EDPB - Binding Decision 4/2022 - 'Meta (Instagram)': Difference between revisions

Revision as of 13:48, 25 January 2023

EDPB - Binding Decision 4/2022

Authority:	EDPB
Jurisdiction:	European Union
Relevant Law:	Article 4 GDPR Article 5 GDPR Article 6 GDPR Article 7 GDPR Article 9 GDPR Article 12 GDPR Article 13 GDPR Article 21 GDPR Article 24 GDPR Article 56 GDPR Article 58 GDPR Article 60 GDPR Article 65 GDPR Article 77 GDPR Article 79 GDPR Article 83 GDPR
Type:	Other
Outcome:	n/a
Started:	25.07.2022
Decided:	05.12.2022
Published:	11.01.2023
Fine:	n/a
Parties:	Belgian Instagram user (represented by noyb - European Centre for Digital Rights) Meta Platforms Ireland Limited
National Case Number/Name:	Binding Decision 4/2022
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	English
Original Source:	EDPB (in EN)
Initial Contributor:	LR

Following a referral under the Article 60 GDPR procedure, the EDPB issued a binding decision finding Meta IE’s processing of personal data for behavioural advertising to be unlawful.

English Summary

Facts

In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a user was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).

Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.

A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (APD), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.

Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.

Secondly, the use of the Instagram service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the data controller seeks to rely is invalid.

Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.

Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.

The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.

In response to the complaint Meta IE submitted, among others points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of Article 6(1)(a) GDPR. The company stated that it “does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use” (Para 41).

On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with Article 60(3) GDPR. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with Article 60(4) GDPR, to the Draft Decision. On 11 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.

Holding

Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR. The EDPB identified five issues in the case at hand, addressing each one in turn before issuing the Binding Decision.

Please note: When describing Issues 1-3, it is necessary to explain the proposals in the Irish DPA’s Draft Decision, in order to provide the context for the EDPB decision.

Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis/Unlawful Data Processing

This issue concerns whether Meta IE can rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”.

In its Draft Decision, the DPC – taking into account the complainant’s submissions, the EDPB guidelines and the framing of Article 6(1)(b) – acknowledged that “consideration of the meaning of the term ‘contract’ within a data protection context is required”. However, the DPC also asserted that an assessment of the terms “necessary” and “performance” is also required, and they “do not have competence to consider substantive issues of contract law, and, accordingly [their] analysis is limited to the specific contract entered into by the named data subject and Meta Ireland in respect of the Instagram service” (DPC - 87). The DPC took a broad approach in determining what is necessary for the performance of a contract based on what is “reflected in the terms of the precise contract between those parties” (DPC - 95). The DPC explained that, in their view, “the core of the service offered is premised on the delivery of personalised advertising” (DPC - 106) and proposed to conclude that “Meta Ireland may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising” (DPC - 116).

Nine DPAs objected to this proposed conclusion from the DPC, and the matter was referred to the EDPB.

In its binding decision, the EDPB sought to emphasise "the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Instagram service" (99). With regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:

"The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model” (108).
"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR... Otherwise, the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not" (112).
"...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (119).

Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Instagram. Firstly, "Meta IE promotes... the perception that the main purpose of the Instagram service serves and for which it processes its users' data is to enable them to communicate with others" (120). The EDPB also takes into account Article 21(2) and (3) GDPR, "the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes." Because this right exists, "the processing cannot be necessary to perform a contract [as the] subject has the possibility to opt out from it at any time, and without providing any reason" (125). The EDPB continues, outlining the inherent risk of a finding in the DPC Decision that Meta IE can process personal data on the basis of Article 6(1)(b):

“...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of Article 6(1)(b) GDPR, pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject" (134). "As a result, owing to the number of users, market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the complainant and the millions of users of Instagram service in the EEA and affect the protection of hundreds of millions of people covered the GDPR" (135).

In light of all of the above, the EDPB directed the following:

“...behavioural advertising performed by Meta in the context of the Instagram service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Instagram service and is not an essential or core element of it" (136). "Meta has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data in the context of the Instagram terms of service and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Service for the purpose of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (137).

Accordingly, the EDPB instructed the DPC to “alter Finding 2 of its Draft Decision, which concludes that Meta IE may rely on Article 6(1)(b) GDPR in the context of its offering of the Instagram Terms of Use, and to include an infringement of Article 6(1) GDPR” (Para 137).

Issue 2 – On whether the LSA’s Draft Decision includes sufficient analysis and evidence to conclude that Meta IE is not obliged to rely on consent to process the Complainant’s personal data

In its Draft Decision, the DPC sought to consider whether clicking the “Agree to Terms” button constitutes or should be considered consent for the purposes of the GDPR. According to the DPC, this question consists of two parts, “first, whether clicking the ‘Agree to Terms’ button actually constitutes consent for the purposes of the GDPR and, second, whether the act of clicking ‘Agree to Terms’ necessarily must be considered consent for such purposes” (DPC - 34).

On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “as a matter of fact, Meta Ireland did not – and did not seek – to rely on consent as the legal basis for all processing” (DPC - 46).

Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasized that there is no hierarchy of legal bases for the processing of personal data under the GDPR, any implication otherwise would be “inherently problematic”, and “[no] one ground has normative priority over the others” (DPC - 51).

However, six DPAs raised objections to this proposed finding by the DPC. In its binding decision, the EDPB stated:

“The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake" (107). “[The DPC] cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve” (202).

As a result, the EDPB instructed the DPC to remove its proposed finding regarding consent as a basis for lawful processing. The EDPB also decided that the DPC shall carry out a new investigation into Meta IE’s processing operations in its Instagram service to determine if it processes special categories of personal data (Article 9 GDPR), and complies with the relevant obligations under the GDPR (Para 203).

Issue 3 – On the Potential Additional Infringement of the Principle of Fairness

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. The DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Meta IE was not afforded the opportunity to be heard in response to a particularised area of wrongdoing” (DPC - 200). The matter was referred to the EDPB, who determined as follows:

"the principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too" (224).
"the concept of fairness stems from the EU Charter of Fundamental Rights" (225).
“Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject… [it] underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (225, 226).
"The combination of factors, such as the asymmetry of the information created by Meta IE with regard to the Instagram service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages the Instagram service users, limits their control over the processing of their personal data and undermines the exercise of their rights” (234).

Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (235).

Issue 4 – On the potential additional infringement of the principles of purpose limitation and data minimisation

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision, on account of Meta IE’s failure to comply with the purpose limitation and data minimisation principles (239).

The Italian DPA argued that the DPC should not have confined its assessment to only the purpose of personalised advertising (while the Instagram service would actually be composed of several processing activities pursuing several purposes). Accordingly, the fact Meta IE inappropriately based its multifarious processing activities only on Article 6(1)(b) GDPR entails an infringement of the purpose limitation and data minimisation principles (240). Furthermore, “the failure to specify and communicate the purposes of the processing to the data subject creates a risk of artificially expanding the types of processing or the categories or personal data considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would nullify the safeguards afforded to data subjects under data protection law” (241). In response, the DPC stated that it did not consider that the Italian DPA’s objection to be relevant or reasoned.

In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it related to specific parts of the DPC’s Draft Decision and the DPC could have made a finding of an infringement of the principles of purpose limitation and data minimisation. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “substantial and plausible” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy Article 4(24) GDPR (Para 252).

Issue 5 – On Corrective Measures Other than Administrative Fines

In its Draft Decision, the DPC proposed the imposition of an order to bring processing in compliance with Articles 5(1)(a), 12(1) and 13(1) GDPR within three months of the date of notification of any final decision. This concerned the DPC’s finding that Meta had breached its transparency obligations under the GDPR, a conclusion which was not objected to by any DPAs and thus was not referred to the EDPB.

However, under the Article 60 GDPR process, a range of objections were made to the proposed order to bring Meta’s processing activities into compliance. These objections proposed: the imposition of corrective measures other than administrative fines (see “Issue 6” below and EDPB decision paras 255, 256); a temporary ban on processing (255); measures to remedy the infringement of Article 6(1)(b) GDPR (Para 257); and to delete any unlawfully processed data (259).

The EDPB considered the objections raised in accordance with Article 4(24) GDPR, assessing whether they are “relevant” and “reasoned”. The EDPB also considered the need for any corrective measures applied by a supervisory authority to be “appropriate, necessary and proportionate in view of ensuring compliance with the regulation” (Article 58(2) GDPR) (Para 280).

Having considered the objections, the EDPB instructed the DPC to include in its final decision an order for Meta IE to bring its data processing for behavioural advertising into compliance with Article 6(1) GDPR within 3 months (290). In addition, the EDPB notes that the order should be modified to reflect the EDPB’s finding that Meta IE is not entitled to rely on Article 6(1)(b) GDPR for this data processing (291). Furthermore, the EDPB instructed the DPC to amend its order regarding transparency obligations to include data processed for the purpose of behavioural advertising, and not just data processed pursuant to Article 6(1)(b) (Para 291).

Issue 6 – On the determination of the administrative fine

The EDPB considered the DPC’s assessment of the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine for the infringement of its transparency obligations under the GDPR (Paras 293 – 312). The EDPB also noted the objections raised by five DPAs, requesting a “significantly higher administrative fine with reference to the established infringements” (313). The EDPB found these objections to be relevant and reasoned in accordance with Article 4(24) GDPR and, after conducting its own assessment of the factors under Article 83(2) GDPR, found that the proposed fine “is not effective, proportionate and dissuasive, in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of doing business” (Para 364).

Therefore, the EDPB instructed the DPC to “set out a significantly higher fine amount for the transparency infringements identified, in comparison with the upper limit for the administrative fine envisaged in the Draft Decision” (366).

Furthermore, following a range of further objections by DPAs to the administrative fine proposed by the DPC, the EDPB instructed the DPC to impose an administrative fine for the additional infringement of Article 6(1) GDPR (440), and to take into account the additional infringement of the principle of fairness in Article 5(1)(a) GDPR in its adoption of corrective measures (446).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

BindingDecision4/2022onthedisputesubmittedby the

Irish SAon MetaPlatformsIrelandLimitedand itsInstagram
service(Art.65GDPR)

Adopted on 5December 2022

AdoptedTableof contents

1 Summaryofthe dispute.................................................................................................. 5

2 The right togoodadministration...................................................................................... 9

3 Conditionsfor adopting a binding decision........................................................................ 9

3.1 Objection(s)expressedby severalCSA(s)inrelationtoa Draft Decision.......................... 9
3.2 The IESA finds the objections totheDraftDecision not relevantor reasoned anddoes not

follow them.....................................................................................................................10
3.3 Admissibilityofthe case..........................................................................................10

3.4 Structure ofthe Binding Decision.............................................................................11

4 Onwhether the LSA should have foundaninfringement for lackofappropriate legalbasis.....11

4.1 Analysisbythe LSA inthe Draft Decision...................................................................11
4.2 Summaryofthe objectionsraisedbythe CSAs ...........................................................14

4.3 Positionofthe LSA onthe objections........................................................................19

4.4 Assessment ofthe EDPB..........................................................................................20
4.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................20

4.4.2 Assessment onthe merits................................................................................24

5 Onwhether the LSA’sDraftDecisionincludes enoughanalysis andevidence toconclude that
MetaIE isnot obligedtorelyonconsent toprocessthe complainant’spersonaldata....................39

5.1 Analysisbythe LSA inthe Draft Decision...................................................................39

5.2 Summaryofthe objectionsraisedbythe CSAs ...........................................................40
5.3 Positionofthe LSA onthe objections........................................................................44

5.4 Assessment ofthe EDPB..........................................................................................45

5.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................45

5.4.2 Assessment onthe merits................................................................................48
6 Onthe potentialadditionalinfringement ofthe principle offairness....................................54

6.1 Analysisbythe LSA inthe Draft Decision...................................................................54

6.2 Summaryofthe objectionraised bythe CSA ..............................................................55
6.3 Positionofthe LSA onthe objection .........................................................................56

6.4 Analysisofthe EDPB...............................................................................................56

6.4.1 Assessment ofwhether the objectionwasrelevant andreasoned..........................56

6.4.2 Assessment onthe merits................................................................................58
7 Onthe potentialadditionalinfringement of theprinciples of purpose limitationanddata

minimisation.......................................................................................................................63
7.1 Analysisbythe LSA inthe Draft Decision...................................................................63

2
Adopted 7.2 Summaryofthe objectionraised bythe CSAs.............................................................63

7.3 Positionofthe LSA onthe objection .........................................................................64

7.4 Analysisofthe EDPB...............................................................................................64

7.4.1 Assessment ofwhether the objectionwasrelevant andreasoned..........................64
8 Oncorrective measuresother thanadministrative fines.....................................................66

8.1 Analysisbythe LSA inthe Draft Decision...................................................................66

8.2 Summaryofthe objectionsraisedbythe CSAs ...........................................................67

8.3 Positionofthe LSA onthe objections........................................................................69
8.4 Assessment ofthe EDPB..........................................................................................69

8.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................69

8.4.2 Assessment onthe merits................................................................................71

9 Onthe determinationofthe administrative fine................................................................77
9.1 Onthe determinationofthe administrative fine for the transparencyinfringements.......77

9.1.1 Analysisbythe LSA inthe Draft Decision............................................................77

9.1.2 Summaryofthe objectionsraisedbythe CSAs ....................................................82

9.1.3 Positionofthe LSA onthe objections.................................................................85
9.1.4 Assessment ofthe EDPB...................................................................................86

9.2 Onthe determinationofanadministrative fine for further infringements......................95

9.2.1 Analysisbythe LSA inthe Draft Decision............................................................95
9.2.2 Summaryofthe objectionsraisedbythe CSAs ....................................................96

9.2.3 Positionofthe LSA onthe objections...............................................................101

9.2.4 Analysisofthe EDPB......................................................................................101

10 Binding Decision......................................................................................................113

11 Finalremarks..........................................................................................................116

3
AdoptedTheEuropeanDataProtectionBoard

Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European
Parliamentandofthe Council of27 April2016 onthe protectionofnaturalpersonswithregardtothe
processing ofpersonal dataandonthe freemovement ofsuchdata,andrepealingDirective95/46/EC
1
(hereinafter“GDPR”) ,

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as
amendedby theDecision ofthe EEA joint Committee No154/2018 of 6 July 2018 , 2

HavingregardtoArticle 11 andArticle22 of itsRulesof Procedure (hereinafter“EDPBRoP”) , 3

Whereas:

(1) The main role of the European Data ProtectionBoard (hereinafter the “EDPB”) is to ensure the
consistent applicationof the GDPRthroughoutthe EEA.Tothiseffect,it follows from Article60 GDPR
that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other supervisory

authoritiesconcerned(hereinafter“CSAs”)inanendeavourtoreachconsensus, thattheLSA andCSAs
shall exchange all relevant information with each other, and that the LSA shall, without delay,
communicatethe relevantinformation onthe mattertothe other supervisory authoritiesconcerned.

The LSA shall without delaysubmit a draft decision to the other CSAs for their opinion and take due
account oftheir views.

(2) Where any of the CSAs expressed a reasoned and relevant objection on the draft decision in

accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the
relevantandreasonedobjection or considers thattheobjection isnot reasonedandrelevant,theLSA
shall submit this mattertothe consistency mechanism referredtoinArticle 63 GDPR.

(3)PursuanttoArticle65(1)(a)GDPR,theEDPBshallissueabindingdecision concerningallthematters

which are the subject of the relevant and reasoned objections, in particular whether there is an
infringement ofthe GDPR.

(4)The binding decision of theEDPBshall be adoptedby atwo-thirds majorityofthe membersofthe

EDPB, pursuant toArticle 65(2) GDPR inconjunction withArticle 11(4) EDPB RoP, within one month
after the Chair of the EDPB and the competent supervisory authority have decided that the file is
complete. The deadline may be extendedby a further month, taking into account the complexity of

the subject-matter upon decision of the Chair of the EDPB on own initiative or at the request of at
least one thirdof the membersofthe EDPB.

(5)InaccordancewithArticle65(3)GDPR,if,inspite ofsuchanextension, theEDPBhasnotbeenable

toadopt a decision within the timeframe,it shall do so withintwoweeks following the expiration of
the extensionby a simple majorityof itsmembers.

(6)InaccordancewithArticle 11(6)EDPB RoP, onlythe Englishtext ofthe decisionisauthentic asit is
the languageofthe EDPBadoptionprocedure.

1
2OJL119,4.5.2016,p.1.
References to “Member States”madethroughout this decision shouldbeunderstoodas references to “EEA
MemberStates”.
3EDPBRules ofProcedure,adoptedon25May2018.

4
Adopted HAS ADOPTED THEFOLLOWINGBINDINGDECISION

1 SUMMARYOF THE DISPUTE

1. This document contains a Binding Decision adopted by the EDPB in accordance with
Article65(1)(a) GDPR.Thedecisionconcerns thedispute arisenfollowing a draftdecision (hereinafter

“DraftDecision”)issuedbythe Irishsupervisory authority(“DataProtectionCommission”, hereinafter
the “IESA”,alsoreferredtointhis contextasthe “LSA”)andthe subsequent objections expressed by
a number of CSAs (“Österreichische Datenschutzbehörde” hereinafter the “AT SA”; “ Der

HamburgischeBeauftragtefürDatenschutzundInformationsfreiheit” alsoon behalfofother German
SAs 4, hereinafter the “DE SAs”;“AgenciaEspañola de Protección de Datos”,hereinafter the “ESSA”;
“Office of the Data Protection Ombudsman”, hereinafter the “FI SA”; “Commission Nationale de

l'Informatique et des Libertés", hereinafter the “FR SA”; “Hungarian National Authority for Data
Protection and Freedom of Information, hereinafter “HU SA”; “Garante per la protezione dei dati
personali", hereinafter the “IT SA”; “Autoriteit Persoonsgegevens”, hereinafter the “NL SA”;

“Datatilsynet”, hereinafter the “NO SA”; and “Integritetsskyddsmyndigheten”, hereinafter the “SE
SA”).

2. The DraftDecisionatissue relatestoa“complaint-basedinquiry” whichwascommencedbythe IESA
on 20 August 2018 into the Instagram social media processing activities (hereinafter “Instagram

service”) of Facebook IrelandLimited, a company established in Dublin, Ireland. The company has
subsequently changedits name to “Meta PlatformsIrelandLimited” andhereinafter it is referredto
as“MetaIE”.Any referencetoMetaIEinthis Binding Decisionmeansa referencetoeither Facebook

IrelandLimitedor MetaPlatformsIrelandLimited,asappropriate.

3. The complaint was lodged on 25 May 2018 with the Belgian supervisory authority (“Autorité de

protection des données”), hereinafter the “BE SA” by a data subject who requested the non-profit
NOYB-EuropeanCenterfor DigitalRights(hereinafter,“NOYB”)torepresentthemunderArticle80(1)
GDPR(bothhereinafterreferredtoasthe“Complainant”).TheComplainantallegeda violationofthe

right to data protection and especially infringements of “all the particular requirementsset out in
Article4(11),Article6(1)(a),Article7and/or Article9(2)(a)oftheGDPR”,byarguingthatthecontroller

relied on a “forced consent”, as well as alleging misrepresentations of the controller with regardto
consent and the legal basis for the processing, and consequently, an infringement of Article 5(1)(a)
GDPR 5.The complaint articulateditsrequests into a request toinvestigate,and a request to impose
6
correctivemeasures .

4Objections raised on behalf of theHamburg Commissioner forData Protectionand Freedom of Information,
the Bavarian StateOfficefor Data ProtectionSupervision, theBerlinCommissionerfor Data Protection and

FreedomofInformation,theBrandenburgCommissionerforDataProtectionandFreedomofInformation,the
Federal Commissionerfor Data Protection and Freedom of Information, the State Commissioner for Data
ProtectioninLowerSaxonyandtheStateCommissionerforDataProtectionNorthRhine-Westphalia.
5Complaint,paragraphs2.2.5.and2.3.2.
6 Within its request to investigatein paragraph 3.1 of theComplaint, theComplainant requested that a full
investigationbemadeto determine“which processingoperations the controllerengages in, in relation to the
data subject”, “for which purpose they are performed”, “on which legal basis for each specific processing

operationthecontrollerrelieson”,andtoacquire“acopyofanyrecordsofprocessingactivities”.Thecomplaint
alsorequested“that the results of this investigation[be] madeavailableto [them]”. As regards therequest to

5
Adopted4. On31 May2018,the BESA transferredthe complaint totheIESA. The IESA statedinits“Schedule to
the DraftDecision” 7thatitwassatisfied thattheIESA isthe LSA,withinthe meaningof theGDPR,for
MetaIE,ascontroller, for the purpose ofthe cross-border processing of personal datain the context
of theInstagramservice.

5. The following table presents a summary timeline of the events part of the procedure leading tothe

submission of the mattertothe consistency mechanism:

Thescope andlegalbasisofthe inquirywereset outinthenotice
20.08.2018 ofcommencementofinquiry thattheIESA sent tothe partieson

20August 2018.TheIESA commencedtheinquiry andrequested
information from thisdate.
InquiryReport stage:
20.08.2018-07.04.2021 • the IESA commenced workonthe draft inquiry report

• the IESA preparedadraftinquiryreportandissued it to
Meta IE andto the Complainant to allow them to make

submissions inrelationtothe draftinquiry report;
• MetaIE provided its submissions in relationto the draft

inquiry report;
• The Complainant provided its submissions in relation to
the draftinquiry report;

• Meta IE andthe Complainant were furnished with each
other’ssubmissions andthe finalreport wasprovided to

the decision-maker;
• The IESA issued a copyof itsfinalinquiry report toMeta

IEandthe Complainant.
• The IE SA issued a letter to Meta IE and to the
Complainant to confirm the commencement of the

decision-making stage.
The IE SA issued a Preliminary Draft Decision (hereinafter “the
23.12.2021
Preliminary Draft Decision”)(including a Schedule) to Meta IE
andtothe Complainant.
The Complainant provided submissions on the Preliminary Draft
04.02.2022 Decision to the IE SA (“Complainant’s Preliminary Draft

Submissionsdated4February2022” ).
Meta IE made submissions on the Preliminary Draft Decision to

the IESA (“Meta IE’sPreliminary DraftSubmissions”).
The IE SA shared its Draft Decisionwith the CSAs in accordance
01.04.2022
withArticle60(3) GDPR.

imposecorrectivemeasures,morespecifically,thecomplaintrequestedinparagraph3.2thattheSA“stopany
processing operationsthat are based on invalid consent by the data subject”, and in paragraph3.3 that an
“effective, proportionateanddissuasivefine”beimposed.
7IESAScheduletotheDraftDecisionof1April2022inthematterofTSA(throughNOYB)vMeta PlatformsLtd
(formerlyFacebookIrelandLimited)inrespectoftheInstagramService,paragraphs58-72.
8This documentismistakenlydated“11.06.2020”.

6

Adopted Between SeveralCSAs (AT,DE,ES,FI,FR,HU,IT,NL,NO,andSESAs)raised
objections in accordancewithArticle60(4)GDPR.

28 and29.04.2022

The IE SA issued a Composite Response setting out its replies to
01.07.2022
such objections and shared it with the CSAs (hereinafter,
“Composite Response”). The IE SA requestedthe relevant CSAs
to confirm whether, having considered the IE SA’s position in

relation to the objections as set out in the Composite
Memorandum,the CSAs intended tomaintaintheir objections.

In light of the arguments put forward by the IE SA in the
Composite Response, the DE, ES, FI, HU, NL, NO, and SE SAs),

confirmed to the IE SA that they maintain their remaining
objections .

The IE SA invited Meta IE to exercise its right to be heard in
08.07.2022 respect of the objections (and comments) that the IE SA

proposed to refer to the EDPB under Article 65(1) GDPR along
with the IE SA’s Composite Response and the communications

receivedfrom the CSAs in replytothe Composite Response.
Meta IE furnished the requested submissions (“Meta IE Article
09.08.2022 65 Submissionsof9August2022”).

The IE SA referred the matter to the EDPB in accordance with
11.08.2022 Article 60(4) GDPR, thereby initiating the dispute resolution

procedure under Article65(1)(a).

6. The IE SA triggered the dispute resolution process in the Internal Market Information system
(hereinafter“IMI”) on 11 August 2022 inaccordancewithArticle 60(4)GDPR.

7. The EDPBSecretariatassessed the completeness of the file on behalf of the Chair of the EDPBin line

withArticle11(2) EDPBRoPinorder toensure thatallthe necessarydocuments wereincluded inthe
file.

