode of acceptanceofthe

      Terms of Use, have made Instagram users believe that all processing operations were based on
      consent under Article 6(1)(a) GDPR and thus constituted a breach of the Meta IE’s transparency
      obligations under Articles 5(1)(a)and 13(1)(c) GDPR 364. The IE SA analyses the submissions provided
      by the Meta IE and, noting the Complaint’s focus on the alleged“forced consent”      , concludes that
      Meta IE has breached Article 5(1)(a), Article 13(1)(c) and Article 12(1) GDPR due to the lack of

      C-645/19, ECLI:EU:C:2021:483, (hereinafter ‘C-645/19 Facebook v Gegevensbeschermingsautoriteit),

      Adopted      transparencyin relationtothe processing for whichArticle 6(1)(b) GDPRhasbeenreliedon        366. TheIE

      SA explains that,while aninfringement of Article 5(1)(a) GDPRdoes not necessarily or automatically
      flow from findings of infringement under Articles 12 and/or 13 GDPR, there is an important link

      between these provisions  367. Nevertheless, the IE SA takes the view that “[t]he factual question of
      whetherthedatasubject was misled asto the legalbasis isthereforepart ofthe broaderquestion as

      to whether there was compliance with transparency requirements and should not be considered in
      isolation ofthis broaderissue” 368. The IE SA points out thatArticle 5(1)(a)GDPRlinks transparencyto
      the overallfairness of the activitiesof the controller  and concludes on the breachofthis provision
      inrelationtothe infringement ofthe transparencyobligations     370.

      6.2 Summary of the objection raisedby the CSA

205. The IT SA objects tothe scope of Finding 3 of the DraftDecision andtothe assessment leading up to
      it.The ITSA agreestoalargeextent withthe Draft Decision’sFinding 3 on theinfringement of Article
      12(1), Article13(1)(c),andArticle5(1)(a)GDPRintermsoftransparency          .However,theITSA argues
      thatMetaIEhasalsofailedtocomply withthemore generalprinciple offairnessunder Article5(1)(a)
      GDPR, which, inthe view of the IT SA, entails separate requirementsfrom those relating specifically

      totransparency   37.

206. According to the IT SA, the relationship between Meta IE and Instagram users is markedly and
      significantlyunbalanced  373andaninfringement of the fairnessprinciple resulted, first ofall, from the

      misrepresentation of the legal basis for processing by the controller    374, considering that “Meta
      presenteditsserviceto usersin a misleading manner”and“withouttaking dueaccount ofusers’ right

      tothe protectionoftheirpersonaldata”    375. TheITSA arguesthat“thecontrollerleavesitsusersinthe
      dark as theyare expected to tellor actually ‘figure out’, from time to time, the possible connections
      betweenpurposesought, applicable legalbasis and relevantprocessing activities”       .

207. Secondly, such infringementalsostemsfrom the“high-leveland all-encompassing referencetoArticle
      6(1)(b) GDPRas relied upon to enable the massive collection of personaldata [...]and theirreuse for

      multifarious,distinct purposes”,considering the“pervasiveaswellasprolongedanalysis of[theusers’]
      online behaviour” amounting toa disproportionate interference withtheir private lives comparedto
      the pursuit of freedom of enterprise    .

208. The IT SA thus considers that the IE SA should have found an infringement of the fairness principle
      under Article 5(1)(a) GDPR, inaddition to the infringement of the transparencyobligations derived


      Adopted      from this provision, without any need for supplementary investigations    378. According to the IT SA,

      should the objection be followed, it would also impactthe exercise of by correctivepowers by the IE
      SA, i.e.themeasurestobe imposed on thecontroller in order tobring the processing into conformity
      withthe GDPR      .

      6.3 Position of the LSA on the objection
209. The IESA does not consider the ITSA objection tobe relevantandreasonedanddoes not follow it           .
      The IE SA examines it together with the other objections relating to the scope and conduct of the

      inquiry andcontends thatintroducing novel issues not raisedby the Complainant or otherwise put to
      the partieswould represent a significant departureintermsof thescope of theinquiry     381.

210. TheIESA highlightsthelegalconsequences thatwouldflow from makingmaterialchangesconcerning
      infringementsoutside of the Complaint andDraftDecision, namelythe likelihood thatMetaIEwould

      succeed in arguing before the Irish Courts that it has been denied an opportunity to be heard on
      additional and extraneousfindings that are adverse toit   382. The IE SA’s concernarose from the fact

      that,accordingtothe IESA, MetaIEwasnever invitedtobe heardinresponse toanallegationthatit
      hadinfringedthe fairnessprinciple set out inArticle5(1)(a)GDPR.TheIESA notes,in thisregard,that

      a respondent has the rightto be heardin response tothe particularsof the case being made against
      it and that this is a core element of a fair procedure pursuant to Irish law. The IE SA takes the view

      thatexpandingthe materialscopeofthe inquiryis neithernecessary,nor couldbe reconciledwiththe
      controller’srighttoa fair procedure  38.

      6.4 Analysis of the EDPB

      6.4.1 Assessment of whether theobjection was relevant and reasoned
211. The ITSA objectionconcerns “whetherthereisan infringementoftheGDPR”               .

212. The EDPBtakesnote of MetaIE’sview thatthe objections categorisedby the IE SA asrelatingtothe

      scope andconduct of the inquiry, among whichthe ITSA objectionregardingthe infringement ofthe
      fairness principle, are “irrelevant to the resolution of this Inquiry” and, if accepted, would seriously
      infringe Meta IE’sproceduralrightsunder both Irish and EU law       . According toMeta IE, “the EDPB
      cannot expand the scope ofthe Inquiryin the manner suggested bythe CSAs through Objectionsthat

      are not relevantto thesubstance of the Complaint” andin relationtothis MetaIEreferstothe EDPB
      Binding Decision2/2022   386.

         Meta IE Article65 Submissions, paragraph 4.2and paragraphs 4.10 to 4.20 regarding the right to fair
      procedure,aswellasMeta IEArticle65Submissions,Annex1,paragraph7.7.
      386Meta IEArticle65Submissions,paragraph4.9.Inparticular,Meta IEreferstoparagraphs139,140,147,148,

      Adopted213. Meta IE further contends that the IT SA objection is not reasoned as it provides broad and
      unsubstantiatedallegationswithout presentingfactsor evidence in thisregard         andfailstoaddress
      the significance ofthe risk tofundamentalrightsandfreedomsposed by the DraftDecision         388.

214. Asitwaspreviously explained,theEDPBdoesnotshare theunderstanding thatCSAsmaynot disagree
      withthescope ofthe inquiry asdecidedbythe LSA bywayofanobjection              .The EDPBrecallsthatan
      objection could go as far as identifying gaps in the draft decision justifying the need for further

      investigation by the LSA, for example in situations where the investigation carried out by the LSA
      unjustifiably fails to cover some of the issues raised by the complainant 390. In this regard, the EDPB
      observes that,in theircomplaint, the Complainant allegesthat the informationprovided in MetaIE’s

      PrivacyPolicy“isinherentlynon-transparentandunfair withinthemeaningofArticles5(1)(a)and 13(c)
      GDPR”   39. Inaddition, the Complainant alleges that “Asking for consent to a processing operation,

      whenthe controllerreliesin fact on another legalbasis is fundamentally unfair, misleading and non-
      transparentwithin themeaning ofArticle5(1)(a) oftheGDPR”        39.Therefore,theEDPBdisagreeswith

      the IE SA’s finding that assessing Meta IE’s compliance with the principle of fairness would amount
      addressing matters“whichfall outside ofthescope of theunderlying complaint”       39.

215. The EDPB notes that the IT SA agreeswiththe IE SA’sfinding with regardtothe infringement of the
      principle of transparencyunder Article5(1)(a) GDPR      .Asthis finding is not subject toa dispute, the
      EDPBwillnot examine this matter.

216. After analysing the IT SA objection, the EDPB finds that the objection is relevant, as it refers to a
      specific part of the Draft Decision (Finding 3 39), and if followed would lead to the conclusion that

      there isaninfringement of the generalprinciple of fairness under Article 5(1)(a)GDPR,in additionto
      the breach of the separate requirements relating to transparency under this provision          39. The

      387Meta IEArticle65Submissions,Annex1,paragraph7.8.
      388Meta IEArticle65Submissions,Annex1,paragraph7.9.
      In respect of Meta IE’s arguments in paragraph 4.9 of its Article65 Submissions on this objection not being
      relevant, theEDPB recalls that theanalysis of whethera given objectionmeets thethreshold set by Art. 4(24)

      GDPRis carriedoutonacase-by-casebasis.MetaIEreferstotheEDPB’sBindingDecision2/2022andspecifically
      to theparagraphswheretheEDPBestablishedthatspecificobjections raisedbytheDE SAs andNOSAinthat
      oftheITSAthatis beinganalysedinthissection.

      to specificobservationsmadebytheLSAandexplainshowtheadditionalinfringementofArt.5(1)(a)couldbe

      established on that basis (see, for example, p. 6 of the IT Objection referring to paragraph 185of theDraft

      Adopted      objection, if followed, would also entail the exercise of corrective powers, i.e. the measures to be
      imposed on the controller inorder tobring the processing into conformitywiththe GDPR          .

217. The ITSA objectionis alsoreasonedbecauseitincludesseveralspecific legalandfactualargumentsin
      support of finding anadditionalinfringement oftheprinciple offairnessunder Article5(1)(a)GDPR         .
      For example,the IT SA explainsthat “[t]ransparencyand fairness are two separatenotions” andthat

      “transparencyrelatestoclarityoftheinformationprovided tousersvia theToSandtheprivacypolicy”,
      while “fairness relatesto how the controller addressed the lawfulness of the processing activities in
      connection with its social networking service”     . The IT SA contends that the “overall relationship
      betweenMetaandInstagram usersis markedly as wellas significantly unbalanced”          400. According to
      the IT SA, the first wayin which Meta IE hasinfringed the principle of fairness is by misrepresenting

      the legalbasis for processing in order to pursue its business model “without taking due account of
      users’ rightto theprotectionofpersonaldata” andleaving “itsusersin thedark”       401.Further, intheIT

      SA’s view, Meta IE has breached the fairness principle, by justifying via the broad reference to the
      legalbasis ofperformanceof contractamassive collectionof personaldataandtheirreuse for awide
      rangeof purposes, disproportionately interfering withusers’ private life    .

218. The ITSA objection alsoidentifies the risks posed by the absence inthe DraftDecisionof a finding on

      the infringement of thefairness principle, namelysettinga dangerousprecedent for future decisions
      concerning otherdigitalplatform operators-more generally,other controllersbelonging tothesame

      business sector -andmarkedlyweakeningthesafeguardsthatmustbe provided throughtheeffective
      implementationof the dataprotectionframeworkon account ofthe comprehensive disregardofthe
      fairness ofthe processing principle   .

219. Therefore, the EDPB considers that the IT SA objection is relevant and reasoned (cf. Article 4(24)


      6.4.2 Assessment on the merits
220. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the

      matterswhichare the subject of the relevantand reasonedobjections, inparticularwhether there is
      aninfringement ofthe GDPR.

      402ITSAObjection,p.6.Seealsoabove,paragraphs206-208.InrespectofMeta IE’sargumentsinparagraph4.9

      ofits Article65Submissionsonthisobjectionnotbeingreasoned,theEDPBnotesthattheobjectionsthatwere
      and detailed legal reasoning regardinginfringement of each specific provision in question”, did not explain
      sufficiently clearly, nor substantiateinsufficient detail how theconclusion proposed could bereached, or did

      ofthedata subjectsorthefreeflowofdatawithintheEU(BindingDecision2/2022,paragraphs140,148,165).
      The IT SAobjection provides, instead, a numberof legal and factual arguments andexplanations as to why a
      ifitwas adoptedunchanged.

      Adopted221. The EDPBconsiders thatthe objection found tobe relevant andreasoned in thissubsection requires
      anassessment of whetherthe DraftDecision needstobe changedinsofar as it containsno finding of

      infringement of the fairness principle under Article 5(1)(a) GDPR. Whenassessing the merits of the
      objection raised, the EDPB also takes into account Meta IE’s position on the objection and its

222. The EDPBtakesnoteof MetaIE’sviewthattheITSA objection lacksmeritasit goesbeyondthe scope
      of theinquiry    . The EDPBalsonotes thatMetaIElinks the issue ofthe potentialinfringement ofthe
      principle offairness, raisedinthe ITSA objection, withthequestion ofthe competenceof CSAsor the
      EDPB toassess the validity of contractsinthe context of Article 6(1)(b) GDPR and, when responding

      tothe meritsof the ITSA objection, Meta IEreferstoits submissions on applicationof Article6(1)(b)
      GDPRwithrespect tostandardform contracts       405.While takingnote of MetaIE’sview onthis matter,

      the EDPB considers the question of Meta IE’scompliance withthe principle of fairness under Article
      5(1)(a) GDPRtobe distinct from the question of the choice of the appropriate legalbasis (althougha
      connectedone, asexplainedbelow) andproceedswithits respectiveassessment below.

223. Firstly, the EDPBrecallsthatthe basic principles relating toprocessing listed inArticle 5 GDPRcan,as
      such, be infringed    . This is apparent from the text of Article 83(5)(a) GDPR which subjects the
      infringement ofthe basic principles for processing toadministrative fines ofupto20 million euros, or
      inthe caseof undertaking,upto4% ofthetotalworldwide annualturnover ofthe precedingfinancial

      year,whichever is higher.

224. The EDPBunderlines thatthe principles of fairness, lawfulness andtransparency,allthree enshrined
      in Article 5(1)(a) GDPR, are three distinct but intrinsically linked and interdependent principles that
      every controller should respect when processing personal data. The link between these principles is

      evident from a number of GDPR provisions: Recitals39 and 42, Article 6(2) and Article 6(3)(b) GDPR
      referto lawfulandfair processing,while Recitals60and71GDPR,aswellasArticle13(2),Article14(2)

      andArticle 40(2)(a)GDPRrefertofair andtransparentprocessing.

225. On the basis of the above consideration, the EDPB agreeswiththe IE SA’s view that “Article 5(1)(a)
      links transparencyto the overall fairness of the activities of a controller”   but considers that the
      principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s

      compliance with the principle of transparency does not automatically rule out the need for an
      assessment ofMetaIE’scompliance withthe principle offairness too.

      404Meta IEArticle65Submissions,Annex1,paragraph7.10.Inthisrespectseeparagraphs73-75(section4.41)
      onthis BindingDecision.
      405“To the extent the IT SAObjects tothe lawfulnessofMetaIreland’sdataprocessingbasedonthenatureof

      the contract between Meta Ireland and users of the Instagram Service (i.e. a standard form contract), Meta
      Ireland respectfully asks the EDPB to take into account its submission abovewith respect to standard form
      contracts”.Meta IEArticle65Submissions,Annex1,paragraph7.10.

      Adopted226. The EDPB recallsthat, in data protection law, the concept of fairness stems from the EU Charter of
      Fundamental Rights      . The EDPB hasalreadyprovided some elementsas tothe meaning andeffect
      of the principle of fairness in the context of processing personal data. For example, the EDPB has

      previously opined in its Guidelines on DataProtectionby Designand by Defaultthat “[f]airness is an
      overarching principle which requires that personal data should not be processed in a way that is
      unjustifiably detrimental,unlawfullydiscriminatory, unexpectedormisleading to thedata subject”    409.

227. Among the key fairness elements that controllers should consider in this regard, the EDPB has

      mentioned autonomy of the data subjects, data subjects’ expectation, power balance, avoidance of
      deception, ethicaland truthful processing  410. These elements are particularlyrelevant in the caseat

      hand. The principle of fairness under Article 5(1)(a) GDPR underpins the entire data protection
      framework and seeks to address power asymmetries between the data controllers and the data

      subjects in order to cancel out the negative effects of such asymmetries and ensure the effective
      exercise of thedata subjects’ rights.The EDPBhas previously explained that“theprinciple of fairness
      includes, interalia, recognisingthe reasonable expectationsofthe data subjects, considering possible

      adverse consequences processing may have on them, and having regard to the relationship and
      potentialeffectsofimbalance betweenthemand thecontroller”        411.

228. The EDPB recalls that a fair balance must be struck between, on the one hand, the commercial

      interests of the controllers and, on the other hand, the rights andexpectations of the data subjects
      under theGDPR    41.Akeyaspectofcompliancewiththeprinciple offairnessunder Article5(1)(a)GDPR
      refersto pursuing “powerbalance” asa “key objectiveof the controller-datasubject relationship”       ,
      especiallyinthecontextofonline servicesprovidedwithoutmonetarypayment,whereusersareoften
      not aware ofthe ways andextent to which their personal data is being processed      41. Consequently,

      lack of transparency can make it almost impossible in practice for the data subjects to exercise an
      informed choice over the use oftheir data  415which is incontrast withthe element of “autonomy”of

      datasubjects astothe processing of their personaldata    416.

229. Considering theconstantlyincreasing economic value ofpersonal datainthedigitalenvironment, it is
      particularly important to ensure that data subjects are protected from any form of abuse and

      deception, intentionalor not, whichwould result in the unjustified loss ofcontrol over their personal

      408Art. 8 EU Charter of Fundamental Rights states as follows:“1. Everyone has the right to the protection of

      personal data concerninghim orher. 2. Such data must be processed fairlyforspecified purposes andon the
      409EDPB Guidelines 4/2019 onArticle25 Data Protection by Designand by Default, Version 2, Adopted on 20
      412Onthebalancebetweenthedifferentinterests atstakeseeforexample:JudgementoftheCourtofJustice
      vanburgemeesterenwethoudersvanRotterdamvM.E.E. Rijkeboer,C-553/07,ECLI:EU:C:2009:293;Judgment

      of the Court (GrandChamber) of 9 November 2010, Volker undMarkus ScheckeGbR (C-92/09)andHartmut
         EDPB Guidelines on Data Protectionby Design and byDefault, paragraph70. According to this element of

      Adopted      data.Compliance by providers ofonline services actingascontrollers withallthree of thecumulative

      requirements under Article 5(1)(a) GDPR, taking into account the particular service that is being
      provided and the characteristicsof their users, serves as a shield from the danger of abuse and
      deception, especiallyin situationsof power asymmetries.

230. The EDPB haspreviously emphasised that the identification of the appropriate lawfulbasis is tiedto
      theprinciples of fairnessandpurpose limitation     .Inthisregard,theITSA rightlyobserves thatwhile
      finding a breachof transparencyrelatesto the wayin which information hasbeen provided to users

      via the InstagramTermsof Use andDataPolicy, compliance withthe principle of fairnessalso relates
      to“how thecontrolleraddressedthelawfulnessoftheprocessingactivitiesin connectionwithitssocial
      networkingservice”   41. Thus the EDPB considers that anassessment of compliance by Meta IE with

      the principle of fairness requires also an assessment of the consequences that the choice and
      presentation of the legal basis entail for the users of the Instagram service. In addition, that

      assessment cannot be made in the abstract, but has to take into account the specificities of the
      particularsocialnetworking serviceandof theprocessing ofpersonaldatacarriedout,namelyfor the
      purpose of online behaviouraladvertising     .

231. The EDPBnotesthatin thisparticularcase thebreachof MetaIE’stransparencyobligationsisofsuch

      gravitythatit clearlyimpactsthe reasonable expectationsof the Instagramusers by confusing them
      on whether clicking the “Agree to Terms” button results in giving their consent to the processing of

      their personal data. The EDPB notes in this regardthat one of the elementsof compliance withthe
      principle offairness is avoiding deception i.e.providing information“in an objectiveand neutralway,
      avoiding anydeceptiveor manipulative language or design”       .

232. Asoutlined inthe DraftDecision,the Complainant arguesthatMetaIEreliedon“forcedconsent” asa

      result of being led to believe that the legalbasis for processing the controller was relying upon was
      consent 421. The Complaint demonstratesthe confusion suffered bythe Complainant both due tothe
      (lack of) information presented to Instagram users in the context of their “agreement”        and the
      circumstancesof how the act of“agreement”wassought by MetaIE          423.TheEDPBconsiders thatthe

      LSA should have takeninto account such Meta IE’spracticesin relationto the principle of fairness,
      regardlessof its finding that Meta IE hasnot sought to rely on consent in order to process personal
      datatodeliver the Termsof Use    424.

233. Inaddition, andasrecognisedby the LSA itself, further toitsassessment of the informationprovided

      concerning processing being carriedout in reliance on Article 6(1)(b) GDPR, “it is impossible for the
      user to identify with any degreeof specificitywhat processing is carriedout on what data, on foot of

      is premised on the delivery of personalised advertising”and Meta IE Article65 Submissions, paragraph 6.38
      whereMeta IEclaimsthat“ItwouldbeimpossibletoprovidetheInstagramServiceinaccordancewiththeTerms
      ofUse withoutprovidingbehaviouraladvertising”.

      Adopted      the specified lawful bases” 425. Considering this, in the EDPB’sview, there are clear indications that
      Instagram users’ expectations with regard to the applicable legal basis have not been fulfilled       .
      Therefore, the EDPB shares the IT SA’s concern that Instagram users are left “in the dark”      427and
      considers that the processing by Meta IE cannot be regardedas ethicaland truthful      428because it is

      confusing withregardtothetype ofdataprocessed,the legalbasisandthepurpose oftheprocessing,
      whichultimatelyrestrictsthe Instagramusers’ possibility toexercisetheir datasubjects’ rights.

234. Furthermore, the EDPBconsiders that the extensive analysis by the IE SA withregardto the issue of

      legalbasisandtransparencyinrelationtotheprocessing being carriedoutinrelianceonArticle6(1)(b)
      GDPRisclosely linkedtotheissue of complianceby MetaIEwiththe principle offairness. Considering
      the seriousness of the infringementsof the transparencyobligations by MetaIE alreadyidentified in

      theDraftDecisionandthe relatedmisrepresentationofthelegalbasis reliedon, theEDPBagreeswith
      the IT SA that Meta IE has presented its service to the Instagram users in a misleading manner     429,

      which adversely affectstheir control over the processing of their personal data and the exercise of
      their data subjects' rights. Therefore, the EDPB isof the opinion that the IE SA’sfinding of breachof
      Article 5(1)(a) GDPRwithregardto the principle of transparency       should extend tothe principle of
      fairness too.

235. This is all the more supported by the fact that, in the circumstances of the present case as
      demonstrated above    431, the overall effect of the infringements by Meta IE of the transparency

      obligations under Article 5(1)(a), Article 12(1), Article 13(1)(c) GDPR and the infringement of Article
      6(1)(b) GDPR  432furtherintensifiestheimbalancednatureof therelationshipbetweenMetaIEandthe

      Instagramusersbrought upbytheITSA objection. Thecombinationoffactors,such asthe asymmetry
      of the informationcreatedby MetaIEwithregardto theInstagram service users, combinedwiththe
      “take it or leave it” situation that they are faced with due to the lack of alternative services in the

      marketand the lackofoptions allowing them toadjust or opt out from a particularprocessing under
      the contract with Meta IE, systematically disadvantages the Instagram service users, limits their

      control over the processing of their personal data andundermines the exercise of their rightsunder
      Chapter IIIofthe GDPR.