8. The EDPB Secretariatcontactedthe IESA on 23 and27 September 2022, asking for the transmission
via IMIof specified documents pertaining to the investigationconducted by the IE SA . The request

9ResponseoftheDESAs toCompositeResponsedated11July2022;ResponseoftheESSAto IESAComposite

Responsedated8July2022;ResponseoftheFI SAto CompositeResponsedated8July2022;Responseofthe
HU SAto CompositeResponsedated7July2022; ResponseoftheNLSA to CompositeResponsedated5July
2022;ResponseoftheNO SAto CompositeResponsedated11July2022;ResponseoftheSE SAto Composite
Responsedated8July2022
10TheInternalMarketInformation(IMI)istheinformationandcommunicationsystemmentionedinArticle17
oftheEDPBRules ofProcedure.
11Thefollowingdocumentswererequested:

Letter ofDPCto NOYBof23/11/2018outliningthescopeoftheinquiry.
NOYB's replytoDPCof03/12/2018outliningproceduralconcerns

7
Adopted was made to allow the EDPB to come to a fully informed decision on the objections raised by some
CSAs onthescope andconductofthe investigation.Fromthe schedule tothe DraftDecision,theEDPB
Secretariat concluded that both Meta IE and the Complainant were given access to the documents
requestedandinvited the IESA toconfirm thiswasindeed thecase.

9. The IE SA declined the request, as it considered that the materialalready provided as sufficient to

enable theEDPBtodeterminetheobjections referredtoit, asthe draft decisionprovidesinformation
about the scope of the inquiry commenced for the purpose of examining the complaint, the
procedural steps taken in the inquiry, the information that was collected during the course of the
inquiry process, the allegations that were put to the data controller, the submissions made by the

parties to the inquiry and the assessments and views of the IE SA. Further, the IE SA expressed its
concern over the possibility of the EDPB concluding its decision on the basis of materialwhich was
never put to the controller concerned as part of the formulation of any allegation of potential

wrongdoing.Finally, the IESA underlined that,inaccordancewithArticle11(2) ofthe EDPBRoP,they
would provide documentsthe Boarddeems necessary.

10. A matter of particular importance that was scrutinised by the EDPB Secretariat wasthe right to be
heard,asrequiredbyArticle 41(2)(a)ofthe CharterofFundamentalRights.Furtherdetailson thisare
provided in Section2 ofthis Binding Decision.

11. On 5 October 2022, the decision on the completeness of the file was taken, andit was circulatedby
the EDPBSecretariattoallthemembers ofthe EDPB.

12. TheChair ofthe EDPBdecided,incompliance withArticle65(3)GDPRinconjunctionwithArticle11(4)
EDPBRoP, to extendthe default timeline for adoption of one month by a further month on account

of thecomplexity ofthe subject-matter

DPC's replytoNOYBof16/01/2019
DPClettertoMeta of30/01/2019outliningviewsonthescope;
Meta IEresponsetoDPCof05/02/2019,raisingproceduralquestions;
DPC's responsetoMeta of08/02/2019;
Email exchangesbetweenDPCandMetaon08/02and15/02/2019regardingscopeandproceduralissuesraised
byNOYB;
Meta IE’s Submissionsof 22/02/2019includingMeta Submissionof28/09/2018(markedupcopy,ofwhichparts
Meta consideredoutofscopeofcomplaint);

DPClettertoNOYBof28/03/2019whichincludedanupdateonthescope;
Letter fromNOYBtotheIESAdated19April2019whichincludedfurthersubmissionsonthescope
NOYB's lettertoDPCof24/02/2020raisingproceduralissues;
DPC's replytoNOYBof23/03/2020;
DraftInquiryreportof20/05/2020;
DPClettertoNOYB of20/05/2020;
NOYB's responsetoDPCof03/06/2020;
NOYBsubmissionsontheDraftInquiryReportof19/08/2020;
Meta IE’s SubmissionsontheDraftInquiryReportof22/06/2020;

FinalInquiryreportof18January2021;
NOYB’s SubmissionsonthePreliminaryDraftDecisioninIN-18-08-05dated11June2021;
NOYB’s submissiontotheIESAcontainingtheGallupstudyinattachment.

8

Adopted 2 THE RIGHT TOGOOD ADMINISTRATION

13. TheEDPBissubject toArticle41 oftheEUCharterofFundamentalRights,inparticularArticle41(right
togoodadministration).This isalsoreflectedin Article11(1)EDPBRoP.Furtherdetailswere provided
inthe EDPBGuidelines on Article65(1)(a)GDPR 12.

14. The EDPB Decision “shall be reasoned and addressed to the lead supervisory authority and all the
supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to

address directly anythird party. However, asa precautionarymeasure to address the possible need
for the EDPBtooffer the righttobe heardatthe EDPBleveltoMetaIE,the EDPBassessed if MetaIE
was offered the opportunity toexercise its right tobe heard in relationto the procedure led by the
LSA andthesubject matterofthe dispute tobe resolvedbythe EDPB.Inparticular,theEDPBassessed

ifallthe documents containingthe mattersoffactsandlaw used bythe EDPBtotake itsdecisionhad
beenpreviously sharedwithMetaIE.

15. The EDPBnotes thatMeta IEhas receivedthe opportunity to exercise itsright tobe heard regarding
allthedocuments containingthe mattersoffactsandoflawconsidered bythe EDPBinthecontext of
this decision and provided its writtenobservations 1, which have been shared withthe EDPB by the

LSA.

16. Considering that Meta IE has been already heard by the IE SA on all matters of facts and of law

addressed by the EDPB in its decision, the EDPB is satisfied that the Article 41 of the EU Charter of
FundamentalRightshas beenrespected.

17. TheEDPBconsidersthattheComplainantisnot likelytobe adverselyaffectedbythisBindingDecision,
andconsequently does not meetthe conditions tobe grantedaright tobe heardby the EDPBin line
with Article 41 of the EU Charter of Fundamental Rights, applicable case law, and Article 11 of the

EDPBRoP. This is without prejudice toany right tobe heardor other relatedrights the Complainant
mayhave before the competentnationalsupervisory authority(/-ies).

3 CONDITIONSFOR ADOPTING A BINDINGDECISION

18. The generalconditionsfor theadoptionof abinding decision bytheEDPBareset forthinArticle60(4)
andArticle 65(1)(a)GDPR 1.

3.1 Objection(s) expressed by several CSA(s) in relationto a DraftDecision

19. The EDPB notes that severalCSAs (AT, DE, ES, FI, FR, HU, IT, NL, NOandSE SAs) raised objections to
the DraftDecisionvia IMI.Theobjections were raisedpursuant toArticle 60(4)GDPR.

12
EDPB Guidelines 3/2021on theapplication of Article65(1)(a) GDPR, adopted on 13April 2021 (versionfor
13blicconsultation)(hereinafter,“EDPBGuidelinesonArt.65(1)(a)”),paragraphs94-108.
In particular, Meta IE Preliminary Draft Submissions dated 4 February 2022, Meta IE Article65 Submissions
dated9August2022.
14AccordingtoArt.65(1)(a)GDPR,theEDPBwillissuea bindingdecisionwhena supervisoryauthorityhasraised
a relevantandreasonedobjectiontoa draftdecisionoftheLSAandtheLSAhas notfollowedtheobjectionor
theLSAhas rejectedsuchanobjectionasbeingnotrelevantorreasoned.

9

Adopted 3.2 The IE SA finds the objections to the DraftDecision not relevantor reasoned and

does not follow them

20. On 1 July 2022, the IESA provided to the CSAs ananalysis of the objections raised bythe CSAs inthe
Composite Response.

21. The IE SA concluded that it would not follow the objections, as it did not consider them “relevant”

and/or “reasoned”,withinthe meaningofArticle 4(24)GDPRforthe reasonsset out inthe Composite
Response andbelow 15.

3.3 Admissibility of the case

22. The case at issue fulfils the elements listed by Article 65(1)(a) GDPR, since several CSAs raised
objections toadraftdecision oftheLSA (theIESA)withinthedeadline providedbyArticle60(4)GDPR,

and the IE SA has not followed objections or rejected them for being, in its view, not relevant or
reasoned.

23. The EDPBtakesnote of MetaIE’sposition that the currentArticle 65 GDPRdispute resolution should

be suspended due to pending preliminary ruling proceedings before the Court of Justice of the EU
(hereinafter,“CJEU”) 16.MetaIE refersin particulartocases C-252/21 and C-446/21 . Following its
assessment, the EDPBdecidestocontinueitsproceedingson thisArticle65 GDPR dispute resolution,

as there is no explicit legal basis for a stay of the dispute resolution procedure in EU law, nor are
existing CJEU rulings on the matter conclusive for the situation of the EDPB 19. Also, the EDPB takes

into consideration the data subjects’ right to have their complaints handled within a “reasonable
period”(Article 57(1)(f) GDPR),andtohave their case handledwithina reasonable time byEU bodies
(Article 41 Charter).Moreover,ultimatelythereareremediesavailable tothe affectedpartiesin case
20
of adiscrepancy betweenthe EDPBBinding DecisionandCJEU rulingsin the aforementionedcases .

24. Considering the above, inparticularthatthe conditions of Article65(1)(a) GDPRaremet,the EDPBis
competent to adopt a binding decision, which shall concern allthe matterswhichare the subject of

15TheIESAletterto theEDPBSecretariatdated11August2022.
16Meta IEArticle65Submissions,paragraphs3.4-3.8.
17Requestfora preliminaryrulingof22April2021,Meta PlatformsandOthers,C-252/21(hereinafter‘C-252/21

18erlandesgerichtDüsseldorfrequest’).
Requestfora preliminaryrulingof20July2021,Schrems,C-446/21(hereinafter‘C-446/21Austrian
ObersterGerichtshofrequest’).
19C-234/89Judgement of theCourt of Justiceof 28 February 1991, Delimitis, C-234/89, ECLI:EU:C:1991:91;C-
344/98 Judgement of theCourt of Justiceof 14December 2000, Masterfoods, C-344/98, ECLI:EU:C:2000:689.

These cases concerned proceedings beforethe national courts, where the parties faced the risk of being
confronted with a conflicting decision of the national judgethat could be seen as de facto nullifying the
Commission decision – a power which is retained by the CJEU. The current disputeresolutionprocedure
concernstheadoptionofanadministrativedecision,whichcanbesubjecttofulljudicialreview.
20In casean action forannulment is brought against theEDPB decision(s) and found admissible, theGeneral

Court/CJEUhastheopportunitytoinvalidatethedecisionoftheEDPB.Inaddition,andiftheGeneralCourt/CJEU
wereto deliveranyjudgmentinthetimebetweentheadoptionoftheEDPB’s Art.65decisionandtheadoption
theIESA’s finaldecision,theIESAmayultimatelydecidetorevisethefinalnationaldecisionittakesfollowing
the EDPB's binding decision - if the CJEU’s rulings givecauseto do so - in accordancewith theprincipleof
cooperation as elaborated by theCJEU in theC-453/00Judgement of theCourt of Justiceof 12 January2004,
Kühne&HeitzNV, ECLI:EU:C:2004:17.

10
Adopted the relevantandreasonedobjection(s), i.e.whetherthere isaninfringement ofthe GDPRor whether
the envisagedactioninrelationtothe controller or processor complieswiththe GDPR 21.

25. The EDPBrecallsthat itscurrent Decision is without anyprejudice toany assessments the EDPBmay
be called upon to make in other cases, including with the same parties, taking into account the

contentsof therelevant draftdecision and theobjections raised bythe CSA(s).

3.4 Structure of the Binding Decision

26. For eachof the objections raised, the EDPB decides on their admissibility, by assessing first whether
they can be considered as a “relevant and reasoned objection” within the meaning of Article 4(24)
22
GDPRasclarifiedinthe Guidelines on the conceptof a relevantandreasonedobjection .

27. Where the EDPB finds that anobjection does not meet the requirements of Article 4(24) GDPR, the

EDPBdoes not takeanyposition onthe meritof anysubstantialissues raisedbythat objectionin this
specific case.TheEDPBwillanalysethemeritsofthesubstantialissues raisedbyallobjections itdeems
23
relevantand reasoned .

4 ON WHETHER THE LSA SHOULD HAVE FOUNDAN INFRINGEMENT

FOR LACK OF APPROPRIATE LEGAL BASIS

4.1 Analysis by the LSA inthe DraftDecision

28. The IESA concludes thattheGDPR,the jurisprudence andthe EDPBGuidelinesdo not preclude Meta

IE from relying on Article 6(1)(b) GDPR as a legal basis to carry out the personal data processing
activitiesinvolved in the provision of its service tousers, including behavioural advertising insofar as
thatforms a core partof the service 2.Finding 2 reads“Ifind the Complainant’scase is not made out

that the GDPR does not permit the reliance by Meta Ireland on 6(1)(b) GDPR in the context of its
offeringofTermsofUse 25”

29. The IESA statesthatit does not have competence toconsider substantive issues ofcontractlaw and,
accordingly, its analysis is limited tothe specific contract enteredintoby the complainant andMeta
26
IEin respectof the Instagramservice .

27
30. The IESA understands the complainant’sallegationsas : being that,firstly,theyweregivena binary
choice: i.e. either acceptthe InstagramTermsof Use andthe associated DataPolicy byselecting the

21
Art. 65(1)(a) and Art. 4(24) GDPR. Some CSAs raised comments and not per se objections, whichwere,
therefore,nottakenintoaccountbytheEDPB.
22EDPB Guidelines 9/2020 ontheconcept of relevant and reasoned objection, version 2 adopted on 9 March
2021,(hereinafter,“EDPBGuidelinesonRRO”).
23SeeEDPBGuidelinesonArt.65(1)(a),paragraph63(“TheEDPBwillassess,inrelationtoeachobjectionraised,

whethertheobjectionmeetstherequirementsofArticle4(24)GDPRand,ifso,addressthemeritsoftheobjection
inthe bindingdecision.”)
24DraftDecision,paragraphs112and115.
25DraftDecision,Finding2,p.40.
26DraftDecision,paragraph84.
27
DraftDecision,paragraph10.

11
Adopted “accept”button,ordeletingtheirInstagramaccount ,lackofclarityonwhichspecific legalbasisMeta

IErelies onfor eachprocessing operation 29,andtheir concernon MetaIE’srelianceon Article6(1)(b)
todeliver the InstagramTermsof Use 30.

31. While the IE SA acknowledges that the EDPB considers in its Guidelines 2/2019 31 that, as a general

rule, processing for online behaviouraladvertising is not necessary for the performance of acontract
for online service under Article 6(1)(b) GDPR 32, in this particular case, having regardto the specific

terms of the contract andthe nature of the service provided and agreedupon by the parties, IE SA
concluded thatMetaIEmayinprinciple relyonArticle 6(1)(b)aslegalbasisofthe processing ofusers’

data necessary for the provision of its service, including through the provision of behavioural
advertisinginsofar asthisforms acorepartofthatserviceofferedtoandacceptedbyusers 33. Further,

the IE SA states that while the examples provided in any form of EDPB guidance are helpful and
instructive, theyare not necessarily conclusive of the position in any specific case andindeed do not
34
purport tobe .

32. The IE SA disagrees with what it defines as a “strict threshold of ‘impossibility’ in the assessment of
necessity” proposed by the complainant and the EDPB . By “impossibility”, IE SA refers to the

argument put forward that a particular term of a contract (here, behavioural advertising) is not
necessary to deliver an overall service or contract 36. The IE SA is of the view that “it is not for an

authority such as the Commission, tasked with the enforcement of data protection law, to make
assessmentsasto whatwillorwillnot maketheperformanceofa contractpossibleor impossible” and
that the generalprinciples set out in the GDPR andexplained by the EDPB in the guidelines must be

appliedon a case-by-case basis 37. TheIE SA considers thatArticle 6(1)(b)GDPRcannot be interpreted
as requiring that it is impossible to perform the contract without the data processing operations in

question 38.

33. TheIESA referstoMetaIE’spositionthatinthespecific contextoftheInstagramservice,personalised
advertising mayconstitute a distinguishing feature of said service which is an “exact rationale” and

one of the “essential elementsof the Terms of Use” for which the ordinary user would reasonably
expect their personal data to be processed so as to receive the Instagram service as advertised 39.

Further, the IE SA refers to Meta IE’ssubmission regarding whether the necessity test encompasses
an impossibility threshold, and Meta IE’sargument that were impossibility anaspect of necessity, it

28
DraftDecision,paragraph11.
29DraftDecision,paragraph17.
30DraftDecision,paragraph77.
31EDPB Guidelines2/2019ontheprocessingofpersonaldataunderArticle6(1)(b)GDPRinthecontextofthe

provision of onlineservices to data subjects Version 2.0, adopted on 8 October 2019 (hereinafter, “EDPB
Guidelines 2/2019onArticle6(1)(b)GDPR”).
32DraftDecision,paragraph113.
33DraftDecision,paragraph113.
34
DraftDecision,paragraph108.
35DraftDecision,paragraphs107and112.
36DraftDecision,paragraph107
37DraftDecision,paragraph108.
38
DraftDecision,paragraphs107-109and112.
39DraftDecisionparagraph109.

12
Adopted would not,inanycase operateasa“blanket prohibition”on relying onArticle(1)(b) GDPRasthe legal
40
basis for the processing inthis context .

34. The IESA considers personalised advertisinga corepart oftheservice offered toandacceptedbythe
users, having regardtothe specific termsofthe contractandthe nature of the service provided and
agreedupon by Meta IE and the user 41. The IE SA points out that the nature of the service being

offeredtoInstagramusersis setout intheTermsofUse whichdescribe theInstagramserviceasbeing
“personalised”andconnectsuserswithbrands, including bymeansofproviding “relevant”advertising
42
andcontent .

35. The IESA considers thisasthe Instagramserviceisadvertisedinthe TermsofUse asbeing predicated
onpersonalised advertising,anyreasonableuser wouldunderstand andexpectthatthisis partofthe

core bargainthatis being struckwithMeta IE,evenif theymight prefer thatthe market would offer
them betteralternativechoices 43.

36. The IE SA considers that as personalised advertising forms part of the core bargain struck between
Meta Ireland and Instagram users, any processing necessary for the delivery of such advertising is
44
deemedtofall within thescope ofArticle 6(1)(b) GDPR .

37. The IE SA thus concludes that MetaIE mayinprinciple rely on Article6(1)(b) GDPRasa legalbasis of
the processing of users’ datanecessaryfor the delivery ofa service basedon behaviouraladvertising
45
of thekind provided for under the contractbetweenMetaIEand Instagram’susers .

38. The IE SA clarified that, having regard to the scope of the complaint and its inquiry, the above

conclusion ought not tobe construed as an indication that all processing operations carried out on
users’ personal dataarenecessarily coveredbyArticle 6(1)(b) GDPR 46.

39. The IESA alsonotesthatotherprovisions ofthe GDPRsuchastransparencyacttostrictlyregulatethe

manner inwhich thisservice istobe deliveredandthe information thatshould be giventousers and
decides to address it separately in its Draft Decision .The IE SA considers that there have been
48
significant failings oftransparencyin relationtotheprocessing .

40. The IE SA considers that these failings of transparency, having regard to the specific terms of the

contract andthe nature of the service provided and agreedupon by the parties, do not, in principle
prevent Meta IEfrom relying on Article 6(1)(b) GDPRasa legalbasis of the processing of users’ data

40DraftDecisionparagraph109.
41
DraftDecision,paragraph104.
42DraftDecision,paragraph104.
43DraftDecision,paragraph105.
44DraftDecision,paragraph105.
45
46DraftDecision,paragraph111.
DraftDecision,paragraph114.
47DraftDecision,paragraph111.
48DraftDecision,p.71.

13
Adopted necessary for the provision of the Instagram service, including throughthe provision of behavioural
49
advertising insofar as thisforms acore part ofthatservice offered toandacceptedby users .

4.2 Summary of the objections raised by the CSAs

41. The AT, DE, ES, FI, FR, HU, NL, NO and SE SAs object to Finding 2 of the draft decision and the
assessment leadingup toit.

42. The AT, ES, FI,HU,NL, NOand SE SAs 50 consider that,theIE SAshouldhavefoundaninfringement
51
ofArticle 6(1)(b)oftheGDPR,inline withthe EDPB’sinterpretationofthisprovision . The DEandFR
SAs arguethatthe IESA should have found aninfringement ofArticle 6(1)GDPR . 52

43. TheDESAs,intheirobjection, furtherarguethattheIESAshouldfindaninfringementofArticle5(1)(a)
GDPR and make use of corrective powers of Article 58(2)(f) and (i) GDPR and order to erase the

unlawfully processedpersonaldata,impose abanof therespectiveprocessing ofdatafor the purpose
of behavioural advertising until a valid legal basis is in place and impose an administrative fine
53
pursuant toArticle 83 GDPR .

44. The FI SA, in itsobjection, also arguesthatthe finding thatMetaIEwasnot entitledtorelyon Article
6(1)(b) GDPR asa legalbasis for all the processing operations in the scope of the Instagram Service
should leadtotheconclusion thatcorrectivepowerspursuant toArticle58(2)GDPRmustbeexercised

to bring the processing operations of Meta IE intocompliance withthe GDPR 54. Furthermore, the FI
SA considers that this additional infringement should be properly reflected in the amount of the

administrative fine imposed pursuant toArticle83 GDPR 55.

45. The FR SA notes that reversing the findings concerning the infringements of Article 6(1) GDPR also
affects the scope of the corrective actions proposed by the IE SA, in addition to the administrative
56
fine .

46. The HU SA, inits objection, arguesthatinlight of the infringement,the legalconsequences of Article
58(2) (d) (order to bring processing operations into compliance) GDPR should be applied, and the
controller should be instructedtoindicateanother alternativelegalbasis . 57

47. The NOSA, initsobjection, alsoarguesthattheIESA should takeconcretecorrectivemeasures.More

specifically, theNOSAconsiders thattheIESA should orderMetaIEtodeletepersonaldataprocessed
under Article6(1)(b) GDPR,unlessthose datawerealsocollectedfor otherpurposes witha validlegal

basis, aswell asorder MetaIE toidentify a valid legalbasis for future online behaviouraladvertising

49DraftDecision,paragraph113.
50AT SAObjection, pp. 1-7;ES SAObjectionpp. 1-3;FI SAObjection pp. 2-7;HU SAObjectionpp. 2-4;NLSA

Objection,pp.1-12;NOSAObjection,pp.1-9;SESAObjection,pp.2-4.
51EDPBGuidelines02/2019onArticle6(1)(b)GDPR.
52DESAs Objection,pp.2-7,FRSAObjection,pp.2-7.
53DESAs Objection,p.10.
54
55FI SAObjection,paragraph23.
FI SAObjection,paragraph26.
56FRSAObjection,paragraph50.
57HUSAObjection,p.3.

14
Adopted or abstain from such processing activities and impose an administrative fine against Meta IE for
58
unlawfully processing personaldatain the contextof online behaviouraladvertising .

48. The AT,DE,ES,FI, FR,HU,NL,NOandSE SAs put forwardseveralfactualandlegalargumentsforthe
proposed change in legalassessment . Specifically they argue that Meta IE cannot rely on Article

6(1)(b) GDPRasa legalbasis toprocessanInstagramuser’sdatafor behavioural advertising.

49. Inaddition, in the context of their objection, the AT and FR SAs arguethat the factualbackground of
theDraftDecisiondoesnotincludeallrelevantfacts.Theyrequestamendingthefactualbackground
toinclude adefinition of“behaviouraladvertising” 60.TheATSAsuggestsmentioning alsothetechnical

possibilities Meta IEuses to conduct it, such ascollecting datafrom other groupservices, third-party
websites,apps,cookiesor similarstoragetechnologiesplacedontheuser’scomputerormobile device

and linking that data withthe user’s Instagram account 61. The AT SA alsosuggestsincluding the fact
thaton 25 May2018 MetaIE switcheditslegalbasistoprocessdata for behaviouraladvertising from
62
consent tocontractualperformance .

63
50. TheDEandNL SAs question thevalidityofthecontractbetweenMetaIEandtheInstagramservice’s
user togroundthesaidprocessing onArticle6(1)(b) GDPRinlightofthe transparencyissues identified
64
by the IE SA . The DE SAs question whether the parties reachedan agreement if the user did not
know that they would enter into a contract, because Meta IE did not clearly communicate in a
65
transparentmanner that the use of itsservices would inthe future be based on a contract .TheNL
SA arguesthat,asa generalrule, both partiesmust be awareof the substance of a contractin order
towillinglyenterinto it 66andconsiders that“theestablishedserious lackoftransparencyonbehalfof

thecontroller,leads, atthe veryleast, to a reasonable doubt whetherdatasubjectshave indeed been
able toenterinto a contractwiththecontrollerboth willingly and sufficientlyinformed" 67.TheDEand

NL SAs therefore considered that Meta IE’s statement that it relies on Article 6(1)(b) GDPR, in
combination with documents with general descriptions of the service provided, and the IE SA’s

reference to the controller’s right to choose its own legal basis to process data are insufficient to
acceptthe performanceof a contractasalegalbasis 68.

58NOSAObjection,p.9.
59AT SAObjection,pp.3-6;DESAs Objection,pp.2-9;ESSAObjection,pp.1-3;FI SAObjection,pp.3-7;FRSA
Objection, pp. 2-4; HU SA Objection, pp. 2-3; NL SA Objection, pp. 2-6; NO SA Objection, pp. 2-8; SE SA

60jection,pp.2-3.
AT SAObjection,pp.6-7;FRSAObjection,paragraph6.
61AT SAObjection,pp.6-7.
62AT SAObjection,p.7.
63
64DESAs Objection,p.3-4;NLSAObjection,pp.3-5.
InFinding3,theIESAstates that“InrelationtoprocessingforwhichArticle6(1)(b)GDPRisreliedon,Articles
5(1)(a), 12(1)and13(1)(c) GDPR have beeninfringed”. TheIE SAconsidered, among other, that “Meta Ireland
have not provided meaningful informationas to the processing operation(s) and/orset(s) of operations that
occurin the context of the Instagram service, eitheron basis of Article 6(1)(b) GDPRorany otherlegal basis.

Indeed,Iwouldgosofarastosaythatitisimpossiblefortheusertoidentifywithanydegreeofspecificitywhat
processing is carried out onwhat data, on foot ofthe specifiedlawful bases, in orderto fulfil these objectives”
(DraftDecision,par.185).
65DESAs Objection,p.4.
66
NLSAObjection,paragraph12.
67NLSAObjection,paragraph.17.
68DESAObjection,pp.3-4;NLSAObjection,paragraph7.

15
Adopted51. The DESAscontendthattheIESA iscompetent toassess thevalidityof contractsinthecontextofthe

GDPR,whichis aprerequisite for controllerstobase the processing ofpersonal dataonArticle 6(1)(b)
GDPR 69. Would that not be the case, the assessment of Article 6(1)(b) GDPR would practically be
70
deducted from Supervisory Authorities’ tasks provided for in Article 57(1)(a) GDPR . The DE andNL
SAs argue that the IE SA should assess whether a valid contract is in place as required under Article
6(1)(b) GDPR 7.

52. Without prejudice toany argumentsmade on the existence ofa valid contractabove,the AT, DE,ES,
72
FI,FR, HU,NL,NOandSE SAs arenot satisfied bythe assessment ofnecessity inthe DraftDecision .
They assert that the data processingfor the delivery ofpersonalisedadvertisingis objectively not

necessaryfortheperformanceofMeta IE’scontractwiththedatasubjecttodelivertheInstagram
service and it is not an essentialor core element of it. To highlight the unnecessity of behavioural

advertising toperform the contractwiththe Instagramuser,theAT,DE,NLandSE SAs arguethatthis
contract of providing personalised advertisement is a contract between Meta IE and a specific
advertiser, inwhich Meta IE would presumably have this obligationtowards the advertisers, yet not

towards Instagram users that are not partyto this contract 73. The DE SAs support this assertion by
pointing out that thereis no obligation tooffer personalised advertising to the user, andcontractual
74
sanctions for thefailure toprovide it,asitcanbe seenfrom the termsof use .The AT,DE,HU,FI,FR,
HU, NOand SE SAs consider, while referring tothe EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR,

that the business models tooffer “free” servicesand in return generate income by behavioural and
personalised advertisement, inter alia, to support the service, cannot be necessary to perform a
75
contract and fail to comply with data protection regulations . The DE, FR and HU SAs also cite the
EDPB Guidelines 8/2020 tounderscore that processing cannot be rendered lawful by Article 6(1)(b)
GDPR simply because such advertising indirectly funds the provision of the service and that while

personalisation of content, may, in certain circumstances, constitute an intrinsic and expected
element of certainonline services, Article 6(1)(b) GDPR in the context of targeting of social media

users ishardly applicable76.The AT,ESandSE SAs arguethatadvertisementscanstillbe displayed on
Instagramusing alternativemethodstobehaviouraladvertising not involving profiling andtracking 7.

The SE SA adds thatsome degreeof targetingforincreased relevanceis possible, such as geography,
languageandcontext 78.

53. Inaddition, theAT,ES,FI,FR,HU,NOandSE SAsargue,alsowhile referringtoEDPBGuidelines2/2019
on Article6(1)(b) GDPR,thattheIE SA should have consideredthe EDPB’sargumentthatbehavioural

69DESAs Objection,p.3.
70DESAs Objection,p.3.
71
72DESAs Objection,p.3;NLSAObjection,paragraph11.
AT SAObjection, p. 3;DE SAs Objection, pp 4-7;ES SAObjection, pp. 1-2;FI SAObjection, pp. 3-5;FR SA
Objection, pp. 3-4; HU SA Objection, pp. 1-3; NL SA Objection, pp. 4-8; NO SA Objection, pp. 5-6; SE SA
Objection,p.3.
73AT SAObjection,p.4;DESAs Objection,p.5;NLSAObjection,paragraphs12and19:SESAObjection,p.3.
74
DESAs Objection,p.5.
75EDPB Guidelines 2/2019 on Article6(1)(b) GDPR. AT SA Objection, p. 5;DE SAs Objection, pp. 6-7;HU SA
Objection,p.3;FI SAObjection,paragraphs13and16;FRSAObjection,paragraphs9and11;NOSAObjection,
pp.3and6-7;SESAObjection,p.3.
76
EDPB Guidelines 8/2020on the targeting of social media users, version 2.0, adopted on 13 April 2021,
paragraph49.DESAs Objection,p.6;FRSAObjection,paragraph11;HUSAObjection,p.3.
77AT SAObjectionp.4;ESSAObjection,p.2;SESAObjection,p.3.
78SESAObjection,p.3.

16
Adopted advertisingcannot be “necessary”withinthe meaningofArticle6(1)(b) GDPRwhilea datasubject can

object tothe processing of his/her personal data for direct marketing purposes at any time without
anyreason, inaccordancewithArticle 21(2)GDPR 7.

54. The AT, DE, FR, NO, NL and SE SAs also point out some argumentson data subjects’ expectations
abouttheprocessingoftheirpersonaldataforpersonalised advertising asanecessaryelementofthe
80
contract entered into between users and Meta IE . The AT, DE, NL, and SE SAs contend that data
subjects do not reasonably expect that their data is being processed for personalised advertising
81
simply because Meta IE briefly refers to it in the Instagram Terms of Use . The NO SA takes into
accounthow MetaIEmarketsitsInstagramplatformtowardspotentialusers(“Asimple,fun&creative
way to capture, edit & share photos, videos & messages with friends & family”) and considers that

Instagram users (including those with prior knowledge of data protection, technical means for
profiling or the ad tech industry) should not be deemed to reasonably expect online behavioural
82
advertising,especially tothe extentasit is carriedout byMetaIE .The FR andNOSAs consider that
the particularly massive and intrusive nature of the processing of the users’ data cannot meet the
83
reasonable expectationsofthe users . The AT, NLand SE SAs alsoconsider thatthe DraftDecision is
inconsistent infinding thatinformationon specific processing operationsshould have beenprovided,
linkedwithaspecific or lawfulbasis, anddescribedinanunambiguousmanner,while considering that

data subjects had a perspective or expectation or were well informed that their data was being
processed for behavioural advertising 84.

55. In addition to the arguments made above on the existence of a valid contract and the necessity of

behavioural advertising for the performance of that contract, severalSAs raise other considerations
intheir objections.

56. The NOSA arguesthatthe IESA’sinterpretationofArticle 6(1)(b)iscontrarytothe fairnessprinciple,
since data subjects face the dilemma of approving contractualtermspossibly entailing intrusive and

harmfulprocessing practices,andbeingexcludedfromservicesonwhichtheyaredefactodependent,
due toa lackof realisticalternativestothem 85.

57. On the risks posed by the Draft Decision, the AT, DE, ES, HU, FI, NL, NOand SE SAs explain that the
proposed interpretationof Article 6(1)(b) GDPRleads toa situation where dataprotectionprinciples

are either undermined or bypassed entirely with regards to data subjects using the Instagram
service86 .

79Seeparagraph52.ATSAObjection,p.4;ESSAObjection,p.2;FI SAObjection,paragraph19;FRSAObjection,

80ragraph11;HUSAObjection,p.3,NOSAObjection,p.7;SESAObjection,p.3.
ATSAObjection,p.4;DESAs Objectionp.5;FRSAObjection,paragraph9;NLSAObjection,paragraph19;NO
SAObjection,pp.7-8;SESAObjectionp.3.
81AT SAObjection,p.4;DESAs Objection,p.5;NLSAObjection,paragraph19;SESAObjection,p.3.
82NOSAObjection,p.8.
83
84FRSAObjection,paragraph18;NOSAObjection,p.8.
AT SAObjection,p.4;NLSAObjection,paragraph12;SESAObjection,p.3.
85NOSAObjection,p.5.
86AT SAObjection,p.6;DE SAs Objection,p.9;ES SAObjection,p.3; HU SAObjection,p.4;FI SAObjection,
paragraphs31-33;NLSAObjection,paragraph29;NOSAObjection,p.8;SE SAObjection,p.5.

17
Adopted58. Specifically, the AT, DE andNO SAs point tothe conditions of consent pursuant toArticle 7 GDPR as

being bypassed 87. The NL SA considers that the Draft Decision allows Meta IE to engage in online
behavioural advertising in a way that bypasses informed consent of data subjects 88. The NO SA

considers thatusers ‘wouldface a dilemma betweenapproving (though not by way ofvalid consent)
contractualterms possibly entailing intrusive and harmful processing practices, and being excluded

from services’,whichultimatelywould also‘adverselyaffect datasubjects’ freedomofexpression and
information’ 8. The FI, FR and NO SAs considered that the Draft Decision poses a risk to the

fundamentalrightsand freedoms of the individuals concerned, insofar asusing the legalbasis ofthe
contractforthe processing ofthepersonaldatafor personalised advertising,wouldpreventEuropean
90
users ofthe social networktohave control over theirdata .

59. Further,the AT SA sees therisk materialiseasin itsview Article25(2) GDPR(privacybydefault)is not
applied, “since Meta Ireland – at least in its contract – declares that behavioural advertising is
91
‘necessary’for thecontractualperformance” .

60. The DESAs argue theDraftDecision allowsMeta IEto“bypass the requirementsofa valid legalbasis
for the processing that cannot be based on contract performance” . The NL SA considers the Draft
93
Decisionlowers thethreshold for legalityofdataprocessing onthe basis ofArticle 6(1)(b) severely .
The NO SA considers thatthe DraftDecisionerodes the lawfulness principle, as in the DraftDecision

“it is not the legislation which sets the boundaries for lawfulness under Article 5(1)(a) GDPR, but
instead the individual contract”, whichis incompatible with Article 8 of the Charter of Fundamental
Rightsand Article5(1)(a)GDPR 94.

61. FR, HU,NL andSE SAs take the view that the DraftDecision, asit stands, sets adangerous precedent

contrarytotheGDPR . TheFRSAnotesthatitcouldbeunderstoodasreflectingthecommonposition
of the European supervisory authorities on this matter, since it is issued following the cooperation

procedure among SAs 96. Moreover, the AT, DE, FI, HU and SE SAsraise that this interpretation of
Article 6(1)(b) GDPR could essentially be used by every controller andtherefore endanger the rights

of nearlyevery datasubject withinthe EEA 97.

62. The DE SAs specify that the risks concern the complainant in person but it arguesthat there is alsoa
significant risk asregardthe fundamentalrightsand freedoms of allMetaIE’susers in the European
98
Union that their personal data are processed without any legalbasis ; the FI SA adds that the risks

87AT SAObjection,p.2and5;DESAs Objection,p.9;NOSAObjection,p.4.
88NLSAObjection,paragraph30.
89NOSAObjection,p.5.
90
FI SAObjection,paragraph35;FRSAObjection,paragraph34;NOSAObjection,p.8.
91AT SAObjection,p.6;
92DESAs Objection,p.9.
93NLSAObjection,paragraph30.
94
NOSAObjection,pp.2and8;
95FRSAObjection,paragraph35;HUSAObjection,p.3;NLSAObjection,paragraph31;SESAObjection,p.5.
96FRSAObjection,paragraph35.
97AT SA Objection, p 6;DE SAs Objection, p. 9;FI SAObjection, paragraph34;HU SAObjection, p. 3;SE SA

Objection,p.5.
98DESAs Objection,p.9.

18
Adopted include fundamental right andfreedom of data subjects whose personal data might be processed in
99
the future .

63. Finally, theAT,DE,FI,NLandNOSAs explainthattheDraftDecisioncreatesaloophole, allowingMeta

IE andany other controllers tomake lawful virtually anycollection and reuse of personal data by, as
long astheydeclare thatit isprocessed for the performance ofa contract 100.

4.3 Position of the LSA on the objections

64. The IE SA considers that the objections above are not relevant and/or not reasoned for the purpose

of Article60(4)GDPRanddecides not tofollow them 101.

65. The IESA contends thatabroad, directcompetencein contractlawtoassessthevalidityofcontracts
cannot be inferredfrom theGDPRtasksof supervisory authorities.Itarguesthat thisinference would

create a very extensive power for SAs to regulate private law, without an appropriate basis in EU
law 102.

66. The IE SA arguesthat the core or fundamental aspects of the Terms of Use, including behavioural
advertising processing, reflects the mutual expectations of the parties on contractualperformance.

TheIESA contendsthatareasonableuser wouldhave hadsufficient understandingthattheInstagram
service was provided on the basis of personalised advertising, based also on a “recognised public
103
awareness”of behaviouraladvertising asa form of processing .

67. Onthe necessityoftheprocessingtoperformthecontract,theIESAconsidersthatit doesnot adopt

amerelyformalapproachtoArticle6(1)(b)thatreliesonly onthetextualcontentof theTermsof Use.
The IESA statesthatit does not takethe view thatallwrittencontractualtermsarenecessaryfor the

performance of the contract. The IE SA contends that it focuses in its Draft Decision on the
fundamentalpurpose or core function ofthe contractthatis necessaryfor itsperformance 104.

68. The IESA arguesthatthe EDPBGuidelines2/2019 onArticle 6(1)(b)GDPR donot prohibit behavioural
advertising processing under Article6(1)(b) GDPRif it falls withinthe core or essentialaspects ofthe

service105.InrelationtoMetaIE’sprocessing of personal data,theIESA differs from the SAsin thatit
considers online behavioural advertising as necessary for the performance of the contract (as
106
described inthe InstagramTermsofUse) betweenInstagramandthedata subject .

69. The IE SA also disagrees with the interpretation of Article 21 GDPR making behavioural advertising
optional andnot indispensable 107. The IE SA arguesthatArticle6(1)(b) GDPRisnot limitedtoaspects
of contractual performance which are expressly mandatory and unconditional obligations of the

99
100I SAObjection,p.7.
AT SAObjection,p.5;DESAs Objection,p.9;FI SAObjection,paragraph32;NLSAObjection,paragraphs30-
31;NOSAObjection,p.2-3and7;SESAObjection,p.5.
101CompositeResponse,paragraphs51,57,77,85,88,95.
102CompositeResponse,paragraph51.
103
104CompositeResponse,paragraphs72and73.
CompositeResponse,paragraphs55and56.
105CompositeResponse,paragraphs84.
106CompositeResponse,paragraph71.
107CompositeResponse,paragraph74.

19
Adopted parties108. The IE SA contends that the CJEU has in the past held that processing which exceeds the
most minimal level of processing possible may be regardedas necessary, where it renders a lawful

objective “moreeffective”.The IE SA affirmsthat the necessityinthe context of Article6(1)(b) GDPR
cannot be assessed by referenceto hypotheticalalternative forms of the Instagramservice and that
109
it is not therole ofSAs toimpose specific business models on controllers .

70. The IE SA considers EDPB Guidelines as not binding on supervisory authorities, yet it acknowledges
that they should be taken into account 11. However, the IE SA arguesthat the EDPB has not been
provided with the legalpower to mandate that certaincategoriesof processing must be based on

consent, tothe exclusionofanyother legalbasesfor processing. The IESA’sviewis thatsuchapower
isproperlyexercisedfrom timetotimebythe EUlegislator,intheformofspecific legislativemeasures.

The IE SA is therefore not satisfied that the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR canbe
construedasabinding andspecific prohibition onprocessing for online behavioural advertisingonthe
basis of Article 6(1)(b)GDPR. The IE SA considers that under these Guidelines, where processing for

behavioural advertising is a distinguishing characteristicofthe service in question, it cansupport the
business objectives and interests of the controller and be based on Article 6(1)(b) GDPR. The IE SA

considers that to be the case regarding Meta IE’s processing with reference to the Instagram
service111.

71. The IE SA arguesthat compliance with GDPR transparencyobligations under Article 13(1)(c) GDPR
involves a separateand different legalassessment tothatrequired in Article6(1)(b) GDPR.TheIE SA

acknowledgesthatthe necessity test under Article 6(1)(b) GDPRmayrequire considering contractual
termsandother relevantinformation, andthatthe informationprovided under Article13(1)(c)GDPR
could, insome cases, inform a datasubject’sexpectationsastoacontractualservice.However,inthe

present case,theIESAconsiders thatthetransparencyinfringementsitproposes for itsDraftDecision
do not impactits findings on the legalbasis, as it considers thatthe expectationsand understanding
112
of thepartieson theTermsof Use include personalised advertising .

4.4 Assessment of the EDPB

4.4.1 Assessment of whether theobjections were relevant and reasoned
72. The objections raised by the AT, DE, ES, FI, FR, HU, NL, NOand SE SAs concern“whether there isan
infringementof theGDPR” 113.

73. The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe
114
threshold of Article 4(24) GDPR . Meta IE’sprimaryargument isthat “it isnot open to the EDPB to
now decideon the lawfulness of Meta Ireland’sactualprocessing as the Objectionssuggest. Such an
115
assessment is not within the scope of the Inquiry as defined by the DPC .” In Meta IE’sview, “the
EDPBcannotexpand thescope oftheInquiryin themannersuggested bytheCSAs throughObjections

108CompositeResponse,paragraph74.
109CompositeResponse,paragraph76.
110
111CompositeResponse,paragraph78.
CompositeResponse,paragraphs82-83.
112CompositeResponse,paragraph87.
113EDPBGuidelinesonRRO,paragraph24.
114Meta IEArticle65Submissions,paragraph2.4andAnnexI,p.65.
115Meta IEArticle65Submissions,paragraph2.4.

20
Adopted thatarenotrelevanttothesubstanceoftheComplaint.”and“suchobjections‘oughttobedisregarded
in theirentiretybytheEDPB” 116.Inthiscontext,MetaIEcitesEDPBBinding Decision2/2022, adopted

on 28 July 2022 (hereinafter,“EDPBBinding Decision2/2022”), and in particular,theEDPB’sanalysis
of some of the objections in thatcase, which werefound to be not relevant or reasoned, due tothe

fact thatthese objections “fail[ed] to establish a direct connectionwith thespecific legaland factual
contentofthe draftdecision” 117.

74. Contraryto MetaIE’sposition on relevance, asdescribed above, objections canhave bearingon the
“specific legal and factual content of the Draft Decision”, despite not aligning with the scope of the
118
inquiry asdefined by anLSA .

75. In essence, Meta IE arguesthat CSAs may not, under any circumstance, express disagreement with
the scope of the inquiry asdecided by the LSA by wayof anobjection. The EDPB does not share this
readingof Article65 GDPR,asisexplicitly statedin theEDPBRROGuidelines 11.

76. Further,MetaIEstatesthat“severalCSAsnow propose toexpand thescopeoftheInquiryevenfurther

toincludemanyotherunrelatedissues.”andthatinthisregardMetaIE“agreeswiththeDPC’sposition
inthe Composite Memothat theseunrelatedissues raised bythe CSAs areirrelevantto theresolution
of thisInquiryand thatexpanding thescope of the Inquiryat thispoint would seriously infringe Meta

Ireland’sproceduralrightsunderbothIrishandEUlaw 120.”MetaIEalsoagreeswiththeIESA’sposition
in theComposite Response that“expanding the scope oftheInquiryat thispoint as theCSAs propose

would seriously infringe MetaIreland’slegitimateexpectations,rightto fair procedures(including the

116Meta IEArticle65Submissions,paragraph4.9.
117
InrespectofMeta IE’sargumentsinparagraph4.9ofitsArticle65Submissionsontheseobjectionsnotbeing
“relevant”,theEDPBrecallsthattheanalysisofwhethera givenobjectionmeets thethresholdsetbyArt.4(24)
GDPRis carriedoutonacase-by-casebasis.MetaIEreferstotheEDPB’sBindingDecision2/2022andspecifically
to theparagraphswheretheEDPBestablishedthatspecificobjections raisedbytheDE SAs andNOSAinthat
casewerenotrelevantandreasoned.Thereareseveraldifferencesbetweenthoseobjectionsandtheobjections

whichareanalysedinthissection.
Morespecifically,intheBindingDecision2/2022theobjectionsreferredtobyMetaIEdidnot“establishadirect
connectionwiththespecificlegalandfactualcontentoftheDraftDecision”(BindingDecision2/2022paragraphs
139,147,164)whereaseachCSAherehas madeseveralclearlinkswiththecontentoftheDraftDecision,asis
describedinparagraph77ofthisBindingDecision.
118
Meta IEdoes notconsiderthatanyoftheobjectionsarereasoned,as setoutintheirrepliestoeachofthe
objectionsinAnnex1.Meta IEArticle65Submissions,Annex1,pp.66-124.InrespectofMeta IE’sarguments
inparagraph4.9ofitsArticle65Submissionsontheseobjectionsnotbeingreasoned,theEDPBnotes thatthe
objections that werefound to benot relevant and/ornot reasoned in theBinding Decision 2/2022 did “not
provide sufficiently precise and detailed legal reasoning regarding infringement of each specificprovision in

question”,didnotexplainsufficientlyclearly,norsubstantiateinsufficientdetailhowtheconclusionproposed
couldbereached,ordidnotsufficientlydemonstratethesignificanceoftheriskposedbytheDraftDecisionfor
the rights and freedoms of thedata subjects or thefreeflow of data within theEU (BindingDecision 2/2022,
paragraphs140,148,165).Here,eachCSAprovidesa numberoflegalandfactualargumentsandexplanations
as towhyaninfringementforlackofappropriatelegalbasisistobeestablished,andadequatelyidentifiesthe

119kposedbytheDraftDecisionifitwasadoptedunchanged(paragraphs79-81ofthisBindingDecision).
“Forinstance,if theinvestigationcarriedoutbytheLSAunjustifiablyfailstocoversomeofthe issuesraised
bythecomplainantorresultingfromaninfringementreportedbyaCSA,arelevantandreasonedobjectionmay
beraisedbasedonthefailureoftheLSAtoproperlyhandlethecomplaintandtosafeguardtherightsofthedata
subject.”EDPBGuidelinesonRRO,paragraph.27.
120Meta IEArticle65Submissions,paragraph4.2.

21
Adopted rightto beheard)andrightsofdefence 121”.Despiteclaimingitthishasbeenexplained“clearly”inthe
Composite Response, MetaIE does not demonstrate in whichmanner its proceduralrightswould be
122
inevitably breached by the mere fact that the EDPB finds specific objections admissible .
Admissibility determines the competence of the EDPB,but not the outcome of the dispute between
the LSA and the CSAs. Likewise, MetaIE does not explainhow the mere actof considering the merits
123
ofadmissible objections inevitablyandirreparablybreachestheproceduralrightscitedbyMetaIE .
AcceptingMetaIE’sinterpretationwouldseverelylimit theEDPB possibilitytoresolve disputesarising
inthe one-stop-shop, andthus undermine the consistent applicationofthe GDPR.

77. The objections of the AT, DE, ES, FI, HU, FR, NL, NOandSE SAs all have a direct connection withthe

LSA Draft Decision and refer to a specific part of the Draft Decision, i.e. Finding 2. All of those
objections concern“whetherthereisaninfringementoftheGDPR”astheyarguethattheIE SA should
have found aninfringement ofArticle 6,6(1) or (1)(b) ofthe GDPR.Asthe LSA considered thatArticle

6(1)(b) of the GDPR wasnot breached, the objections entail a need of a change of the LSA decision
leading toadifferent conclusion. Consequently, theEDPBfinds thatthe AT,DE,ES, FI,HU,FR,NL,NO

andSE SAs objections relatingtothe infringement ofArticle 6,6(1) or 6(1)(b) GDPRarerelevant.