236. Therefore, the EDPB instructs the IE SA to include a finding of an infringement of the principle of
      fairness under Article 5(1)(a) GDPR by Meta IE, in addition to the infringement of the principle of

      transparency under the same provision, and to adopt the appropriate corrective measures, by
      addressing, but without being limited to, the question of anadministrative fine for thisinfringement

      asprovided for in Section9 of thisBinding Decision.

      426According to the fairness element of “expectation”, “processing should correspond with data subjects’

      427sonableexpectations”.EDPBGuidelinesonData ProtectionbyDesignandbyDefault,paragraph70.
      428See EDPB Guidelines on Data Protection by Designand byDefault, paragraph 70, wheretheEDPB explains
      that “ethical”means that “[t]he controllershouldsee the processing’s widerimpact on individuals’ rights and
      dignity“and “truthful”means that “[t]he controllermust make available information about how theyprocess




      7.1 Analysis by the LSA inthe DraftDecision
                                             433                         434
237. The IESA referstoArticle5(1)(b)GDPR        andArticle5(1)(c) GDPR      whenanalysingthe extentofthe
      controller’sobligation under Article 13(1)(c) GDPRandwhether Meta IEhas infringed this provision.

      More specifically, the IESA highlightsthat Article13 GDPRrequiresthat the purposesandlegalbases
      must be specified in respect of the intended processing and cannot just be cited in the abstract  435.
      AfterexplainingwhyMetaIE’sviewthatthereisnospecific obligationfor thelegalbasistobe mapped

      to the purpose of processing cannot be reconciled with a literalreading of the GDPR, the IE SA, for
      completeness, alsoengagesina systemic readingbasedon thelegislator’sobjective andthecontents
      of theGDPRasa whole        .

238. In this context, the IE SA points out that the six principles laid down under Article 5 GDPR are
      interconnectedandoperatein combinationtounderpin the whole GDPR           437.However,theIESA does
      not assess whether MetaIE’sprocessing activitiesentaila separate infringement of the principles of

      purpose limitationanddataminimisation under Article5(1)(b) andArticle 5(1)(c)GDPR.

      7.2 Summary of the objection raisedby the CSAs

239. According tothe ITSA, thereisanadditionalinfringement ofpoints (b)and(c)of Article5(1)GDPRon
      accountof MetaIE’sfailuretocomplywiththe purpose limitationanddataminimisation principles. It

      considers that suchinfringement should be found without the needfor anyfurther investigationand
      should result intoa substantialincrease ofthe proposed administrative fine  438.

240. The IT SA puts forward several factual and legal arguments for the proposed change to the Draft

      Decision.First,itpointsout thattheIESAconfinesitsassessment toonlyone ofthecontractspurposes
      (the provision of online behavioural advertising), while the Instagram service would actually be
      composed of several processing activities pursuing several purposes   439. According to the IT SA, the

      fact that Meta IE inappropriately based its multifarious processing activities only on Article 6(1)(b)
      GDPRentailsaninfringement ofthe purpose limitationanddataminimisation principles         440. The IT SA

      stresses the relevance of these principles in online services contracts, astheyare not negotiatedon
      an individual basis, and refers to pages 15 and 16 of the WP29 Opinion 03/2013 on purpose
      limitation   .The ITSA also refersto the EDPBGuidelines 2/2019 on Article 6(1)(b) GDPR andrecalls
      that, where the contract consists of several separate services or elements of a service that can be

      437Draft Decision, paragraph 152 andparagraphs 153-160withrespect to theprincipleof purposelimitation


      Adopted      performed independently, the applicability of Article 6(1)(b) GDPR should be assessed for each of
      those services separately    .

241. On the risks posed by the Draft Decision, the IT SA refers to the risk identified by the WP29 in its
      Opinion 03/2013 on purpose limitation      443, namely that “data controllers may seek to include

      processingtermsincontractsto maximise thepossible collectionand usesof datawithout adequately
      specifying those purposes or considering data minimisation obligations”  444. In addition, in the IT SA’s

      view, the failure to specify and communicate the purposes of the processing to the data subject
      creates a risk of artificially expanding the types of processing or the categories or personal data
      considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would

      nullify the safeguardsaffordedtodata subjectsunder dataprotectionlaw       445.

      7.3 Position of the LSA on the objection

242. The IE SA does not consider that the IT SA’s objection is relevant and reasoned    446. Categorising the

      objection asrelating tothe scope andconduct ofthe inquiry, the IE SA adopts the same approachas
      with regard to the alleged infringement of the principle of fairness. More specifically, the IE SA

      contends thatintroducing novel issues not raised bythe Complainant or otherwise put tothe parties
      would represent a significant departurein termsof the scope of the inquiry    44. It highlightsthe legal

      consequences thatwouldflow frommaking materialchangesconcerninginfringementsoutside ofthe
      complaint andDraftDecision,namelythelikelihood thatMetaIEwouldsucceedinarguingbeforethe
      IrishCourts thatit hasbeendenied anopportunity tobe heardon additionalandextraneousfindings

      thatare adverse toit  448.The IE SA’sconcernarose from the fact that,accordingtothe IE SA, MetaIE
      wasnever invitedto be heardin response toanallegationthatit had infringedthe fairness principle

      set out in Article 5(1)(a) GDPR. The IE SA notes, in this regard, that a respondent has the right tobe
      heardin response tothe particularsof the case being made against it andthat this is a core element

      of a fair procedure pursuant toIrish law.The IESA takesthe view thatexpanding the materialscope
      of the inquiry is not possible under Irish procedurallaw 449.Itfurther notes that avery significant risk

      ofproceduralunfairness, under Irishnationallaw,wouldresult from the proposal toassume, without
      anyfurther factualexamination,thatMetaIE hasinfringedthe purpose limitationprinciple         45.

      7.4 Analysis of the EDPB

      7.4.1 Assessment of whether theobjection was relevant and reasoned
243. The ITSA’sobjection concerns “whetherthereisan infringement oftheGDPR”              .


      Adopted244. The EDPB takes note of Meta IE’s view that the IT SA’s objection does not meet the relevant and
      reasoned thresholds because it falls outside the defined scope of the inquiry        . As previously
      explained, the EDPBdoes not share the understanding thatCSAs maynot disagree withthe scope of
      the inquiry asdecidedby the LSA bywayof anobjection     453.

245. MetaIEpointsout thatthe objectionconcernsmattersthathavenot beeninvestigatedandrelatesto
      theoreticalfindings on legalbases    . Meta IE further arguesthat even if the objection satisfied the
      abovementioned thresholds, it should be disregarded because otherwise Meta IE’s right to fair
      proceduresunder bothIrishand EUlaw would be contravened          .

246. The EDPB considers that the IT SA objection is relevant as it refers to specific parts of the Draft

      Decision, namely Finding 2 and Finding 3    456, and argues that the IE SA should have found an
      infringement of Article 5(1)(b) and Article 5(1)(c) GDPR which lay down the principles of data

      minimisation andpurpose limitation.

247. The objection also includes argumentson legaland factualmistakesin the IESA’s DraftDecisionthat
      require amending.According tothe ITSA, theIE SA’sreasoning isinconsistent because thehigh-level,
      ratherunclearinformation provided tothedatasubjects isa major criticalitythat shouldhave ledthe

      IE SA not only to question the features of the information notice, but also to verify, in detail, the
      application of the principles of purpose limitation and data minimisation from a substantive
      perspective    . More specially, the ITSA takesthe view that the IE SA should have hadregardtothe
      actualconfigurationof theprocessing operations performedin ordertoassess whetherthecontroller

      had abided by the obligation toprocess personal data for specified, explicit and legitimatepurposes
      bothwhen collectingthose dataandthereafter      45.

248. As regards the risk posed by the Draft Decision, the EDPB takes note of the IT SA’s reference to
      paragraph16 of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR and reiteratesthe particular

      relevance ofArticle 5(1)(b) andArticle 5(1)(c)GDPRin the contextof contractsfor online services, in
      view of the risk that data controllers may seek to include generalprocessing terms in contracts in

      order to maximise the possible collection and uses of data, without adequately specifying those
      purposes or considering dataminimisationobligations   45.Nevertheless,theEDPBstressesthatamere
      referencetothe EDPBGuidelinesisnot sufficient todemonstratetherisks posedbythe DraftDecision

      inthis specific caseand inthese specific circumstances.

249. The IT SA also considers that the purposes for the processing “must be clearly specified and
      communicated to the data subject, in line with the controller’spurpose limitation and transparency

      obligations”, otherwise there is “a risk that other data protection obligations might be evaded by
      artificiallyexpanding the typesofprocessing or thecategoriesofpersonaldata that areconsideredto

         Meta IEArticle65Submissions,Annex1,paragraphs7.1-7.4.
      454Meta IEArticle65Submissions,Annex1paragraphs7.2.
      455Meta IEArticle65Submissions,Annex1,paragraphs7.3.
         TheIT SArefers to theIE SA’s reasoning preceding Finding 2 and to paragraphs 122-149and 184, 185and

      Adopted      be ‘necessary’forperformanceofthecontractunder Article6(1)(b)GDPR -which would in turn nullify
      thesafeguards affordedto datasubjectsbypersonaldata protectionlaw”         46.

250. The EDPB recalls that the objection must put forward arguments or justifications concerning the

      consequences of issuing the decision without the changesproposed in the objection, andhow such
      consequences would pose significant risks for datasubjects’ fundamentalrightsandfreedoms       46.The

      CSA needs to advance sufficient arguments to explicitly show that such risks are substantial and
      plausible462. Inaddition,the demonstrationofthe significance ofthe risks cannotbe implied from the
      legaland/or factualargumentsprovidedbythe CSA, but hastobe explicitlyidentified andelaborated
      inthe objection    .

251. The EDPB considers that the IT SA’s objection fails to meet these requirements as it does not
      demonstratethe significance of the risk stemmingfrom anomission inthe DraftDecisionof afinding
      that the principles of purpose limitationand data minimisation have beeninfringed by Meta IE. The

      risk, asdescribed by the IT SA objection, is not substantial andplausible enough. Moreover, the risk
      relatesto the IE SA’s decision not to conclude on the inappropriate use of Article 6(1)(b) GDPR asa

      legalbasis for MetaIE’sprocessing activitiesbut fails toestablish a clear link withthe LSA’sdecision
      not tomake a finding on the infringement ofArticle 5(1)(b) andArticle5(1)(c) GDPR.

252. Therefore, the EDPB considers that the abovementioned objection by the IT SA is not reasoned (cf.
      Article4(24) GDPR)andwillnot assess iton the merits.


      8.1 Analysis by the LSA inthe DraftDecision

253. The IE SA considers thatanorder tobring processing into compliance (Art. 58(2)(d) GDPR)should be
      imposed on Meta IE, requiring them tobring their Data Policy andTerms of Service into compliance

      with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR asregardsprocessing carriedout on the
      basis ofArticle 6(1)(b) GDPRwithinthreemonths of thedate ofnotification ofanyfinal decision       46.

254. The LSA considers an order is necessary and proportionate, contrary to the controller’sposition     46.
      Regarding the necessity, the IE SA explains that this order is the only way toguarantee that Meta IE

      amendsthe infringementsoutlined in the DraftDecision,which isessentialfor the protectionofdata
      subjects’ rights46. Concerning the proportionality, the LSA points out that the proposed measure is

      the minimum action required to ensure the future compliance of the controller. Further, the IE SA

      465 Meta IE Submissions on Preliminary Draft Decision, paragraphs 12.1, 12.2, and 12.4; Draft Decision,

      Adopted      recallsMetaIE’savailableresources,thespecificity ofthe LSA’sorder, andthe importanceof thedata
      subject’srightsconcernedtoconclude thatsuch measureis proportionate           .

      8.2 Summary of the objections raised by the CSAs

255. The NL SA objects tothe choice of the corrective measuresof the LSA in their Draft Decision    468. The
      NLSA notesthattheIESA isproposing toimpose anorder pursuant toArticle58(2)(d)GDPRalongside

      an administrative fine, and that this objection concerns the first of these two measures     46. More
      specifically, theNL SA objectstotheorder tobringprocessing intocompliance (Article58(2)(d) GDPR)

      within three months proposed by the LSA, arguing that it is not appropriate, not necessary, nor
      proportionate to ensure compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR, as

      well as the additional infringement of Article 6(1)(b) andArticle 9(2) GDPR raisedin its objection 47.
      The NL SA takes the view that the proposed order is insufficient to remedy the serious situation of

      non-compliance arising from these infringements, since it does not remedy the illegality of the
      conduct carriedout during the transitionperiod (i.e. the time between the issuance of the decision

      andtheexpirationdateof theorder),bearing inmindthateverydaythe service continuesoperations
      as described in the Terms of Use andData Policy, it does so in an illegalwayharming the rightsand
      freedoms ofmillions of datasubjects in the EEA     .Accordingtothe NL SA, the DraftDecisionshould
      be modified to include a temporary ban on Meta IE’sprocessing of personal data for the duration

      necessary for the controller to bring its processing into compliance with the GDPR (Article 58(2)(f)
      GDPR), as this would be appropriate, necessary and proportionate taking into account the
      circumstancesofthe case   472,andwouldbe the onlymeasure suitabletomakesure thattheexpansive

      violation ofthe fundamentalrightsand freedomsof datasubjects is not continued       47. The NL SA also
      arguesthat the breachesofthe GDPR establishedbythe LSA, combinedwiththe additionalbreaches

      put forward bythe NL SA, areof a very gravenature andjustify haltingprocessing operations during
      the time the controller needs to remedy its severe lack of compliance      474. In essence, the NL SA

      identifies the risk posed by the DraftDecision in thatit allowsthe companyto resume operations as
      usual while amending the compliance deficits (with regard to transparency), which they argue
      essentially deprivesdata subjectsof their rightsduring atransitionperiod     .

256. The FISA alsoarguesthatthe IESA should “exerciseeffective,proportionateanddissuasive corrective
      powers” and order Meta IE to“bring itsprocessing operations into compliance with the provision of

      Article 6(1) GDPR and prohibit to process users’ personal data for behavioural advertising by relying
      on Article 6(1)(b) GDPR as laid down in Article 58(2)(d) GDPR”     476. The HU SA reaches the same
      conclusion, proposing toapplythe legalconsequencesunder Article58(2)(d) GDPRandtoinstructthe

      controller toindicate a different legalbasis47. Onthe risks, boththe FI andthe HU SAs statethatthe
      absence of appropriate and necessary corrective powers would amount to a dangerous precedent,

      476FI SAObjection,paragraph25.

      Adopted      sending a deceiving message to the market and to data subjects whose fundamental rights and

      freedoms wouldultimatelyjeopardise      478.Moreover, theFI SA notes thattheDraftDecisionaffectsall
      datasubjectswithintheEEAandthat,therefore,theconsequencesofnot makinguse ofthecorrective

      measurespursuant Article58(2)would be enormous         479.

257. The AT SA requests thatthe LSA makes use of itscorrective measurespursuant toArticle 58(2)GDPR
      in relationto the additional infringement of Article 6(1)(b) GDPR    48, inorder tobring the processing
                                                          481                              482
      operationsofthecontroller inline withtheGDPR           andremedytheinfringement         .Accordingtothe
      AT SA, the IESA should exercise ‘’correctivepowers’’soastoensure thatMeta IE couldnot continue

      to unlawfully rely on Article 6(1)(b) GDPR for the processing of users’ personal data for behavioral
      advertising 483. More specifically, the AT SA suggests that the IE SA prohibits Meta IE “the processing
      of a user’s datafor behavioural advertising by relying on Article 6(1)(b) GDPR”       . Inthe absence of
      additionalcorrectivemeasures,theATSAconsidersthatifcorrectivemeasuresarenotimposed, there

      is a risk “that [Meta IE] continues to unlawfully rely on Article 6(1)(b) GDPR for the processing of a
      user’s data for behavioural advertising and continues to undermine or bypass data protection
      principles’’    , which would affect millions of data subjects within the EEA and bear vast
      consequences   486.

258. The FR SA notes that reversing the findings concerning the infringements of Article 6(1) GDPR also

      affects the scope of the corrective actions proposed by the IE SA, in addition to the administrative
      fine 487

259. Finally, accordingtothe NOandDESAs,the IESAshould takeconcretecorrectivemeasuresinrelation
      totheadditionalinfringement ofMetaIEwithArticle6(1)(b) GDPR,namelytoorderMetaIEtodelete

      personal data that hasbeen unlawfully processed on Article 6(1)(b) GDPR andtoprohibit the use of
      thislegalbasis for such processing activities 488.

      478FI SAObjection,paragraph28;HUSAObjection,p.4.
      479FI SAObjection,paragraph29.
      481AT SAObjection,p.7.
         AT SAObjection, p. 8. TheAT SAalso highlights that according to theCJEU wherean infringement is found
      during a complaint-based procedure, theSA is under an obligationto takeappropriateaction by exercising
      correctivepowers,anditcitesC-311/18,paragraph111.Additionally,theAT SAclarifiesthatalthoughittakes

      the positionthat a complainant does not havea subjectiveright to request from therespectivesupervisory
      authoritytheexerciseofa specificcorrectivepoweranditisuptotheauthorityonlytodecidewhichactionis
      482AT SAObjection,p.8-9.
         AT SAObjection,p.7-8.
      484AT SAObjection,p.9.
      485AT SAObjection,p.7.
      486AT SAObjection,p.8.
      488DESAs Objection,p.10;NOSAObjection,p.9.

      Adopted      8.3 Position of the LSA on the objections

260. The IESA does not consider the objections above tobe relevantand/or reasonedanddoesnot follow
      them  48. Giventhat these objections were premised upon the requirement for the DraftDecision to
      include a finding of infringement of Article 6(1)(b) GDPR on which the IE SA expressed its

      disagreement,theIESAdoesnot consider theobjectionsrequesting theexerciseofacorrectivepower
      inresponse toa finding of infringementof Article6(1)(b) GDPRasbeing relevant andreasoned     490.

      8.4 Assessment of the EDPB

      8.4.1 Assessment of whether theobjections were relevant and reasoned

261. The objections raisedby theAT,DE,FI,FR,HU,NLandNOSAsconcern“whethertheactionenvisaged
      inthe DraftDecisioncomplies withthe GDPR”       .

262. Inaddition tothe primaryargumentlevelledagainst allCSA’sobjections, MetaIE provides additional
      argumentson whetherthese are relevantand/or reasoned      492.

263. Meta IE argues the AT and NL SAs’ objection cannot be considered relevant because they are
      dependent on another objection, which Meta IE deems inadmissible and without merit       493. On the
      same basis, MetaIE refutesthatthe AT SA’sobjection isadequatelyreasoned        . Asstatedabove,in
      Section 4.4.1, the EDPB finds the AT and NL SAs’ objections on the subject of Article 6(1)(b) GDPR
      relevantand reasoned     .

264. Additionally, MetaIEarguesthatthe AT andNL SAs’ objections fail toset out how the DraftDecision
      would pose a direct andsignificant risk to fundamental rightsand freedoms. First, Meta IE refersto
      theirargumentsputforwardinresponse tothe ATandNL SAs’objections onthematterofcompliance

      with Article 6(1)(b) GDPR 496. The EDPB has takenthis line of reasoning into consideration above in

      489CompositeResponse,paragraphs103-104(inresponsetotheATandFI SAs),paragraph105(inresponseto
      NLSA), paragraph106(inresponsetoDESAs),paragraph107(inresponsetoNOSA)andparagraph108(in
      492Meta IEargues that“theEDPBcannotexpandthescopeoftheInquiryinthemannersuggestedbytheCSAs

      disregardedintheirentiretybytheEDPB”.TheEDPBdoes notsharethisunderstanding,asexplainedabove.
      493Meta IEArticle65Submissions,Annex1,p.71:“TheATSA’sObjectionfailstosatisfytheSufficientlyRelevant

      is usedinresponsetotheNLSA’s objectioninMetaIEArticle65Submissions,Annex1,p.110.
      494Meta IEArticle65Submissions,Annex1,p.71:“TheATSA’sObjectionfailstosatisfytheAdequatelyReasoned
      Threshold because it is premised on its Objection that Meta Ireland infringed Article 6(1) GDPR, which, as

      responsetotheNLSA’s objectioninMeta IEArticle65Submissions,Annex1,p.110.
      496Meta IEArticle65Submissions,Annex1,p.72andp.111.

      Adopted      Section 4.4.1 497. Second, Meta IE puts forward that the AT and NL SAs appear to consider that the
      Draft Decision provides “a mandate for Meta Ireland to unlawfully process data”       . Meta IE points
      out thatnosuchinferencecanbedrawnfrom theDraftDecision,goingontodrawtheconclusion that

      “asthe DraftDecisiondoesnot in anyway give a blanket approval for any unlawful processing based
      on Article 6(1)(b) GDPR, there is no direct and significant risk to the fundamental rights and
      freedoms”     .Astothissecond line ofreasoning, theEDPBfails tosee wording by whichthe ATSA or
      NL SA might have suggested it understands the Draft Decision as a mandate for Meta Ireland to

      unlawfully process data,thuslimiting future investigations.

265. The NLSA disagreeswiththecorrectivemeasure chosenby theIESA inadditiontothe administrative

      fine, arguinga temporarybanon processing (Article58(2)(f) GDPR)should have been included inthe
      Draft Decision instead of an order to bring processing into compliance. If followed, this objection

      wouldleadtoadifferentconclusion astothechoiceofcorrectivemeasures.Inconsequence,theEDPB
      considers the objection tobe relevant.

266. The NL SA argues that an order to bring processing into compliance entails that Meta IE would
      maintain its illegal conduct while they amend their compliance deficits     . Conversely, a temporary
      ban on Meta IE’s processing of data would ensure that data processing is halted during the time
      needed for the company tochange its practicesto comply withthe GDPR           .Intermsof risk, the NL
      SA puts forwardthat ‘’nottemporarilybanning thisprocessing would underminethe effectivenessof
      theGDPR’’,andwouldcontinue todeprive datasubjectsoftheir rightsduring thetransitionperiod            .
      The NL SA considers the risk significant, asthe controller provides the Instagramservice tohundreds
      of millions ofusers across Europe and because the processing involves special categoriesof personal

      data 503.Therefore, the EDPB considers the objection to be reasonedandtoclearlydemonstrate the
      significance of therisks posed bythe DraftDecision.

267. TheAT SA disagreeswitha specific partoftheIESA’sDraftDecision,namelyChapter 8‘’Ordertobring

      processinginto compliance’’,arguingthatthe LSA should have included correctivemeasures inorder
      toremedyaninfringement ofArticle6(1)(b) GDPR       504.Morespecifically,the ATSA suggeststhattheIE
      SA prohibits Meta IE from relying on Article 6(1)(b) GDPR      . Therefore, if followed, this objection
      would leadto a different conclusion asto the choice of corrective measures   506. Inconsequence, the

      EDPBconsiders the objection tobe relevant.