78. As regardsthe part of the DE SAs’ objection arguing that the IE SA should find an infringement of

Article5(1)(a)GDPRandimpose the erasureofunlawfully processed personaldataandthebanofthe
processing of data for the purpose of behavioural advertising until a valid legalbasis is in place, the
part of the FI SA objection asking that the infringement of Article 6(1) be properly reflected in the

amount ofthe administrative fine, aswellasthe partofthe NOSA objectionarguingthe IESA should
order MetaIE todelete personaldataprocessed under Article 6(1)(b) GDPR,aswell asorder MetaIE
to identify a valid legalbasis for future online behavioural advertising or from now on abstain from

such processing activities, the EDPB notes that these parts of the objections concern “whether the
envisaged action in relation to the controllercomplies with the GDPR.”These partsof the objections

are linked to the IE SA’s Finding 2 with regardto Article 6(1)(b) GDPR. Therefore, they are directly
connected with the substance of the Draft Decision and, if followed, would lead to a different
conclusion. Thus, theEDPBconsidersthatthesepartsoftheDE,FIandNOSAsobjectionsarerelevant.

79. The objections of the AT,DE,ES, FI, FR, HU,NL, NOand SE SAs on the finding of an infringement are
reasonedbecausetheyallinclude clarificationsand argumentson legal/factualmistakes inthe LSA’s

DraftDecisionthat require amending.More specifically, the AT,DE,ES, FI,HU,FR, NL, NOandSE SAs
provide detailedargumentstochallengetheDraftDecision’sconsiderationofbehaviouraladvertising

as a necessary,coreor fundamentalaspect of a contractleading to the need tochange the decision
and to find an infringement of Article 6(1)(b) GDPR 124. Some of them provide detailed arguments

121Meta IEArticle65Submissions,paragraph4.10,whereMeta IEmakes referencetoparagraphs32-33ofthe

CompositeResponse.
122Meta IEArticle65Submissions,paragraph4.10.
123TheEDPB fails to seehow, for instance, declaring anobjection admissiblebut rejecting it on merits could
impingeontheproceduralrights ofthecontrollerinvolvedintheunderlyingcase.
124AT SAObjection,pp.4-5;DESAs Objection,p.5-6,ESSAObjection,p.2,FI SAObjection,paragraphs16and
18,FRSAObjection,paragraphs8-9,HUSAObjection,p.3,NLSAObjection,paragraphs18-19;NOSAObjection,

p. 7,SE SAObjection,pp.3.

22
Adopted challengingthe validityofthe contractonwhichthe use ofArticle 6(1)(b)asa legalbasisdependsand
125
whichthe IESA accepts .

80. Some SAs recall,while referringtothe termsof the EDPBGuidelines 2/2019 on Article 6(1)(b) GDPR,

that it is the fundamental and mutually understood contractual purpose, which justifies that the
processing is necessary 12. This purpose is not only based on the controller’sperspective but also on

a reasonable data subject’s perspective when entering into the contract and thus on “the mutual
perspectivesandexpectationsofthepartiestothecontract”.TheAT,NL,andSESAscontendthatdata

subjects do not reasonably expect that their data is being processed for personalised advertising
simply because MetaIE briefly referstoit inthe InstagramTermsof Use 127. The FR and NOSAs also
support this finding and add that data subjects cannot be presumed tobe aware of the particularly

massive andintrusive natureof thisprocessing 128. SeveralSAs alsoconsider thatthe DraftDecisionis
inconsistent infinding thatinformationon specific processing operationsshould have beenprovided,

linkedwithaspecific or lawfulbasis, anddescribedinanunambiguousmanner,while considering that
data subjects had a perspective or expectation or were well informed that their data was being
129
processed for behavioural advertising .

81. The AT,DE,ES,FI,FR,HU,NL,NOandSE SAsobjectionsalsoidentify risks posedby theDraftDecision,

in particular an interpretationof Article 6(1)(b) that could be invoked by any controller and would
undermine or bypass dataprotectionprinciples, andthus endangerthe rightsof datasubjects within
130
the EEA .

82. MetaIE’scontends thatin terms of risk, the objections must “demonstratethe likelihood of a direct
negative impact of a certainsignificance of the Draft Decision on fundamental rights and freedoms
under the Charter and not just any data subject rights 131.” Meta IE thus adds a condition to Article
132
4(24)GDPR,whichis not supported bythe GDPR .

83. As regards the parts of the DE and NO SAs’ objections requesting the finding of an infringement of
Article 5(1)(a)GDPR,andthe partsofthe DE, FI andNOSAs’ objectionsrequesting specific corrective

measures under Article 58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the
imposition of an administrative fine, a ban of the processing of personal data for the purpose of
behavioural advertising, an order todelete personal data processed under Article 6(1)(b) GDPR and

anordertoidentifya validlegalbasisfor future online behaviouraladvertising ortoabstainfrom such
processing activities, the EDPB considers that these parts of the objections do not sufficiently

elaborate the legalor factualargumentsthat wouldjustify a change in the Draft Decisionleading to
the finding of an infringement of Article 5(1)(a) GDPR or to the imposition of the specific corrective

125DESAs Objection,pp.3-4;NLSAObjection,paragraphs7and10-12.
126ATSAObjection,p.4;DESAs Objectionpp.5-6;FRSAObjection,paragraphs9-11;NLSAObjectionparagraph

18;NOSAObjection,p.7-8;SESAObjection,p.3.EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs
32and33.
127AT SAObjection,pp.3-4;NLSAObjection,paragraph28,30-32;SESAObjection,p.3.
128FRSAObjection,paragraph18;ITSAObjection,paragraph2.6,NOSAObjection,pp.6-7.
129AT SAObjection,p.4;NLSAObjection,paragraph30;SESAObjection,p.3.
130
Seetheirdescriptionoftherisksinparagraphs57-63above.
131Meta IEArticle65Submissions,p.64.
132Article1(2)GDPRprovidesthattheGDPRitself“protectsfundamentalrightsandfreedomsofnaturalpersons
andinparticulartheirrighttoprotectionofpersonaldata”,whichdirectlystemsfromArticle8(1)oftheCharter.
Therefore,thereis noreasontodrawa distinctionbetweenthedata subjectrightsprotectedbytheGDPRand

thefundamentalrightsprotectedundertheCharterwheninterpretingArticle4(24)GDPR.

23
Adopted measures mentioned above. Likewise, the significance of the risk for the data subjects, which stems
from theIESA’sdecisionnottoconcludeontheinfringementofArticle5(1)(a)GDPRandnottoimpose
the requestedcorrectivemeasures, isnot sufficiently demonstrated.

84. Considering the above, theEDPBfinds that theobjections of the AT,DE,ES,FI,FR, HU,NL,NOandSE
SAs arerelevantand reasonedinaccordancewithArticle 4(24)GDPR.

85. However,thepartsofthe DEandNOSAs’ objectionsconcerning theadditionalinfringement ofArticle

5(1)(a) GDPR and the imposition of specific corrective measures, namely the imposition of an
administrative fine, a ban on the processing of personal data for the purpose of behavioural
advertising, an order to delete personal data processed under Article 6(1)(b) GDPR and anorder to

identify a valid legal basis for future behavioural advertising or to abstain from such processing
activitiesarenot reasonedanddo not meetthe threshold of Article4(24) GDPRSimilarly, the part of
the FI SA’s objection concerning the imposition of a specific corrective measure, namely an

administrative fine is not reasonedanddoes not meet the thresholdof Article4(24) GDPR.

4.4.2 Assessment on the merits
86. Inaccordancewith Article65(1)(a) GDPR,inthe context of a dispute resolution procedure, the EDPB

shall take a binding decision concerning all the matterswhich are the subject of the relevant and
reasonedobjections, inparticularwhether thereis aninfringement ofthe GDPR.

87. The EDPBconsiders thatthe objections found tobe relevantand reasonedinthis subsection require
an assessment of whether the Draft Decision needs to be changed insofar as it rejects the
Complainant’s claim that the GDPR does not permit Meta IE’sreliance on Article 6(1)(b) GDPR to
133
process personal datainthe context of itsoffering of the InstagramTermsof Use .When assessing
the merits of the objections raised, the EDPB also takes into account Meta IE’s position on the
objections andits submissions.

MetaIE’sposition on theobjectionsand itssubmissions

88. Initssubmissions, MetaIEarguesthattheobjectionslackmerit.MetaIEconsidersthattheyarebased
134
on incorrect factualassumptions and are legallyflawed . Meta IE statesthat itsreliance on Article
6(1)(b) GDPRdoes not ‘bypass’ the GDPR.Norwould it,accordingtoMetaIE,jeopardise datasubject
rights, be limited to individually negotiatedagreementsor be affectedby Meta IE’spurported pre-
135
GDPRlegalbasis for processing conductedpre-GDPR .

89. Meta IE arguesthat there isa lack of factualmaterialandevidence on the issues on which the CSAs

raiseobjections, including onitsrelianceonArticle6(1)(b)GDPRforthe specific processing operations
it conducts in itsInstagramservice for the purposes of behaviouraladvertising 136. MetaIEnotes that
in its inquiry, the IE SA “only addresses the issue of whether Meta Ireland may in principle rely on

Article6(1)(b) GDPRforpurpose ofbehavioural advertising,but not theissue of whetherMetaIreland

133Theseobjections beingthoseoftheAT, DE, ES, FI,FR, HU, NL, NO andSE SAs arguingthattheIESA should
havefoundaninfringementofArticle6(1)(b),6(1)or6GDPR.
134Meta IEArticle65Submissions,paragraph2.4.
135
136Meta IEArticle65Submissions,paragraph2.5.
Meta IEArticle65Submissions,paragraph4.24and4.25.

24
Adopted may infact relyon Article6(1)(b) GDPR,which would have requireda detailedfactualassessment of

allof MetaIreland’sdata processing. 13“

90. At the same time, Meta IE contendsthat, toaddress the complaint, the IE SA did not have to reach
any conclusions as to whether the actual processing conducted by Meta IE to deliver behavioural
138
advertising based on Article 6(1)(b) GDPR was lawful. Meta IE supports the IE’sposition that “it
would not be appropriate to undertake substantial factualfindings for an open-ended assessment of
139
allprocessing operationsbyMetaIreland. ”

91. MetaIEthus agreeswiththe finding the IESA reachedon MetaIE’snot being precludedfrom relying
on Article 6(1)(b) GDPR for the processing of data necessary todeliver behavioural advertising upon

the IESA’sreviewof theInstagramTermsofUse andthe natureofthe Instagramserviceasdescribed
inthose terms 140.

92. Meta IE defends that Article 6(1)(b) GDPR can be relied on as a legal basis for behavioural
141
advertising . Meta IE arguesthat its application requires the assessment of whether a given data
processing operation, when properly investigated and analysed, is actually necessary for the
142
performanceof acontract .MetaIEnotesthattheprovision ofapersonalised experience,including
in the form of behavioural advertising, is “core” to the Instagram Service (as per the Terms of Use
143
whichgovernthe contractualrelationship betweenMetaIEandInstagramusers) .

93. MetaIEarguesthat the TermsofUse make clear that userswillbe shownadvertising personalisedto

their interests under the heading “Connecting you with brands, products, and servicesin ways you
careabout” 144.MetaIEsupports theDPC’sfinding, basedon itsreview ofthe InstagramTermsofUse

andthat Instagramis“promotedassuch”, that anaverage user whoacceptsthe TermsofUse would
have the expectationthat personalisation, including in the form of behavioural advertising, forms a

core andintegralpartof the InstagramofService 145.MetaIEbacks thisargumentwitha referenceto
a survey and a study conducted by a private entity and a digital industry association 146. Meta IE

considers that its compliance with the GDPR’s transparency obligations involves a separate and
different legalassessment from Article 6(1)(b) GDPR 14.MetaIE considers demonstratedin this case

that Meta IE and its users have a mutual expectationthat personalisation, including in the form of
behaviouralads, is core toitsTermsofUse 14.

94. MetaIE recallsthat the EDPB Guidelines2/2019 onArticle 6(1)(b) GDPRdonot categoricallyprohibit
149
reliance on Article 6(1)(b) GDPRfor behavioural advertising .MetaIE further adds, referring tothe

137Meta IEArticle65Submissions,paragraph4.23.
138Meta IEArticle65Submissions,paragraph2.3.
139Meta IEArticle65Submissions,paragraph4.23.
140
Meta IEArticle65Submissions,paragraphs2.3and4.7.
141Meta IEArticle65Submissions,paragraph6.4.
142Meta IEArticle65Submissions,paragraph6.7.
143Meta IEArticle65Submissions,paragraphs6.13and6.17.
144
Meta IEArticle65Submissions,paragraph6.18.
145Meta IEArticle65Submissions,paragraphs6.20and6.21.
146Meta IEArticle65Submissions,paragraph6.21.
147Meta IEArticle65Submissions,paragraph6.29.
148
Meta IEArticle65Submissions,paragraph6.29.
149Meta IEArticle65Submissions,paragraph6.34.

25
Adopted CJEU’sHuberjudgment,that“processingbeyond themost minimalrequiredto achievetheprocessing

purpose could still be deemed ‘necessary’ if it allowed the relevant processing purpose to be ‘more
effectively’achieved” 150.MetaIEsubmits thateven ifArticle 6(1)(b) GDPRrequiredthe processing to

be absolutely essential to perform the contract, it would be impossible to provide the Instagram
Service in accordance with the Term of Use without providing behavioural advertising 151. Meta IE
statesthat theEDPBmaynot dictatethe natureofthe services MetaIEprovides. MetaIE wouldview

this asa violation of Article16 of the Charter onthe freedom toconduct a business, enabling service
providers todetermine whatmeasurestotakein ordertoachieve theresult theyseek,basedon their

resources,abilities, andcompatibilitywithotherobligationsandchallengestheymayencounter inthe
exercise oftheir activity52.

95. Meta IE further arguesthat its reliance on the contractual necessity legal basis does not jeopardise
153
datasubject rights .MetaIEconsidersthatthesewould alsobeprotectedbycontractandconsumer
protection legislations in the EU Member States 15. Meta IE defends that the contractualnecessity
legalbasisis notlimitedtoindividually negotiatedagreementsandcanalsobe used for standardform

contracts 155. Meta IE further adds that it would be improper for CSAs and the EDPB to analyse the
validity of Instagram Terms of Use under applicable laws of contract or to draw inferences from
156
them .Inresponse towhat MetaIE considers mischaracterisationsin certainobjections of national
contractlawMetaIEprovidesexpertreportsonthevalidityofitsTermsofUsein10 MemberStates 15.

96. MetaIEconcludes its argumentsin support ofits relianceon Article6(1)(b) GDPRstating thatitspre-

GDPRlegalbasisfor dataprocessingdoesnot affectitsflexibilitytorelyonotherlegalbasespostGDPR
ifit complies withtherelevant requirements 158.MetaIEalsodistinguishes behavioural advertisingon
the Instagram Service from direct marketing pursuant to Article 21(2) GDPR and thus considers this

provision not applicable tobehaviouraladvertising 159.

TheEDPB’sassessment of themerits

97. The EDPB considers it necessaryto begin its assessment on the meritswith a general description of

the practice of behavioural advertising carried out in the context of the Instagram service before
determining whether the legal basis of Article 6(1)(b) GDPR is appropriate for this practice in the
present case, based on the InstagramTermsof Use and the nature of its products and features as

describedinthose terms.Therequestsfor preliminaryrulingsmade tothe CJEU inthe casesC-252/21
andC-446/21 towhichsome of thedocuments in thefile refer containhelpful descriptions of Meta’s

150
JudgementoftheCourtofJusticeof16December2008,HeinzHubervBundesrepublikDeutschland,
C-524/06,ECLI:EU:C:2008:724,(hereinafter‘C-524/06Huber’),paragraphs62and66.Meta IEArticle65
Submission,paragraph6.37.
151Meta IEArticle65Submissions,paragraph6.38.
152
Meta IEArticle65Submissions,paragraph6.25.
153Meta IEArticle65Submissions,paragraph6.8.
154Meta IEArticle65Submissions,paragraph6.8.
155Meta IEArticle65Submissions,paragraphs6.40-6.46.
156
157Meta IEArticle65Submissions,paragraphs6.43and6.44.
Meta IEArticle65Submissions,paragraphs6.44and6.45andAnnex2.
158Meta IEArticle65Submissions,paragraphs6.47-6.49.
159Meta IEArticle65Submissions,paragraphs6.50-6.57.

26
Adopted behavioural advertising practicesin the context of its Facebook services 160. Given that behavioural
advertising is also carried out in the context of the Instagram service, and given the similarities

betweenthe twoservices, relying onthe sameDataPolicy 16,the EDPBconsidersthatthese casesare
also useful in gaining an understanding of the practice of behavioural advertising in relationto the

Instagram service. Furthermore, in the request for a preliminary ruling in case C-252/21, it is
mentionedthatiftheCJEU answersthequestion 7positively (regardingthecompetenceofa Member

State nationalcompetition authoritytodetermine, when assessing the balance of interests whether
data processing andtheir terms comply withthe GDPR)thatthe questions 3 to5 must be answered
in relation to data from the use of the group’s Instagram service. 162 In addition, Meta IE makes

reference to both of these requests for preliminary rulings in its submissions, and therefore clearly
considers them relevanttothis case 16.

98. These requests for preliminaryrulings mention that Meta IE collectsdata on its individual users and
their activitieson and off its Facebook service via numerous means such as the service itself, other

servicesof the Metagroupincluding Instagram,WhatsAppandOculus, thirdpartywebsitesandapps
via integratedprogramming interfacessuchasFacebookBusinessToolsor via cookies, socialplug-ins,
164
pixels and comparable technologies placed on the internet user’s computer or mobile device .
According tothe descriptions provided, MetaIElinks these datawiththe user’s Facebookaccount to
enable advertisers totailor their advertising toFacebook’s individual users based on their consumer

behaviour, interests, purchasing power and personal situation. This may also include the user’s
physical location to display content relevant to the user’s location. Meta IE offers its services to its

160 C-252/21 Oberlandesgericht Düsseldorf request, pp. 6-7, available at:
https://curia.europa.eu/juris/showPdf.jsf?text=&docid=242143&pageIndex=0&doclang=en&mode=req&dir=&

occ=first&part=1&cid=644235and C-446/21 Austrian Oberster Gerichtshof request, paragraphs 2-3, 6-13, 15-
23, available at
https://curia.europa.eu/juris/showPdf.jsf?text=&docid=247308&pageIndex=0&doclang=EN&mode=lst&dir=&
occ=first&part=1&cid=766249;seealso thereferences to theserequests fora preliminary ruling in theAT SA
Objectionp.1-2.andMetaIEArticle65Submission,paragraphs3.4-3.9.
161
SeethesimilaritiesoftheInstagramandFacebookservicesdescribedintheData Policy.TheInstagramData
Policy refers to both “Facebook settings”and“Instagram settings”(“This policydescribes the informationwe
process to support Facebook, Instagram, Messengerand other products and features offered by Facebook
(Facebook Products orProducts). You can find additional tools andinformationin the FacebookSettings and
Instagram Settings.”) SectionI of this policy refers to the“Facebook products”when describing thekinds of

information collected for the processing. Instagram Data Policy of 22.05.2018, annex 2 of the Instagram
Complaint.Similarly,accordingtoInstagramTermsofUse“InstagramispartoftheFacebookCompanies,which
sharetechnology,systems,insights,andinformation-includingtheinformationwehaveaboutyou (...)inorder
toprovideservicesthatarebetter,safer,andmoresecure.WealsoprovidewaystointeractacrosstheFacebook
CompanyProductsthatyouuse,anddesignedsystemstoachieveaseamlessandconsistentexperienceacross

162FacebookCompanyProducts.”
Question3 reads “Canan undertaking, such as Facebook Ireland, which operates a digital social network
fundedbyadvertisingandofferspersonalisedcontentandadvertising,networksecurity,productimprovement
andcontinuous,seamlessuseofallofits groupproductsinits terms of service, justifycollectingdataforthese
purposesfromothergroupservicesandthird-partywebsitesandappsviaintegratedinterfacessuchasFacebook

Business Tools, orvia cookiesorsimilarstorage technologiesplacedonthe internet user’s computerormobile
device,linkingthosedatawiththeuser’sFacebook.comaccountandusingthem,onthegroundofnecessityfor
the performanceofthecontract underArticle6(1)(b)oftheGDPRoronthe groundofthepursuitoflegitimate
interestsunderArticle6(1)(f)oftheGDPR?”
163Meta IEArticle65Submissions,paragraphs3.2-3.9.
164C-252/21OberlandesgerichtDüsseldorfrequest,pp.6-7.

27
Adopted users free of chargeand generatesrevenue through this personalised advertising thattargetsthem,
inaddition tostaticadvertising thatis displayed toeveryuser in thesame way.

99. TheEDPBconsidersthatthesegeneraldescriptionssignalbythemselvesthecomplexity,massive scale
andintrusiveness ofthe behaviouraladvertisingpracticethatMetaIEconductsthroughthe Facebook

service, as well as off the Facebook service itself, through third party websites and apps which are
connected to Facebook.com via programming interfaces (“Facebook Business Tools”), including the
Instagram service 165. Furthermore, among the aspects described in the Instagram Terms of Use is

“Providing consistent and seamless experiencesacross other Facebook Company Products.” which
involves “shar[ing] technology,systems, insights, and information-including the information we have

about you.” It istherefore clear thatpersonal datais shared betweenFacebook companies (”We use
data from Instagramand otherFacebook Company Products,as wellas from third-partypartners,to
show you ads(...)”

100. These are relevant facts toconsider to assess the appropriateness of Article 6(1)(b) GDPR asa legal
basis for behavioural advertising and to what extent reasonable users may understand and expect

behaviouraladvertisingwhentheyaccepttheInstagramTermsofUseandperceive itasnecessaryfor
Meta IE to deliver its service66. Accordingly, the EDPB further considers that the IE SA could have

addedtoitsDraftDecisiona descriptionofbehaviouraladvertising thatMetaIEconductsthroughthe
Instagram service to appropriately substantiate its reasoning leading to its acceptance of Article
6(1)(b) GDPRasa legalbasis for thatpracticein accordancewiththe IESA’sduty tostatethe reasons
167
for anindividual decision .

101. Notwithstanding the EDPB’s considerations above, the EDPB considers that there is sufficient

information in the file for the EDPB to decide whether the IE SA needs to change its Draft Decision
insofar asitrejectsthecomplainant’sclaim thattheGDPRdoesnotpermitMetaIE’srelianceonArticle

6(1)(b) GDPRtoprocess personaldatain thecontextof itsoffering ofthe Instagramservice,basedon
itsTermsof Use.

102. As described above in section 4.1., the IE SA concludes in Finding 2 of its Draft Decision that the
Complainant’scasewasnotmadeout thattheGDPRdoesnotpermitthereliancebyMetaIEonArticle
6(1)(b) GDPRinthe contextof itsoffering of TermsofUse, neither Article6(1)(b) GDPRnor anyother

provision ofthe GDPRprecludesMetaIEfrom relyingonArticle6(1)(b) GDPRasalegalbasistodeliver

16C-252/21 Oberlandesgericht Düsseldorf request, pp. 6-7. Facebook Business Tools is also mentioned in

166tagram’sDataPolicy.
Inthesamevein,theAdvocateGeneralalsoprovidesa descriptionofbehaviouraladvertisinginhisOpinion
on the case C-252/21 Oberlandesgericht Düsseldorf request, see Opinion of the Advocate General on 20
September2022),ECLI:EU:C:2022:704,paragraphs9and10.
167SeeEDPBGuidelinesonArt.65(1)(a)GDPR,paragraph84andEDPBGuidelines2/2022ontheapplicationof
Article60GDPR(Version1.0,Adoptedon14March2022),para.111(stating:“[…]everydecisionthatisaimed
atlegalconsequencesneedstoincludeadescriptionofrelevantfacts,soundreasoningandaproperlegal

assessment.Theserequirementsessentiallyservethepurposeoflegalcertaintyandlegalprotectionofthe
partiesconcerned.Appliedtotheareaofdataprotectionsupervisionthismeansthatthecontroller,processor
andcomplainantshouldbeabletoacknowledgeallthereasonsinordertodecidewhethertheyshouldbring
thecase totrial. Havingregardtothedecisionmakingprocesswithinthecooperationmechanism,CSAs
likewiseneedtobeinthe positiontodecideonpossiblytakingactions(e.g.agreetothedecision,providetheir
viewsonthesubjectmatter)”).SeealsobyanalogyC-50/12PJudgementoftheCourtofJusticeof26

November2013,KendrionNVvEuropeanCommission,ECLI:EU:C:2013:771.

28
Adopted a service, including behavioural advertising insofar as that forms a core part of the service8. TheIE

SA considers that, having regardto the specific terms of the contract and the nature of the service
provided and agreedupon by the parties, Meta IE mayin principle rely on Article 6(1)(b) GDPR asa

legal basis of the processing of users’ data necessary for the provision of its Instagram service,
including throughtheprovision ofbehaviouraladvertisinginsofar asthisformsacorepartofitsservice

offeredtoand acceptedbyits users 169. TheIE SA considers the core of theservice offeredby MetaIE
ispremisedonthedeliveryofpersonalised advertising 170.TheIESAconsiders areasonableuser would
171
understand andexpect this having readthe Termsof Use . MetaIE supports this conclusion of the
IESA 172.