268. Furthermore,theATSAarguesthatwhenaninfringementisfound-notablyinlightofotherobjections
      raised in the current case in relation to additional infringement of Articles 6(1)(b) - the supervisory

      authority is under an obligation to issue appropriate corrective measures pursuant to Article 58(2)

         Meta IEArticle65Submissions,Annex1,p.111.AnalogouswordingisusedinresponsetotheATSA, Meta
      IE's Article65Submissions,Annex1,p.72.
      499Meta IEArticle65Submissions,Annex1,p.111.AnalogouswordingisusedinresponsetotheATSA, Meta
      IE's Article65Submissions,Annex1,p.72.
         AT SAObjection,pp.7-8.
      505AT SAObjectionpp.7-8.
      506AT SAObjection,pp.7-8.

      Adopted      GDPR.Intermsofrisk, the AT SA arguesthat without this amendment of the DraftDecision, MetaIE
      “could simply continue to unlawfully rely on Article 6(1)(b) GDPR and to undermine data protection
      principles” which would continue toaffect millions of datasubjects within the EEA0.Therefore,the

      EDPBconsiders the objection tobe reasonedandtoclearlydemonstrate the significance of the risks
      posed by theDraftDecision.

269. Considering the above, the EDPBfinds thatthe objections of theAT andNL SAs requesting additional
      and/or alternativespecific correctivemeasurestobe imposed arerelevantandreasonedpursuantto
      Article4(24) GDPR.

270. In addition, the EDPB recalls the analysis made in Section 4.4.1 above concerning the objections in
      relationtotheadditionalbreachby MetaIEofitslawfulness obligationmadebythe FRSA (requesting

      totakeappropriate correctivemeasures), andbythe FI andHU SAs(asking the LSA totakecorrective
      measuresunder Article58(2)(d) GDPR),whichwerefound tobe relevantandreasoned.

271. The EDPBrecallsthatthe DE andNOSAscalledonthe LSA totake specific correctivemeasuresinthe
      event theEDPBfollowedtheir objectionon compliancewithArticle6(1)(b) GDPR.TheEDPBconsiders
      these to be reflections upon how, in their view, the LSA should give full effect to the binding

      direction(s)assetoutintheEDPB’sdecision   50.Intheabsenceoflegalorfactualargumentsthatwould
      justify including these specific corrective measures in the Draft Decision as opposed to others, the
      EDPB does not consider this aspect of the DE and NO SAs’ objections to meet the requirements of

      Article4(24) GDPRastheyarenotsufficientlyreasoned.

      8.4.2 Assessment on the merits


272. The EDPBconsiders thatthe objections found tobe relevantand reasonedin this subsection require
      an assessment of whether the Draft Decision needs to be changed in respect of the corrective

      measures proposed. More specifically, the EDPB needs to assess the request to impose a ban of
      processing for both the infringements of the transparency obligations found by the LSA and the
      additional infringement of Article 6(1) GDPR established above in Section 4.4.2, andthe connected

      issue of the corrective measure to be imposed for the infringement of Article 6(1) GDPR. When
      assessing the meritsof the objections raised, the EDPBalso takesinto account MetaIE’sposition on
      the objection anditssubmissions.

273. Bywayofintroduction, the EDPBhighlightsthatthe analysis carriedout in thissection doesnot refer
      tothecontentoftheDraftDecisionandoftheobjectionsinrespectoftheimposition ofadministrative

      fines, which arecoveredbelow inSection9.

         AT SAObjection,p.8.


      Adopted      MetaIE’sposition on theobjectionsand itssubmissions

274. MetaIEconsidersthe LSAhassole discretiontodeterminethe appropriatecorrectivemeasuresinthe

      event of a finding of infringement  509and that the EDPB lacks competence to determine or adopt
      decisions onappropriate correctivemeasures    510.

275. While MetaIEacknowledgesthat“Article65(1)GDPRallowstheEDPBtoconsiderreasonedobjections

      as to whether the envisaged corrective measures comply with the GDPR”, it argues that CSAs are
      strictlylimitedtocriticism ofthe correctivemeasuresalreadyput forwardintheDraftDecisionbythe

      LSA. Therefore,accordingtoMetaIE,“should theEDPBfind an infringementof Article6(1)GDPR[...],
      to impose any appropriate corrective measures. To do otherwise, including direct the DPCto make a

      specific orderinthetermsproposedbycertainObjections,wouldexceedtheEDPB’scompetenceunder
      Article65 GDPR”   51.

276. Withrespect tothe issue ofthe correctivemeasure tobe imposed for theinfringement of Article6(1)

      GDPR,ifany,MetaIE arguesthata temporarybanisneither necessary, nor proportionate toachieve
      theobjective ofensuringcompliance withtheGDPR,asthereexistsalternative,lessonerousmeasures
      tobringitsprocessing operationintocompliance withtheGDPR           .Inaddition,MetaIEcontendsthat
      it would be both unfair anddisproportionate to order an immediate ban given that it relied upon a
      good faith understanding as to what it considered to be a valid legal basis     513. Further, Meta IE

      considers there is no urgent necessity for a banbased on other decisions takenunder the Article 60
      GDPRcooperationmechanism insimilar circumstances       514.Finally,MetaIEputsforwardthesignificant

      impact of a temporaryban not only on itsactivities but also on third parties’business, such as small
      andmedium sizedbusinesses acrossEurope, relying onthe platform for behavioural advertising       515.

      EDPB’sassessment on themerits

277. First of all, according to the EDPB, the views of Meta IE amount to a misunderstanding of the GDPR

      one-stop-shop mechanism and of the shared competences of the CSAs. The EDPB recalls that the
      GDPR requires supervisory authorities to cooperate pursuant to Article 60 GDPR to achieve a
      consistent interpretation of the Regulation    . The fact that the LSA will be the authority that can
      ultimatelyexercise the corrective powerslisted in Article 58(2)GDPRcannot neither limit the role of
      the CSAs withinthe cooperationprocedure nor theone ofthe EDPBinthe consistency procedure             .

      510Meta IEArticle65Submissions,paragraphs8.4and8.18.
         Meta IEArticle65Submissions,paragraph8.6.
      511Meta IEArticle65Submissions,paragraph8.13.
      512Meta IEArticle65Submissions,paragraph8.27.
      513Meta IEArticle65Submissions,paragraph8.28.
         Meta IEArticle65Submissions,paragraph8.28.
      515Meta IEArticle65Submissions,paragraph8.29.
      516 See Art. 51(2), Art. 60, Art. 61(1) GDPR, and C-645/19, Facebook v Gegevensbeschermingsautoriteit,
         See Art. 63 and 65 GDPR. In this regard it should benoted that Recital 11 GDPR stresses that ‘effective
      protection of personal data throughout the Union requires [...] equivalent sanctions forinfringements in the
      MemberStates’. Therefore, in orderto ensurethis ‘consistent monitoringandenforcement’ of theGDPR, the

      Adopted278. More specifically, when raising an objection on the existing or missing corrective measure(s) in the

      Drafting Decision, the CSAs should indicate which actionthey believe would be appropriate for the
      LSA toundertakeandinclude inthe finaldecision    518. Incaseof disagreementonthese objections, the
      dispute resolution competence of the EDPBcovers ‘’allthe matterswhich are subject of therelevant
      and reasonedobjection’’(emphasisadded)        . Therefore,contrarytoMetaIE’sviews,the consistency
      mechanism may also be used to promote a consistent application by the supervisory authorities of
      their correctivepowers, takingintoaccount the rangeofpowerslisted inArticle 58(2)GDPR          ,when
      arelevantandreasonedobjectionquestions theaction(s)envisagedbytheDraftDecisionvis-a-visthe

      controller/processor, or theabsence thereof.

279. Inaddition, the EDPBfinds thatMeta IEmisunderstands the AT SA’s objection when it arguesthatit

      does acknowledge that it is for the LSA alone to decide which corrective measures are appropriate
      andnecessary, byciting paragraph112of the SchremsIICJEU judgment        521.Infact,the ATSA doesno

      such thing: in its objection it stated‘’acomplainant doesnot have a subjective right to request from
      the respective supervisoryauthority(in this case: the DPC)the exercise ofa specific corrective power

      and it is for the supervisory authorityalone to decide which action is appropriate and necessary(see
      C ‑311/18, point 112)’’522anddid not engage inan interpretationof how Article 58(2) GDPR is to be
      understood in cross-border cases in the sections referred to. The cooperation and consistency

      mechanism of the GDPRisnot addressed inCJEU ruling C-311/18 (SchremsII)either.

280. Moving onto the analysis of the issue of corrective measuresas requiredby the objections found to
      be relevant and reasoned above, the EDPB recalls that when a violation of the GDPR has been

      established, competent supervisory authorities are required to react appropriately to remedy this
      infringement in accordance with the means provided to them by Article 58(2) GDPR     523. Article 58(2)
      GDPRprovidesa wide choice ofeffectivetools for theauthoritiestotakeactionagainstinfringements

      of the Regulationandwhich can be imposed in addition toor instead of a fine. According to Recital
      129 GDPR, every corrective measure applied by a supervisory authority under Article 58(2) GDPR

      should be ‘‘appropriate, necessary and proportionate in view of ensuring compliance with the
      Regulation’’inlightof allthe circumstancesofeachindividual case.Recital148 GDPR showsthe duty

      for supervisory authorities toimpose corrective measuresthat are proportionate to the seriousness
      of the infringement  52. This highlights the need for the corrective measures and any exercise of
      powersby supervisory authoritiestobe tailoredtothe specific case    525.

281. Considering the nature and gravityof the infringement of Article 6(1)(b) GDPR established above in

      Section4.4.2,aswellasthe number of datasubjects affected,theEDPBsharesthe view of the AT,FI,

      519Art. 65(1)(a)GDPR.
         Meta IEArticle65Submissions,paragraph8.6.Seeaboveparagraph274.
      522AT SAObjection,p.8.
      524Recital 148GDPR states, forinstance:“in a case of a minorinfringement orif the fine likely to be imposed

      would constitute a disproportionate burden toa natural person, a reprimand may be issuedinsteadof afine”.
      measures in general and for the choice of the combination of corrective measures that is appropriate and

      Adopted      FR, HUand NL SAs thatit is particularlyimportantthat appropriatecorrective measuresbe imposed,

      inaddition toa fine, inorder toensure thatMetaIEcomplies withthisprovision ofthe GDPR.

282. Inrespectof whichmeasure should be imposed, asstated,theNL SA arguesthatthe IESA's proposal
      toorder MetaIEtocomplywithArticle5(1)(a), Article12(1)andArticle 13(1)(c)GDPRwithina period
      of threemonths is not appropriate,considering these breachesinconjunction withthe gravityofthe

      additional breachesof Article 6(1)(b) and Article 9(2)GDPR identified in its objection526. Instead,the
      NL SA is of the opinion that only a temporaryban imposed in respect of all these infringements can

      effectively protectthe rightsof the data subjects during the transition period inwhich the controller
      remedies to these violations   52. The FI SA considers that the IE SA should “exercise effective,

      proportionate and dissuasive corrective powers” and, taking into account the nature of the
      infringement, order MetaIE to“bringits processing operations into compliance with the provision of

      Article 6(1) GDPR and prohibit to process users’ personal data for behavioural advertising by relying
      on Article 6(1)(b) GDPR as laid down in Article 58(2)(d) GDPR”  528. The HU SA proposes to apply the
      legalconsequences under Article 58(2)(d) GDPR in relationtoviolation of Article 6(1) GDPRby Meta

      IE andtoinstruct the controller toindicate a another alternativelegalbasis  529. Inaddition, the AT SA
      callsontheIESA touse itscorrectivepowersunder Article58(2)GDPRinordertobringthe processing

      operations of Meta IE into line with the GDPR, and suggests ‘’that the DPC prohibits Facebook the
      processing of a user’s data for behavioural advertising by relying on Article 6(1)(b)’ stating that
      ‘otherwise,Facebookcould simply continue tounlawfully relyon Article6(1)(b) GDPR’’        .

283. Meta IE argues that a temporary ban would not be necessary as less onerous measures could be
      imposed and that it would be unfair and disproportionate, also considering its impact on third
      parties 53.

284. The EDPBagreeswiththe observations madeby the NLSA thatthe infringement found inthe case at

      hand constitutes a “very serious situation of non-compliance”      532with the GDPR, in relation to
      processing of “extensiveamountsof[...]data,whichis essentialto thecontroller’sbusinessmode”’      533,
      thusharming“therightsand freedomsofmillions ofdata subjectsin theEEA”            .Asaresult, theEDPB

      aimtobringthe processing intocompliancewiththeGDPRthusminimising thepotentialharm todata
      subjects createdbythe violations of theGDPR.

         NL SAObjection, paragraph57. In this respect, theEDPB recalls that, as stated in Sections 4.4.2 and 5.4.2
      above,whiletheEDPBfinds thattheIESAshouldhavefoundaninfringementofArt.6(1)(b)GDPRinits Draft
      Decision,itdoesnothavesufficientfactualevidenceallowingittofinda possibleinfringementbyMeta IEofits
      528FI SAObjection,paragraph25.
      530AT SAObjection,p.8-9.
      532Meta IEArticle65Submissions,paragraphs8.27-8.28.

      Adopted285. Inaddition, the EDPB recallsthatcontrarytoMetaIE’scontention, it is not necessarytoestablish an
      ‘urgentnecessity’ 535for imposing atemporaryban, in thatnothing in the GDPRlimits the application
      of Article58(2)(f) GDPRtoexceptionalcircumstances       .

286. Atthe sametime,theEDPBnotesthatinassessing the appropriatemeasuretobeapplied, Recital129

      GDPR provides that consideration should be given to ensuring that the measure chosen does not
      create ‘’superfluouscosts’’ and‘’excessive inconveniences’’ for the persons concerned in light of the

      objective pursued. When choosing the appropriate corrective measure, there is a need to assess
      whether the chosen measure is necessary to enforce the GDPR and achieve protection of the data
      subjects withregardtothe processing oftheir personaldata,whichis the objective being pursued       53.

      Compliance withtheprinciple of proportionalityrequiresensuring thatthe chosen measuredoes not
      createdisproportionate disadvantagesinrelationtothe aim pursued.

287. The EDPB takes note of the elements raised by the objections, particularlythe NL SA, to justify the
      needfor imposing atemporaryban,consisting in essence inthe need tohalt the processing activities

      prejudicing data subject rights. However, the EDPB considers that the objective of ensuring

      compliance and bringing the harm to the data subjects to an end can, in this particular case, be
      adequatelymetalsobyamendingtheorder tobring processing intocompliance envisagedintheDraft

      Decision. In addition tothe fines that willbe imposed, this measure would require Meta IE toput in
      placethenecessarytechnicalandoperationalmeasurestoachievecompliance withinaset timeframe.

288. Inrespectofthe imposition of anorder tobring processing intocompliance, MetaIEsubmitsthatany
      such order should ‘’afforda reasonable opportunity’’toMetaIE tocomply      538. Whendetermining the

      transitionperiodfor bringingMetaIE’sprocessingintocompliance withGDPR,theEDPBrequeststhat
      the IE SA gives due regardtothe harm caused tothe data subjects by the continuation of Meta IE’s

      infringement ofArticle6(1)GDPRduring thisperiod. More specifically, theorder should requireMeta
      IEtorestorecompliance withinashort periodoftime.Inthisrespect,theEDPBnotesthat,inresponse
      to Meta IE’s submission, the IE SA considered the three-month deadline for compliance for the

      infringements of Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR necessary andproportionate
      in light ofthe potentialfor harmstothe datasubjects rightsthatsuch a measure entails, considering
      that the interim period for compliance ‘’willinvolve a serious ongoing deprivation of their rights’’ .
      The LSA also points out the significant financial, technological, and human resources, as well asthe

      535Meta IEArticle65Submissions,paragraph8.28.
      536 See a contrario Art. 4 Implementing Decision 2010/87, in its version prior to the entry into force of

         C-311/18, Schrems II, paragraph112:‘’Althoughthe supervisory authority must determine which actionis
      appropriate and necessary and take into consideration all the circumstances [...] in that determination, the
      supervisory authority is nevertheless required to execute its responsibility forensuringthat the GDPR is fully
      538Meta IEArticle65Submissions,point8.31.
         Draft Decision, paragraph 202. Inthis regard, Meta IE argues that this was not a reasonableperiodof time
      within which to makethenecessary changes, as thechanges would beresource-intensiveand wouldrequire
      engagement with the Commission, and localisation and translation of the information forcountries in the


      Adopted      clear instructions provided to Meta IE to comply with GDPR    540. The EDPB considers that this line of
      reasoning applies all the more to the corrective measures imposed in relation to Meta IE’s

      infringement ofArticle 6(1)GDPR.

289. Finally, the EDPBrecalls thatnon-compliance withanorder issued by a supervisory authoritycanbe

      relevantboth intermsof it being subject toadministrative fines up to20 million euros or,in the case
      of anundertaking,up to4% ofthe totalworldwide annualturnover of the preceding financialyear in
      line with Article 83(6) GDPR, and in terms of it being an aggravating factor for the imposition of

      administrative fines541. Inaddition, the investigative powers of supervisory authorities allow them to
      order the provision of all the information necessary for the performance of their tasks including the
      verificationof compliance withone of theirorders      .

290. The EDPBtherefore instructsthe IESA toinclude in itsfinaldecision anorder for MetaIE tobring its

      processing of personaldatafor thepurpose ofbehaviouraladvertising inthecontextof theInstagram
      services intocompliance withArticle6(1) GDPRwithinthreemonths.

291. Inaddition, the EDPBnotesthatthe currentwording ofthe order“to bring theDataPolicyand Terms
      of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR as regards

      information providedondata processedpursuanttoArticle6(1)(b)GDPR”’shouldbe modifiedinorder
      for the processing of personal data for the purpose of behavioural advertising. Therefore, the EDPB

      instructstheLSA toadjust itsorder toMetaIEtobringitsInstagramDataPolicyandTermsofUse into
      compliance withArticle 5(1)(a), Article 12(1) andArticle 13(1)(c) GDPRwithin three months, to refer
      not onlytoinformationprovided ondataprocessed pursuant toArticle6(1)(b) GDPR,butalsoondata

      processed for the purpose of behavioural advertising in the context of Instagram services(to reflect
      the finding of the EDPB inSection 4.4.2 that for this processing the controller cannot rely on Article

      6(1)(b) GDPR).

      541Art. 83(2)(i)GDPR.
         Art. 58(1)GDPR.


292. The EDPB recalls that the consistency mechanism may also be used to promote a consistent
      applicationof administrativefines 543.

      9.1 On the determination of the administrativefine for the transparency


      9.1.1 Analysis bythe LSA in the Draft Decision

          The applicationof thecriteriaunder Article83(2)GDPR

293. InitsDraftDecision,the IESA explainshow itconsidered the criteriainArticle 83(2)GDPRindeciding
      whether to impose an administrative fine and to determine its amount in the circumstancesof this
      case 544.The most pertinent criteriafor the present dispute aresummarised below.

      Thenature,gravityanddurationoftheinfringement,taking into accountthe naturescopeor purpose
      of theprocessing concernedas wellas the numberof data subjects affectedand the levelofdamage

      sufferedbythem(Article 83(2)(a)GDPR)

294. The IESAexplains thatitassesses theinfringementsofArticle5(1)(a), Article12(1)andArticle13(1)(c)
      GDPR identified in the Draft Decision simultaneously in the context of the Article 83(2) GDPR
      criteria   .Further,the IESA explainsthat‘’theprocessing concerned’’refersto“allofthe processing
      operationsthat[MetaIE]carriesoutinthecontextoftheInstagramserviceonthepersonaldata under
      its controllership for which it relies on Article 6(1)(b) GDPR”, in line with the scope of the inquiry

      (permissibility inprinciple ofprocessing personal datafor behaviouraladvertising) 546.

295. In terms of the nature ofthe infringements, the IE SA explains that they concern a cornerstone of
      data subject rights, namely the right to information. The IE SA argues that ”the provision of the
      informationconcernedgoes to theveryheart ofthe fundamentalright ofthe individual to protection

      ofpersonaldata whichstemsfrom thefreewilland autonomyoftheindividual toshare theirpersonal
      datain avoluntary situation such asthis. Ifthe requiredinformation hasnot been provided, thedata
      subject has been deprived of the ability to make a fully informed decision as to whethertheywish to

      use aservice that involves the processing of their personal data and engagestheir associated rights.
      Furthermore,theextenttowhicha data controller hascomplied with itstransparencyobligationshas

      a direct impact on the effectivenessof the other data subject rights. If data subjects have not been
      providedwith the prescribed information, theymaybe deprived of the knowledge theyneedin order
      to consider exercising one of the other data subject rights”54. Further, the IE SA points out that the

      545“While I emphasise that each is an individual anddiscrete “infringement”of the GDPR, I am proposingto
      and purpose, are likely to generate the same, orsimilar, outcomesin the context of some of the Article 83(2)

      Adopted      breachof the transparencyprinciple by Meta IE has the potentialto undermine other fundamental
      dataprotectionprinciplessur astheprinciples offairnessandaccountability     54.Finally,theIESA notes

      thatthe Europeanlegislator included infringementsonthe right toinformationandArticle 5 GDPRin
      Article83(5) GDPR,whichcarriesthe highest maximum fine      549.

296. In terms of the gravity of the infringements, the IE SA explains that Meta IE is found to also have

      infringed Article 12(1) and Article 5(1)(a)GDPR because the company hasnot provided the required
      information inthe required manner under Article 13(1)(c) GDPR.TheIE SA adds thatthis “represents
      a significant levelof non-compliance,taking into account theimportance of theright to information,

      the consequent impact on the data subjects concerned and the number of data subjects potentially
      affected” 550.

297. With regardsto the nature,scopeorpurposeofthe processingconcerned,theIE SA considers that
      the “processing carried out by [Meta IE] in the context of the Instagram service pursuant to Article

      6(1)(b) GDPR is extensive. [Meta IE]processes a varietyof data in order to provide Instagram users
      with a ‘personalised’ experience, including by way of serving personalised advertisements. The

      processingis centralto andessentialto thebusiness modeloffered,and,for this reason,the provision
      of compliant information in relation to that processing becomeseven more important. This, indeed,
      mayinclude location and IPaddressdata”    551.

298. With reference to the number of data subjects affected, the IE SA points out that, as Meta IE

      confirmed, ’’asof the date of the commencement ofthe Inquiry, i.e. 31 August 2018, [Meta IE]had
      approximately       monthly active accounts and, as of December 2021, it had approximately
              monthlyactiveusersin theEuropean EconomicArea”       552.While noting thefiguresprovided by

      MetaIE incorrectlyexcluded the number of UKactive accountstowhich the GDPRwas applicable at
      the dateoftheComplaint, the LSA consideredthat,whenmeasuring these figuresby referencetothe

      totalpopulationoftheEEA(including theUK),a‘’significantportionofthepopulationoftheEEAseems
      to have beenimpactedby theinfringements’’     553.

299. Intermsof damagessufferedby affecteddata subjects, the IE SA finds that“failure to provide all of
      theprescribed information underminesthe effectivenessofthe data subjectrightsand, consequently,

      infringes the rights and freedomsof the data subjects concerned. A core element oftransparency is
      empoweringdata subjectsto makeinformed decisions aboutengaging withactivitiesthatcause their

      personal data to be processed, and making informed decisions about whether to exercise particular
      rights,and whethertheycan do so. Thisright isundermined bya lackof transparencyon thepart ofa
      datacontroller”  55.