103. Toassess these claimsof the IESA andMetaIE,the EDPBconsiders it necessaryto recallthe general

objectives that the GDPRpursues, which must guide its interpretation,togetherwiththe wording of
itsprovisions and itsnormative context 173.

104. The GDPR develops the fundamentalright tothe protection of personal datafound in Article 8(1) of

the EU Charter of Fundamental Rights and Article 16(1) of the TFEU, which constitute EU primary
law 174.AstheCJEU clarified,“anEUact mustbe interpreted,asfaras possible, in such a wayasnot to

affectits validityand inconformitywithprimarylaw as a whole and, in particular,with theprovisions
oftheCharter.Thus,ifthewordingofsecondaryEUlegislation isopentomorethanoneinterpretation,

preference should be given to the interpretation which rendersthe provision consistent with primary
law ratherthantotheinterpretationwhichleadstoitsbeing incompatiblewithprimarylaw” 175.Inthe
faceofrapidtechnologicaldevelopments andincreasesinthescale ofdatacollectionandsharing,the

GDPRcreatesa strongand more coherentdata protectionframeworkinthe Union, backedbystrong
enforcement,andbuilt ontheprinciple thatnaturalpersonsshould havecontroloftheirownpersonal

data 176.Byensuringa consistent,homogenous andequivalent highlevelofprotectionthroughoutthe
EU, the GDPR seeks to ensure the free movement of personal data within the EU 177. The GDPR

acknowledgesthattherighttodataprotectionneedstobe balancedagainstotherfundamentalrights
and freedoms, such as the freedom to conduct a business, in accordance with the principle of

proportionality andhas these considerations integratedinto itsprovisions 178. The GDPR,pursuant to
EU primary law, treatspersonal data as a fundamental right inherent to a data subject and his/her
179
dignity,andnot asacommoditydatasubjectscantradeawaythroughacontract .TheCJEUprovided

168DraftDecision,paragraphs112and115.Finding2reads:“IfindtheComplainant’scaseisnotmadeoutthat
theGDPRdoesnotpermitthereliancebyMetaIrelandon6(1)(b)GDPRinthecontextofitsofferingofTermsof

169.”
DraftDecision,paragraph113.
170DraftDecision,paragraph104.
171DraftDecision,paragraph105.
172Meta IEArticle65Submissions,paragraphs6.21and6.30.
173
Judgementof theCourtof Justiceof 1 August2022, Vyriausioji tarnybinės etikos komisija, CaseC-184/20,
ECLI:EU:C:2022:601,(hereinafter‘C-184/20Vyriausiojitarnybinėsetikoskomisija’),paragraph121.
174Recitals1and2GDPR.
175JudgementoftheCourtofJusticeof21June2022,Liguedesdroitshumainsv.Conseildesministres,C817/19,

ECLI:EU:C:2022:491, (hereinafter ‘C-817/19 Liguedes droits humains'), paragraph 86;andudgement of the
CourtofJusticeof2February2021,Consob,C-481/19,ECLI:EU:C:2021:84,paragraph50andthecase-lawcited.
176Article1(1)(2)andRecital6and7GDPR.
177Article1(3)andRecitals9,10and13GDPR.
178
Recital4GDPR.
179EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph54.

29
Adopted additionalinterpretativeguidancebyassertingthatthe fundamentalrightsofdatasubjectstoprivacy
180
andthe protectionoftheir personal dataoverride,asa rule, acontroller’seconomic interests .

105. The principle of lawfulness of Article 5(1)(a) andArticle 6 GDPRis one of the main safeguardstothe
protection of personal data. It follows a restrictive approach wherebya controller may only process

the personal data of individuals if it is able to rely on one of the bases found in the exhaustive and
restrictivelists of thecases inwhichthe processing ofdatais lawfulunder Article6 GDPR 181.

106. Theprinciple oflawfulnessgoeshandinhandwiththeprinciplesoffairnessandtransparencyinArticle
5(1)(a)GDPR.The principle of fairness includes, inter alia,recognising the reasonable expectationsof

the data subjects, considering possible adverse consequences processing may have on them, and
having regard to the relationship and potential effects of imbalance between them and the

controller 182.

183
107. The EDPB agreeswiththe IESA and MetaIE thatthere is no hierarchybetweenthese legalbases .
However,thisdoes not meanthata controller,asMetaIEinthe presentcase, hasabsolute discretion

tochoose thelegalbasis thatsuitsbetteritscommercialinterests.Thecontroller mayonlyrelyonone
ofthe legalbases establishedunder Article6 GDPRifit isappropriatefor theprocessing atstake 184.A

specific legalbasis willbe appropriateinsofar asthe processing canmeet itsrequirements set bythe
GDPRand fulfil the objective of the GDPRtoprotect the rightsand freedoms of naturalpersons and
185
in particulartheir righttothe protectionof personaldata .The legalbasis willnot be appropriateif
its applicationto a specific processing defeatsthis practicaleffect “effet utile” pursued by the GDPR
and Article 5(1)(a) andArticle 6 GDPR 186.These criteria stem from the content of the GDPR andthe

interpretationfavourabletotherightsofdatasubjectstobe giventheretodescribedinparagraph104
above 187.

108. The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for

complying with the Regulation’s principles, including the processing of data in a lawful, fair and
transparentmanner,andanyobligationsderivedtherefrom 188.Thisobligationappliesevenwherethe

180
Judgement of the Court of Justice of 13 May 2014, Google Spain SL, C-131/12, ECLI:EU:C:2014:317,
paragraphs97and99.
181Judgementof theCourtof Justiceof 11 December 2019, TK v Asociaţia deProprietari blocM5A-ScaraA, C
708/18,ECLI:EU:C:2019:1064,(hereinafter‘C708/18TKvAsociaţiadeProprietari'),paragraph37.
182
183See, Recital39GDPRandEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs11and12.
DraftDecisionparagraph48andMeta IEArticle65Submissionparagraph5.10.
184As mentionedintheEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph18,theidentificationofthe
appropriatelawful basis is tied to the principles of fairness and purposelimitation. It will be difficult for

controllerstocomplywiththeseprinciplesiftheyhavenotfirstclearlyidentifiedthepurposesoftheprocessing,
orifprocessingofpersonaldatagoesbeyondwhatisnecessaryforthespecifiedpurposes.SeealsoSection6of
this BindingDecisiononthepotentialadditionalinfringementoftheprincipleoffairness.
185C708/18 TK v Asociaţia deProprietari, paragraph 37.
186See C-524/06Huber, paragraph 52 on theconcept of necessity being interpreted in a mannerthat fully

reflects theobjectiveof Directive95/46). On theimportanceof considering thepractical effect (effet utile)
soughtbyEUlawinits interpretation,seealsoforinstance:C-817/19Liguedes droitshumains,paragraph195
and Judgement of the Court of Justice of 17 September 2002, Muñoz and Superior Fruiticola, C 253/00,
ECLI:EU:C:2002:497,paragraph30.
187
Article1(1)(2)and(5)GDPR.
188 Article5 (2) GDPR “Principle of accountability”of data controllers;seealso C-252/21Oberlandesgericht
Düsseldorfrequest,OpinionoftheAdvocateGeneralon20September2022,ECLI:EU:C:2022:704,paragraph52.

30
Adopted practical application of GDPR principles such as those of Article 5(1)(a) and Article (5)(2) GDPR is

inconvenient or runs counter to the commercial interests of Meta IE and its business model. The
controller is alsoobliged tobe able todemonstratethatit meetsthese principles andany obligations
derivedtherefrom,such asthatit meetsthe specific conditions applicable toeachlegalbasis 18.

109. The first condition to be able to rely on Article 6(1)(b) GDPR as a legal basis to process the data

subject’s data is that a controller, in line with its accountabilityobligations under Article 5(2) GDPR,
has to be able to demonstrate that (a)a contract exists and (b) the contract is valid pursuant to
190
applicable nationalcontractlaws .

110. Boththe IE SA and Meta IE consider that the Terms of Use make up the entire agreement between

the InstagramuserandMetaIE andthatthe Data Policyissimply acompliance document settingout
information tofulfil the GDPRtransparencyobligations 191. The IE SA thus considers thatthe contract
192
for which theanalysis based onArticle 6(1)(b) GDPRtakesplace,is the TermsofUse .

111. The IE SA and Meta IE argue that the GDPR does not confer a broad and direct competence to
supervisory authoritiestointerpret or assess the validityof contracts 193.

112. TheEDPBagreesthatSAsdonot haveunder theGDPRabroadandgeneralcompetenceincontractual
matters.However,theEDPBconsidersthatthesupervisory tasksthatthe GDPR bestowsonSAsimply

a limitedcompetencetoassess acontract’sgeneralvalidityinsofar asthisis relevanttothe fulfilment
of their tasks under the GDPR.Otherwise,the SAs would see their monitoring andenforcement task

under Article 57(1)(a) GDPR limited to actions such as verifying whether the processing at stake is
necessary for the performance of a contract (Article 6(1)(b) GDPR), and whether a contract with a
processor under Article 28(3)GDPRanddataimporter under Article 46(2)GDPRincludes appropriate

safeguardspursuant totheGDPR.PursuanttotheIESA’sinterpretation,theSAswouldthusbe obliged
toalwaysconsider a contractvalid, evenin situations where it is manifestly evident that it is not, for

instance because there is no proof of agreement betweenthe two parties, or because the contract
does not comply with its Member State’srules on the validity, formation or effect of a contract in
194
relationtoachild .

113. As theDE andNL SAs 195argue,the validityof the contractfor the InstagramservicebetweenMetaIE

andthe complainant is questionable, giventhe strong indications thatthe Complainant wasunaware
ofenteringintoa contract,and(astheIE SA establisheswithitsFinding 3 ofitsDraft Decision)serious

transparency issues in relation to the legal basis relied on. In contract law, as a general rule, both
parties must be aware of the substance of the contract and the obligations of both parties to the

contractinorder towillingly enterinto suchcontract.

189EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph26.
190EDPBBindingDecision2/2022,paragraph84.
191DraftDecision,paragraphs72and73.
192
193DraftDecision,paragraph73.
CompositeResponse,paragraph51;DraftDecision,paragraph95,Meta IEArticle65Submissions,paragraph
6.43.
194Article8(3)GDPR.
195DESAs Objection,p.4andNLSAObjection,paragraph11.

31
Adopted114. Notwithstanding thepossible invalidity ofthe contract,theEDPB,referstoitsprevious interpretative

guidance on this matter to provide below its analysis on whether behavioural advertising is
objectively necessaryfor Meta IE toprovide its Instagram service tothe user based on its Terms of
196
Use andthe natureof the service .

197
115. The EDPBrecalls that for the assessment of necessity under Article 6(1)(b) GDPR,“[i]t is important
to determinethe exact rationale ofthe contract, i.e. itssubstance and fundamentalobjective, asit is
198
against thisthat it will be testedwhetherthedata processing is necessaryfor its performance” .As
the EDPBhaspreviously stated,regardshould be giventotheparticular aim, purpose, or objective of
theservice and,for applicabilityofArticle6(1)(b) GDPR,itisrequiredthatthe processing isobjectively

necessaryfor apurpose andintegraltothe delivery ofthatcontractualservice tothe datasubject 199.

116. Moreover,the EDPB notesthat the controller should be able tojustify the necessityof its processing
byreferencetothefundamentalandmutuallyunderstoodcontractualpurpose.Thisdepends notonly

onthecontroller’sperspective,but alsoonareasonabledatasubject’sperspective whenenteringinto
the contract 200.

117. The IE SA accepts the EDPB’s position that, as a general rule, processing of personal data for
201
behavioural advertising is not necessary for the performance of a contract for online services .
However, the IE SA considers that in this particular case, having regardto the specific terms of the

contract and the nature of the Instagram service provided and agreedupon by the parties, Meta IE
mayin principle rely on Article 6(1)b) GDPRtoprocess the user’sdata necessary for the provision of
itsservice, including throughthe provision ofbehaviouraladvertising insofar asthisforms acore part

of thatservice offeredtoandacceptedby users 202.

118. The IE SA views behavioural advertising as “the core of both Meta Ireland’sbusiness model and the
bargainstruckbetweenMetaIrelandand Instagram users ” 20.Insupport ofthis consideration, theIE

SA refers to the ”first and sixth clauses” of “the specific contract entered into between Meta IE and
Instagramusers” 20.The IE SA considers thatfrom the textofthese “clauses” it is “clearthatthe core
205
of theservice offered byMeta Irelandis premised on the deliveryofpersonalised advertising. ”The
IESAconsiders thatthisposition issupportedbythefactthat“theTermsofUsedescribetheInstagram

service as being ‘personalised’ and connects users with brands, including by means of providing
‘relevant’ advertising and content.” Based on this, the IE SA is of the view that “It is clear that the

Instagram service is advertised as offering a 'personalised' experience, including by way of the
advertisingit deliversto users 20.”The IE SA considers thatasthe Instagramservice is“advertised”in

its Terms of Use “as being predicated on personalised advertising (...) any reasonable user would

196
EDPBGuidelines2/2019onArticle6(1)(b)GDPR.
197SeeBindingDecision2/2022,paragraph89.
198WP29Opinion6/2014onthenotionoflegitimateinterests,p.17
199EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph30.
200
SeeBindingDecision2/2022,paragraph90.
201EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph52.DraftDecision,paragraph113.
202DraftDecision,paragraph113.
203DraftDecision,paragraph102andFinding2.
204
DraftDecision,paragraph103.
205DraftDecision,paragraph104.
206DraftDecision,paragraph104.

32
Adopted expectand understand thatthisis partof thecorebargain that isbeing struck(...)”butacknowledges
207
that“usersmay preferthatthemarket offeralternativechoices .”

119. On thisissue, the EDPBrecallsthatthe concept of necessity hasits ownindependent meaning under
EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU
instrument,inthiscase,the GDPR 20.Accordingly,theconceptofnecessityunder Article6(1)(b)GDPR

cannot be interpretedin a way that undermines this provision and the GDPR’sgeneralobjective of
protecting the right to the protection of personal data or contradictsArticle 8 of the Charter 209. On

the processing of data in the Facebook services, Advocate General Rantos supports a strict
interpretationofArticle6(1)(b)GDPRamongotherlegalbases,particularlytoavoidanycircumvention
210
of the requirement for consent . Given the similarities between the Facebook and Instagram
services, as explained above in paragraph97, and the fact thatthis case mayconcernthe legalbasis
211
for processing of personaldatafor theInstagramservice .

120. As the IE SA states in its Draft Decision, “Instagram is a global online social network service which

allows registeredusersto communicate with other registered users through messages, audio, video
calls and video chats, and by sending images and video files 212.” Meta IE promotes among its

prospective andcurrentusers the perception thatthe mainpurpose of the Instagramservice andfor
which it processes its users’ data is to enable them to share content and communicate with others.

MetaIE presentsits Instagramserviceon its “About”page ofits website asa platform which “give[s]
people the power to build communityand bring[s] the world closer together 213.” At the beginning of

itsTermsof Use, MetaIE presentsits mission for the Instagramservice as“To bring you closer to the
people and things you love 214.” The description of the aspects of the service includes “Offering
personalizedopportunitiesto create,connect,communicate.”

121. The fact thatthe Termsof Use do not provide for any contractualobligationbinding MetaIE tooffer

personalised advertising to the Instagram usersand any contractualpenaltyif Meta IE fails to do so
shows that, at least from the perspective of the Instagram user, this processing is not necessary to
215
perform the contract .Providingpersonalised advertisingtoitsusers maybe anobligationbetween

207DraftDecision,paragraph105.
208Seeparagraphs 103-104 aboveon theprinciples guiding theinterpretationof theGDPR and its provisions.
The CJEU also stated inHuber that “what is at issue is a concept [necessity] which has its own independent

meaninginCommunitylawandwhichmustbeinterpretedinamannerwhichfullyreflectstheobjectiveofthat
Directive, [Directive95/46],aslaiddowninArticle1(1)thereof”.C-524/06Huber,paragraph52.
209Article1(2)GDPR.
210C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,

ECLI:EU:C:2022:704, paragraph51. (TheEDPB refers to theAdvocateGeneral’s Opinionin its Binding Decision
as anauthoritativesourceofinterpretationtounderlinetheEDPB’s reasoningontheprocessingofdata inthe
FacebookService,withoutprejudicetothecase-lawthattheCJEUmaycreatewithitsfuturejudgmentsonthe
Cases C-252/21andC-446/21).
211Paragraph97andfootnote161ofthisBindingDecision.
212
DraftDecision,paragraph5.
213https://about.instagram.com/
214BoththeIESAandMeta IEconsidertheInstagramTermsofUseasconstitutingtheentirecontractbetween
Meta IEandtheInstagramusers(seeparagraphs92,110and118ofthisBindingDecision).
215
TheInstagramTerms ofUseareformulatedinone-sidedtermsasfollows:“TheseTermsofUse governyour
useofInstagramandprovideinformationabouttheInstagramService(...).“Whileunderthefirstheadingofthe
Terms of Use(“The InstagramService”), Instagram announces that it “provide[s]“theInstagram service. After
describing theaspects of theserviceandreferencing theData Policy, theInstagram Terms of Useincludea

33
Adopted MetaIEand thespecific advertisersthatpay for MetaIE’stargeteddisplayoftheir advertisementsin
the Instagram service to Instagram users, but it is not presented as an obligation towards the

Instagramusers.

122. Nor does MetaIE’sbusiness model ofoffering services, at nomonetarycost for the user togenerate
income bybehaviouraladvertisementtosupport itsInstagramservicemakethisprocessing necessary

to perform the contract. Under the principle of lawfulness of the GDPR and its Article 6, it is the
business model which must adapt itselfand comply withthe requirementsthat the GDPRsetsout in
generalandfor eachof the legalbasesand not the reverse.Asthe Advocate GeneralRantosstressed

recently in his opinion on Meta IE’s processing in Facebook, based on Article 5(2) GDPR, it is the
controller (Meta IE) in this case who is responsible for demonstrating that the personal data are
216
processed inaccordancewiththe GDPR .

123. As the EDPBprovided in itsguidance, “Assessing what is ‘necessary’involves a combined,fact-based

assessment ofthe processing‘fortheobjectivepursued and of whetheritisless intrusivecomparedto
other options for achieving the same goal’. If there are realistic, less intrusive alternatives, the

processingisnot‘necessary’.Article6(1)(b)willnotcoverprocessing which isusefulbutnot objectively
necessary for performing the contractualservice or for taking relevant pre-contractualsteps at the
requestofthe data subject,evenif it isnecessaryfor thecontroller’sotherbusiness purposes. 21”

124. On the question of whether here there are realistic, less intrusive alternatives to behavioural
218
advertising that make this processing not “necessary” , the EDPB considers that there are. The AT
and SE SAs mention as examplescontextualadvertising based on geography, language andcontent,
whichdonotinvolve intrusive measuressuchasprofiling andtrackingofusers 219.Inhis recentopinion

on Facebook, Advocate General Rantos also refers to the Austrian Government’s “pertinent”
observation that in the past, Meta IE allowed Facebook users to choose between a chronological

presentationandapersonalised presentationof newsfeedcontent,which, inhis view, provesthatan
alternativemethodis possible 220. Byconsidering the existence ofalternativepracticestobehavioural

advertising thataremore respectfulofthe Instagramusers’righttodataprotection, theEDPB,asthe
Advocate General did in relation to Facebook users, aims to assess if this processing is objectively

sectionwhichisheadedwith“YourCommitments”.WhileInstagramitselfonly“offers”variousservices,itmakes
clear that theInstagram Terms of Useunilaterallyimposeduties andobligations on theuser. Otherwise, the
usermayfacesuspensionorterminationoftheiraccount,asdescribedunder“ContentRemovalandDisabling

orTerminatingYourAccount”oftheInstagramTerms ofUse.No(contractual)sanctionsappeartoapplyinthe
event thatMeta IEfailstoprovideorpoorlyperformsoneormoreoftheseservices.
216C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,
ECLI:EU:C:2022:704,paragraph52.
217EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph25.
218In Schecke, theCJEU held that, when examining thenecessity of processingpersonaldata, thelegislature

needed to take into account alternative, less intrusive measures. Judgement of the Court of Justice of 9
November2010,VolkerundMarkusScheckeGbR,C-92/09andC93/09,ECLI:EU:C:2010:662,(hereinafter‘Case
C-92/09andC93/09Schecke’),paragraph52.This was repeated by theCJEUintheRīgas casewhereitheld that
“As regardstheconditionrelatingtothenecessity ofprocessingpersonaldata,itshouldbeborneinmindthat

derogationsandlimitationsinrelationtotheprotectionofpersonaldatamustapplyonlyinsofarasis strictly
necessary”. Judgement of theCourt of Justiceof 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības
policijas pārvaldev Rīgas pašvaldības SIA‘Rīgas satiksme’, C13/16,ECLI:EU:C:2017:336,parag30..
219AT SAObjection,p.5;SESAObjection,p.3.
220C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,
ECLI:EU:C:2022:704,footnote80.

34
Adopted necessary to deliver the service offered, as perceived by the Instagramuser whose personal data is
processed, and not todictate the nature of Meta IE’s service or impose specific business models on

controllers, as Meta IE and the IE SA respectively argue 22. The EDPB considers that Article 6(1)(b)
GDPR does not cover processing which is useful but not objectively necessary for performing the
222
contractualservice,even ifit is necessaryfor the controller’sotherbusiness purposes .

125. The EDPBconsiders thatthe absolute right available todatasubjects, under Article 21(2)(3) GDPRto
object to the processing of their data (including profiling) for direct marketing purposes further
supports its consideration that, as a generalrule, the processing of personal data for behavioural

advertising is not necessaryto perform a contract.The processing cannot be necessary toperform a
contractif adata subject has the possibility toopt out from it atany time,andwithout providing any

reason.

126. The EDPB finds that a reasonable user cannot expect that their personal data is being processed for

behaviouraladvertising simply becauseMetaIEbrieflyreferstothisprocessing in itsInstagramTerms
of Use (which MetaIEandthe IE SA consider asconstituting the entiretyofthe contract),or because

ofthe“widercircumstances”or“recognisedpublic awarenessofthisformofprocessing” derivedfrom
its “widespreadprevalence ofOBA processing” to which the IE SA refers 22. Behaviouraladvertising,
asbriefly described inparagraph98 above, isa set of processing operations ofpersonal dataof great

technical complexity, which has a particularly massive and intrusive nature. In view of the
characteristicsofbehaviouraladvertising,coupledwiththeverybriefandinsufficient informationthat

Metaprovides about it in the InstagramTermsof Use andDataPolicy (a separatedocument thatthe
IESAandMetaIEdonotevenconsider partofthecontractualobligations),theEDPBfindsit extremely
difficult toargue thatanaverageuser canfully graspit,be awareof itsconsequences and impact on

their rights to privacy and data protection, and reasonably expect it solely based on the Instagram
Termsof Use. The EDPB recallsits Guidelines 2/2019 on Article6(1)(b) GDPR,inwhich it arguesthat

the expectations of the average data subject need to be consider in light, not only of the terms of
service but also the way this service is promoted to users 22. Advocate General Rantos expresses

similar doubts where he says in relationto Facebook behavioural advertising practices“Iam curious
as to what extenttheprocessing might correspond to the expectationsof an average user and, more
generally, what ‘degree of personalisation’ the user can expect from the service he or she signs up
225
for” and adds in a footnote that he does not “believe that the collection and use of personal data
outside Facebook are necessary for the provision of the services offered as part of the Facebook
226
profile” .

127. The EDPB notes that the mission of the Instagram service, as expressed in its Terms of Use, is

formulated in a vague and broad manner (“To bring you closer to the people and things you love.”)
When using the Instagram service, a user is primarily confronted with the possibility of viewing

221Meta IEArticle65Submissions,paragraph6.25andCompositeResponse,paragraph76.Ontherelevanceof
this OpinionforassessingInstagram’srelianceonArticle6(1)(b)GDPR,seeparagraph97ofthisBindingDecision.
222EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph25.
223
224CompositeResponse,paragraphs72and73.
EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph57.
225C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,
ECLI:EU:C:2022:704,paragraph56.
226Ibid,footnote81.OntherelevanceofthisOpinionforassessingInstagram’srelianceonArticle6(1)(b)GDPR,
seeparagraph97ofthisBindingDecision.

35
Adopted photographs andvideos by people or organisationsthat theyfollow, as wellas sharing such content
withtheirfollowers. Thisis acknowledgedbythe IE SA whichprovidesthe following descriptionofthe

Instagram service in its Draft Decision: “Instagram is a global online social network service which
allows registeredusersto communicate with other registered users through messages, audio, video
calls andvideo chats,and bysendingimages and video files 22.”