300. OnArticle 83(2)(a)GDPR,theIESA concludes that“[the]infringementsareserious in nature.Thelack

      of transparencygoes to the heart of data subject rights and risks undermining their effectivenessby
      not providing transparentinformation in that regard.While the infringementsconsidered hererelate


      Adopted      to one lawful basis, it nonethelessconcernsvast swathesof personaldata impacting millions ofdata

      subjects. When such factors are considered, it is clear that the infringements are serious in their
      gravity” 55. The IE SA further notes the impact of the infringement on a ‘’significant portion of the

      population of the EEA’’, as well as on ‘’data subject’s ability to be fully informed about their data
      protectionrights,or indeed about whetherin theirview theyshould exercisethoserights’’      556.

301. The IE SA does not attachsignificant weight tothe durationof the infringements      55, considering that
      the complaint - andtherefor the Inquiry - wasmade againsta specific set of documents (Instagram’s

      DataPolicy and Termsof Use) and thatmore recentversions of the relevantdocuments areoutside
      the scope of the Inquiry 55.

      Theintentionalor negligentcharacterofthe infringements(Article83(2)(b) GDPR)

302. The IESA notesthecomplainantsview thattheinfringement arosefrom ‘’[MetaIE]madea deliberate
      and calculated decision to present the information in a particular manner such as to mislead data

      subject’’559 but statesthat there is no evidence that Meta IE ‘’made adeliberate decision to present
      the information to data subject in a particular way’’    560. The IE SA further notes that the EDPB

      Guidelines on Administrative Fines ‘’recognisethatan intentionalbreachgenerallyonly occurswhere
      thereis a deliberateact to infringe the GDPR’’,andthat,in this regard,‘’afinding of intentionalityis

      predicatedon knowledgeand wilfulness as tocharacteristicsofan offence’’.TheIESA finds therewas
      noevidence ofanintentionalandknowing breachofaprovision ofthe GDPR. TheIESAhowever finds

      thatthe infringement wasnegligent,takingintoaccount ‘’the failure ofan organisation ofthis sizeto
      provide sufficientlytransparentmaterialsin relation to thecoreof itsbusiness mode”     56.

      The action taken by the controller or processor to mitigate the damage suffered by data subjects
      (Article83(2)(c) GDPR)

303. The IE SA notes MetaIE’sposition that “hasdischarged itstransparencyobligations in respectof the

      Instagram service and, accordingly, complies fully with the GDPR in this respect.” Notwithstanding
      their disagreementwiththis position, the IESA “accept[s]thatit representsa genuinelyheld beliefon

      [Meta IE’s] part’’. Onthat basis, the IE SA notes that ‘’there hasnot been an effort to mitigate the
      damage to data subjects, as it was [Meta IE’s] position that data subjects were incurring no such
      damage”   562.TheIESA isnot swayedby MetaIE’sargumentthattheireffortstocomplywiththeGDPR

      560DraftDecision,paragraph232.Initsanalysis,theIESAtakes intoconsiderationtheEDPBGuidelineson

      AdministrativeFines onthenotionsof‘intentional’and‘negligent’.DraftDecision,paragraphs230-232.
      561Inthis regard,theIESAnotes that‘’Meta Irelandshouldhavebeenawareofitstransparencyrequirements,
      processing operations carried out pursuant to Article 6(1)(b) GDPR. Meta Ireland furthershould have ensured

      that it adhered strictly to its transparency obligations when choosingthe lawful bases onwhich they rely and
      should have used these obligations as a guide as to the information to be conveyed to data subjects’’ (Draft

      Adopted      should be takeninto consideration, as -in general-compliance withthe GDPRis a duty imposed on

      each controller. In the present case, the IE SA finds this factor is neither mitigating nor aggravating
      insofar as“beyondsimply complyingwith the GDPR,thereareno obvious mitigating stepsthat could
      have been taken”      . Notwithstanding this, the IE SA identifies a mitigating factor in Meta IE’s
      willingness toengageinstepstobring itsprocessing intocompliance ona voluntarybasispending the
      conclusion ofthe inquiry 564.

      The degree of responsibility of the controller taking into account technical and organisational

      measuresimplementedpursuantto Articles25 and 32 (Article83(2)(d) GDPR)

304. The IE SA does mentionthis factor asanaggravatingfactorin the DraftDecision. The IE SA takesthe
      view that, considering that guidance on transparency was available to Meta IE at the date of the

      complaint, it ’’shouldhave been awareof theappropriate standards– albeit at a generallevel– and,
      having madea deliberatedecisionto presentthe information in a manner which fellsignificant below
      thestandardrequired,hasa high degreeofresponsibilityfor thelackofcompliancewiththeGDPR’’          565.

      Anyrelevantpreviousinfringementsbythe controlleror processor(Article83(2)(e) GDPR)

305. The IESA does not mentionthis factoras anaggravatingormitigatingfactorinthe DraftDecision          56,

      taking into consideration that‘’theCommission has not made any findings ofinfringementsby Meta
      Ireland in the context of the Instagram service which could be considered relevant for [this]
      assessment’’    .

      Thecategoriesof personaldata affectedbythe infringements(Article83(2)(g) GDPR)

306. The IESA notesthat “[the]lackof transparencyconcernedbroad categoriesofpersonal data relating
      to userswho sign up to theInstagramservice”      .Althoughacknowledgingthatthe assessment made
      by the IE SA in this Inquiry “was rather generalised in nature” the LSA points out that the lack of

      transparency by Meta IE contributed to the “lack of clarity as to the precise categories of personal
      datarelevantfor thisInquiry”  569.

307. Nonetheless, the IE SA concludes that, in the absence of evidence that these personal data are of a
      particularlysensitive nature,this factorshould be regardedasneitheraggravatingnormitigating      570.

      567Draft Decision, paragraphs 241 and 243. The IE SA notes their disagreement with Meta IE Article 65

      568missionsthattheabsenceofpreviousdecisionshouldbeconsideredasa mitigatingfactor.

      Adopted      The manner in which the infringementsbecame known to the supervisory authority(Article 83(2)(h)


308. The IE SA notes that “[the] subject matter became known to the Commission due to an Inquiry

      conducted on foot of the Complaint. The subject matter did not give rise to any requirement of
      notification,and Ihave alreadyacknowledged severaltimesthatthe controller’sgenuinelyheld belief
      is thatno infringementis/was occurring”     .The IESA does not mentionthis factoras anaggravating
      or mitigatingfactorin theDraftDecision   57.

      Anyotheraggravating ormitigating factor (Article83(2)(k) GDPR)

309. The IE SA considers whether the “lack oftransparencyhas the potentialto have resulted in financial
      benefitsfor [MetaIE]”basedon theview thata “moretransparentapproachtoprocessing operations

      carriedouton foot ofthatcontractwouldrepresentariskto[MetaIE]’sbusiness model”,whichwould
      be thecase“ifexistingorprospectiveusersweredissuaded fromusing theInstagramservicebyclearer

      explanations of the processing operationscarried out, and their purposes”. The IE SA concludes that
      ultimatelyinvolvesanelementofspeculation on both [MetaIE]’sand the Commission’s part”        573.

          The applicationof thecriteriaunder Article83(1)GDPR

310. Basedonthese circumstances,theIESAconsiders thatadministrativefinespursuant toArticle 58(2)(i)

      GDPRandArticle83 GDPR,totalinganamountnotlessthan€18 million andanamountnot morethan
      €23 millionshould be issued onMetaIEforthe infringementofArticle5(1)(a),Article12(1)andArticle
      13(1)(c) GDPRinthe contextof Instagramservice       .

311. The LSA considers that the proposed administrative fines areeffective, proportionate and dissuasive
      taking into account all of the circumstancesof the Inquiry 575. Regarding the effectiveness, the IE SA
      argues that the “infringements are serious, both in terms of the extremelylarge number of data

      subjectspotentiallyaffected,thecategoriesofpersonaldata involved,and theconsequencesthatflow
      from the failure to comply with the transparency requirements for users”         576. Concerning the

      dissuasiveness, the LSA states that the fine must “dissuade both the controller/processor concerned
      as wellas other controllers/processorscarrying out similar processing operationsfrom repeating the


      - a fineof between €11.5millionand€14millionforthefailuretoprovidesufficientinformationinrelationto
      the processing operations carried out on foot of Article6(1)(b) GDPR, thereby infringing Articles 5(1)(a) and
      - a fineof between €6.5millionand€9millionforthefailuretoprovidetheinformationthatwasprovidedon
      theprocessingoperations carried out infoot of Article6(1)(b) GDPR, in a concise, transparent, intelligibleand


      Adopted      conductconcerned”   577.Asregardstheproportionality, theIESA considers thatthefines proposed “do

      not exceed what is necessary to enforce compliance with the GDPR, taking into account the size of
      Instagram user base, the impact of the infringementson the effectivenessof the data subject rights

      enshrinedinChapter IIIofthe GDPRandthe importanceof thoserights in the contextofthe GDPRas
      awhole”  578.

312. The IE SA refers tothe needto takeinto account the undertaking’sturnover in the calculationofthe
      maximum possible fine amounts       . The notion of “undertaking” is determined to refer to Meta
      Platforms,Inc. 580.The IESA takesintoconsiderationthe revenue reportedbyMetaPlatforms,Inc.for
      the yearending 31 December2020 ($85.965billion)     58.

      9.1.2    Summary of theobjections raised by theCSAs

313. The DE,FR, IT, NL, andNOSAs        object tothe envisagedactiontakenby the LSA withregardto the
      administrative fine proposed in the DraftDecision concerning the infringements of the transparency
      obligationsbyasking the IESA toimpose a(significantly)     higheradministrativefinewithreference

314. The dispute arising from these objections concerns whether the proposed fine is effective,
      proportionate and dissuasive pursuant to Article 83(1) GDPR      58. With reference to these three

      criteria,theabove mentioned CSAs, specifically, argueasfollows.

315. According tothe DESAs, thefine proposed bythe LSA in the DraftDecisionis not proportionate with
      regard to the financial position of the undertaking. More specifically, the DE SAs argue that the

      envisaged fine of at most 23 million euros is not proportionate compared to the worldwide annual
      turnoveronMetaPlatforms,Inc     585.TheDESAspointoutthattheproposedfine‘’representsonlyabout
      0.03%oftheturnoverofMetaPlatforms,Inc.andabout 0.72%ofthemaximum fine“                 .Withrespect
      to dissuasiveness, the DE SAs consider that the fine proposed by the LSA “weakensthe position of

      supervisory authorities and endangers compliance with the GDPR’’ as this would leave controllers
      under the impression that“enforcementoftheGDPRwill notbe felt economically’’       587.

316. The FR SA arguesthat the amount of the envisaged fine “seemslow and hardlycompatible with the
      objective set by Article 83(1) GDPR of ensuring to impose dissuasive fines” taking into account “the

      582DE SAs Objection,pp.10-12;FRSAObjection,paragraphs36-48;ITSAObjection,pp.7-10;NLSAObjection,
      583All theseCSAsspecifiedthatthefineshouldbeincreased‘’significantly’’or‘’substantially’’excepttheNLand

      theITSAs (whichstatedthefineshouldbeincreased).SeeDESAs Objection,p.12;FRSAObjection,paragraph
      584DESAs Objection,p.11;FRSAObjection,paragraph47;ITSAObjectionpp.7-8;NLSAObjection,paragraph
         DESAs Objection,p.11.
      586DESAs Objection,p.11.
      587DESAs Objection,p.11.

      Adopted      number of data subjects concerned, the particularlyintrusive nature of the processing operations in

      question,thebreachesobserved,theposition ofMetaPlatformsIrelandLimited asa quasi-monopolist
      anditsfinancial situation”588.Inthisrespect,the FRSA notesthatthe fine proposed by theIE SA isno

      proportionate since “the cumulative amount of the two breaches of the provisions of Articles 5-1-a)
      and13-1-c) ofthe GDPR,onthe one hand, andthe provisions of Articles5-1-a) and 12-1 of theGDPR,
      on the otherhand, representsonly about 0.03% of the turnover of MetaPlatforms Inc.and lessthan

      1% ofthe maximum fine”    58.

317. The IT SA arguesthat ‘’byhaving regardto the controller, inparticular the nature and size of Meta
      Platforms Inc. [...]the range at issue would appear to be overly low and neither proportionate nor
      dissuasive’’  .

318. The NL SA doubts, also referring to the EDPB Guidelines on Administrative Fines, that the fines
      proposed bythe IESA meettheobjective tobe effective,“particularlyconsidering thestrong financial
      positionofthecontrollerandthefindingthatthe     identifiedlackoftransparencylikelyhashadfinancial

      benefits for the controller” 59. As regard to dissuasiveness, the NL SA argues, also referring to
      establishedCJEU case-law,thatMetaIE“generatesaturnoverofover86billion dollars(approximately

      79 billion euros)per annum, thereforeit would be able to generatea daily revenueof approximately
      235 million dollars. Instead of dissuading future behaviour, the penaltywould be simply regenerated
      in a few hours” (specific deterrence)   . With reference to proportionality, the NL SA questions the
      lack of reasoning in the Draft Decision as to why the amounts proposed are commensurate to the
      seriousness of theinfringements    .

319. TheNOSA arguesthattheenvisagedamountofthe fine isnoteffective nor dissuasive neithertoMeta

      IE nor to other controllers, considering the financial benefits accrued because of the violation and
      worldwide annual turnover ofMetaPlatform, Inc.for 2020     594Inparticular,theNOSA points out that

      MetaIE“would likelyhave no issue paying theproposed fine,and theamount ofthefine it isnot likely
      to affect [it] in such a waythat it would see a need to substantially change its practices”5. The NO

      SA illustratesthisby the factthat in2020, MetaIEset aside one billion euroof provisions toaddress,
      inter alia,the riskof fines for infringement tothe dataprotectionrules596.

320. In addition, these objections raise arguments with regardsto the weight afforded to some of the
      criterialistedin Article83(2) GDPR.

321. The ITSA objects totheLSA's decision not toconsider WhatsApp's previous infringementsin the case

      group of companies of Meta IE. According to the IT SA “even though the WhatsApp case did raise

      additional,morespecific issues,one canhardlyquestionthattherelevantdecisionsetsa keyprecedent


      Adopted      in assessing controller’srepetitiveconduct’’as‘’notonly did the controller in question clearlystickto

      the same business modelin offeringits different social networking services,it also did not change its
      assessment as to how to manage users’ data with particular regard to its information and
      transparencyobligations’’    .

322. According to the DE, FR, NL and NO SAs, the fine proposed by the LSA in the Draft Decision is not

      proportionate withregardtotheseriousness of the infringement      59.

323. The NL SA argues that the fine is not commensurate with the seriousness of the infringements
      established(Article 83(2)(a)GDPR)andisinconsistent withtheIESA's qualificationsassuch      599.The FR

      SA alsoarguesthat the fine isincontradictionwiththe seriousnessofthe violationsidentified andthe
      natureof the processing (Article 83(2)(a)GDPR)  600.

324. The DE,FR,andIT SAs statethatthe fine proposed is not consistent withthe amount retainedbythe
      IESA initsdecision dated20 August2021 againstthecompanyWhatsAppIrelandLimited(caseIN-18-

      12-2), in which the IE SA imposed an administrative fine of 225 million euros, including a fine of 30
      million eurosfor the infringementof Article12 and13GDPRanda fine of90 millionon accountofthe
      infringement ofArticle5(1)(a) GDPR      .Moreover,theFR andITSAs statethatthe amount proposed
      appears low also in comparison with the one retained by the LU SA in its decision of 15 July 2021

      againstthecompanyAmazonEuropeCore, whereanadministrativefine of746 millioneuroshasbeen
      imposed fortheinfringementsofArticles6,12and13GDPR,andwhichwasalso basedonacomplaint

      that the processing operations carried out by the companies of the Amazon group relating to
      behaviouraladvertisingdidnot havea validlegalbasis    602.Inaddition, theFRSA notesthattheamount
      ofthefine proposedbytheIESA“seemstobeunderestimatedincomparisonwiththeamountretained

      in thedeliberation oftheCNIL’srestrictedcommitteeNo.SAN-2019-001 of21 January2019 imposing
      a penalty of 50 million euros on the company Google LLC”       603. The FR SA considers this case as

      comparable because it is also based on a referral “filed by the association ‘NOYB’ with the CNIL,
      relating to a similar issue and formulated against Google, and that the restricted committee has

      identifiedabreach ofArticle6 of theGDPRand a breachof theprovisions ofArticles12 and 13 of the
      GDPR”   60. However, the FR SA notes that “the amount retained against Google LLC is close to that

      proposed by the Irish data protection authority, even though the processing operations in question
      concernall European users, [...]which was not the case in the above-mentioned CNIL’s decision, for
      whichonlyFrench usersweretaken into account”      605.

      598DESAs Objectionp.11;FRSAObjection,paragraph47;NLSAObjection,paragraphs39and43-44;NOSA
      602FR SAObjection,paragraph43.SimilarreasoningisincludedintheITSAObjection,whichstates that‘’even
      byproportiontotherespectiveturnover[...]there islittle doubtthatthefiningproposalbytheLSAisnotinline

      603hthe proportinalityrequirement’’(ITSAObjection,p.8).

      Adopted325. TheNOSA arguesthat“thesuggestedfine isnotproportionatetotheseriousnessofthe violationsand

      the aggravating factors identified”, the “number of data subjects affected in the EEA amounts to
      hundredsofmillions” andagreeswiththe LSA thatthe controller’s“levelof responsibility ishigh”     606.

326. Onthe risksposed by the DraftDecision,the DE,FR,IT,NL,andNOSAs consider that,ifadopted,the

      Draft Decision would lead to a significant risk for the protection of the fundamental rights and
      freedoms of the data subjects 607. The DE, FR, IT, NL, andNOSAsexplain that it would not ensure an

      effective enforcementof theGDPR,asthe proposed fine isunable tocreateadeterrenteffect(either
      specifically towardsthe controller, or in generaltowardsother controllers)  608. The NO SA considers
      this would mean, “that the complainant and the affected data subjects would in practice be denied

      the levelof data protectionset out in the GDPR”   60. The FR SA arguesthe Draft Decisionas it stands
      would “lead to a levelling down of the level of administrative fines imposed by European data

      to ensureeffectivecompliancewith theprotectionofthe personaldataof Europeanresidents”         610.The
      DESAsaddthat“theDraftDecisiondoesnotensureaconsistentapplicationofadministrativefines”              .

      9.1.3 Position ofthe LSA on theobjections

327. The LSA considers none of theobjections relatingtothequantum of theproposed administrative fine
      asrelevantand reasoned    61.

328. Inrelationtoobjections calling for anincrease ofthe amount ofthe fine setout inthe DraftDecision,
      the LSA statesthat notwithstanding the variance betweenthe viewsofthe CSAsonthe calculationof

      the fine that the IE SA has “fully taken into account the criteria at Article 83(2) GDPR, and that the
      proposedadministrativefinesmeettherequirementsofArticle83(1)GDPR,takinginto accountallthe
      circumstancesofthismatterand asset out Part9 oftheDraft Decision”          .The IESA also arguesthat
      the IE SA considers “the proposal as to the fine to be meaningful in terms of both the financial

      significance of it on any view, as well as the significant publicity that a fine in this region will

329. Withreference totheobjections relatingtothe mode ofcalculatingthe proposed administrative fine

      (assessment of the Article 83(2) GDPR criteria), the LSA does not accept that these objections are
      relevant 615. The LSA recalls that it has already examined in its Draft Decision whether the
      infringements were intentional and whether Meta IE obtained a financial benefit as a result of the

      infringements,questions towhichitansweredinthenegative        61.Furthermore,theLSAtakesthe view

      607DESAs Objection,p.12;FRSAObjection,paragraph47;ITSAObjection,pp.8-10;NLSAObjection

         DESAs Objection,p.12;FRSAObjectionparagraph47;ITSAObjection,pp.8-10;NLSAObjection
         DESAs Objection,p.11.
      616CompositeResponse,paragraph124.Onthismatter,theIESArefers torespectivelyparagraphs230-233

      Adopted      that“itwouldbe contraryto a literalinterpretationofArticle83(2)(e)GDPRtotakethedecision made

      bytheIESA in respectofWhatsApp IrelandLimited(i.e.IN-18-2-1)in the calculationofthefine for this
      Draft Decision in circumstances where the infringements do not concern the same controller or
      processor’’   .

      9.1.4 Assessment of the EDPB Assessmentof whethertheobjectionswererelevantandreasoned

330. The objections raisedby the DE,FR,IT,NL,andNOSAs concern‘’whethertheactionenvisaged in the
      DraftDecisioncomplieswiththeGDPR’’      618.

331. The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe
      threshold ofArticle 4(24)GDPR      .

332. With specific regard to these objections on the determination of the administrative fine for the
      transparency infringements, Meta IE acknowledges that the objections as to whether envisaged

      corrective measures comply with the GDPR fall within the scope of the dispute resolution
      mechanism   62,however intheir view,objections thatsolelyobject totheamount ofa fine areoutside
      the scope of this mechanism  621. Meta IE arguesthat ‘’the DPC, asthe LSA, has the sole competence

      and discretion to impose an administrative fine’’ 62. Moreover, Meta IE claims that the EDPB is not
      competenttodeterminewhethertheadministrativefine iseffective,proportionate,anddissuasive         623.

      The EDPBdoes not share thisreading ofthe GDPR,asexplainedabove (see Section 8.4.2,paragraphs
      277-279 ofthis Binding Decision)andconsiders thatCSAs mayobject tothefine amount proposed by
      anLSA in itsdraftdecision    .

      619Meta IEArticle65Submissions,Annex1,p.65.
      620Meta IEArticle65Submissions,paragraph8.5
      621Meta IEArticle65Submissions,paragraph9.2
      623Meta IEArticle65Submissions,paragraph9.2.
         Meta IEArticle65Submissions,paragraph9.2.Meta IEarguesthat“TheGDPRdoesnotconferanypoweron
      theEDPBto considerobjectionssolelychallengingtheamountofafine,andtheEDPBmaynotgiveinstructions
      asto whetherafineoughttobeimposed,orastoitsamount’’.
         Inthis regard,Recital150GDPRcanberecalled,asitstatesthattheconsistencymechanismmayalsobeused
      to promote a consistent application of administrativefines. Consequently, an objection can challengethe
      elements reliedupontocalculatetheamountofthefine,andiftheassessmentoftheEDPBwithinthiscontext
      to re-assess thefineandremedytheidentifiedshortcomings(EDPBGuidelinesonArt.65(1)(a),para 91;EDPB

      RROGuidelines,paragraph34). TheEDPBfoundseveralobjectionsonthissubjectmatteradmissibleinthepast,
      seeinteraliaBindingDecision1/2020,paragraphs 175-178and180-181,BindingDecision1/2021,paragraphs
      310-314, Binding Decision 1/2022 paragraphs 53-55, Binding Decision 2/2022, paragraphs 186-190.
      Consequently,withinitsmissionofensuringa consistentapplicationoftheGDPR,theEDPBis fullycompetent

      to resolvethedisputearisenamongsupervisoryauthoritiesandremedytheshortcomingsintheDraftDecision
      LSAinits nationaldecisionadoptedonthebasisoftheEDPB’s bindingdecision.