128. Based on the considerations above, the EDPB considers that the main purpose for which users use

InstagramandacceptitsTermsofUse istosharecontentandcommunicatewithothers,nottoreceive
personalised advertisements.

129. Meta IE infringed its transparencyobligations under Article 5(1)(a), Article 12(1) and Article 13(1)(c)
GDPR by not clearly informing the complainant and other users of the Instagram Service specific

processing operations, thepersonaldataprocessed inthem,thespecific purposes theyserve, andthe
legal basis on which each of the processing operations relies, as the IE SA concludes in its Draft
Decision 228. The EDPB considers that this fundamental failure of Meta IE to comply with its

transparencyobligations contradictsthe IESA’sfinding thatInstagram userscouldreasonably expect
online behaviouraladvertising asbeing necessaryfor the performanceof their contract(asdescribed
229
inthe InstagramTermsof Use)withMetaIE .

130. The EDPBrecallsthat “controllersshould make sure to avoid anyconfusion as to what the applicable

legalbasis is” andthatthis is“particularlyrelevantwheretheappropriatelegal basis isArticle6(1)(b)
GDPRand a contractregardingonlineservicesisenteredintobydatasubjects”,because “[d]epending

on the circumstances, data subjects may erroneously get the impression that they are giving their
consent in line with Article 6(1)(a) GDPR when signing a contract or accepting termsof service” 23.
Article6(1)(b) GDPRrequires theexistence, validityof acontract,andthe processing being necessary

toperform it.These conditions cannot be metwhere one of theParties(in thiscase the datasubject)
is not provided withsufficient informationtoknow thattheyaresigning a contract,theprocessing of

personal data that it involves, for which specific purposes and on which legal basis, and how this
processing is necessaryto perform the services delivered. These transparencyrequirements are not
only anadditionalandseparateobligation,asthe IESA seemstoimply, but also anindispensable and
231
constitutive partof the legalbasis .

131. The risks to the rights of data subjects derived from this asymmetry of information and an
inappropriate relianceon this legalbasis arehigher in situations suchas inthe present case,in which
the Complainant and other Instagram users face a “take it or leave it” situation resulting from the

standardcontract pre-formulated by Meta IE andthe lackof few alternative services in the market.
The EU legislator hasregularlyidentified and aimedtoaddress withmultiple legalinstruments these

risks andtheimbalance betweenthepartiestoconsumer contracts.Forexample,Directive93/13/EEC

227
DraftDecision,paragraph5.
228DraftDecision,paragraphs184and185andFinding3,whichreads“InrelationtoprocessingforwhichArticle
6(1)(b)GDPRisreliedon,Articles5(1)(a),12(1)and13(1)(c)GDPRhavebeeninfringed.”
229DraftDecision,paragraph105andFinding2.
230EDPBBindingDecision1/2021,paragraph214andEDPBGuidelines2/2019onArticle6(1)(b),paragraph20.
231
DraftDecision,paragraph111.

36
Adopted on unfair termsinconsumer contracts 232mandates,asthetransparencyobligationsunder the GDPR,
233
the use of plain, intelligible language in the terms of the contracts offered to consumers . This
Directiveeven provides that where there is a doubt about the meaning of a term,the interpretation
most favourable tothe consumer shall prevail 234.Processing ofpersonal datathatisbasedon whatis

deemedtobeanunfairtermunder thisDirectivewillgenerallynot beconsistent withthe requirement
under Article 5(1)(a)GDPRthatthe processing islawfuland fair 23.

132. AdvocateGeneralRantosconcludesinreferencetoMetaIEthatthefactthatanundertakingproviding

a social network enjoys a dominant position in the domestic market for online social network for
privateusers “doesplay arole intheassessment ofthefreedomofconsentwithin themeaning ofthat
provision, which it is for the controller to demonstrate, taking into account, where appropriate, the

existenceofa clearimbalance ofpowerbetweenthedata subjectand the controller,anyrequirement
for consent to theprocessing of personaldata other thanthose strictlynecessaryfor the provision of

the servicesin question, the need for consent to be specific for each purpose of processing and the
needtopreventthewithdrawalofconsentfrom being detrimentaltouserswho withdrawit 236.”Inline

withthe logic of this argument,the EDPBconsiders that the dominant position of MetaIE also plays
an important role in the assessment of Meta IE’sreliance on Article 6(1)(b) GDPR for its Instagram
service and its risks to data subjects, especially considering how deficiently Meta IE informs the

Instagramusersofthe datait strictlyneeds toprocesstodeliver the service.

133. Giventhat the mainpurpose for whicha user uses Instagramservice is toshare andreceive content,
andcommunicate with others 237,and thatMetaIE conditions their use tothe user’s acceptanceofa

contract andthe behavioural advertising theyinclude, the EDPB cannot see how a user would have
the option of opting out of a particularprocessing which is partof the contractasthe IE SA seemsto
argue 23.Theusers’ lackof choice in thisrespect would ratherindicate thatMetaIE’srelianceon the

contractualperformance legal basis deprives users of their rights, among others, to withdraw their
consent under Articles6(1)(a) and7 and/or to object tothe processing of their databased on Article

6(1)(f) GDPR.

134. The EDPB agreeswiththe AT, DE, ES, FI, FR, HU, NL, NOandSE SAsthat there is a risk thatthe Draft
Decision’s failure to establish Meta IE’sinfringement ofArticle 6(1)(b) GDPR, pursuant tothe IE SA’s
interpretationof it, nullifies thisprovision andmakeslawful theoreticallyanycollection andreuse of
239
personal data in connection with the performance of a contract with a data subject . Meta IE
currentlyleaves the complainant and other users of the Instagramservice witha single choice. They

may either contract awaytheir right to freely determine the processing of their personal data and

232A contractual term that has not been individually negotiated is unfairunder theDirective93/13/EEC “if,
contrarytotherequirementofgoodfaith,itcausesasignificantimbalanceintheparties’rightsandobligations
arisingunderthecontract,tothedetrimentoftheconsumer”Article3(1).
233
Articles4(2)and5Directive93/13/EEC.
234Article5Directive93/13/EEC.
235EDPBGuidelines2/2019onArticle6(1)(b)GDPR,footnote10.
236C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,
ECLI:EU:C:2022:704, Conclusion, paragraph78 (4). On therelevanceof this Opinion forassessing Instagram’s

relianceonArticle6(1)(b)GDPR,seeparagraph97ofthisBindingDecision
237Seeparagraphs127-128ofthisBindingDecision.
238CompositeResponse,paragraph69.
239AT SAObjection,pp.5-6;DESAs Objection,p.9;ESSAObjection,p.3;FI SAObjectionparagraphs31-35;FR
SAObjection,paragraphs34-35;HUSAObjection,p.4;NL SAObjection,paragraphs30-31;NOSAObjection,

p. 8;SE SAObjection,p.5.

37
Adopted submit toitsprocessing for the obscure, andintrusive purpose of behaviouraladvertising,whichthey
can neither expect, nor fully understand based on the insufficient information Meta IE provides to
them. Or, they maydecline accepting Instagram Terms of Use and thus be excluded from a service

thatenablesthemtocommunicate,sharecontentwithandreceivecontent from millionsofusersand
for whichtherearecurrentlyfew realisticalternatives. Thisexclusionwouldthus alsoadverselyaffect

their freedom of expression andinformation.

135. This precedent could encourage other economic operatorstouse the contractualperformance legal

basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that
some controllers argue some connection between the processing of the personal data of their
consumers and the contractto collect,retainandprocess asmuch personal datafrom their users as

possible and advance their economic interests at the expense of the safeguards for data subjects.
Some of the safeguards from whichdata subjects would be deprived due to aninappropriate use of
Article 6(1)(b) GDPR as legal basis, instead of others such as consent (Article 6(1)(a) GDPR) and

legitimate interest (Article 6(1)(f) GDPR), are the possibility to specifically consent to certain
processing operations and not to othersand tothe further processing of their personal data (Article

6(4)GDPR);theirfreedom towithdrawconsent (Article7 GDPR);theirrighttobe forgotten(Article17
GDPR);and the balancing exercise of the legitimateinterests of the controller againsttheir interests
or fundamental rightsandfreedoms (Article 6(1)(f) GDPR).As a result,owing tothe number of users

of the Instagramservice,the marketpower, andinfluence ofMeta IEand itseconomically attractive
business model, the risks derivedfrom the currentfindings ofthe DraftDecisioncould gobeyond the
Complainant andthe millions of usersof Instagramserviceinthe EEAandaffect theprotectionofthe
240
hundreds of millions of people coveredbythe GDPR .

136. TheEDPBthusconcurswiththeobjections oftheAT,DE,ES,FI,FR,HU,NL,NOandSESAs 241toFinding

2 of the Draft Decision in that the behaviouraladvertising performedby Meta IE in the context of
theInstagramserviceisobjectivelynotnecessaryfortheperformanceofMetaIE’sallegedcontract
with datausersfortheInstagramserviceandisnotanessentialorcoreelementofit.

137. Inconclusion, theEDPBdecides thattheMetaIEhas inappropriatelyreliedonArticle 6(1)(b) GDPRto

process thecomplainant’spersonaldatainthe contextofInstagramTermsofUse andthereforelacks
a legalbasis toprocess these datafor thepurposes ofbehavioural advertising.MetaIE hasnot relied
onany otherlegalbasistoprocess personaldatain thecontext ofthe InstagramTermsofUse for the

purposes of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by
unlawfully processing personal data. The EDPB instructs the IE SA to alter its Finding 2 of its Draft
Decision which concludes thatMeta IEmay relyon Article 6(1)(b) GDPR inthe contextof its offering

240In theDraft Decision, theIE SAquotes Meta IE’s submissions dated 28September 2018, inwhichit states

that it “provides the Instagram service to hundreds of millions of users across the European region.”Draft
Decision, paragraph 223. In its submissions onthePreliminary Draft Decision, Meta IE stated that thecorrect
figureformonthlyactiveaccountsfortheInstagramServiceasof31August2018(thedateofcommencement
of the Inquiry)is approximately , whileclarifying that this numberrepresents activeaccounts on
Instagramratherthanuniqueusers andthus doesnotrepresentthenumberofuniqueusers.Thisfiguredoes
notincludeUK-basedaccountsasMetaIEconsideredaccountsinthatterritorywerenotrelevantfortheInquiry.
TheIE SA does not sharethis view, on thegrounds that theGDPRwas applicablein theUK at thedateof the

241plaint.Meta IE’sReponsetothePreliminaryDraftDecision,paragraph14.13.DraftDecision,paragraph223.
AT SAObjection,pp.4-5;DESAs Objection,p.5-6,ESSAObjection,p.2,FI SAObjection,paragraphs16and
18,FRSAObjection,paragraphs8-9,HUSAObjection,p.3,NLSAObjection,paragraphs18-19;NOSAObjection,
p. 7,SE SAObjection,pp.3.

38
Adopted of the Instagram Terms of Use and to include an infringement of Article 6 (1) GDPR based on the
shortcomings thatthe EDPBhasidentified.

5 ON WHETHER THE LSA’S DRAFT DECISION INCLUDESENOUGH

ANALYSIS ANDEVIDENCE TOCONCLUDE THAT METAIE ISNOT

OBLIGEDTORELY ON CONSENT TOPROCESSTHE COMPLAINANT’S

PERSONAL DATA

5.1 Analysis by the LSA inthe DraftDecision

138. The IESA concludes asamatteroffact,initsDraftDecisionthatMetaIEdidnot rely, anddidnot seek
242
torely,onthe complainant’sconsent toprocesspersonaldatain connectionwiththeTermsofUse
andis not legallyobligedtorelyon consent todo so 24.

139. The IE SA acceptsthatMetaIE never sought to obtainconsent from users throughthe clicking ofthe
“Agreeto Terms”button,based alsoon MetaIE’sconfirmationthereto 244.

140. TheIESA distinguishes betweenagreeingtoacontract(whichmayinvolve theprocessing ofdata)and

providing consent to personal data processing specifically for the purposes of legitimising that
personaldataprocessing under theGDPR 245.TheIESA observes that,asnotedbythe EDPB,theseare
entirelydifferent conceptswhich “havedifferent requirementsandlegal consequences” 246.

141. The IESA alsoemphasises that thereis no hierarchybetweenthe legalbasis thatcontrollers mayuse
247
to process personal data under the GDPR . The IE SA further arguesthat neither Article 6(1) GDPR
nor any other provision in the GDPR require that the processing of data in particular contexts must
necessarily be based on consent 248. The IE SA argues the GDPR does not provide that the specific

nature and content of a contract, freelyentered into by two parties, requires a higher categoryor
“default” legal basis. The IE SA includes reference to the EDPB Guidelines 2/2019 on Article 6(1)(b)

GDPR whichassert that where data processing is necessary to perform a contract, consent is not an
appropriatelawful basison whichtorely 249.

142. The IE SA considers Article 7 GDPR andits conditions do not in andof themselves indicate the legal
basis on which a controller should rely on in a particular context. The IE SA contends that these

conditions would only be relevant where the controller relies upon consent as the legal basis for its
processing, whichit views asnot being the case for the processing of databy MetaIEinquestion 25.

242DraftDecision,paragraphs43and60.
243DraftDecision,paragraphs59-60.
244DraftDecision,paragraphs40and42,aswellas56.
245
246DraftDecision,paragraph52.
DraftDecision,paragraph47.
247DraftDecision,paragraphs48-50.
248DraftDecision,paragraph50.
249DraftDecision,paragraph52.
250DraftDecision,paragraph57.

39
Adopted 5.2 Summary of the objections raised by the CSAs

143. The AT,DE,ES,FI,FRandNL SAsobject tothe assessment inthe DraftDecisiononconsent, leadingto

Finding 1 of the IE SA25. These SAs put forwardseveral factualandlegalargumentsfor the changes
theypropose tothe DraftDecision.

144. The SE SA holds that ifthe EDPBweretofindthat theprocessing canrely onArticle6(1)(b) GDPR,the

investigationneedstoencompass whetherspecialcategoriesofpersonal datapursuanttoArticle9(1)
GDPRareprocessed, since the performance ofacontractis not anexemption pursuant toArticle9(2)
GDPR.Since the SE SA presents itsobjection as being contingent on whetherthe EDPB finds thatthe

data processing in Instagram, basedon itsTerms of Use, can relyon Article 6(1)(b) GDPR 252andthe
EDPBfindsthatMetaIEinappropriatelyreliedonArticle6(1)(b)GDPR(see aboveinSection4.4.2),the

SE SA objectionis no longerapplicable.

Argumentson thefinding ofthe LSA thatMetaIEis not legallyobliged torelyon consent

145. TheAT,DEandNL SAsconsider thattheIESA hasnotincluded enoughanalysis,evidence andresearch
in the DraftDecision toconclude thatMetaIE is not legallyobliged torely onconsent toprocess the
253
complainants’ data .

146. The AT SA points out that the IE SA limits its facts and its legal assessment to the generalquestion

whether Article 6(1)(b) GDPR canbe used aslegalbasis, specifically for behavioural advertising. The
Draft Decisiondoes not clarify which data categoriesare being used for behavioural advertising and

where Meta IE relies on Articles 6(1)(a) and 6(1)(b) GDPR for behavioural advertising. Also
unaddressed is, if and to which extent Meta IE relies on Article 9(2)(a) GDPR for behavioural

advertisingasfarassensitive dataareconcernedandwhetherMetaIErespectedtheGDPRconditions
(for example,Article7GDPR)whenobtainingtheconsentpursuant toArticle6(1)(a)andArticle9(2)(a)
GDPR. The AT SA argues that the Draft Decision did not address the part of the complaint on the

differences between“consent”and“contractualperformance”andregardingArticle9 GDPR 254.

147. EventhoughtheDESAssharetheIESA’sfinding thatMetaIEdidnotrelyonconsent for theprocessing
of dataasdescribedin theInstagramTermsof Use,the DESAs objectsagainstthe IE SA’sassessment

that in the specific case at issue Meta IE was not legally obliged to obtain consent from the
Complainant 25. TheDE SAsfurther add, alsoin relationtothe potentialuse of Article6(1)(f) GDPRas
a legalbasis, that further investigations on the specific processing activities, purposes and their risks

for rights and freedoms of the Complainant would be necessary to conclude an assessment on the
applicable legalbasis25.

148. The NL SA notes itsview thatthereis lackof anysubstantive investigationintowhat kind of personal
257
data is being processed besides relying on information submitted by the controller . The NL SA

251AT SAObjection,p.9-11;DESAObjection,p.2-9;ESSAObjection,p.2-3;FI SAObjection,paragraphs36-44;
FRSAObjection,paragraphs21-31;NLSAObjection,paragraphs20-27.
252SESAObjection,p.3-4.
253
254AT SAObjection,p.10;DESAObjection,p.7-9;NLSAObjection,paragraph21.
AT SAObjection,p.10.
255DESAs Objection,p.7-8.
256DESAs Objection,p.8-9.
257NLSAObjection,paragraph25.

40
Adopted considers that thereare clearindications that consent is legallyrequiredfor (partsof) the processing

operationsof the controller,and thatthe IESA couldthus draw adifferent conclusion on the basis of
further inquiries andanalysis258. The NL SA considers that the DraftDecision should be amendedifa
259
further inquiry bythe IESA establishes thattherelianceon consent asa legalgroundismandatory .

149. Inaddition, the DE andFR SAs consider thateven if MetaIEhad reliedon consent, it would not have

met the requirements of Article 7(1) GDPR asbeing “freely given”, as it is conditional on the use of
their services asa whole (“take it or leave it”). Nor would consent meet the requirements of Article

7(2)GDPRsince, asthe IE SA finds, informationon theprocessing ofdataasdescribedinthe Termsof
Use, is not provided in a concise, transparent, intelligible and easily accessible form, using clear and
260
plainlanguage .

Argumentson thepossible breachoftheobligation to relyon consent to processspecialcategoriesof
personaldata(Article9 GDPR)

150. TheAT,DE,ES,FI,FRandNLSAs consider thattheIESAshould haveidentifiedandseparatelyassessed

anyprocessing ofspecialcategoriesofpersonal dataunder Article9GDPRinthe contextofInstagram
Termsof Use 26.The DESAs conclude that MetaIEprocesses the complainant’sspecialcategoriesof
262
datainbreachofArticle9(1)GDPR .TheAT,ES,FI,FRandNLSAs taketheview thattheIESAshould
broaden the scope of its investigation and examine whether the conditions for the processing of
specialcategoriesof personaldatahave been metby MetaIE 263.

151. The AT, ES, FI, FR andNL SAs consider thatthe factualbackground of the DraftDecision misses facts

on whether Meta IE relies on Article 9(1)(a) GDPR to process special categoriesof personal data for
the purpose of behaviouraladvertising andwhether MetaIErespectsthe requirementsof the GDPR,
264
such asthose of Article7, inobtaining consent tothatend .

152. The FR and NL SAs argue that the data that Meta IE processes may include special categories of
personal data under Article 9 GDPR 26. The DE SAs contend that nothing indicates that Meta IE
266
excludes these categoriesofdatafrom its processing for advertisingpurposes .

153. The FR SA notes thatInstagramusers canprovide various sensitive data about themselves, including

their sexual orientation, religious views and political opinions in the description of their profile. The
FR SA considers thatthe IESA cannot simply statethatithasno evidence thatMetaIE processessuch

data in the context of the Instagram service. Inorder todeal with the complaint, the FR SA asks for

258
NLSAObjection,paragraph25.
259NLSAObjection,paragraph25.
260DESAs Objection,p.8;FRSAObjection,paragraphs24-29.
261AT SAObjection,p.9-10;DESAs Objection,p.7;ES SAObjection,p.2-3;FI SAObjection,paragraphs36-38,

41;FRSAObjection,paragraphs30-31;NLSAObjection,paragraphs24-26.
262DESAs Objection,p.7,10.
263AT SAObjection,p.9;ESSAObjection,p.2-3;FI SAObjection,paragraphs41-42;FRSAObjection,paragraph
31;NLSAObjection,paragraph25.
264
AT SAObjection,p.9;ESSAObjection,p.2-3;FI SAObjection,paragraph41;FRSAObjection,paragraph30;
NLSAObjection,paragraph25.
265FRSAObjection,paragraph30;NLSAObjection,paragraph24.
266DESAs Objection,p.7.

41
Adopted further investigation,in particularitasks the LSA toexaminewhether sensitive dataare processedby
267
the controller and,if so, whetherone ofthe conditions ofArticle 9(2)GDPRismet inthis case .

154. The NL SA argues that there is strong indication that some data processed in the context of the
Instagram service actuallybelongs toa specialcategoryof data considering “photographsand other

images that are, or were, potentiallyprocessed with use of facial recognition technology and other
artificial intelligence technologies in the context of Facebook services”68. The NL SA highlights that

according tothe CJEU ruling in case C-136/17 the mereindexing of certaindata could alreadysuffice
toconclude thatArticle9 GDPRapplies 26.

155. The DE and NL SAs recall that only consent may be used in this context among the exceptions that
Article9 (2)GDPRlaysdowntothegeneralprohibition ofprocessing specialcategoriesofdata 27.The

FI SA recallsthatthe performance ofa contractisnot anexceptionpursuant toArticle9(2) GDPR 271.

Argumentson othertypesofdatarequiring consent

156. TheNLSA identifiesasanotherindicator contradictingtheIESA’sconclusionthatthereisnoobligation
toseek consent the fact that the controller processes a significant amount of personal datathat has

beencollectedthroughcookies for online advertising purposes and oflocationdata 27.

Risks

157. Ontherisks posed bytheDraftDecision,the DESAsconsider that,asthesubject ofthe complaintwas

the processing as described in the Instagram Terms of Use there is also a significant risk for the
fundamental rights and freedoms of all Instagram users in the European Union that their personal
273
data, including data of special categories are processed without any legal basis . The AT SA also
considers thatthe compliance ofMetaIE withthe GDPRruleson the processing of specialcategories
ofdatagoesbeyond thecase atstakeandaffectshundreds ofmillions ofdatasubjectswithintheEEA,

asMetaIEis the provider of the biggestmedia networkinthe world 274.

158. The AT,DE,FI,FRandNL SAsarguethatthe IESA’sconclusion thatconsent is not requiredaffectsthe
rightsofdatasubjects andtheir controlover theirpersonal data 275.

159. The AT SA argues that the first risk is that the data subject’s right to lodge a complaint with a

supervisory authority pursuant to Article 77(1) GDPR becomesineffective because the IE SA did not
handle the complaint in its entire scope, including sensitive data pursuant to Article 9 GPDR. The AT

267FRSAObjection,paragraph30.
268NLSAObjection,paragraph25.
269NLSAObjection,paragraphs26.
270
DESAs Objection,p.7;NLSAObjection,paragraph24.
271FI SAObjection,paragraph40.
272NLSAObjection,paragraphs22-23,27.
273DESAs Objection,p.9.
274
AT SAObjection,p.9.
275ATSAObjection,p.11;DESAs Objection,p.9;FI SAObjection,paragraph43;FRSAObjection,paragraph34;
NLSAObjection,paragraphs30-31.

42
Adopted SA argues that this is not in line with the CJEU ruling in case C-311/18, which provides that the
276
supervisory authoritymust handle complaints withalldue diligence .

160. The FR SA arguesthat the DraftDecision poses a risk tothe fundamental rightsandfreedoms of the
individuals concerned, according to Article 4(24) GDPR, insofar as the legal basis of contractual
performance toprocessthe personal dataofInstagramuserstosend them targetedadvertisingdoes

not allow the Europeanusers tohave controlover thefate of their data 277.TheFR SA alsonotes that
since the DraftDecisionwillbe takenat theendof acooperationprocedure andmade public, it could

be interpreted as reflecting the common position of the European supervisory authorities on this
issue, andsetting aprecedent for acceptingthatacompany mayuse the legalbasisof the contractto

process itsusers’ datafor targetedadvertisingpurposes whensuch processing isparticularlymassive
andintrusive 278.

161. The NLSA specifies theprotectionsfrom whichthe datasubjectswould be depriveddue totheIESA’s
conclusion thatconsent is not required, such asthe right todataportability(Article 20(1) GDPR);the

possibility tospecifically consent tocertainprocessing operations andnot toothersandtothefurther
processing of personal data (Article 6(4) GDPR); the freedom to withdraw consent (Article 7 GDPR)
279
andthe subsequent right tobe forgotten .

162. TheAT,DE,FIandNLSAsnote asanadditionalriskthatsensitive personaldatafallingwithinthe scope
of Article9 GDPRis processedwithout meeting therequirementsof Article9(2) GDPR 280.

163. The FI SA highlights that the will of the legislator has been to protect the Article 9 GDPR special
categorydatawitha duty ofcare andifthere is anyreasonable doubt thatMetaIE hasno legalbasis

for processing operations of such sensitive data of the Instagram users, the said claim needs to be
properly investigated or otherwise the lack of investigation would negatively affect hundreds of
281
millions ofInstagramuserswithintheEEAandundermine theirrighttoprivacyanddataprotection .