      Adopted333. The EDPBtakesnote of further argumentsput forwardbyMetaIE,aiming todemonstratethe lackof
      relevance of the objections raised by the DE, FR, IT, NL, and NO SAs     . Meta IE disagrees with the
      content ofthese objections, whichconcerns itsmeritsandnot itsadmissibility.

334. The EDPB finds that the DE, FR, IT, NL, and NO SAs disagree with specific parts of the IE SA’s Draft
      Decision, namelythe assessment madeby the LSA in Chapter 9 ‘’Administrativefine’’andChapter 10

      ‘’Otherrelevantfactors’’insettingtheadministrative fine applicable tothe violationsof transparency
      identified626. Iffollowed, these objections would leadtoa different conclusion in termsof corrective

      measures imposed. In consequence, the EDPB considers the objections raised by the DE, FR, IT, NL,
      andNOSAs tobe relevant.

335. MetaIEfurtherconsiders thatthe DE,FR,IT,NLandNOSAs’ objections have not created“reasonable

      doubt’’astothe validityofthe LSA’scalculationofthe fine anddonot explainwhythe fine envisaged
      in the DraftDecision is incompatible withArticle 83 GDPR   627.Inthis respect, MetaIE claims thatthe
      objections ofthe DE,FR,IT,NLandNOSAsare not sufficientlyreasonedastheyfocusonhypothetical

      “preventiveeffects”ofthefine on other controllersinfuture proceedings    628.Inaddition, MetaIEputs
      forward that the comparison made by the DE, FR, and IT SAs in their objections with other fines

      imposed in other cases is not relevant to the extent that fines should result in a case-by-case
      assessment  629. Meta IE also objects to the FR SA’s objection that the fine should be tied to the

      turnover, considering that Meta IE’s turnover is only relevant for determining the maximum fine
      amount under Articles83(4)-(6) GDPRand not the fine amount     630.Finally, in response tothe NOSA’s

      objection, Meta IE argues that controller’s financial provisions for potential regulatory-related
      expenses cannot be considered asa relevant factor under Article 83(2) GDPR     63. It follows from the
      above argumentsthatMetaIEdisagreeswiththe reasoning provided inthese objections, which thus

      concernsthe meritsandnot the admissibility ofthe objection.

336. The EDPB finds that the DE, FR, IT, NL, and NO SAs argue why they propose amending the Draft
      Decisionandhow this leadstoadifferent conclusion intermsof administrativefine imposed, i.e.why
      theypropose toimpose a higherfine for the transparencybreaches         .

      625Meta IEargues thattheseobjectionsare“adirectcriticismof theamountoftheDPC’sproposedfine(i.e.an

      the[CSAs]couldobject)’’.Meta IEArticle65Submissions,Annex1,paragraphs2.17-2.19,5.13,7.12,8.23,and
         DESAs Objection,p.10;FRSAObjection,paragraph36;ITSAObjection,pp.7-9;NLSAObjection,
      627Meta IEArticle65Submissions,Annex1,paragraphs2.21,5.15,5.17-18,7.14,8.25,and9.22.Inthisregard
      Meta IEsubmitsthat‘’afineproposedbytheLSAiseffective,proportionate,anddissuasiveaslongasthecriteria

      of fines is subjective, and there is significant variance amongst objecting CSAsas to what the appropriate fine
      628Meta IEArticle65Submissions,Annex1,paragraphs2.22,5.19,7.16,8.26,and9.23.
      629Meta IEArticle65Submissions,Annex1,paragraphs2.23,5.18,and7.17.
      631Meta IEArticle65Submissions,Annex1,paragraph5.21.
         Meta IEArticle65Submissions,Annex1,paragraph9.26.
      632DESAs Objection,p.11-12;FRSAObjection,paragraphs38,40,42,43,47;ITSAObjection,pp.7-9;NLSA

      Adopted337. Intermsof risks, Meta IEclaims the DraftDecision does not pose any risk, let alone a significant risk

      tofundamentalrightsandarguesthe objections of the DE,FR,IT,NL,andNOSAs failtodemonstrate
      the contrary,asrequired   63.

338. Inparticular,MetaIEconsidersthattheDE,FRSA andITSAs’ objections appeartofocusonincreasing
      the “punitive impact” of the fine on Meta IE, instead of demonstrating any significant risks to the

      fundamentalrightsofdatasubjects     63.MetaIEfurtherclaimsthattheNLandNOSAs’objections does
      not set out how the proposed fine would pose a direct andsignificant risk tofundamentalrightsand
      freedoms     . In addition, Meta IE argues the DE, FR, IT, NL and NO SAs’ objections rest on
      unsubstantiatedpossible effecttheDraftDecisioncouldhaveonfuture behaviourofothercontrollers,
      without demonstrating how this Decision would lead to significant risks in the case at hand          .
      Therefore, Meta IE claims that, in doing so, the assessment made by the DE, FR, IT and NL SAs is
      incorrectastheydo not consider the reputationalcosts generatedbysuch afine          .

339. First, the EDPBnotes thatany risk assessment addresses future outcomes whichare tosome degree

      uncertain,andfinds thereis no basis in theGDPRtolimit the notion ofrisks tothe boundaries ofthe
      particular case at hand. Article 4(24) GDPR referstothe risks posed to the "fundamentalrights and

      freedomsof data subjects" and “where applicable, the free flow of personaldata within the Union”.
      Bothofthese aspectsare phrasedina generalway. The wording ofthisprovisiondoesnot in anyway

      limit the demonstration of the risks to showing the risks posed to the data subjects affectedby the
      concrete processing carriedout by the specific controller, in light of the objective of guaranteeing a
      ‘’highlevelofprotectionintheEUfortherightsand interestsoftheindividuals’’         .Therefore,therisks
      posedbyadraftdecision tobe demonstratedbya relevantandreasonedobjectionmightalsoconcern
      datasubjects whose personaldatamight be processed inthe future, including by other controllers.

340. The EDPB also notes that the DE, FR, IT, NL, and NO SAs    639 considered both of the aspects that are

      entailedbydissuasiveness ofthe fine, i.e.specific deterrenceandgeneraldeterrence      640.

      633Meta IEArticle65Submissions,Annex1,paragraphs2.24-2.27,5.22-5.25,7.18-7.21,8.28-8.32,and9.25-
      634Meta IEArticle65Submissions,Annex1,paragraphs2.24,5.22,and7.18.
         Meta IEArticle65Submissions,Annex1,paragraphs8.28,and9.25.
      636Meta IEArticle65Submissions,Annex1,paragraphs2.25,5.23,7.19,8.30,and9.26.
      637Meta IEArticle65Submissions,Annex1,paragraphs2.26,5.24,7.20,8.31.Meta IEaddsthat,inanycase,it

         Judgement of the Court of Justiceof 6 November 2003, Lindqvist, CaseC-101/01, ECLI:EU:C:2003596,
      50; Judgement of the Court of Justice of 24 November 2011, Asociación Nacional de Establecimientos

      639DESAs Objection,p.12(referringtothe‘’undertakinginquestion’’),FRSAObjection,paragraph47(referring
      to ‘’the controller’’); IT SA Objection pp.8-9 (referring to ‘’the controller’’); NL SA Objection, paragraph52
      (referring to the risk in relation to ‘’the illegal processing at hand’’);NO SA Objection, p.12 (referring to

         TheCJEUhas consistentlyheldthata dissuasivefineisonethathasagenuinedeterrenteffect,encompassing
      andgeneral deterrence(discouragingothersfromcommittingthesameinfringementinthefuture).See, inter

      Adopted341. The EDPB finds that the DE, FR, IT, NL, and NO SAs articulate an adverse effect on the rights and
      freedomsof datasubjectsifthe DraftDecisionis leftunchanged,by referringtoa failuretoguarantee
      a highlevelof protectioninthe EU for the rightsand interestsof the individuals      .

342. Therefore,the EDPBconsiders the DE,FR,IT,NL,andNOSAs objections tobe reasoned. Assessment on themerits

343. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the
      matters which are the subject of the relevant and reasoned objections, in particular whether the
      envisagedactioninrelationtothe controller complies withtheGDPR.

344. The EDPB recalls that the consistency mechanism may also be used to promote a consistent
      application of administrative fines    . A fine should be effective, proportionate and dissuasive, as
      required byArticle 83(1) GDPR,takingaccount of the factsof the case     643. Inaddition, when deciding
      ontheamount ofthe fine,theLSA shalltakeintoconsiderationthecriterialistedinArticle83(2)GDPR.

345. The EDPB responds to Meta IE’s argument that the LSA has sole discretion to determine the

      appropriate corrective measures in the event of a finding of infringement above (see Section 8.4.2,
      paragraphs277 -279 aswellasfootnote 624).

346. The finding in the Draft Decision of a transparency infringement for the processing concerned still
      stands. The EDPB recalls that, on substance, no objections were raised on this finding. Meta IE

      infringed its generaltransparency obligations by being unclear on the link between the purposes of
      processing, the lawful bases of processing and the processing operations involved   644, irrespective of
      the validityofthe legalbasis reliedonfor the ‘processing concerned’.Itremainsthecase that,forthe

      transparencyinfringements, ‘‘theprocessing concerned’’shouldbe understood asmeaning all ofthe
      processing operations thatMetaIEcarriesout onthe personaldata under itscontrollershipfor which
      Meta IE indicated it relied on Article 6(1)(b) GDPR       , including for the purposes of behavioural
      advertising.This is without prejudice tothe fact thatMetaIE inappropriatelyrelied on Article6(1)(b)
      GDPR asa legalbasis to process personal data for the purpose of behavioural advertising as part of

      the delivery of its Instagram service under the Termsof Use. Whether or not Meta IE appropriately
      chose its legal basis for processing, the transparencyinfringement as assessed in the Draft Decision

      still stands. Therefore, the IE SA must not modify this description retro-actively in light of the
      assessment ofthevalidityofthelegalbasis, including forthepurpose ofcarryingoutanyreassessment
      of the administrative fines originally proposed by the Draft Decision, as might be required by this

      Binding Decision.

      alia, Judgement of the Court of Justiceof 13 June 2013, Versalis Spa v European Commission, C-511/11P,
      ECLI:EU:C:2013:386,(hereinafter‘C-511/11,Versalis’),aragraph  94.
      641DESAs Objection,p.12,FRSAObjection,paragraphs47-48;ITSAObjection,pp.8-9;NLSAObjection,
         Recital 150GDPR. EDPB Guidelines on RRO, paragraph 34;EDPB Guidelines on Administrativefines p. 7
      (“When the relevant andreasonedobjection raises the issue of the compliance ofthe corrective measure with
      the GDPR, the decision of EDPB will also discuss how the principles of effectiveness, proportionality and
      deterrence are observed in the administrative fine proposedin the draft decision of the competent supervisory

      Adopted347. Inlightofthe objectionsfound relevantandreasoned, theEDPBaddresseswhetherthe DraftDecision
      proposes afine for the transparencyinfringements thatis inaccordancewith thecriteria established

      by Article83(2) GDPRandthe criteria provided for by Article 83(1)GDPR.Indoing this, the EDPBwill
      first assess the disputes arisen in respect of the analysis of specific criteria under Article 83(2)GDPR
      performed by the LSA, and then examine whether the proposed fine meets the requirements of

      effectiveness, dissuasiveness and proportionality set in Article 83(1) GDPR, including by affording
      adequateweighttothe relevant factorsandtothe circumstancesofthe case.

      On any relevantpreviousinfringementsby thecontrolleror processor (Article83(2)(e)GDPR)

348. Article 83(2)(e) GDPR requires supervisory authorities to give due regard to any previous relevant

      infringement of the GDPRbythe controller or processor asone of the circumstancesthat justifies an
      increase inthe basic amount of the fine. Assimilar reference canbe found inRecital148 GDPR.

349. For the purposes of Article 83(2)(e) GDPR, both previous infringements of the same subject matter
      and infringements of a different subject matter but committed in a manner similar to that under

      investigation, should be considered as relevant. Furthermore, the EDPB recalls that the scope of
      assessment ofinfringementsmayinclude not only previous decisions bythe investigatingsupervisory
      authority, but also infringements found by other authorities, provided that theyare relevant tothe
      case under investigation    .

350. The EDPB first notes that, contrary to Meta IE’s views          , substantial similarities exist in the
      infringements found by the LSA in its draft decision and in its decision IN-18-12-2 in relation to
      WhatsApp Ireland Limited and in which breach of GDPR obligations were established. As rightly

      pointed out by the IT SA, the LSA indeed considered in both decisions that the controller had not
      provided transparentinformationon thelegalbasisandpurposesofthe processing operationsor sets

      ofprocessing operationscarriedout,therebyinfringing Article5(1)(a),Article12(1)andArticle13(1)(c)
      GDPR  648.

351. TheITSA contendsthat,totheextentthatMetaIEandWhatsAppIrelandLimitedarepartofthesame
      corporategroup, theprevious decision concerning WhatsAppIrelandLimited“setsa keyprecedentin

      assessing a controller’srepetitive conduct”,as“not onlydid the controller in question clearlystickto
      the same business modelin offering its different social networking services,it also did not change its
      assessment as to how to manage users’ data with particular regard to its information and
      transparencyobligations”     . The IE SA disagreeswiththis objection, considering thatArticle83(2)(e)

      647Meta IEArticle65Submissions,paragraph10.3.AccordingtoMeta IE’s theDPCFinalDecisionIN-18-12-2

      and595,availableat:  https://edpb.europa.eu/system/files/2021-09/dpc final decision redacted for issue
       to edpb 01-09-21 en.pdf;DraftDecision,p.71.

      Adopted      GDPRcannot apply in the circumstancesof thiscase insofar as itsdecision againstWhatsApp Ireland
      Limitedwasaddressedtoa different controller       .

352. In this respect, the EDPB notes that Meta IE and WhatsApp Ireland Limited are both subsidiaries of
      MetaPlatforms, Inc.  651.Nonetheless,the EDPBrecallsthat the GDPRdrawsa distinction betweenon
      the one handthe “controller”or“processor”    652,whichare responsible for complying withthe rulesof

      the GDPR,andonthe otherhand the“undertaking”         653towhichthe controller or processor is partof,
      andthatmaybefound jointly andseverallyliable for thepaymentofthe fine        65.Inthiscontext,Article

      83(2)(e)GDPRexplicitlyreferstotheneedtoconsider previousrelevantinfringementscommitted‘’by
      thecontrolleror processor’’(emphasis added).

353. Therefore,the EDPBconsiders thatthe Final Decisiondoes not needtorefer tothe infringements by

      83(2)(e) GDPRfor thecalculationof thefine.

      Theeffectiveness,proportionalityanddissuasiveness ofthe administrativefine (Article 83(1)GDPR)

354. Withregardtoeffectivenessofthe fines, theEDPBrecallsthattheobjective pursuedby thecorrective

      measure chosencanbe tore-establishcompliance withthe rules,or topunish unlawfulbehaviour, or
      both 655. In addition, the EDPB notes that the CJEU has consistently held that a dissuasive penalty is
      one that has a genuine deterrent effect. Inthat respect, a distinction canbe made betweengeneral

      deterrence (discouraging others from committing the same infringement in the future) and specific
      deterrence(discouraging theaddressee of the fine from committingthe same infringement again)      656.

      Therefore, in order to ensure deterrence, the fine must be set at a level that discourages both the
      controller or processor concerned as well as other controllers or processors carrying out similar

      processing operations from repeating the same or a similar unlawful conduct. Proportionality of the
      fine needs also to be ensured as the measure must not go beyond what is necessary to attainthat
      objective   .Inthisrespect,theEDPBdisagreeswithMetaIE’sviewsthatthereisnobasis toconclude
      thatthe amount ofthe fine must have a generalpreventive effect     65.

      650CompositeResponse,paragraph125.AccordingtotheIE SA, this stems directlyfromthewordingofArticle
      83(2)(e) GDPR, which ‘’expressly states that only relevant previous infringements by the same controlleror

      652SeeArt. 4(7)-(8)GDPR.

      to settled case-law of theCJEU, the term ‘undertaking’ “encompasses every entity engagedin an economic
      656See, interalia,C-511/11,Versalis,paragraph94.
      657SeeJudgementoftheGeneral Courtof14October2021,MTvLandespolizeidirektionSteiermark,C‑231/20,
      , ECLI:EU:C:2021:845,paragraph 45(“theseverityofthepenaltiesimposedmust[…]becommensuratewiththe

      seriousness of the infringements forwhich they are imposed, in particularby ensuring a genuinelydeterrent
      effect, whilenotgoingbeyondwhatisnecessarytoattainthatobjective”).
      658Meta IEArticle65Submissions,Annex1,paragraphs,2.22,5.16,7.16,8.30and9.23.

      Adopted355. The EDPB reiterates that it is incumbent upon the supervisory authorities to verify whether the

      amount of the envisaged fines meets the requirements of effectiveness, proportionality and
      dissuasiveness, or whetherfurther adjustmentstothe amountarenecessary,considering the entirety

      of the fine imposed and allthe circumstancesof the case,including e.g.theaccumulationof multiple
      infringements, increases and decreases for aggravating and mitigating circumstances and
      financial/socio-economic circumstances      . Further, the EDPB recallsthat the setting of a fine is not
      an arithmeticallyprecise exercise  66, andsupervisory authoritieshave a certainmarginof discretion
      inthis respect    .

356. The DE,FR,IT,NL,andNOSAs ,object tothe level ofthe fine envisaged inthe DraftDecisionas they

      consider the proposed fine not effective,proportionate anddissuasive (Article83(1) GDPR)      662.

357. These CSAs arguethatthe elementsof Article83(2)GDPRarenot weighedcorrectlybythe LSA when
      calculating the administrative fines in the present case, in light of the requirements of Article 83(1)
      GDPR     .Specifically,theDE,FR,IT, NLandNOSAs arguethatthefine envisagedintheDraftDecision
      isnot proportionatewithIESA’sfindings inrelationtothenatureandseriousness oftheinfringements
      andthe number of datasubjects concerned         .

358. In addition, these CSAs argue that the fine is not effective, proportionate and dissuasive taking into
      account thefinancial position of MetaPlatform,Inc.    66.

359. The EDPBtakesnote of MetaIE’sdisagreement withthe fine proposed by the IESA           666 andtheir view
      that the LSA alreadyconsiders all factorsit considered tobe relevant toArticle 83(2) GDPR andthat

      ‘’noneoftheCSAs have createdanyreasonable doubt asto thevalidity ofthe DPC’scalculation’’         667.

360. The EDPB notes that in the Draft Decisionthe IE SA indicates being satisfied the proposed fines are
      effective, proportionate and dissuasive, taking into account all the circumstances of the IE SA’s
      inquiry   . TheIESAassessed thedifferentcriteriaofArticle83(2)GDPRinrelationtothe transparency

      659EDPB Guidelines on calculation offines, paragraph 132, and EDPB Guidelines on AdministrativeFines, p. 6,

      breach, and supervisory authorities must assess all the facts of the case in a mannerthat is consistent and
      660See Judgement of the General Court of 22 September 2021, AlticeEuropeNV v Commission, T 425/18,
      ECLI:EU:T:2021:607, paragraph 362; Judgement of theGeneral Court of 5 October 2011, Romana Tabacchi v

      Commission,CaseT‑11/06,ECLI:EU:T:2011:560,   paragraph  266.
      661See, inter alia, judgement of the General Court of 16 June 2011, Caffaro Srl v Commission, T-192/06,
      ECLI:EU:T:2011:278, paragraph 38.SeealsoEDPBGuidelinesoncalculationoffines,p.2.
         DE SAs Objection,pp.10-12;FRSAObjection,paragraphs36-48;ITSAObjectionpp.7-10;NLSAObjection,
      663DESAs Objection,p.11;FRSAObjection,paragraph47;ITSAObjectionpp.7-8;NLSAObjection,paragraph
         DESAs Objection,p.11;FRSAObjection,paragraph38;ITSAObjection,p.8;NLSAObjection,paragraph42
      665DESAs Objection,p.11;FRSAObjection,paragraph38-40;ITSAObjection,pp.8;NLSAObjection,paragraph
         Meta IEArticle65Submissions,paragraph9.1.
      667Meta IEArticle65Submissions,paragraph9.3.

      Adopted      infringements found  669. The IE SA considered the infringements as serious in nature  670, andin terms

      of gravityofthe infringements found a significant levelof non-compliance    671. Furthermore,the EDPB
      underlines that, as established by the IE SA, the infringements affect a significant number of data

      subjects 672 and are extensive 673. The EDPB also observes that the IE SA considered the negligent
      character ofthe infringement   674, aswell as the high level of responsibility of Meta IE for the lackof

      compliance with the GDPR     675 as aggravating factors under Article 83(2) GDPR. Further, the IE SA
      qualifiedthelevelofdamagesufferedbydatasubjectsassignificant         676.Inaddition,theIESAidentified

      only one mitigating factor, without indicating, however, whether this should lead to a slight or
      substantialreductionof the fine range   677.

361. MetaIEarguesthatreputationcostsshould alsobe takenintoconsideration, citingthe IESA’sremark
      on “the significant publicity that a fine in this region will attract” . Onprinciple, the EDPB agrees
      thatreputationcostscould be takenintoconsideration tosome extent,ifcredible argumentsareput
      forward about the grave detriment that would ensue. Meta IE does not present such arguments            .
      The EDPBisoftheview thatinthis caseother incentiveswouldoffset anyreputationalcosts. Asfaras

      advertisers are concerned, Meta IE puts forward that “The personalised nature of the Instagram
      Service is also the reason why it has been instrumental in the success of small and medium sized

      businesses (“SMBs”) worldwide, including across the EU. Personalisation on social media and other
      digitaltechnologies,including theInstagram Service,enablesSMBstocompeteforcustomersthrough

      “customizing [sic] productsand services,[...]building a unique brand image,tailoring marketing to a
      specific audienceand developing a strong one-to-oneconnectionwith a communityof customers’’         680.
      As far asusers of the Instagramservice are concerned,there are networkeffectsat playwhich leads

      to incentives to join - or not leave - the platform, so as not to be excluded from participating in
      discussions, corresponding withandreceiving informationfrom others       68.

362. According tothe DE, FR, and IT SAs, the proposed fine is not consistent with the fine of 225 million

      eurosdecideduponbytheIESAinitsdecision dated20August2021againstWhatsAppIrelandLimited

      675 Draft Decision, paragraph240. The IE SA considers that ‘’Meta Ireland should have been aware of the

      appropriate standards– albeit at a general level – and, having made a deliberate decision to present the
      information in a mannerwhich fellsignificant below the standard required, hasa high degree of responsibility
      forthe lackofcompliancewiththeGDPR’’.

      678CompositeResponse, paragraph 119. SeeMeta IE Article65 Submissions, Annex 1, paragraphs 2.26, 5.24,
      679Meta IE states that“evenifMetaIrelandorothercompaniescouldeverconsiderthatmulti-millionfinesare

      negligible from a financial point of view (a statement that is unsubstantiated anddisputed), such companies
      wouldobviouslybeconcernedbythereputationalcostofsuchfines.”Meta IE Article65Submissions,Annex1,
      680Meta IEArticle65Submissions,paragraph6.23.
         NO SA Objection, p. 5. Inthesamevein, theFR SAdescribes Meta IE’s position as quasi-monopolist (FR SA

      Adopted      for the same transparencyinfringements(breaches of Articles12 and 13 GDPR)        68. Inparticular, the

      DE SAs point out that ‘’the facts and the seriousness of the infringements in the two cases are no
      sufficiently different to justify a difference of 85% in the fine imposed’’83. The FR and IT SAs also

      comparewiththe fine of 746million euros decidedbythe LU SA initsdecision of 15July 2021 against
      the companyAmazonEurope Core for carryingout behaviouraladvertising without a validlegalbasis

      andfor transparencyinfringements(Articles 6,12 and13 GDPR)       684.While theEDPBagreeswithboth
      theIESAandMetaIEthatimposingfinesrequiresacase-by-caseassessment under Article83GDPR              685,

      the EDPB notes that the cases cited by the DE, FR and IT SAs do show marked similarities with the

      operations and significant resources available tothem, including large, in-house, compliance teams.
      Moreover, there are similarities with regards to the nature and gravity of the infringements
      involved   . Thus, these casescangive anindication onthe matter.

363. The DE,FR,ITandNOSAscalculatethatthe envisagedupper limit of thefine rangeisabout 0.03%
      of the global annual turnover of Meta Platforms, Inc., which the DE SAs note is about 0.72% of the
      maximum ceiling provided for in Article 83(5) GDPR      . For illustrative purposes also, is the amount
      oftimeit wouldtakeMetaPlatforms,Inc.onaveragetogenerate23millioneurosinturnover in2020,
      whichwasabout 2 hours and33 minutes         .

364. The EDPB agreeswith the objections raised that - if the proposed fine was to be imposed for the
      transparency infringements - there would be no sufficient special preventive effect towards the
      controller, nor a credible generalpreventive effect 69.The proposed fine amount,even where a final

      amountattheupper limitoftherangewouldbe chosen, isnot effective,proportionateanddissuasive,
      in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of

      doing business 691. Asbehavioural advertising is atthe core of MetaIE’sbusiness model   692, the riskof
      this occurring is allthe greater69.Bybearingthe cost of the administrative fine, the undertaking can

      avoidbearing the cost ofadjusting their business modeltoone that iscompliant aswellasanyfuture
      losses that wouldfollow from theadjustment.

         DESAObjection,p.11-12;FRSAObjection,paragraph42;ITSAObjection,p.8.TheIESA’s decisioninthis
         DraftDecision,paragraph219-220;Meta IEArticle65Submissions,pargraphs2.23,5.18,7.17.
      686Inthis regard,theDE SApoints outthatinbothdecisionstheIESAstatedthattheprovisionsinfringed‘’go
      tothe heartofthegeneralprincipleoftransparencyandthefundamentalrightoftheindividualtoprotectionof

      his/herpersonal data which stems from the free will andautonomyof the individual to share his/herpersonal
      689Basedonthetotal annualturnoverof2020beingEUR79billioncalculatedbytheNLSAinits objection(NL

      SAObjection,paragraph49)onthebasisoftheturnoverofMeta Platforms,Inc.referredtointheDraft
      Decision(86billiondollars).Thus,a fineofEUR23millionwouldhavetaken2h33togenerate.
      690DESAObjection,p.12; ITSAObjection,pp.8-9;NOSAObjection,p.12;FRSAObjection,paragraph47.

      Adopted365. Though the IE SA touches upon the notions of effectiveness, proportionality and dissuasiveness in
      relation to the proposed fine  69, there is no justification based on elements specific to the case to

      explain the modest fine range chosen. Moreover, the EDPB notes that while the IE SA takes into
      considerationthe turnoverof theundertakingtoensure thatthefine it proposed doesnot exceedthe
      maximum amount of the fine provided for in Article83(5) GDPR        ,theIESA does not articulatehow
      andtowhatextentthe turnover ofthisundertaking isconsidered toascertainthatthe administrative
      fine meetsthe requirementof effectiveness, proportionality and dissuasiveness       . Inthis regardthe
      EDPB recalls that, contraryto Meta IE’sviews    69, the turnover of the undertaking concerned is not
      exclusively relevant for the determination of the maximum fine amount in accordance with Article

      83(4)-(6) GDPR,butshould alsobe consideredfor thecalculationof thefine itself, whereappropriate,
      toensure the fine iseffective,proportionate anddissuasive inaccordancewithArticle 83(1)GDPR        698.

      The EDPB therefore instructs the IE SA to modify its Draft Decision to elaborate on the manner in
      which the turnover of the undertaking concerned has beentakeninto account for the calculationof
      the fine.

366. In light of the above, the EDPB considers that the proposed fine does not adequately reflect the

      seriousness andseverity of the infringements nor has a dissuasive effect on Meta IE. Therefore, the
      fine does not fulfil the requirement of being effective, proportionate and dissuasive in accordance
      with Article 83(1) and (2) GDPR. Inlight of this, the EDPB directs the IE SA to set out a significantly

      higher fine amount for the transparencyinfringementsidentified, in comparison withthe upper limit
      for the administrative fine envisagedin the Draft Decision. Indoing so, the IESA must remainin line

      withthe criteriaof effectiveness, proportionality, anddissuasiveness enshrined inArticle 83(1)GDPR
      inits overallreassessment of the amountof the administrativefine.

      9.2 On the determination of anadministrative finefor further infringements

      9.2.1    Analysis bythe LSA in the Draft Decision
367. The IE SA in the Draft Decisionconcludes that Meta IE hasnot sought to relyon consent in order to

      processpersonal datatodeliver itsservice asoutlinedinthe InstagramTermsofUseandis not legally
      obligedtorelyon consent inorder todo so(Finding 1)     699. Alongside, theIE SA concludes thatMetaIE

      can rely on Article 6(1)(b) GDPR as a legalbasis to carryout the personal data processing activities
      involved inthe provision of itsservice tousers, including behaviouraladvertisinginsofar asthatforms
      a core part of the service (Finding 2)    . In these terms, the IE SA did not propose to establish an
      infringement ofArticle 6(1)GDPR.

      697Meta IEArticle65Submissions,paragraphs9.8-9.10.Inaddition,Meta IE’sargumentthat“[turnover]isnota

      relevant consideration whendeterminingthe amount of the fine underArticle 83(2) GDPR”is not withinthe

      Adopted368. Inaddition, no infringement of Article 9(1) GDPR hasbeen found as the IE SA has not identified and

      separatelyassessed anyprocessing of specialcategoriesofpersonal databyMetaIEin thecontext of
      InstagramTermsof Use.

369. The IESA initsDraftDecision concludes thatMetaIEhasinfringed Article5(1)(a), Article 13(1)(c)and
      Article12(1)GDPRduetothelackoftransparencyinrelationtotheprocessing for whichArticle6(1)(b)

      GDPRhasbeenreliedon (Finding 3)     701.

      9.2.2   Summary ofthe objections raised bythe CSAs
370. The AT, DE,FR, IT, NO, andSE SAs       object tothe LSA’s failure totake actionwithrespect toone or
      more specific infringementstheydeem should have beenfound and askthe IESA toimpose a higher
      administrativefineas a resultoftheseadditionalinfringements.

      Objectionsrequesting the imposition of a fine for the additional infringement of Article 6(1)GDPR or

      Article6(1)(b) GDPR

371. TheDEandFR SAsaskfor theadministrative fine tobe increased          asa consequence ofthe proposed
      finding of an infringement of Article 6(1) GDPR704. The AT, NOandSE SAs argue that the fine should
      be increasedfollowing the finding of aninfringement ofArticle 6(1)(b) GDPR     .

372. The DE SAs state that the fact that Article 6(1) GDPR was infringed is not properly reflected in the

      calculationofthefine intheDraftDecision   706.TheDESAsarguethatinthecurrentcasetheprocessing
      of personal data was performed without a legal basis as consent of the data subjects would be

      required,whichwasnot given,andthatthe“DraftDecisionisinsofar not incompliancewithArticle83
      GDPR as it does not consider the additional infringement of Articles 5(1)(a), Art. 6(1), 9(1) when
      calculating the amount of the administrative fine”     . The DE SAs state that it is a highly serious
      infringement under Article 83(2)(a) GDPR considering that personal data of at least
      individuals were affected   .TheDE SAs also highlight thatthe fine imposed needs toaim toprevent
      further infringementsof theGDPR;first, itshould have “specialpreventive”effects,meaningthatthe
      amount imposedneeds tobe such that“itisnot tobeexpectedthatthespecificcontrollerwillcommit

      similar infringementsagain” byhaving“such anoticeableimpacton theprofitsoftheundertakingthat
      future infringementsofdata protectionlaw would not be ‘discounted’ into the processing performed

         AT SAObjection,pp.11-12;DESAs Objection,p.10and12;FRSAObjection,pp.9-10.;NOSAObjection,pp.
      703FRSAObjection,paragraph44;DESAs Objection,p.10.
      704DESAs Objection,pp.1-6andpp.9-10;FRSAObjection,paragraphs5-14,33and52;
         AT SAObjection,pp.11-12;NOSAObjection,pp.10-11;SESAObjection,pp.4-5.
      In addition, also theDE (DE SAs objection, p. 10), FI and NO (NO SA objection, p. 9) SAs (FI SA Objection,
      however, this aspect of theobjectionraisedby the DE, FI and NO SAs was deemed to be not relevant and

         DESAs Objection,p.10.
      707DESAs Objection,p.10.
      708DESAs Objection,p.10.

      Adopted      by the undertaking lightly”; secondly, it should have ‘’generalpreventive” effects by leading other

      controllersto“make asignificant effortto avoid similar violations” 709.

373. The FRSA considers thatsome violations arewronglynot included inthe DraftDecision        710andargues
      that “since it considers that breach of Articles 6 has been committed, which is added to the other

      breachesfound by the Irish data protection authority, the amount proposed by the latter should be
      accordinglyincreased”   71.TheFRSArecallsthatthesame approachofcumulating theamountsofthe
      fine hasbeenadoptedby theEDPBin points 324 to327 ofits Binding Decision1/2021             .

374. On risks posed by the Draft Decision, the DE SAs explain that the shortcoming of the Draft Decision
      would cause significant risks for the fundamentalrightsandfreedoms of the datasubjects, “because

      an effectiveenforcement oftheGDPR,which isthepreconditionfortheprotectionofthefundamental
      rights and freedoms of the data subjects, cannot be ensured’’    713. The DE SAs also point out that

      administrative fines shall in eachindividual case be effective,proportionate anddissuasive and both
      special andgeneralpreventive since these two“conceptsaim to protect the fundamentalrightsand
      freedom ofthe data subjectsby preventingfurther infringementsof the GDPR”          .Moreover,theDE
      SAs raisethat“thenon-compliance withone ofthecentralprovisions oftheGDPRwould not have any

      negativefinancial impacton theundertakingand therefore,fromaneconomicalpoint ofa view could
      beareasonable optionfor controllers’’  715.TheFRSAconsiders thatadoptingthe IESA'sDraftDecision

      asitstands“presentsarisktothefundamentalrightsand freedomsofthedata subjects,inaccordance
      with Article 4(24)of the GDPR”   716and“would lead to a levelling down of the levelof administrative
      fines imposed by European data protection authorities, thereby reducing the authorities' coercive

      power and, consequently, their ability to ensure effective compliance with the protection of the
      personaldata ofEuropean residents”    717.


375. The AT,NOand SE SAs, whichconsidered that theIE SA should have found aninfringement of Article

      6(1)(b)GDPR   71,askfor theadministrativefine tobeincreasedasa consequence ofthatinfringement.

376. The AT SA arguesthat “theadditional infringement [of Article 6(1)(b) GDPR]is not properlyreflected
      in the envisaged amount of the administrative fine” and that the IE SA’s Draft Decision is not in

      compliance withArticle83 GDPRinsofar asit does not consider the additionalinfringement of Article
      6(1)(b) GDPRwhencalculatingthe amount ofthe administrative fine      719.

      709DESAs Objection,p.10.
      713DESAs Objection,p.12.
         DESAs Objection,p.10.
      715DESAs Objection,p.12.
         AT SAObjection,pp.1-7;NOSAObjection,pp.10-11;SESAObjection,pp.2-3.
      719AT SAObjection,p.11.

      Adopted377. The NO SA statesthat anadministrative fine should be imposed for MetaIE’sprocessing of personal
      datainthecontext ofonline behaviouraladvertisingwithout avalidlegalbasis          . The NOSA analyses
      severalof the criteria listedin Article 83(2) GDPR in order to prove the need of the imposition of an
      administrative fine    . Specifically, the NO SA argues that an administrative fine of a substantial
      amount is needed, in light of the nature andgravityof the infringement (giventhat “the principle of
      lawfulness [...] is a fundamental pillar of the GDPR” and “processing personal data without a legal

      basis is a clear violation of the data subjects’ fundamental right to data protection because no one
      should have to tolerate processing of their personal data save for when it is legitimised by the
      legislators”   ), as well as the scope of the processing (“wide”, as ‘’all data subject activity may
      potentiallybeusedfor OBApurposes”),the number ofdatasubjects affectedinthe EEA(“hundredsof

      millions”) and the intangible damage suffered by them (Article 83(2)(a) GDPR), the high level of
      responsibility of Meta IE(Article 83(2)(d) GDPR),the categoriesof personal datainvolved (“of a very

      personal and private nature”, able to“revealintimate detailsofthe data subjects’ lifestyle, mindset,
      preferences,psychologicalwellbeinget cetera”)(Article83(2)(g)GDPR)andanadditionalaggravating

      factor(highlikelihood of contributiontodevelopment of‘’targetingalgorithmswhichmaybeharmful
      onanindividual andsocietallevel’’,Article83(2)(k)GDPR)     723.

378. The SE SA arguesthat“theDraftDecisionis not in compliance withArticle 83 insofar asthe additional
      infringement of Article 6(1)(b) is not considered in calculating the administrative fine” and that “an

      administrative fine pursuant to Article 83 GDPR cannot be regarded as ‘effective, proportionate and
      dissuasive’ when the provision that the processing is based on, namely Article 6(1)(b) GDPR, was

      infringed and when this infringement is not properly reflected in the envisaged amount of the
      administrativefine” 724.TheSESAtakestheview thatthattheintentionalcharacteroftheinfringement
      (Article83(2)(b) GDPR)andthefinancialbenefitsgainedfrom theinfringement (Article83(2)(k)GDPR)

      must be found as aggravating factors   725. Astointentionality, the SE SA arguesthat the switch from
      consent toArticle6(1)(b)GDPRin2018 suggeststhisactwasdone withthe intentionof circumventing

      the new rights afforded to users by the GDPR when the processing relies upon consent, and that in
      anywaytheinfringement needstobe consideredasintentionalatleast asofthe moment ofadoption

      of the EDPB Guidelines on Article 6(1)(b) GDPR which “clearly gives doubt to the legality of the
      processing” 726.Astothefinancialbenefitsgained,theSE SAargues“MetaIrelandhasmadesignificant

      financial gain from being able to provide personal advertisementaspart ofa whole takeit or leaveit
      offer for its social media platform service” andthat due tothe unclear information provided todata

      subjects itcanbe reasonablyassumedthatmore datasubjectshave beenmisledintobeing subject to
      the processing 727. Lastly, the SE SA considers it would be appropriate to take into account Meta IE’s
      turnover for the calculationofthe fine inorder tomake it effective anddissuasive   728.

         TheNO SAalsohighlightsthat“[behaviouraladvertising]entailsprofiling,whichinherentlyconstitutesrisks
      forthe datasubjects’integrity”.

      Adopted379. Onrisks posed bythe DraftDecision, theAT SA arguesthat“should theDraft Decisionbe approvedin

      its current version, the risks for the fundamental rights and freedomsof data subjects lie in the fact
      that theactionenvisagedin relationto the controlleris likelyto fall short ofthe proportionalityand–

      above all– dissuasiveness requirementssetforthin Article83 GDPR”andthat“ignoring infringements
      of the GDPRwhencalculatingfines would lead to lesser compliance with the GDPRand ultimatelyto
      lesserprotectionofdatasubjectsinrelationtotheprocessing ofpersonaldata”        72.TheNOSA explains

      thatnot imposing afine for the lackof legalbasis createsthe risk thatthe violatedprovisions arenot
      respectedby MetaIEor other controllersand the LSA would not be able toeffectively safeguardthe

      data subjects’ rights, and that “in absence of corrective measures that create the appropriate
      incentivesfor [MetaIE]andothercontrollersto changetheir behaviour,the same or similar violations
      arelikelyto reoccurtothedetrimentofthecomplainantandotherdata subjects”             .TheSE SA argues
      the infringement of Article 6(1)(b) GDPR “is not properly reflected in the envisaged amount of the

      administrative fine,it shows controllers(MetaIreland included)thatenforcementoftheGDPRand its
      provisions is not effective.Thisthreatenscompliancewith the GDPRon a generallevel, seeing ashow

      non-compliance could be a viable option for controllers when the costs for compliance are greater.
      Given the proposed changed findings regarding legal basis, there are significant risks to the
      fundamental rights of data subjects if these does not also merits a substantive increase in fines to
      dissuade MetaIrelandand other controllers”      .

      Objectionsrequestingthe imposition of a fine for theadditional infringementof Article9 GDPR

380. The DE and FR SAs argue that, as the IE SA should have identified and separately assessed any
      processing of specialcategoriesofpersonaldataunder Article 9GDPRinthe contextofthe Instagram

      Terms of Use and that Meta IE processes the entire amount of data it holds, including special
      categoriesof data in breachof Articles6 and9 GDPR     732,the amount of the fine should be increased
      accordingly    .

381. The DE SAs state that “the infringement ofArticle 5(1)(a), Article 6(1)and Article 9(1) GDPR [...]also
      entailsanadministrativemeasureand a fine accordingtoArt.83(2)(5)GDPR”        734,andarguethatthese
      infringements are “serious”    . The FR SA considers that a breach of Article 9 GDPR is wrongly not
      included in the Draft Decision 736 and that the amount of the fine proposed by the LSA should be
      increased in light of the addition of such infringements to those already established  73. The FR SA

      recallsthatthe same approachof cumulatingthe amounts ofthe fine hasbeen adoptedbythe EDPB
      inpoints 324 to327 of the Binding Decision1/2021    73.

382. On risks posed by the Draft Decision, the DE SAs explain that the shortcoming of the Draft Decision

      would cause significant risks for the fundamentalrightsandfreedoms of the datasubjects, “because
      an effectiveenforcement oftheGDPR,which isthepreconditionfortheprotectionofthefundamental

      729AT SAObjection,p.12.
      733DESAs Objection,pp.7-8;FRSAObjection,paragraph30.
      734DESAs Objection,p.10.
      736DESAs Objection,p.10.

      Adopted      rights and freedoms of the data subjects, cannot be ensured’’     73. The DE SAs also point out that

      administrative fines shall in eachindividual case be effective,proportionate anddissuasive and both
      special andgeneralpreventive since these two“conceptsaim to protect the fundamentalrightsand
      freedom ofthe data subjectsby preventingfurther infringementsof the GDPR”           .Moreover,theDE
      SA raisesthat“thenon-compliance withone ofthecentralprovisions oftheGDPRwould not have any

      negativefinancial impacton theundertaking and therefore,fromaneconomicalpoint ofa view could
      beareasonable optionfor controllers’’   74.TheFRSAconsiders thatadoptingthe IESA'sDraftDecision

      asitstands“presentsarisktothefundamentalrightsand freedomsofthedata subjects,inaccordance
      with Article 4(24)of the GDPR”   742and“would lead to a levelling down of the levelof administrative
      fines imposed by European data protection authorities, thereby reducing the authorities' coercive

      power and, consequently, their ability to ensure effective compliance with the protection of the
      personaldataofEuropeanresidents”      743.

      Objections requesting the imposition of a fine for the additional infringement of Article 5(1)(a) and

      5(1)(b)-(c) GDPR

383. The IT SA arguesthat the fine should be increasedfollowing the finding of aninfringement of Article
                    744                                                  745
      5(1)(a) GDPR     , and of Article 5(1)(b) and Article 5(1)(c) GDPR    . As stated in Section 6.2 of this
      Binding Decision, the IT SA agrees to a large extent with the Draft Decision’s Finding 3 on the
      infringement ofArticle12(1), Article13(1)(c), andArticle5(1)(a)GDPRintermsoftransparency         746but

      itarguesthatMetaIEhasalsofailedtocomplywiththemoregeneralprincipleoffairnessunder Article
      5(1)(a) GDPR, which, in the view of the IT SA, entails separate requirements from those relating

      specifically to transparency747.Moreover,as analysedin Section 7.2,the IT SA statesthatthere is an
      additional infringement of points (b) and (c) of Article 5(1) GDPR on account of Meta IE’sfailure to
      comply withthe purpose limitationanddataminimisation principles         . The ITSA asks for afine tobe
      issued for those two additional infringements. With regardtoArticle 5(1)(a) GDPR, the IT SA argues

      thatthe finding of such infringement“should resultinto theimposition of the relevantadministrative
      fine asperArticle83(5)(a)GDPR”asfaras“theinfringementofthefairnessprinciple in additionto the

      transparencyone [...] should result into increasing the amount ofthe said fine substantiallybyhaving
      regardto the requirementthateach fine should be proportionate and dissuasive. Indeed,thegravity
      of the infringementwould be factually compounded”        .With referenceto Article 5(1)(b) andArticle
      5(1)(c) GDPR,theIT SA considers that “theinfringementof purpose limitation and data minimisation
      principles(...)should result into increasing the amount of the said fine substantially by having regard

      to the requirement that each fine should be proportionate and dissuasive. Indeed, the gravityof the
      infringementwould befactually compounded”       75.

      740DESAs Objection,p.12.
         DESAs Objection,p.10.
      741DESAs Objection,p.12.

      Adopted384. On the significance of risks posed by the Draft Decision, the IT SA arguesthat “the failure to find an

      infringement ofArticle5(1)(a) GDPRasfor the fairnessprinciple may becomea dangerousprecedent
      with a view to future decisions concerning other digital platform operators– more generally, other

      controllersthatrelyonthesamebusiness model–and markedlyweakenthesafeguardstobeprovided
      by way of the effective, comprehensive implementation of the data protection framework including
      thefairness ofprocessingprinciple”  751.Withreference toArticle5(1)(b) andArticle5(1)(c) GDPR,the

      ITSA addsthat,should theDraftDecision be approvedin itscurrent version, the infringement oftwo
      key principles of the whole data protection framework as introduced by the GDPR will not be

      punished, “which would seriously jeopardise the safeguards the data subjects (Instagram users) are
      entitledto” 752.