164. The NL SA underlines the risk that allowing the bypassing of legal provisions requiring consent to
process datacreateslegaluncertaintythathampersthe freeflow of personaldatawithinthe EU 282.

165. TheNL SA alsoarguesthatnotassessing theprocessing inasufficiently thoroughmannercould create
a precedent for controllers to exclude from their privacy policies or terms of service processing

operationsthatmustbebasedonconsent.Thiswouldrisk leavingdatasubjectswithareduceddegree
of transparency 28.

276
AT SAObjection,p.10-11.
277FRSAObjection,paragraph34.
278FRSAObjection,paragraph35.
279NLSAObjection,paragraph33.
280
281AT SAObjection,p.11;FI SAObjection,paragraph43;DESAs Objection,p.9;NLSAObjection,paragraph33.
FI SAObjection,paragraph43.
282NLSAObjection,paragraph33.
283NLSAObjection,paragraph30.

43
Adopted 5.3 Position of the LSA on the objections

166. The IESA considers theobjections not reasonedanddoes not follow them 284.

167. The IE SA argues that the scope of the inquiry is appropriate and relatesto the issues raised in the
complaint. It also argues that finding of additional infringements which have not been fully

investigatedor put to the controller would impose a risk of procedural unfairness by depriving the
controller of itsrighttobe heardin response toaparticularisedallegationof wrongdoing 285.

168. The IE SA notes that it hasdiscretion to determinethe frameworkof the inquiry, taking into account

the scope of the writtencomplaint aslodged. The IE SA arguesthat it would not have been possible
to assess each discrete processing operation by Meta IE, without first resolving the fundamental
dispute between the parties on the interpretationof Article 6(1) GDPR. The IE SA considers that it

would have beeninappropriate and disproportionate for it toundertake anopen-ended assessment
of all of Meta IE’s processing operations related to the Instagram Terms of Use to handle the
286
complaint .

169. The IESA arguesthatitsanalysis of Article6(1)(b) GDPRdoes not preclude the possibility thatcertain

discrete processing operations by Meta IE mayfall outside the scope of Article 6(1)(b) GDPR. The IE
SA finds it reasonable andpracticaltosetthe scope of theinquiry, focusing onthe principledissues of
287
dispute, which itconsiders asnot prejudicing the operationof more specific data protectionrules .

170. The IESA considers that thereference toArticle 9 GDPRprocessing by MetaIE isanelement of what
it viewsasthe Complainant’sfundamentalallegation,i.e.thattheagreementtotheTermsof Usewas
a form ofGDPRconsent toprocessing ofpersonal data,including consent tothe processing of special

categoriesof data. The IE SA argues that since the scope of its inquiry addresses this issue, it is not
necessaryfor ittoalsoconduct anindiscriminate andopen-ended assessment ofMetaIE’sprocessing
288
thatmayotherwise fallwithin thescope of Article9 GDPR .

171. The IE SA notes that under Irish national law, there would be a very significant risk of procedural

unfairness to Meta IE if the IE SA assumed, without any further factualexamination, that Meta IE
unlawfully processes specialcategoriesof personaldata 289.

172. According totheIESA, the CSAs objectingtothe DraftDecisionintendtomaximise the complainant’s
rightsbyrequiring consent-based processing for certainprocessing operationsandthus prioritising it

over other legalbasis. The IESA considers thatveryextensive dataprotectionrightsalsoapply under
the GDPRwhere theprocessing is basedon Article 6(1)(b) or Article6(1)(f) GDPR.The IESA contends

that the variationin the extent of data subject rights and protections, depending on the applicable
legal basis, is an inherent element of the legislative scheme of the GDPR. The IE SA considers that
Article 6 GDPR does not provide thatthe “appropriate”datasubject rightsdetermine the legalbasis

for processing. The IE SA notes that separate tothe user’s acceptance of the Terms of Use, Meta IE

284
285CompositeResponse,paragraphs36and48.
CompositeResponse,paragraph97.
286CompositeResponse,paragraph26.
287CompositeResponse,paragaraph27.
288CompositeResponse,paragraph28.
289CompositeResponse,paragraphs32-33.

44
Adopted relies on different “acts” of consent for specific aspects of the service, including personalised
advertising basedon users’ off-Instagramactivities.Inthis regard,theIESA statesthatthe complaint

in this case was about the agreement to the Terms of Use and the processing it entails once
accepted 290.

173. The IE SA arguesthat the objections are inconsistent withthe principle of legalcertainty, ascitedin

Recital7 GDPR. The IE SA indicates that it is not satisfied that the GDPR requires the limitation of
processing for thepurposes ofbehaviouraladvertisingtosituationswhereprocessing isbasedondata
subject consent 29. The IE SA contends that interpretative approach of the CSAs raising objections

would result in the arbitraryapplicationofmore restrictive dataprotectionrules for reasons thatare
not found in the GDPR. The IE SA also states that this approach does not take due account of the

extensive data protectionrightswhich apply toalllegalbases under theGDPR.The IESA assertsthat
it is not open tothe supervisory authoritiestocreateadditional binding limitationson the applicable
legal basis for the processing of data for behavioural advertising. The IE SA states that it is the
292
legislator,not the supervisory authorities, whichhasdefined the conditions for lawfulprocessing .

5.4 Assessment of the EDPB

5.4.1 Assessment of whether theobjections were relevant and reasoned
174. The EDPBresponds toMetaIE’sprimaryargumentstothe contraryin Section4.4.1above 29.

175. The AT,DE,ES, FI, FR andNL SAsobjectionsanalysedinthis sectionhave a directconnection withthe
Draft Decision and refer to a specific part of the Draft Decision, i.e. Finding 1. The AT, DE, ES, FI, FR

andNLSAs arguethattheIESAhasnot carriedout enoughinvestigationandlegalanalysis intheDraft
Decisiontoconclude thatMetaIEisnot legallyobligedtorelyonconsent toprocessthe complainants’
294
data . According to these CSAs, the IE SA should have identified and separately assessed any

290CompositeResponse,paragraphs46.
291CompositeResponse,paragraph47.
292
CompositeResponse,paragraph47.
293Meta IEarguesthat“ObjectionswhichraisematterswhicharenotwithintheDefinedScopeofInquiryarenot
‘relevantandreasoned’withinthemeaningofArticle4(24)GDPR”andsuchobjections“oughttobedisregarded
intheirentiretybytheEDPB”.TheEDPBdoes notsharethisunderstanding,asexplainedabove.Seeparagraphs
73-75ofthisBindingDecisionabove.Inparticular,theEDPBrecallsthattheanalysisofwhethera givenobjection

meets thethresholdsetbyArt.4(24)GDPRiscarriedoutona case-by-casebasis.Morespecifically,incontrast
to the objections referred to by Meta IE that did not “establisha direct connectionwith the specificlegal and
factual content of the Draft Decision”(Binding Decision2/2022paragraphs 139, 147, 164) here, each CSAhas
madeseveralclearlinkswiththecontentoftheDraftDecision,asisdescribedinparagraphs143,145-147and
150-151ofthisBindingDecision.Moreover,whiletheobjections referencedbyMeta IEinparagraph4.9ofits

Article65submissions werefound not to berelevant and/or reasoned intheBindingDecision 2/2022 as they
did “not provide sufficiently precise and detailed legal reasoning regarding infringement of each specific
provisioninquestion”,didnotexplainsufficientlyclearly,norsubstantiateinsufficientdetailhowtheconclusion
proposedcould bereached, or didnot sufficiently demonstratethesignificanceof theriskposed bytheDraft
DecisionfortherightsandfreedomsofthedatasubjectsorthefreeflowofdatawithintheEU(BindingDecision

2/2022,paragraphs140,148,165),asregardstheobjections analysedinthis section,theAT, DE, FI,FR andNL
SAs providea numberof legal and factual arguments and explanations as to why an infringement forlack of
appropriatelegalbasisistobeestablished,andadequatelyidentifytheriskposedbytheDraftDecisionifitwas
adoptedunchanged(paragraphs145-165ofthisBindingDecision).
294AT SAObjection,p.9;DESAs Objection,pp.8-9;ESSAObjection,pp.2-3;FI SAObjection,paragraphs36-37;
FRSAObjection,paragraph30;NLSAObjection,paragraph21.

45
Adopted processing ofspecial categoriesofpersonal datain InstagramTermsof Use 29.The NL SA arguesthat

processing operationsconcerning locationdataandthe use oftrackingtechnologieson users devices
should have investigatedandassessed bythe IESA aswell 29.The AT, FI,FR andNL SAs consider that

the IE SA should broaden the scope of its investigationand examine whether the conditions for the
processing ofspecialcategoriesofpersonaldatahavebeenmetbyMetaIEinrelationtotheInstagram
297
service . The DE, FR and NL SAs argue that the data that Meta IE’sprocesses may include special
categoriesofpersonaldataunder Article 9 GDPR 298.Theycontendthatnothing indicatesthatMetaIE

excludes these categoriesof datafrom itsprocessing for advertising purposes. The AT,DE,ES, FI and
FR SAs highlight thatthe issue falls within the remitof the complaint since the complainant allegeda
potentialviolationof Article9 GDPRandshould thereforebe investigatedandassessed bythe LSA 29.

The AT, DE, ES, FI and FR SAs challenge the reasoning underling the conclusion reached by the LSA.
This assessment could lead to a different conclusion insofar as the IE SA would fully cover the

complaint and include factsanda legalassessment on the Instagram’sservice processing operations
towhich Article6(1)(a), Articles7 and9 GDPRmayapply, whichmayrevealaninfringement byMeta

IE300.

176. Consequently, the EDPB finds that the AT, DE, ES, FI, FR andNL SAs objections relating toFinding 1,
whichstatesthatMetaIEisnot requiredtorelyonconsent todeliver theInstagramTermsofUse and
301
itsunderlying reasoning,are relevant .

177. The AT, DE, FI, FR and NL SAs objections are reasoned because they include clarifications and
argumentsonlegal/factualmistakesinthe LSA’sDraftDecisionthatrequire amending.TheAT,DE,FI,
FR and NL SAs consider that the IESA should have identified and separatelyassessed any processing

of special categories of personaldata under Article 9 GDPR in the context of Instagram Terms of
Use 302. Inparticular, the DE, FR andNL SAs argue that the data that Meta IE processesmayinclude

special categories of personal data under Article 9 GDPR and that nothing indicates that Meta IE
excludes these categoriesof data from its processing for advertising purposes 303. The AT, DE, ES, FR

and NL SAs recallthat only consent maybe used in this context among the exceptionsthat Article 9
(2) GDPR lays down to the generalprohibition of processing special categoriesof data 304.The FI SA

recalls that EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR state that the WP29 has observed that
Article9(2)GDPRdoesnot recognise “necessaryfor theperformanceofa contract”asanexceptionto
305
the general prohibition to process special categories of data . The NL SA identifies as another

295
AT SAObjection,p.9;DESAs Objection,p.7;FI SAObjection,paragraph37;FRSAObjection,paragraph30;
NLSAObjection,paragraph25.
296NLSAObjection,paragraphs22-23and27.
297AT SA Objection, p. 9; FI SA Objection paragraph41;FR SA Objection, paragraph30;NL SA Objection,

298agraph25.
DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraphs24-25.
299AT SAObjection,p.9;DE SAs Objection,p.7;ES SAObjection,p.2;FI SAObjection,p.42;FRSAObjection,
paragraph30.
300SeeEDPBGuidelinesonRRO,paragraph15andEDPBGuidelinesonArticle65(1)(a)GDPR,paragraphs40and

Sub-sections4.2,4.2.3-4.2.5.
301Seeparagraphs143,145and150ofthisBindingDecision.
302AT SAObjection,p.9;DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraph25.
303DESAs Objection,p.7;FRSAObjection,paragraph30;NLSAObjection,paragraphs24-25.
304
AT SAObjectionpp.9-10;DESAs Objection,p.7;ESSAObjection,p.2-3;FRSAObjection,paragraph31;NL
SAObjection,paragraph24.
305FI SAObjection,paragraph40.

46
Adopted indicator contradictingthe IE SA’sconclusion thatthere isno obligationto seekconsent the factthat

thecontroller processesasignificant amountofpersonaldatathathasbeencollectedthroughcookies
for online advertising purposes and of location data 306. The NL SA also arguesthat the IE SA should

have investigated more into the safeguards that are implemented by the controller to address the
specific interests of children307. Lastly, the NL SA states that the information shared by users on

Instagrammaycontainpersonaldataconcerningthehealthofindividual usersandmentionstheruling
of the CJEU in case C-136/17 stating that the mere indexing of certaindata could already suffice to
308
conclude thatArticle9 of the GDPRapplies .

178. Onthe risks posed by the DraftDecision,the AT,DE,FI,FR andNL SAs explainthatthe IE SA’sFinding

1 providing that consent isnot requiredputs at risk the rightsof datasubjects and their controlover
their personal data 309.The AT SA mentions the risk thatthe data subject’sright tolodge a complaint

with a supervisory authority pursuant to Article 77(1) GDPR becomes ineffective because the IE SA
does not handle it initsentirescope, including specialcategoriesofdataunder Article9 GDPR 310.The

FR SA arguesthat the Draft Decision could set a precedent for accepting the use of the contractual
performance legalbasis to process users’ data for targetedadvertising purposes, which it views as
311
particularlymassive and intrusive . The NL SA specifies thatthe datasubjects could be deprived of
the following protections derived from the use of consent: the rightto dataportability (Article 20(1)

GDPR);thepossibility tospecificallyconsent tocertainprocessing operationsandnot toothersandto
the furtherprocessing ofpersonal data(Article6(4) GDPR);thefreedom towithdrawconsent (Article
312
7 GDPR) and the subsequent right to be forgotten . The AT, DE, FI and NL SAs also note as an
additional risk that special categoriesofpersonal data falling within the scope of Article 9 GDPR are
processed without meeting the requirementsof Article 9 (2) GDPR 313.TheNL SA alsounderlines the

data protection deficits that are foreseeable with a switch from consent tocontract legal basis and
the risk that this conclusion would create legaluncertainty that hampers the free flow of personal

data within the EU 314. The NL SA further adds the risk that the decision could create by setting a
precedent for controllers to exclude from their privacy policies or terms of service processing

operations based on consent, thus undermining the principle of transparency 31.The ES SA does not
describe any riskon thisspecific topic in theirobjection316.

179. On the basis of the above considerations, the EDPBfinds that the objections raised bythe AT, DE,FI,

FR and NL SAs concerning the conclusions in the Draft Decision about the fact that Meta IE is not
obliged to relyon consent toprocess the complainant’sdata, are relevant and reasonedobjections

under Article 4(24)GDPR.

306
307NLSAObjection,paragraphs22-23and27.
NLSAObjection,paragraph34.
308NLSAObjection,paragraph26.
309AT SA Objectionpp. 10-11;DE SAs Objection, p. 9;FI SAObjection, pp. 9-10;FR SAObjection, p. 7;NLSA
Objection,p.9-11.
310
AT SAObjection,p.10.
311FRSAObjection,paragraph35.
312NLSAObjection,paragraph33.
313AT SAObjection,p.11;DESAs Objection,p.9;FI SAObjection,paragraph43;NLSAObjection,paragraph33.
314
NLSAObjection,paragraphs32-33.
315NLSAObjection,paragraph30.
316ESSAObjection,p.3.

47
Adopted180. However,thepart ofthe NLSA objection asking the IESA toinclude in itsDraftDecisiontheelements
concerning the need torely on consent for the placing of tracking technology on end users devices
317
under ePrivacylegislationfalls outside thescope of theEDPB’smandate .

181. Finally, theEDPBconsidersthattheobjection raisedby theESSA regardingthepotentialinfringement

of Article 9 GDPR is not sufficiently reasonedwith reference tothe significance of the risks posed by
the Draft Decision at stake and, therefore, the objection of the ES SA does not meet the threshold

provided for by Article4(24) GDPR.

5.4.2 Assessment on the merits
182. Inaccordance withArticle 65(1)(a) GDPR, inthe context of a dispute resolution procedure the EDPB

shall take a binding decision concerning all the matterswhich are the subject of the relevant and
reasonedobjections, inparticularwhether thereis aninfringement ofthe GDPR.

318
183. TheEDPBconsidersthattheobjectionsfound toberelevantandreasonedinthissubsection require
anassessment of whether the DraftDecision needs to be changedon its Finding 1, which concludes
thatMetaIEhas(a)notsought torelyonconsent toprocess personaldatatodeliver the TermsofUse

and (b) is not legallyobliged to rely on consent in order todo so. When assessing the merits of the
objections raised, the EDPB also takes into account Meta IE’s position on the objections and its

submissions.

MetaIE’sposition on theobjectionsand itssubmissions

184. Inits submissions, MetaIE supports the IESA’s conclusion thatMeta IE does not rely on consent for
the purposes of behaviouraladvertising andis not requiredtorelyon it 31.

185. Meta IE states that it does not seek or rely on consent as its legalbasis for purposes of processing
personal data to provide behavioural advertising, except in limited circumstances where Meta IE
320
separately obtains consent, yet not through users’ acceptance the Terms of Use . Meta IE claims
that it explains in its DataPolicy todata subjects thatMeta IE relieson consent under Article 6(1)(a)
GDPR“[f]orusing datathatadvertisersandotherpartnersprovideusabout[users’]activityoffofMeta

Company Products, so we can personalise ads we show [them] on Meta Company Productsand on
websites, apps and devices that use our advertising services” and that it has a separate process for

obtaining this consent in amanner thatsatisfies the requirementsof Article4(11) andArticle7 GDPR
andwhich is “entirelyseparate from any interactionby userswith the TermsofUse or DataPolicy, is
not part of the Complaint and has not beenexamined” inthe IESA’s inquiry 321. Meta IEsubmits that

the Complaint is limitedto the question of whether MetaIE seeks forcedconsent todata processing
throughacceptance ofthe Termsof Use. Meta IE thenasserts that since it does not seek, obtain, or

relyon consent asa legalbasis under Article 6(1)(a) GDPRtoprocess user data via acceptanceofthe

317NLSAObjection,paragraphs7-8.
318
Theseobjections beingthoseoftheAT, DE, FI,FR andNLSAs,disagreeingwiththeIESA’s Finding1,which
states thatMeta IEis notrequiredtorelyonconsenttodelivertheInstagramTermsofUseandits underlying
reasoning.
319Meta IEArticle65Submissions,paragraphs5.2and5.6.
320Meta IEArticle65Submissions,paragraph5.4.
321
Meta IEArticle65SubmissionsFootnote61andparagraph6.27.

48
Adopted Terms of Use, the inquiry should end there and all unrelatedassertions in the objections should be
322
disregarded .

186. Meta IE allegesthat some CSAs suggest that behavioural advertising must in all cases be based on
consent, andin doing so, the CSAs suggest anapproachthatmandatesMetaIE torelyonconsent for
323
“itsdataprocessingfor purposesofbehaviouraladvertising (or anyotherpurpose)” .MetaIEagrees
with the IE SA’s assertion that any approachlimiting the legalbasis on which a controller could rely
324
would not be consistent withthe principle of legalcertainty .MetaIEconsiders thatthe GDPRwas
drafted in a way that protects data subjects while affording flexibility to controllers and that its
applicationishighlydependent onfactsandcircumstancesunderlying therelevantprocessing andthe

natureof the service providers 325. MetaIEcontends thatthe GDPRcontainsno expressreferencesto
behavioural advertising and establishes no specific limitations on the available legalbasis for such

processing; it is technology neutral and does not include specific derogations or rules for any one
specific industry32.

187. Withregardtotheconsiderationthatconsentasalegalbasisprovides moreextensive dataprotection

rights, Meta IE argues that in defining the conditions for lawful processing, the EU legislature has
ensured that appropriate data protection rightswould be afforded to data subjects no matter what
327
legalbasisis reliedon andextensive dataprotectionrightsapplytoalllegalbases .MetaIEsupports
the IESA’s view thatArticle 6(1)GDPR doesnot require legalbasestobe determinedby referenceto
328
the applicable datasubject rightsfor eachbasis .

EDPB’sassessment on themerits

188. The EDPB notesthat the IE SA’s Draft Decision submitted via the Article 60 GDPR procedure results
from an inquiry that the IE SA conducted based on a complaint from a data subject and Instagram
329
user . The BE SA forwarded this complaint to the IE SA as LSA in the case, given Meta IE’s main
establishment in Ireland.

189. In this complaint, the Complainant alleges that Meta IE violated Articles 5, 6, 7 and 9 GDPR. The

Complainant arguesthatit is unclear to whatthe datasubject has consented when the data subject
agreedtoInstagramTermsofUse andPrivacyPolicy 33. Morespecifically, the Complainant points out
that it remains unclear which exact processing operations the controller chooses to base on each

specific legalbasisunder Articles6 and9 GDPR 33.TheComplainant arguesthatthe Termsof Use and
PrivacyPolicy alsoinclude specialcategoriesofdataunder Article9(1)GDPRbecausethedatasubject,

as an Instagram user, has interactedwith various groups and individuals, which would accordingly
reveal the data subject’s political affiliation, sexual orientation, health condition, etc 332. The

322
Meta IEArticle65Submissions,paragraph5.8.
323Meta IEArticle65Submissions,paragraph5.2.
324Meta IEArticle65Submissions,paragraph5.14.
325Meta IEArticle65Submissions,paragraph5.15.
326
Meta IEArticle65Submissions,paragraph5.15.
327Meta IEArticle65Submissions,paragraph5.16.
328Meta IEArticle65Submissions,paragraphs5.16-5.17.
329DraftDecision,paragraph3;ScheduletotheDraftDecision,paragraphs12and19.
330
Complaint,p.1-2.
331Complaint,p.1-2.
332Complaint,p.1-2.

49
Adopted Complainant claims that the controller also allows to target such information for advertisement 333.

The Complainant considers that it would be necessary for the SA toinvestigate the concrete subject
of the allegedconsent and the legalbasis for allprocessing operations andto request the record of
334
processing activitiesunder Article30(4)GDPR .

190. Basedon the scope ofthe IE SA’sinvestigationinto this complaint,the EDPB considers thatthe IE SA

decidedtolimit thescope of itsDraftDecisiontothe following legalissues:

o Issue 1 – Whether clicking on the “Agree to Terms” button constitutes or must be
consideredconsent for thepurposes oftheGDPRand,ifso,whetheritis validconsent

for the purposes ofthe GDPR.

o Issue 2 – Whether Meta IE could rely on Article 6(1)(b) GDPR as a lawful basis for
processing ofpersonal datainthe context ofTermsofUse and/or DataPolicy.

o Issue 3 – Whether Meta IE provided the requisite information on the legal basis for
processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent
335
manner.

191. The IESA arguesthatit hasdiscretion todetermine the frameworkofthe inquiry takinginto account
the scope of the written complaint as lodged 33. The IE SA considers that it would not have been

possible to undertake anassessment of eachdiscrete processing operation by Meta IE without first
resolving the fundamentaldispute betweenthe partieson the interpretationof Article6(1) GDPR 337.
Inrelationtothe processing ofArticle 9 GDPRcategoriesof data,the IESA considers thatthe inquiry

has addressedthe fundamental issue of principle onwhich the complaint depends, andthis makesit
unnecessarytoconduct anindiscriminate andopen-endedassessment ofprocessing falling withinthe
338
scope ofthis Article .The IESA thus concludes thatMetaIE has(a)not sought torelyon consent in
order to process personal data to deliver the Terms of Use and (b) is not legally obliged to rely on
339
consent inorder todoso, basedonthe submissions of thePartiesandInstagramTermsofUse .The
IESA warnsCSAs onthe legalrisks derivedfrom asking throughthe objections toexpandthematerial

scope of the inquiry and thus cover infringements outside of the complaint and Draft Decision that
the IE SA has not investigated(pursuant to itsown decision tolimit the scope of the inquiry) andput
toMetaIE 340.

192. The EDPBnotesthattheComplaint makesplaintheconfusion oftheInstagramuserover whichofthe

user’sspecialcategoriesof dataareprocessed, for whichpurposes andonwhich basis.

193. The Instagram Terms of Use themselves note in general terms “Providing our Service requires
collecting and using your information. The Data Policy explains how we collect, use, and share

333
Complaint,p.4.
334Complaint,p.7and16.
335DraftDecision,paragraph30.
336CompositeResponse,paragraph26.
337
338CompositeResponse,paragraph26.
CompositeResponse,paragraph28.
339DraftDecision,paragraph60;Finding1.
340CompositeResponse,paragraphs30-33and35.