      9.2.3 Position ofthe LSA on theobjections

385. The LSA considers none of the objections requesting the imposition of a fine for the proposed
      additional infringements as meeting the threshold set by Article 4(24) GDPR     753. Given that these

      objections were premised upon the requirement for the Draft Decision to include findings of
      infringement of Article 6(1)(b), Article 9, Article 5(1)(a), 5(1)(b) and5(1)(c) GDPR,on which the IE SA

      expressed its disagreement – the IE SA does not consider the objections requesting exercise of a
      correctivepower in response tothese findings ofinfringement asbeing relevant andreasoned.

      9.2.4 Analysis ofthe EDPB   Assessmentof whethertheobjectionswererelevantandreasoned
386. The objections raised by the AT,DE,FR, IT,NO,and SE SAs concern“whethertheaction envisaged in
      theDraft Decisioncomplieswith theGDPR”         .

387. The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe
      threshold of Article 4(24) GDPR  755. Meta IE rejects the objections in this section based on its view
      that the LSA has sole discretion to determine corrective measures   756. The EDPB responds to these

      arguments above (see Section 8.4.2) and is of the view that CSAs may ask for specific corrective
      measurestobe takenby the LSA, whetherthis concernsinfringements alreadyidentified in theDraft
      Decision or as a result of the one identified by the CSA in its objection      . Meta IE refutes the
      allegations of additional infringements put forward in the objections, and by consequence, any
      demands for increasing the administrative fine in relation them         . The EDPB recalls that the
      assessment ofadmissibility ofobjections and theassessment of themeritsare twodistinct steps      75.

388. The EDPB finds that the objections concerning the increase of the administrative fine in connection
      withthe additional infringement ofArticle 6(1)/6(1)(b) GDPRand/or Article 9 GDPRraisedby the AT,

      755Meta IEArticle65Submissions,Annex1,p.65.
      756Meta IEArticle65Submissions,Annex1,paragraphs1.31,2.21,5.18,7.15,9.22,and10.16.

         SeeMeta IEArticle65Submissions,paragraphs8.10-8.15,andmorespecificallyAnnex1,paragraphs1.33,

      Adopted      DE, FR, NO, and SE SAs stand in direct connection withthe substance of the Draft Decision, as they

      concerntheimposition ofa correctivemeasurefor anadditionalinfringement,whichwould be found
      as a consequence of reversing the conclusions in the Draft Decision also in scope of this dispute  76.

      Clearly, the decision on the merits of the demands to take corrective measures for a proposed
      additional infringement is affectedby the EDPB’sdecision on whether to reverse the findings in the
      DraftDecisionandwhether toinstruct theLSA toestablishadditionalinfringements.

389. The EDPBtakesnote of further argumentsput forwardbyMeta IEaiming todemonstrate the lackof
      relevance of these objections, specifically with regard to the objections raised by the ATSA         .
      However,theEDPBnotesthatMetaIEdisagreeswiththe contentofthese objections, whichconcerns

      itsmeritsandnot its admissibility.

390. If followed, these objections would lead to a different conclusion in terms of corrective measures
      imposed  762. Inconsequence, the EDPB considers the objections raised by the AT, DE, FR, NOand SE
      SAs in connection to imposing an administrative fine for the alleged breach of Article 6(1)/6(1)(b)

      GDPRand/or Article 9 GDPRtobe relevant.

391. Meta IE arguesthat the AT, NO, and SE SAs objections in relation to the need to increase the fine
      amount because ofthe allegedinfringement ofArticle 6(1)(b)GDPRlacksadequatereasoning asthey
      fail todemonstrate why Meta IE could not rely on Article 6(1)(b) GDPR      . According toMeta IE, the
      SE SA’sobjectionisalsobasedontheunfounded claimthatMetaIEintentionallysoughttocircumvent
      datasubjectrightsbyswitchingfrom consenttocontractualnecessityasthelegalbasisinMay2018               .
      Furthermore, Meta IE takes the view that the objections from the AT, DE, FR and NO SAs are not
      sufficiently reasoned astheyrefer tothe use of administrativefine as''generalpreventivemeasures''

      on controllers, thus speculating on potential future behaviour or intentions of unidentified
      controllers765. The EDPB understands that Meta IE disagrees with the reasoning provided in the

      objections, whichthusconcerns their meritsandnot their admissibility.

392. Inaddition, MetaIEarguesthattheFRSA’sobjectionis notreasonedbecause itdoes not substantiate
      “how a fine for the additional purportedinfringementswould be calculated, whether thisfine would
      needto be added to the proposed fine and how this would affect the overallfine”      .Meta IEfurther
      takesissue withthe AT SA’sobjection andarguesit has not put forwarda sufficiently reasonedbasis
      for itsobjection tochallenge theLSA’scalculationof thecriterialaiddowninArticle83(2) GDPR       767. In

      this respect, the EDPB recalls that CSAs are not required to engage in a full assessment of all the

      760AT SAObjection,p.11;DESAs Objection,p.2;FRSAObjection,paragraphs44and50;NOSAObjection,p.

      761SE SAObjection,p.4.
         Meta IEArticle65Submissions,Annex1,paragraph1.32.AccordingtoMeta IE,byreferringtothefactthat
      ‘’MetaIrelandis... theproviderofoneofthebiggestsocialmedianetworkintheworld’’,theAT SA‘’failsto
      762AT SAObjection,p.11;DESAs Objection,p.2;FRSAObjection,paragraph44and50;NOSAObjection,p.

      11;SE SAObjection,p.4.
      763Meta IEArticle65Submissions,Annex1,1.33,9.20,and10.17.
      764Meta IEArticle65Submissions,Annex1,10.17.
      765Meta IEArticle65Submissions,Annex1,paragraphs1.35,2.22,5.16and9.23.Meta IEaddsthat‘’inany

      event,wherea fineaslargeasthatcurrentlyproposedintheDraftDecisionisimposed,thereisnodoubtthat
      766Meta IEArticle65Submissions,Annex1,paragraph5.20.
      767Meta IEArticle65Submissions,Annex1,paragraph1.34.

      Adopted      aspects of Article 83 GDPR in order for an objection on the appropriate administrative fine to be

      considered reasoned.Itis sufficient tolayout whichaspect ofthe DraftDecisionthat,intheir view, is
      deficient/erroneous and why. Second, the EDPB recalls that the criteria listed in Article 83(2) GDPR

      are not exhaustive, thus it is entirely possible to argue an administrative fine is not “effective,
      proportionate and dissuasive” in the meaning of Article 83(1) GDPR without referring to a specific

      criterionlistedin Article83(2)GDPR.

393. The EDPBfinds thatthe AT,DE,FR, NOandSE SAsadequatelyargue whytheypropose amendingthe
      Draft Decision 768 and how this leads to a different conclusion in terms of administrative fine
      imposed   769.

394. Intermsof risks, Meta IEclaims the DraftDecision does not pose any risk, let alone a significant risk

      to fundamental rights, and argues the objections of the AT, DE ,FR, NO and SE SAs            770 fail to
      demonstratethe contrary,asrequired.

395. More specifically, Meta IE considers that the DE and FR SAs’ objections focus on increasing the

      ‘’punitive impact’’ of the fine on Meta IE rather than demonstrating any significant risks to the
      fundamental rights of data subjects  771. In this regard, Meta IE argues the AT, DE, NO, and SE SAs’

      objections rest on unsubstantiated possible effect of the Draft Decision on the future behaviour of
      other controllers, instead of doing a case by case assessment under Article 83 GDPR   772.Inparticular,

      MetaIEclaimsthat,indoing so, the assessment made by these supervisory authoritiesis incorrectto
      the extentit only takesintoaccount financialcostsanddoes not consider reputationalcosts       773.

396. The EDPB recalls that any risk assessment addresses future outcomes which are to some degree
      uncertain 774. Contrary to Meta IE’s views, the objections reflect specifically on Meta IE’s future

      approachintheevent the DraftDecisionisadoptedasit standsandgobeyondproviding “speculative
      argumentbasedon theputativelackofa generalpreventiveimpactonothercontrollers”             775. TheEDPB

      also notes that the DE, FR, NL, NOandSE SAs    776considered both of the aspects that are entailedby
      dissuasiveness of the fine, i.e.specific deterrenceand generaldeterrence   777.

      768AT SAObjection,pp.11;DESAs Objection,p.10;FRSAObjection,paragraph50;NOSAObjectionpp.9-11;
      SE SAObjectionp.4.
      769AT SAObjection,pp.11-12;DESAs Objection,p.12;FRSAObjection,paragraphs44-45;NOSAObjection

      77013;SE SAObjection,p.4
         Meta IEArticle65Submissions,Annex1,paragraphs1.36-1.40,2.24-2.27,5.22-5.25,9.25-9.27,and10.18-
      771Meta IEArticle65Submissions,Annex1,paragraphs2.24and5.22.
      773Meta IEArticle65Submissions,Annex1,paragraphs1.38,2.255.23,9.26,and10.18.
         Meta IEArticle65Submissions,Annex1,paragraphs1.38,2.26,5.24,and10.19.Meta IEaddsthat,inany
         Meta IEArticle65Submissions,Annex1,paragraph10.18(SESA).
      776DESAs Objection,p.12(referringtothe‘’undertakinginquestion’’),FRSAObjection,paragraph47(referring
      to ‘’the controller’’); IT SA Objection pp.8-9 (referring to ‘’the controller’’); NL SA Objection, paragraph52
      (referringto the risks in relation to ‘’the illegal processing at hand’’);NO SA Objection, p.12 (referring to

      777TheCJEUhas consistentlyheldthata dissuasivefineisonethathasa genuinedeterrenteffect,

      Adopted397. The EDPB finds that the AT, DE, FR, NO, and SE SAs articulate an adverse effect on the rights and

      freedomsof datasubjectsifthe DraftDecisionis leftunchanged,by referringtoa failuretoguarantee
      a highlevelof protectioninthe EU for the rightsand interestsof the individuals   77.

398. Therefore,theEDPBconsiders the AT,DE,FR, NO, andSE SAsobjectionsconcerning the impositionof
      a fine for the alleged additional infringements of Article 6/6(1)(b) and/or Article 9 GDPR to be



399. With respect tothe objection raisedby the IT SA concerning the imposition of anadministrative fine

      for the infringement of the fairness principle enshrined in Article 5(1)(a) GDPR, the EDPB finds,
      contrarytoMetaIE’sviews     77, thatit standsin connection withthe substance of the DraftDecision,
      asit concerns the imposition of a correctivemeasure for anadditionalinfringement, whichwould be

      found asaconsequence ofincorporatingthefinding putforwardbythe objection.Clearly,thedecision
      on the merits of the demand to take corrective measures for a proposed additional infringement is

      affectedby the EDPB’sdecision onwhether toinstruct theLSA toinclude anadditionalinfringement.

400. If followed, the IT SA’s objection would lead to a different conclusion in terms of corrective
      measuresimposed     78. Taking note of Meta IE’sposition 781, the EDPB finds the objections raisedby
      the ITSA tobe relevant.

401. MetaIE arguesthe IT SA’s objection does not put forward reasonable doubt as tothe validityof the

      LSA’s calculation of the fine and claims there is no basis in the GDPR for suggesting that an
      administrativefine must havea ‘’generaldeterrenteffect’’   78.TheEDPBfindsthattheITSAadequately

      argueswhy theypropose amending the DraftDecisionandhow this leadstoa different conclusion in
      termsofadministrative fine imposed   783.


      778AT SAObjection,p.11-12;DESAs Objection,p.12;FRSAObjection,paragraphs47-48;NOSAObjection,p.
      12; SESAObjection,p.5.SeealsoEDPBGuidelinesonRRO,paragraph37.
      779Meta IEArticle65Submissions,paragraph7.13.AccordingtoMeta IE,theITSAobjectionsisnotrelevant

      giventhattheLSAhas notfoundanyinfringementofthefairness,purposelimitationanddata minimisation
      781Meta IE Article65 Submissions, paragraph 7.13. According to Meta IE, given theIE SA has not found any
      infringementofthefairnessprinciple,thereisnobasisfortheimpositionofa fineonthisground.EDPBalready

         Meta IEArticle65Submissions,paragraphs7.15-16.
      783TheITSAargues thatthefindingofsuchinfringement“shouldresultintoincreasingtheamountofthesaid

      Adopted402. MetaIEarguesthe objectionof theIT SA fails todemonstrate the riskposed by the DraftDecision,as
      required 784 and,indoing so, MetaIEdismisses the concernsarticulatedbythe ITSA ontheprecedent
      the DraftDecisionsetsfor othercontrollers     .

403. The EDPBfindsthattheITSA articulatesanadverse effectonthe rightsandfreedomsof datasubjects

      ifthe DraftDecision isleft unchanged, byreferringtoa failure toguaranteea highlevelofprotection
      inthe EU for the rightsandinterestsofthe individuals  78.

404. Therefore, the EDPB considers the IT SA’s objection concerning the imposition of a fine for the
      additionalinfringement of theprinciple of fairnessenshrined in Article5(1)(a) GDPRtobe reasoned.


405. The EDPB recallsits analysis of whether the objection raisedby the IT SA in respect of the proposed
      additionalinfringements ofArticle 5(1)(b) andArticle 5(1)(c)GDPRmeetsthe threshold set by Article

      4(24)GDPR(see Section7.4.1above).Inlight ofthe conclusion thatsuchobjection isnot relevantand
      reasoned, theEDPBdoes not need tofurtherexamine thislinked objection.   Assessmenton themerits
406. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a Binding Decision concerning all the

      matters which are the subject of the relevant and reasoned objections, in particular whether the
      envisagedactioninrelationtothe controller or processor complies withthe GDPR.Morespecifically,
      the EDPB needs to assess whether an administrative fine should be imposed for the additional

      infringementsof Article 6(1)GDPRandthe principle of fairnessunder Article 5(1)(a)GDPR.However,
      in light of its findings in Section 5.4.2 above, the EDPB does not need to examine the merits of the

      objections ofthe DEand FR SAs requesting the imposition of a fine for the allegedadditional breach
      of Article9 GDPR.

407. The EDPB recalls that the consistency mechanism may also be used to promote a consistent
      application of administrative fines 787 and that the objective pursued by the corrective measure
      chosen canbe tore-establish compliance withthe rulesor topunish unlawful behaviour (or both)        .
      The EDPB responds above toMeta IE’sposition that the LSA has sole discretion to determine which
      correctivemeasuresare appropriate(see Section 8.4.2).  Assessment of whether an administrative fine should be imposed for the infringement of
                 Article6(1) GDPR

      784Meta IEArticle65Submissions,paragraph7.18.
      785Meta IEArticle65Submissions,paragraph7.19.Onthis,theEDPBhassetoutitspositionaboveinSection
      theGDPR,the decisionofEDPBwillalsodiscusshowtheprinciplesofeffectiveness,proportionalityand
      deterrence areobservedintheadministrativefineproposedinthedraftdecisionofthecompetentsupervisory
      authority”). Seealsoaboveparagraph344.

      Adopted408. The EDPB recallsits conclusion in this Binding Decision on the infringement of Article 6(1) GDPR    789

      and that the objections raised by the AT, DE, FR, NOand SE SAs found to be relevant and reasoned
      requestedthe IESA toexercise itspower toimpose anadministrative fine       790.

409. The EDPBtakesnote of MetaIE’sviewsthat,evenifaninfringement isfound, the appropriatecourse
      would be to refer the matter back to the LSA to determine whether to impose any appropriate

      correctivemeasures   791,andthattheLSA hassole competenceanddiscretionregardingtheamountof
      the fine792. The EDPB responds toMeta IE’sargument that the LSA has sole discretion todetermine

      the appropriatecorrectivemeasures inthe event ofa finding ofinfringement above in Section8.4.2.

410. The EDPBconcurs thatthe decision toimpose anadministrativefine needs tobe takenon a case-by-
      case basis in light ofthe circumstancesand is not anautomaticone    793. Inthe case athand, however,

      the EDPBagreeswiththe reasoning put forwardby theAT, DE, FR, NOandSE SAsintheir objections.
      The EDPB reiterates that lawfulness of processing is one of the fundamental pillars of the data
      protectionlaw and considers that processing of personal data without anappropriate legalbasis isa

      clearandserious violationof the datasubjects’ fundamental righttodataprotection       794.

411. Several of the factors listed in Article 83(2) GDPR speak strongly in favour of the imposition of an
      administrative fine for the infringement of Article6(1)GDPR.

      Thenature,gravityand duration of theinfringement(Article83(2)(a) GDPR)

412. Asmentionedabove andoutlined below        795,the natureandgravityoftheinfringementclearlytipthe

      balance infavour of imposing anadministrativefine.

413. Withrespecttothe scopeofprocessing,theEDPBnotestheIESA’sassessment thatthepersonaldata
      processing carriedout by MetaIEon thebasis of Article6(1)(b) GDPRis extensive,adding that“Meta

      Irelandprocessesavarietyofdatain ordertoprovideInstagramuserswitha‘personalised’experience,
      including byway ofserving personalised advertisements.Theprocessing is centralto and essentialto
      thebusiness modeloffered[...]’’     .

      791Meta IEArticle65Submissions,paragraph8.13
      792Meta IEArticle65Submissions,paragraph9.2,10.4,
      793EDPB Guidelines onAdministrativefines, p. 6 (“Like all corrective measures in general, administrative fines

      should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities
      must assess all the facts of the case in a mannerthat is consistent andobjectively justified. The assessment of
      whatis effective, proportionalanddissuasiveineachcasewillhaveto alsoreflect the objectivepursuedbythe
      corrective measure chosen, that is either to re-establish compliance with the rules, or to punish unlawful
      behaviour(or both)”), p. 7 (“The Regulation requires assessment of each case individually”;“Fines are an

      are encouraged to use a considered and balancedapproach in theiruse of corrective measures, in order to
      achieve both an effective and dissuasiveas well as a proportionate reactionto the breach. The point is to not


      Adopted414. Inthisrespect,theEDPBalsorecallsthattheinfringementatissuerelatestotheprocessingofpersonal
      dataof asignificant numberofpeople     797andthatthe impacton them hastobe considered.

415. Thoughthe damageis very difficult toexpress intermsof a monetaryvalue, it remainsthe case that
      data subjects have been faced with data processing that should not have occurred (by relying

      inappropriately on Article 6(1)(b) GDPR as a legal basis as established in Section 4.4.2). The data
      processing in question - behavioural advertising - entails decisions about information that data

      subjects are exposed to or excluded from receiving. The EDPB recalls that non-material damage is
      explicitly regardedasrelevant in Recital75 and thatsuch damagemay result from situations “where
      data subjectsmight bedeprivedoftheirrightsand freedomsor preventedfromexercisingcontrolover

      their personaldata”. Given the nature and gravityofthe infringement of Article 6(1)(b) GDPR, a risk
      of damage caused todata subjects is, in such circumstances, consubstantial with the finding of the

      infringement itself.

      Theintentionalor negligentcharacterofthe infringement(Article83(2)(b) GDPR)

416. The SE SA arguesthe infringement of Article 6(1)(b) GDPRshould be considered intentionalon Meta
      IE’spart,whichis anaggravatingfactor    798.

417. The EDPBtakesnote ofMetaIE’sposition thatit did not actintentionally withtheaim toinfringe the
      GDPR,nor wasnegligent- but “has reliedon what it has consistentlyconsidered in good faith to be a

      valid legalbasis for thepurpose ofprocessing ofpersonal data for behaviouraladvertising andwhich
      now requiresescalation to theEDPBfor resolution”   799.Beforeaddressing eachofthe elementsofthis
      claim, the EDPB first notes that establishing either intent or negligence is not a requirement for

      imposing a fine, but deserves “due regard”. Second, contrary to what Meta IE implies, the mere
      circumstancethat a dispute betweenthe LSA and the CSAs hasescalatedtothe EDPBdoes not serve

      asevidence thata controller actedingoodfaithwithrespect tothe disputedissues. First, the dispute
      arisesonly (long)afterthe controllerhas decidedonitscourse of action,andthereforecannot inform
      it. Second, a dispute may simply bring to light that an LSA has decided to challenge a position

      commonly held by(a majorityof) theCSAs.

418. The EDPB Guidelines on calculation of fines confirm that there are two cumulative elements on the
      basis of which aninfringement canbe considered intentional: the knowledge of the breach andthe
      willfulness inrelationtosuchact  800.Bycontrast,aninfringementis “unintentional”whentherewasa

      breachofthe dutyof care,withouthaving intentionally causedthe infringement.

419. The characterisation of an infringement as intentional or negligent shall be done on the basis of

      objective elements of conduct gatheredfrom the facts of the case   801. It is worthnoting the broader

      797DraftDecision,paragraph253,theInstagramserviceisprovidedtoa significantportionofthepopulationof
      theEEA. This aspectwasalsohighlightedbytheobjectionsraisedbytheNOSA(NOSAObjection,pp.10-11)
      andDESAs (DESAs Objection,pp.9and11).
         Meta IEArticle65Submissions,paragraph8.28.
      800 The EDPB Guidelines on calculation of fines, paragraphs 56, referring to the EDPB Guidelines on

      Adopted      approachadopted withrespect to the concept of negligence,since it also encompasses situations in
      which the controller or processor has failedtoadopt the requiredpolicies, whichpresumes a certain
      degree of knowledge about a potential infringement         . This provides an indication that non-
      compliance insituations inwhichthe controlleror processor should have beenawareofthepotential
      breach(inthe exampleprovided, due tothelackofthenecessarypolicies) mayamount tonegligence.

420. The SE SA arguesthatMetaIE “hascontinued to relyon Article6(1)(b) for theprocessing, despite the

      aforementioned[EDPB Guidelines2/2019 on Article 6(1)(b) GDPR]– which clearlygives doubt to the
      legalityoftheprocessing–which werefirstadoptedon9 April2019and madefinalon 8October2019.
      Theinfringement must inall casesbeconsidered intentionalfromthat laterdate”      803.

421. The EDPB recalls that even prior to the adoption EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR,

      therewereclearindicatorsthatspoke againstrelyingon contractaslegalbasis. First, inWP29 Opinion
      02/2010 on online behavioural advertising, only consent - asrequired by Article 5(3) of the ePrivacy
      Directive-is put forwardaspossible legalbasis for thisactivity.As Article6 GDPRresembles Article7

      ofthe DataProtectionDirectivetoalargeextent,WP29 Opinion 02/2010 remaineda relevantsource
      onthismatterfor controllerspreparingfor theGDPRtoenter intoapplication. Second, WP29 Opinion

      06/2014 onthenotion oflegitimateinterestsexplicitlystatesthat“thefactthatsomedata processing
      is covered by a contract does not automatically mean that the processing is necessary for its
      performance.Forexample,Article7(b)is nota suitable legalground for building a profile ofthe user’s

      tastes and lifestyle choices based on his click-stream on a website and the items purchased. This is
      because the data controller has not been contracted to carry out profiling, but rather to deliver

      particular goods and services, for example. Even if these processing activities are specifically
      mentionedin the small print of the contract, thisfact alone does not make them ‘necessary’ for the
      performanceofthecontract”    804.

422. Itstems from the above thatMetaIE had(or should have had)knowledge about the infringement of

      Article 6(1)(b) GDPR. However, this mere element is not sufficient to consider an infringement
      intentional, asstatedabove, since the “aim” or “wilfulness” of the actionshould be demonstrated.

423. TheEDPBrecallsthatthathavingknowledge ofaspecific matterdoesnotnecessarily implyhavingthe
      “will” to reacha specific outcome. This is in fact the approach adopted in the EDPB Guidelines on

      calculation of fines and WP29 Guidelines on Administrative Fines, where the knowledge and the
      “wilfulness” are considered two distinctive elements of the intentionality  805. While it may prove
      difficult todemonstrateasubjective element suchasthe “will” toactina certainmanner,thereneed
      tobe some objective elementsthatindicate theexistence of such intentionality      .

424. TheEDPBrecallsthattheCJEU hasestablisheda highthreshold inorder toconsider anactintentional.
      Infact,evenincriminalproceedingstheCJEU hasacknowledgedtheexistenceof“seriousnegligence”,

      802The EDPB Guidelines on calculation of fines, paragraph 56 (Example4) quote the EDPB Guidelines on
      Administrative Fines, which mention, among the circumstances indicative of negligence, “failure to adopt

      805EDPBGuidelinesoncalculationoffines,paragraph56,andEDPBGuidelines onAdministrativeFines,p.11.


      Adopted      ratherthan“intentionality”when“thepersonresponsible commitsapatentbreachofthedutyofcare
      whichhe should have andcould have compliedwith in view ofhis attributes,knowledge,abilitiesand
      individual situation”   . In this regard, while the EDPB confirms that a company for whom the
      processing of personal data is at the core of its business activities is expected to have sufficient
      measures in place for the safeguard of personal data   80, this does not, however, per se change the

      natureof the infringement from negligenttointentional.

425. Inthisregard,theSESA putsforwardthatMetaIEbaseditsprocessing ofpersonalised advertisement

      on consent until the GDPR came intoforce on 25 May2018, and at this time switchedto relying on
      Article6(1)(b) GDPRfor the processing inquestion instead. Thetiming andthe logisticsfor thisswitch

      suggeststhis act wasdone withthe intention of circumventing the new rights of users under Article
      6(1)(a) GDPR. The SE SA adds that “[the] proposed finding of infringement concerning information
      deficitsabout the processing, namelyonwhat legal basis it is based, furthersupports thisconclusion,

      since it goes to show that MetaIrelandwas aware ofthe questionable legalityof thatbasis and tried
      to concealthe infringementto avoidscrutinybysupervisory authoritiesand data subjects”     809.

426. The EDPB considers the timing of the changes made by Meta IE toits Instagram Termsof Use asan
      objective element, however this alone does not indicate intention. Around this time period, many

      controllers updated their data protection policies. The objection suggests that the conclusion on
      intentionalityiscorroboratedbythe shortcomingstothetransparencyobligations.Inthe EDPB’sview,

      toindicate intentioneither.

427. Therefore,on the basis of the available information, the EDPBis not able to identify awill of MetaIE

      toactinbreachofthe lawasit cannotbe concluded thatMetaIEintentionallyactedtocircumvent its

428. Therefore,theEDPBconsidersthattheargumentsputforwardbytheSE SA donotmeetthethreshold
      to demonstrate the intentionality of the behaviour of Meta IE. Accordingly, the EDPB is of the view

      thatthe DraftDecisiondoes not needtoinclude thiselement.

429. At the same time, the EDPB notes that, even establishing that the infringement was committed

      negligently,acompanyfor whom theprocessing ofpersonaldataisatthecoreofitsbusiness activities
      should have inplace sufficient proceduresfor ensuring compliance withthe GDPR     810.

430. The EDPBdoesnot acceptMetaIE’sclaimof“good faith”,butis oftheview thatMetaIEwascertainly
      seriously negligent in not taking adequate action, within a reasonable time period, following the

      adoption of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR on 9 April 2019. Even before that
      date, the EDPB considers there was at the very least negligence on Meta IE’s part considering the

      contentsof WP29 Opinion 02/2010 on online behaviouraladvertising andWP29 Opinion 06/2014 on
      the notion of legitimateinterests(see paragraph421 of this Binding Decision), whichmeans MetaIE
      had (or should have had) knowledge about the infringement of Article 6(1)(b) GDPR, giventhe fact

      of Independent Tanker Owners (Intertanko) and Others v. Secretary of State for Transport, C-308/06,

      Adopted      thatprocessing ofpersonal dataisat thecore of itsbusiness practices,andtheresources availableto

      MetaIEtoadaptits practicesso astocomply withdataprotectionlegislation.

      The degree of responsibility of the controller taking into account technical and organisational
      measuresimplementedpursuantto Articles25 and 32(Article83(2)(d) GDPR)

431. The EDPB considers the degree of responsibility of Meta IE’spart to be of a high level, on the same
      grounds asset inthe DraftDecisionwithregardstothe transparencyinfringements             .

      Thefinancial benefit obtainedfrom the infringement(Article83(2)(k) GDPR)

432. TheSE SA arguesMetaIEgainedfinancialbenefitsfrom theirdecision torelyoncontractaslegalbasis
      for behavioural advertising,rather thanobtaining consent from the users of Instagram     812.While not

      providing an estimate of its size, the SE SA considers the existence of financial benefit sufficiently
      provenonthe basisof“theself-evidentfactthatMetaIrelandhasmadesignificant financialgain from

      being able to provide personal advertisement aspart of a whole take it or leave it offer for its social
      mediaplatform service,as opposed to establishing a separate legalbasis for it.Byalso being unclear
      in the informationto data subjects, it is a reasonable assumption that more data subjectshave been

      misled into being subject to the processing, thus increasing the financial benefits gained by Meta
      Irelandpursuant to personaladvertisement”     813.

433. As explicitly statedin Article 83(2)(k) GDPR, financialbenefits gaineddirectly or indirectly from the

      infringement can be considered an aggravating element for the calculation of the fine. The aim of
      Article 83(2)(k) GDPRis toensure that the sanctionapplied is effective,proportionate and dissuasive
      ineachindividual case     .

434. Inparticular,in view of ensuring fines that areeffective, proportionate and deterrent,andin light of

      common acceptedpracticeinthe fieldof EU competitionlaw         81,whichinspired the fining framework
      under the GDPR, the EDPB isof the view that, whencalculating the administrative fine, supervisory

      authorities could take account of the financial benefits obtained from the infringement, in order to
      impose a fine thataim at“counterbalancing thegains from theinfringement”       816.

435. When applying this provision, the supervisory authorities must “assess all the facts of the case in a
      manner that is consistent and objectively justified”        . Therefore, financial benefits from the
      infringement could be an aggravating circumstance if the case provides information about profit
      obtainedasa result of theinfringement of the GDPR     818.

      811DraftDecision,paragraph240.Inthisrespect,theEDPBnotes thatthehighdegreeofresponsibilityofMeta

      817 EDPB Guidelines on Administrative Fines, p. 6 (emphasis added), quoted in Binding Decision 1/2021,

      Adopted436. In the present case, the EDPB considers that it does not have sufficiently precise information to
      evaluatethe specific weightofthe financialbenefit obtainedfrom the infringement.

437. Nonetheless, the EDPBacknowledgesthe needtoprevent thatthe fineshave littletono effectifthey
      are disproportionally low compared to the benefits obtained with the infringement. The EDPB

      considers thattheIESAshould ascertainifanestimationofthefinancialbenefit fromtheinfringement
      ispossible inthis case.Insofar asthisresultsin theneedtoincrease theamount of thefine proposed,
      the EDPBrequeststhe IESA toincrease the amount of thefine proposed.

      Competitiveadvantage -otherfactor (Article83(2)(k) GDPR)

438. The NOSA identifies anaggravatingfactorinthat“thatthe unlawfulprocessing ofpersonaldata in all

      likelihood hascontributedtothedevelopmentofalgorithmswhich maybe harmfulon an individualor
      societal level, andwhich may have considerable commercialvalue to [Meta IE]. The algorithms may
      have contributedto giving[MetaIE]acompetitiveadvantage vis-à-vis its competitors”     81.

439. Onprinciple, the EDPBagreesthatacompetitive advantagecouldbe anaggravatingfactorifthe case
      provides objective information thatthis wasobtained asa result of the infringement of the GDPR     .
      In the present case, the EDPB considers that it does not have sufficiently precise information to
      evaluate the existence of a competitive advantage resulting from the infringement. The EDPB

      considers that the IESA should ascertainif anestimation ofthe competitive advantagederived from
      the infringement is possible in this case.Insofar asthis results inthe need toincrease the amount of
      the fine proposed, the EDPBrequeststhe IESA toincrease the amount of thefine proposed.


440. Takinginto accountthe nature andgravityofthe infringement aswellasother aspectsinaccordance
      with Article 83(2) GDPR, the EDPB considers that the IE SA must exercise its power to impose an

      additionaladministrative fine. Also, covering this additionalinfringement witha fine would be in line
      with the IE SA’s (proposed) decision toimpose administrative fines in this case for the transparency
      infringements relating to processing carried out in reliance on Article 6(1)(b) GDPR     . The EDPB
      underlines that, in order to be effective, proportionate and dissuasive, a fine should reflect the
      circumstances of the case. Such circumstances not only refer to the specific elements of the

      infringement,but alsothose ofthe controller or processor whocommittedthe infringement,namely
      itsfinancialposition.  Assessmentof whetheranadministrativefineshouldbeimposedfor theinfringementofthe
                 fairnessprincipleunderArticle5(1)(a) GDPR

441. The EDPBrecallsits conclusion in thisBinding Decision onthe infringement byMetaIEof the fairness
      principle under Article 5(1)(a)GDPR 822andthatthe objection raisedbythe ITSA, which wasfound to


      Adopted      be relevant and reasoned, requested the IE SA to exercise its power to impose an administrative

442. The EDPBtakesnote of MetaIE’sviewsthat it would not be appropriatefor the EDPBtoinstruct the

      LSA to take corrective measures in relation to the additional infringement of the fairness principle
      under Article5(1)(a)GDPRconsidering thatthisissue does not fallwithinthescope ofthe Inquiry.The
      EDPBresponds tothese argumentsabove inSection6.4.2           .

443. The EDPB recallsthat the decision to impose an administrative fine needs tobe takenon a case-by-
      case basis in light of the circumstances andis not an automatic one     . Inthe same vein, the EDPB’s
      assessment ofMetaIE’scompliance withthe principle of fairnessis carriedout bytakinginto account

      the specificities of the case, ofthe particular social networking service at handand of the processing
      of personaldatacarriedout,namelyfor thepurpose of online behaviouraladvertising        826.

444. As previously established, the principle of fairness under Article 5(1)(a) GDPR, althoughintrinsically
      linked tothe principles oflawfulness andtransparencyunder thesame provision, hasanindependent
      meaning     . It underpins the whole data protection framework and plays a key role for securing a
      balance ofpower in thecontroller-data subject relationship  828.

445. Considering the EDPB’sfindingsin Section6.4.2thatMetaIEhasnot compliedwithkeyrequirements
      ofthe principle offairness asdefinedbythe EDPB,namelyallowing for autonomyofthe datasubjects

      as tothe processing of their personal data, fulfilling data subjects’ reasonable expectation, ensuring
      power balance,avoiding deceptionandensuring ethicalandtruthfulprocessing, aswellastheoverall
      effect of the infringement by Meta IE of the transparencyobligations and of Article 6(1) GDPR, the

      EDPBreiteratesitsview thatMetaIEhasinfringed theprinciple offairness under Article5(1)(a)GDPR
      andagreeswiththeITSA thatthisinfringement should be adequatelytakenintoaccount bythe IESA

      in the calculationofthe amount ofthe administrative fine tobe imposed following the conclusion of

446. Therefore,theEDPBinstructstheIESAtotakeintoaccounttheinfringementbyMetaIEofthefairness
      principle enshrined inArticle5(1)(a) GDPRasestablished above whenre-assessing the administrative

      fines for the transparencyinfringements andthe determinationof the fine for the lack oflegalbasis.
      If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an

      appropriatecorrectivemeasure,the EDPBrequeststhe IE SA toinclude thisinitsfinaldecision. Inany
      case,the IESA must take into account the criteriaprovided for by Article83(2) GDPRand ensuring it
      is effective,proportionate anddissuasive inline withArticle 83(1)GDPR.

      824Meta IEArticle65Submissions,paragraph8.15.

      Adopted      10 BINDINGDECISION

447. Inlightof theabove, andinaccordancewiththetaskof theEDPBunder Article 70(1)(t)GDPRtoissue
      binding decisions pursuant to Article 65 GDPR, the EDPB issues the following Binding Decision in

      accordancewithArticle65(1)(a) GDPR.

448. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in

      accordancewithArticle65(2) GDPR.

      On the objections concerning whether the LSA should have found an infringement for lack of

449. The EDPBdecidesthattheobjections ofthe AT,DE,ES,FI,FR,HU,NL,NO, andSE SAs regardingMeta

      IE’sreliance onArticle 6(1)(b) GDPRin thecontext of itsoffering of the InstagramTermsof Use meet
      the requirementsofArticle 4(24)GDPR.

450. Onthepartsofthe DESAs’objectionrequesting thefinding ofaninfringementofArticle5(1)(a)GDPR,

      and the partsof the DE andNO SAs objections requesting specific correctivemeasures under Article
      58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the imposition of an
      administrative fine, a ban of the processing of personal data for the purpose of behavioural
      advertising, anorder to delete personal data processed under Article 6(1)(b) GDPR, andan order to

      identify a valid legal basis for future behavioural advertising or to abstain from such processing
      activities, the EDPB decides that these partsof their objections do not meet the threshold of Article
      4(24)GDPR.Similarly,thepartofthe FISA objection concerningthe imposition ofa specific corrective

      measures, namely anadministrative fine is not reasoned anddoes not meet the threshold of Article

451. The EDPB instructsthe IESA to alterits Finding 2 of itsDraftDecision, which concludes that MetaIE

      mayrelyonArticle6(1)(b)GDPRinthecontextofitsoffering ofInstagramTermsofUse,andtoinclude
      aninfringement of Article 6(1) GDPR,basedon the shortcomings that the EDPBhas identified in this
      Binding Decision.

      On theobjectionsconcerningwhethertheLSA’sDraftDecisionincludessufficientanalysis andevidence
      to concludethat MetaIEis not obliged to relyon consentto processtheComplainant’spersonal data

452. The EDPB decidesthat the objections of the AT,DE, FI,FR, andNL SAs regardingthe LSA’sFinding 1
      thatMetaIEisnot legallyobligedtorelyon consent toprocesspersonal datatodeliver the Instagram

      TermsofUse meetthe requirementsofArticle 4(24)GDPR.

453. On the part of the NL SA objection asking the IE SA to include in its Draft Decision the elements
      concerning the need torely on consent for the placing of tracking technology on end users devices

      under ePrivacy legislation, the EDPB decides that this part falls outside the scope of the EDPB’s
      mandate.The objection raisedby the ESSA regardingthe potentialinfringement of Article9 GDPRis
      not sufficiently reasoned and, therefore, the EDPB decides that the objection of the ES SA does not
      meetthe threshold provided for by Article4(24) GDPR.

454. The EDPBinstructs the IE SA toremove from its DraftDecisionits conclusion on Finding 1. The EDPB
      decides that the IE SA shall carry out a new investigationinto Meta IE’sprocessing operations in its

      Adopted      Instagramservicetodetermineifit processesspecialcategoriesofpersonaldata(Article9GDPR),and

      complies with the relevant obligations under the GDPR to the extent that the investigation
      complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding
      Decision; and,basedon theresults ofthisinvestigation, issue anew draftdecision inaccordancewith
      Article60(3) GDPR.

      Onthe objectionconcerningthepotentialadditional infringementof theprinciple offairness

455. TheEDPBdecidesthattheobjectionofthe ITSAregardingtheinfringementbyMetaIEofthe principle
      of fairnessunder Article5(1)(a)GDPR,meetsthe requirementsof Article4(24) GDPR.

456. The EDPBinstructs the IE SA to find in itsfinal decision anadditionalinfringement of the principle of
      fairness under Article 5(1)(a)GDPRbyMetaIE.

      On the objection concerning the potential additional infringement of the principles of purpose

457. On the objection by the IT SA concerning the possible additional infringements of the principles of
      purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, the EDPB decides this

      objection does not meetthe requirementsofArticle 4(24)GDPR.

      Onthe objectionsconcerningcorrectivemeasuresotherthan administrativefines

458. The EDPB decidesthat the objections of the AT and NL SAs requesting additional and/or alternative

      specific correctivemeasurestobe imposed meet the requirementsofArticle 4(24)GDPR.

459. The EDPBinstructsthe IESA toinclude inits finaldecision anorder for MetaIEtobring its processing
      of personal data for the purposes of behavioural advertising in the context of the Instagram service

      intocompliance withArticle 6(1)GDPRwithinthree months.

460. TheEDPBalsoinstructstheLSA toadjust itsorder toMetaIEtobring InstagramDataPolicyandTerms

      of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR within three
      months, torefernot only toinformationprovided ondataprocessedpursuant toArticle6(1)(b)GDPR,
      but also to data processed for the purposes of behavioural advertising in the context of Instagram
      service (toreflect thefinding of theEDPBthat for thisprocessing thecontroller cannot relyon Article

      6(1)(b) GDPR).

      On the objections concerning the determination of the administrative fine for the transparency


461. The EDPBdecidesthatthe objections oftheDE,FR,IT,NL,andNOSAsregardingthedeterminationof
      the administrative fine for the transparencyinfringements, meet the requirements of Article 4(24)

462. The EDPBconsiders thatthe Final Decisiondoes not needtorefer tothe infringementsby WhatsApp
      IrelandLimited,as established in DecisionIN-18-12-2, as anaggravatingfactorunder Article 83(2)(e)
      GDPRfor the calculationofthe fine.

463. The EDPB instructs the IE SA to modify its Draft Decision to elaborate on the manner in which the
      turnover of the undertakingconcernedhas beentakenintoaccount for the calculationofthe fine, as

      Adopted      appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Article


464. The EDPB considers that the proposed fine does not adequatelyreflect the seriousness and severity
      of the infringements nor has a dissuasive effect on Meta IE. Therefore, the fine does not fulfil the

      requirement ofbeing effective,proportionate anddissuasive inaccordance withArticle83(1) and(2)
      GDPR. Inlight ofthis, the EDPB directsthe IE SA toset out a significantly higher fine amount for the
      transparencyinfringementsidentified, incomparison withthe upper limit for the administrative fine

      envisaged in the Draft Decision. In doing so, the IE SA must remain in line with the criteria of
      effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR in its overall
      reassessment of the amount ofthe administrative fine.

      Onthe objectionsconcerningtheimposition ofan administrativefine for the lackoflegal basis

465. The EDPBdecidesthattheobjections of theAT,DE,FR,NO,andSE SAs regardingthe impositionofan
      administrative fine for the infringement ofArticle 6(1)or Article 6(1)(b)GDPRmeetthe requirements
      of Article4(24)GDPR.

466. Inrelation tointentionality under Article 83(2)(b) GDPR, the EDPB considersthat the argumentsput
      forwardby the SE SA in their objection do not containsufficient objective elementsto demonstrate

      the intentionalityofthe behaviour ofMetaIE.

467. Regarding the possible financial benefit obtained from the infringement as well as the competitive
      advantage (Article 83(2)(k) GDPR), the EDPB instructs the IE SA to ascertain if an estimation of the

      financial benefit from the infringement is possible in this case. Insofar as further estimation of the
      financialbenefit from the infringement is possible in thiscase and resultsin the needto increasethe
      amountofthefine proposed, theEDPBrequeststheIESAtoincreasetheamount ofthefineproposed.

468. The EDPB instructs the IE SA to cover the additional infringement of Article 6(1) GDPR with an
      administrative fine which is effective, proportionate and dissuasive in accordance with Article 83(1)
      GDPR. Indetermining the fine amount, the IE SA must give due regardto all the applicable factors

      listed in Article 83(2) GDPR, inparticular the nature and gravityof the infringement, the number of
      datasubjects affectedand theseriously negligentcharacteroftheinfringement.

      On the objection concerning the imposition of an administrative fine for the infringement of the
      fairness principleunder Article5(1)(a) GDPR

469. The EDPBdecidesthatthe objectionofthe ITSA regardingtheimposition ofanadministrative fine for
      the infringement ofArticle 5(1)(a)GDPRmeetsthe requirementsof Article4(24) GDPR.

470. TheEDPBinstructstheIESA tofactortheadditionalinfringementoftheprinciple offairnessenshrined
      in Article5(1)(a) GDPRintoits adoptionof appropriate correctivemeasures. Inthisrespect,the IE SA
      is instructed totake due account of this infringement when re-assessing the administrative fines for

      the transparency infringements and the determination of the fine for the lack of legal basis. If,
      however, the IE SA considers an additional fine for the breach of the principle of fairness is an
      appropriatecorrectivemeasure,the EDPBrequeststhe IE SA toinclude thisinitsfinaldecision. Inany

      case,the IESA must take into account the criteriaprovided for by Article83(2) GDPRand ensuring it
      is effective,proportionate anddissuasive inline withArticle 83(1)GDPR.

      Adopted      On the objection concerning the imposition of an administrative fine for the infringement of Article
      5(1)(b) and(c)GDPR

471. The EDPBdecidesthatit doesnot needtoexamine theobjectionof theITSA regardingthe imposition

      of anadministrative fine for the infringement ofArticle 5(1)(b) andArticle5(1)(c) GDPR.


472. ThisBinding Decision isaddressed tothe IESA andtheCSAs. TheIE SA shalladopt itsfinal decision on
      the basis ofthis Binding Decisionpursuant toArticle 65(6)GDPR.

473. Regardingtheobjections deemednot tomeetthe requirementsstipulatedby Article4(24)GDPR,the
      EDPB does not take any position on the merit of any substantial issues raised therein. The EDPB

      reiteratesthatitscurrentdecisioniswithoutanyprejudice toanyassessments theEDPBmaybecalled
      upon tomake inother cases, including withthesame parties,taking intoaccount the contentsofthe
      relevantdraft decision andthe objections raisedby the CSAs.

474. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding
      Decision without undue delayandat the latestby one monthafter the Boardhas notified itsBinding


475. The IESA shall inform the Boardof the datewhen itsfinal decision is notified tothe controller or the
      processor    . This Binding Decisionwill be made public pursuant toArticle 65(5)GDPRwithout delay
      afterthe IESA hasnotified itsfinaldecision tothe controller 830.

476. The IESA will communicateits finaldecision tothe Board    831.PursuanttoArticle 70(1)(y) GDPR,theIE
      SA’sfinal decision communicatedtothe EDPBwillbe included in the registerofdecisions whichhave

      beensubject totheconsistency mechanism.

      For the EuropeanDataProtectionBoard

      The Chair

      (Andrea Jelinek)

         Art. 65(6)GDPR.
      830Art. 65(5)and(6)GDPR.
      831Art. 60(7)GDPR.