50
Adopted information across the Facebook Products” 341 (service which includes “Offering personalized

opportunitiestocreate,connect,communicate,discover,andshare”and“Connectingyouwithbrands,
products,andservicesinwaysyoucareabout” 342).The InstagramTermsofUse include a referenceto
343
a separate document “the DataPolicy” , which lists under the heading “Things you and others do
andprovide”:“Datawithspecialprotections:You canchoose to provide information in your Facebook

profile fields or Life Events, about your religious views, political views, who you are ‘interested in’ or
your health. Thisand other information (such as racialor ethnic origin, philosophical beliefs or trade
344
union membership) is subject to special protectionsunder EU law” . The Data Policydescribes the
purposes for which these data areprocessed in verygeneraltermssuch as“Provide,personalize and
improve ourproducts” and“toselectand personalizeads, offersand othersponsored contentthatwe

show you” 345 with no specific reference tothe specific processing operations and categoriesof data
eachpurpose wouldcover. MetaIEthusseems toacknowledgein itsDataPolicy 346thatituses special

categoriesof data for behavioural advertising purposes, without specifying the “special protections
under EU law” that it would apply to such processing. Meta IE only includes a generalreference to

consent amongotherlegalbasisinthe samepage 347,whichincludesalink toaseparatefacebook.com
page mentioning the use of consent on data with special protection and referring to the Instagram
348
Settings .

194. The IE SA finds that the way in which Meta IE provides, in relation to processing for which Article
6(1)(b) GDPR is relied upon, this information and the lack of information on the specific processing

operations, the data involved, their purposes and legal basis constitute an infringement of
transparencyobligations under the GDPR(Article5(1)(a), Article12 (1), andArticle13(1)(c) GDPR) 349.
The IE SA considers the complaint inthis case tobe limitedtothe Termsof Use and the processing it

entailsonce accepted 350.Inthese circumstances,the IESA acceptsatfacevalue MetaIE’ssubmission
on its reliance on different “acts” of consent for discrete aspectsof the service separatelyfrom the

user’sacceptanceof theTermsof Use 35. The IESA does not engageintoanyfurther examinationor
verificationonhow consent issought inthe caseof processing carriedout toprovide discreteaspects

of the service. The IE SA also does not examine or verify whether special categoriesof data under
Article 9 GDPR are processed in the context of the Instagram service and, if so, whether they are

subject tothese “acts”of consent andthus effectivelytreatedoutside the scope ofthe Termsof Use

341InstagramTermsofUse,Section“TheDataPolicy”.
342InstagramTermsofUse,Section“TheInstagramService”.
343The document is titled as “Instagram Data Policy”, howeverit is explainedinits chapeauthat “[t]his policy

describes the information we process to support Facebook, Instagram, Messengerand other products and
featuresofferedbyFacebook(FacebookProductsorProducts)”.
344InstagramDataPolicy,Section“Thingsyouandothersdoandprovide”.
345 Instagram Data Policy, Section “How do we use this information? -Provide, personalize and improve our

346ducts”.
Instagram Data Policy, Section “Things you andothers do and provide” and Section“How do we use this
information?-Provide,personalizeandimproveourProducts”.
347Data Policy,Section“Whatisourlegalbasisforprocessingdata?”.
348Facebookwebsitehttps://www.facebook.com/about/privacy/legal bases.
349
DraftDecision,Finding3.
350 The IE SA mentions in its Scheduleto the Draft Decision, paragraphs 134-135“My view is that [...] the
Complaint even taken at its height quite clearly only concerns data processing arising out of the act of
acceptance.Onthisbasis,Idonotacceptthattheprocessingofsensitivecategoriesofpersonaldataonthebasis

ofArticle 9GDPRconsentfallswithinthescopeofthisInquiry.ThereisnoevidencethatMetaIrelandprocesses
specialcategorydataatallinrespectoftheInstagramservice”.
351CompositeResponse,paragraph46.

51
Adopted and the legalbasis of Article 6(1)(b) GDPR on which the Terms of Use purportedly rely, or whether
some special categoriesof personal data, as defined by the GDPR and EU case-law 352, are treated

under the InstagramTermsof Use.

195. The CJEU assertedrecentlythatthe purpose ofArticle9(1)GDPRis toensure anenhancedprotection
of data subjects for processing, which, because of the particular sensitivity of the data processed, is

liable to constitute a particularly serious interference with the fundamental rights to respect for
private life and to the protection of personal data, guaranteedbyArticles7 and 8 of the Charter 353.
TheCJEU adoptsawide interpretationoftheterms“specialcategoriesofpersonaldata”and“sensitive

data” that includes data liable indirectly to reveal sensitive information concerning a natural
person 354. Advocate GeneralRantosreiteratesthe importance for the protectionof data subjects of

Article 9 GDPR andapplies the same interpretationto the dataprocessing insocial network services
for behavioural advertising bystatingthat “theprohibition on processing sensitive personaldata may
include theprocessing ofdatacarriedout byan operatorof an online socialnetworkconsisting in the

collectionofauser’sdatawhenhe or she visits otherwebsitesor apps or enterssuch data into them,
the linking of suchdata to the user account on the social networkand the use of such data,provided

thattheinformation processed,consideredin isolation or aggregated,makeitpossible toprofile users
on the basis of the categories that emerge from the listing in that provision of types of sensitive
personaldata” 35.

196. Therefore,theGDPRandthecase-lawpayespecialattentiontotheprocessing orpotentialprocessing

of special categories of personal data under Article 9 GDPR to ensure the protection of the data
subjects. In this connection, the Complainant allegesin the Complaint, among others, a violation of
Article 9 GDPRand expressly requeststhe IESA toinvestigateMeta IE’sprocessing operations inthe

context of the Instagram service covered by this Article 356. In a subsequent submission on the
Preliminary DraftDecision, the Complainant criticisesthe scope thatthe IE SA decided togive tothe

Complaint anditslackofinvestigationofMetaIE’sprocessingactivitiesandallegesthattheIESAfailed
to give due consideration to processing under Article 9 GDPR and other cases in which it relies on
357
consent .

197. Inthe present case,theIESA limiteditsfactsandlegalassessment inthe DraftDecisiontothegeneral

question of whether Meta IE has (a) sought to rely on consent in order to process personal data to
deliver the Termsof Use and (b) if it is legallyobliged to relyon consent in order todo so. The IE SA

categoricallyconcludes on these questions. At the same time, the IE SA acknowledgesa serious lack
of transparency by Meta IE, as regards the information provided concerning the processing being
carriedout in reliance on Article 6(1)(b) GDPR and does not clarify which data categoriesare being

processed for behaviouraladvertising,if MetaIEprocesses specialcategoriesofdata,andifit does, if

352
SeeArticle9GDPRandC-184/20Vyriausiojitarnybinėsetikoskomisija.
353C-184/20 Vyriausiojitarnybinės etikos komisija, paragraph126.
354C-184/20 Vyriausiojitarnybinės etikos komisija, paragraph127.
355C-252/21 Oberlandesgericht Düsseldorf request, Opinionof theAdvocateGeneral on20 September 2022,

356I:EU:C:2022:704,paragraph46.
Complaint,p.1-3,7,16.
357DraftDecision,paragraphs28-29;Complainant’sSubmissiononPreliminaryDraftDecisionininquiryIN-18-
5-5 of 11 June2021, pp. 11-13(ina letter to theIE SAof 4 February 2022p. 2 theComplainant explains that
their submissions in IN-18-5-5on facebook.com shouldbe considered as their submissions in IN-18-5-7on
Instagramandallreferencesshouldbereadaccordingly).

52
Adopted MetaIE complies withthe conditions of Article 9 GDPRand othersrelevant tothe application of this
provision (for example,Articles6(1)(a) andArticle7 GDPR).

198. By deciding not to investigate, further to the Complaint, the processing of special categories of
personal data in the context of the Instagram service, the IE SA leaves unaddressed the risks this

processing poses for the Complainant and for Instagram users. First, there is the risk that the
Complainant’sspecialcategoriesof personaldataareprocessed withinthe Instagramservice tobuild
intimate profiles of them for behavioural advertising purposes without a legalbasis and ina manner

not compliant with the GDPR and the strict requirements of its Article 9(2) GDPR and other GDPR
provisions relevant thereto. Second, there is also the risk that Meta IE does not consider as special
358
categoriesof personal data (in line with the GDPR and the CJEU case-law ) certain categoriesof
personaldatait processes andconsequently, thatMetaIEdoes not treatthemaccordingly.Third,the
Complainant and other Instagram users whose special categoriesof are processed may be deprived

of certainspecial protections derived from the use of consent, such as the possibility tospecifically
consent tocertainprocessing operations andnot toothersand tothe further processing of personal

data(Article 6(4)GDPR);thefreedom towithdraw consent (Article 7 GDPR)andthe subsequent right
to be forgotten 359. Fourth, given the great size and dominant market share of Meta IE in the social
media market, leaving unaddressed its current ambiguity in the processing of special categoriesof

personal data, and its limited transparency vis-à-vis Instagram users, may set a precedent for
controllers to operate in the same manner and create legaluncertaintyhampering the free flow of
personal datawithinthe EU.

199. The EDPB further considers, also in view of these risks to the Complainant and to other Instagram
users, thatthe IE SA did not handle the Complaint withalldue diligence 36.The EDPBsees thelackof

anyfurtherinvestigationintothe processing ofspecialcategoriesofpersonaldataasanomission, and
in the present case finds it relevant that the Complainant allegedinfringements of Article 9 GDPR in
361
the Complaint . The EDPB contends that inthe present case, the IE SA should have verified on the
basis of the contract and the data processing actually carried out on which legal bases each data
processing operationatissue relies.

200. The EDPB alsohighlights that bylimiting excessively the scope of its inquiry despite the scope of the
complaint in this cross-border case and systematically considering all the objections raised by CSAs

not relevantand/or reasonedandthusdenying theirformaladmissibility, the IESA asLSA inthiscase,
constrains the capacityof CSAs to act and tackle the risks to data subjects in sincere and effective

cooperation. Asruledby theCJEU, the LSA must exercise itscompetence withina frameworkof close
cooperationwithothersupervisory authoritiesconcernedandcannot“eschewessentialdialoguewith

358See C-184/20 Vyriausioji tarnybinėsetikos komisija and more recently on the processing in Facebook:
C-252/21Oberlandesgericht Düsseldorf request, Opinion of the AdvocateGeneral on 20 September 2022,
ECLI:EU:C:2022:704,.
359
Art. 17GDPR.
360JudgementoftheCourtofJusticeof16July2020,DataProtectionCommissionervFacebookIrelandLimited
and MaximillianSchrems, C-311/18, ECLI:EU:C:2020:559, (hereinafter ‘C-311/18, Schrems II'), paragraph109;
Judgement of the Court of Justiceof 6 October2015, Schrems, C-362/14, ECLI:EU:C:2015:650, paragraph63;
Judgement of the Court of Justice of 4 April 2017, European Ombudsman v Staelen, C-337/15,
ECLI:EU:C:2017:256,paragraphs12,34,43,114.
361
Complaint,p.1-3,7,16.

53
Adopted 362
and sincereandeffectivecooperationwiththeothersupervisoryauthoritiesconcerned” .Thelimited
scope the IESA gavetotheinquiry anditsconsideration ofalltheobjections made asinadmissible for
being not relevant or reasoned also impairs the EDPB’scapacityto conclude on the matterpursuant

to Article 65 GDPR and thus ensure a consistent application of EU data protection law, especially
considering thatthe complaint wasintroducedmore thanfour yearsago.

201. As a result of the limited scope of the inquiry and the fact that the IE SA did not verify and assess in
the DraftDecisionMetaIE’sprocessing ofspecial categoriesofpersonal datainitsInstagramservice,

the EDPBdoes not have sufficient factualevidence on MetaIE’sprocessing operationstoenable it to
make a finding on any possible infringement by Meta IE of its obligations under Article 9 GDPR and
other GDPRprovisions relevantthereto.

202. Inconclusion, the EDPB decides thatthe IE SA cannot categoricallyconclude at this stagethroughits
Finding 1 that Meta IE isnot legallyobliged to rely on consent toprocess personal data tocarryout

the personal data processing activities involved in the delivery of the Instagram Service, including
behavioural advertising as set out in the Instagram Terms of Use without further investigating its

processing operations, the categoriesof data processed (including to identify special categories of
personal datathatmaybe processed), andthe purposes theyserve.

203. The EDPBinstructs the IE SA toremove from its DraftDecisionits conclusion on Finding 1. The EDPB
decides that the IE SA shall carry out a new investigationinto Meta IE’sprocessing operations in its
Instagramservicetodetermineifit processesspecialcategoriesofpersonaldata(Article9GDPR),and

complies with the relevant obligations under the GDPR, to the extent that this new investigation
complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding
Decision,andbasedontheresultsofthisinvestigation,issue anew draftdDecisioninaccordancewith
363
Article60(3) GDPR .

6 ON THE POTENTIALADDITIONAL INFRINGEMENTOFTHE

PRINCIPLE OF FAIRNESS

6.1 Analysis by the LSA inthe DraftDecision

204. TheIESA initsDraftDecisionaddresses theComplainant’sallegationsthattheunclearandmisleading
nature of the InstagramTermsof Use andDataPolicy, togetherwiththe mode of acceptanceofthe

Terms of Use, have made Instagram users believe that all processing operations were based on
consent under Article 6(1)(a) GDPR and thus constituted a breach of the Meta IE’s transparency
obligations under Articles 5(1)(a)and 13(1)(c) GDPR 364. The IE SA analyses the submissions provided
365
by the Meta IE and, noting the Complaint’s focus on the alleged“forced consent” , concludes that
Meta IE has breached Article 5(1)(a), Article 13(1)(c) and Article 12(1) GDPR due to the lack of

362JudgementoftheCourtofJusticeof15June2021,FacebookIrelandLtdvGegevensbeschermingsautoriteit,
C-645/19, ECLI:EU:C:2021:483, (hereinafter ‘C-645/19 Facebook v Gegevensbeschermingsautoriteit),
paragraphs53and63.
363EDPBGuidelinesonArticle65(1)(a)GDPR,Section4.2.3andparagraph85.
364
365DraftDecision,issue3,paragraphs116-196,inparticulartheconclusioninparagraph196.
Seealsoparagraph3ofthisBindingDecision

54
Adopted transparencyin relationtothe processing for whichArticle 6(1)(b) GDPRhasbeenreliedon 366. TheIE

SA explains that,while aninfringement of Article 5(1)(a) GDPRdoes not necessarily or automatically
flow from findings of infringement under Articles 12 and/or 13 GDPR, there is an important link

between these provisions 367. Nevertheless, the IE SA takes the view that “[t]he factual question of
whetherthedatasubject was misled asto the legalbasis isthereforepart ofthe broaderquestion as

to whether there was compliance with transparency requirements and should not be considered in
isolation ofthis broaderissue” 368. The IE SA points out thatArticle 5(1)(a)GDPRlinks transparencyto
369
the overallfairness of the activitiesof the controller and concludes on the breachofthis provision
inrelationtothe infringement ofthe transparencyobligations 370.

6.2 Summary of the objection raisedby the CSA

205. The IT SA objects tothe scope of Finding 3 of the DraftDecision andtothe assessment leading up to
it.The ITSA agreestoalargeextent withthe Draft Decision’sFinding 3 on theinfringement of Article
371
12(1), Article13(1)(c),andArticle5(1)(a)GDPRintermsoftransparency .However,theITSA argues
thatMetaIEhasalsofailedtocomply withthemore generalprinciple offairnessunder Article5(1)(a)
GDPR, which, inthe view of the IT SA, entails separate requirementsfrom those relating specifically

totransparency 37.

206. According to the IT SA, the relationship between Meta IE and Instagram users is markedly and
significantlyunbalanced 373andaninfringement of the fairnessprinciple resulted, first ofall, from the

misrepresentation of the legal basis for processing by the controller 374, considering that “Meta
presenteditsserviceto usersin a misleading manner”and“withouttaking dueaccount ofusers’ right

tothe protectionoftheirpersonaldata” 375. TheITSA arguesthat“thecontrollerleavesitsusersinthe
dark as theyare expected to tellor actually ‘figure out’, from time to time, the possible connections
376
betweenpurposesought, applicable legalbasis and relevantprocessing activities” .

207. Secondly, such infringementalsostemsfrom the“high-leveland all-encompassing referencetoArticle
6(1)(b) GDPRas relied upon to enable the massive collection of personaldata [...]and theirreuse for

multifarious,distinct purposes”,considering the“pervasiveaswellasprolongedanalysis of[theusers’]
online behaviour” amounting toa disproportionate interference withtheir private lives comparedto
377
the pursuit of freedom of enterprise .

208. The IT SA thus considers that the IE SA should have found an infringement of the fairness principle
under Article 5(1)(a) GDPR, inaddition to the infringement of the transparencyobligations derived

366DraftDecision,paragraphs180-196.
367DraftDecision,paragraph191.
368
DraftDecision,paragraph25.
369DraftDecision,paragraph193.
370DraftDecision,paragraphs191-196andFinding3.
371ITSAObjection,p.4-5.
372
ITSAObjection,p.5.
373ITSAObjection,p.5.
374ITSAObjection,p.5.
375ITSAObjection,p.5.
376
ITSAObjection,p.6.
377ITSAObjection,p.6.

55
Adopted from this provision, without any need for supplementary investigations 378. According to the IT SA,

should the objection be followed, it would also impactthe exercise of by correctivepowers by the IE
SA, i.e.themeasurestobe imposed on thecontroller in order tobring the processing into conformity
379
withthe GDPR .

6.3 Position of the LSA on the objection
380
209. The IESA does not consider the ITSA objection tobe relevantandreasonedanddoes not follow it .
The IE SA examines it together with the other objections relating to the scope and conduct of the

inquiry andcontends thatintroducing novel issues not raisedby the Complainant or otherwise put to
the partieswould represent a significant departureintermsof thescope of theinquiry 381.

210. TheIESA highlightsthelegalconsequences thatwouldflow from makingmaterialchangesconcerning
infringementsoutside of the Complaint andDraftDecision, namelythe likelihood thatMetaIEwould

succeed in arguing before the Irish Courts that it has been denied an opportunity to be heard on
additional and extraneousfindings that are adverse toit 382. The IE SA’s concernarose from the fact

that,accordingtothe IESA, MetaIEwasnever invitedtobe heardinresponse toanallegationthatit
hadinfringedthe fairnessprinciple set out inArticle5(1)(a)GDPR.TheIESA notes,in thisregard,that

a respondent has the rightto be heardin response tothe particularsof the case being made against
it and that this is a core element of a fair procedure pursuant to Irish law. The IE SA takes the view

thatexpandingthe materialscopeofthe inquiryis neithernecessary,nor couldbe reconciledwiththe
controller’srighttoa fair procedure 38.

6.4 Analysis of the EDPB

6.4.1 Assessment of whether theobjection was relevant and reasoned
384
211. The ITSA objectionconcerns “whetherthereisan infringementoftheGDPR” .

212. The EDPBtakesnote of MetaIE’sview thatthe objections categorisedby the IE SA asrelatingtothe

scope andconduct of the inquiry, among whichthe ITSA objectionregardingthe infringement ofthe
fairness principle, are “irrelevant to the resolution of this Inquiry” and, if accepted, would seriously
385
infringe Meta IE’sproceduralrightsunder both Irish and EU law . According toMeta IE, “the EDPB
cannot expand the scope ofthe Inquiryin the manner suggested bythe CSAs through Objectionsthat

are not relevantto thesubstance of the Complaint” andin relationtothis MetaIEreferstothe EDPB
Binding Decision2/2022 386.

378ITSAObjection,p.5-6.
379ITSAObjection,p.1.
380CompositeResponse,paragraph36.
381
CompositeResponse,paragraph29.
382CompositeResponse,paragraphs31-32.
383CompositeResponse,paragraph35.
384EDPBGuidelinesonRRO,paragraph24.
385
Meta IE Article65 Submissions, paragraph 4.2and paragraphs 4.10 to 4.20 regarding the right to fair
procedure,aswellasMeta IEArticle65Submissions,Annex1,paragraph7.7.
386Meta IEArticle65Submissions,paragraph4.9.Inparticular,Meta IEreferstoparagraphs139,140,147,148,
164,and165oftheEDPBBindingDecision2/2022.

56
Adopted213. Meta IE further contends that the IT SA objection is not reasoned as it provides broad and
387
unsubstantiatedallegationswithout presentingfactsor evidence in thisregard andfailstoaddress
the significance ofthe risk tofundamentalrightsandfreedomsposed by the DraftDecision 388.

214. Asitwaspreviously explained,theEDPBdoesnotshare theunderstanding thatCSAsmaynot disagree
389
withthescope ofthe inquiry asdecidedbythe LSA bywayofanobjection .The EDPBrecallsthatan
objection could go as far as identifying gaps in the draft decision justifying the need for further

investigation by the LSA, for example in situations where the investigation carried out by the LSA
unjustifiably fails to cover some of the issues raised by the complainant 390. In this regard, the EDPB
observes that,in theircomplaint, the Complainant allegesthat the informationprovided in MetaIE’s

PrivacyPolicy“isinherentlynon-transparentandunfair withinthemeaningofArticles5(1)(a)and 13(c)
GDPR” 39. Inaddition, the Complainant alleges that “Asking for consent to a processing operation,

whenthe controllerreliesin fact on another legalbasis is fundamentally unfair, misleading and non-
transparentwithin themeaning ofArticle5(1)(a) oftheGDPR” 39.Therefore,theEDPBdisagreeswith

the IE SA’s finding that assessing Meta IE’s compliance with the principle of fairness would amount
addressing matters“whichfall outside ofthescope of theunderlying complaint” 39.

215. The EDPB notes that the IT SA agreeswiththe IE SA’sfinding with regardtothe infringement of the
394
principle of transparencyunder Article5(1)(a) GDPR .Asthis finding is not subject toa dispute, the
EDPBwillnot examine this matter.

216. After analysing the IT SA objection, the EDPB finds that the objection is relevant, as it refers to a
specific part of the Draft Decision (Finding 3 39), and if followed would lead to the conclusion that

there isaninfringement of the generalprinciple of fairness under Article 5(1)(a)GDPR,in additionto
the breach of the separate requirements relating to transparency under this provision 39. The

387Meta IEArticle65Submissions,Annex1,paragraph7.8.
388Meta IEArticle65Submissions,Annex1,paragraph7.9.
389Seeparagraphs73-75ofthisBindingDecision.
390
EDPBGuidelinesonRRO,paragraph27.
391Complaint,paragraph2.3.1.
392Complaint,paragraph2.3.2.
393CompositeResponse,paragraph30.
394
395ITSAObjection,p.4-5.
ITSAObjection,p.4-5.
In respect of Meta IE’s arguments in paragraph 4.9 of its Article65 Submissions on this objection not being
relevant, theEDPB recalls that theanalysis of whethera given objectionmeets thethreshold set by Art. 4(24)

GDPRis carriedoutonacase-by-casebasis.MetaIEreferstotheEDPB’sBindingDecision2/2022andspecifically
to theparagraphswheretheEDPBestablishedthatspecificobjections raisedbytheDE SAs andNOSAinthat
casewerenotrelevantandreasoned.Thereareseveraldifferencesbetweenthoseobjectionsandtheobjection
oftheITSAthatis beinganalysedinthissection.
Morespecifically,intheBindingDecision2/2022theobjectionsreferredtobyMetaIEdidnot“establishadirect

connectionwiththespecificlegalandfactualcontentoftheDraftDecision”(BindingDecision2/2022paragraphs
139,147,164)whereastheITSAobjectionheremakesseveralclearlinkswiththecontentoftheDraftDecision,
byreferringtotheanalysiscarriedoutbytheIESAinrespectofthebreachofthetransparencyobligationsand
to specificobservationsmadebytheLSAandexplainshowtheadditionalinfringementofArt.5(1)(a)couldbe

established on that basis (see, for example, p. 6 of the IT Objection referring to paragraph 185of theDraft
Decisionconcerningusersbeingleft“inthedark”).
396ITSAObjection,p.5-6.

57
Adopted objection, if followed, would also entail the exercise of corrective powers, i.e. the measures to be
397
imposed on the controller inorder tobring the processing into conformitywiththe GDPR .

217. The ITSA objectionis alsoreasonedbecauseitincludesseveralspecific legalandfactualargumentsin
398
support of finding anadditionalinfringement oftheprinciple offairnessunder Article5(1)(a)GDPR .
For example,the IT SA explainsthat “[t]ransparencyand fairness are two separatenotions” andthat

“transparencyrelatestoclarityoftheinformationprovided tousersvia theToSandtheprivacypolicy”,
while “fairness relatesto how the controller addressed the lawfulness of the processing activities in
399
connection with its social networking service” . The IT SA contends that the “overall relationship
betweenMetaandInstagram usersis markedly as wellas significantly unbalanced” 400. According to
the IT SA, the first wayin which Meta IE hasinfringed the principle of fairness is by misrepresenting

the legalbasis for processing in order to pursue its business model “without taking due account of
users’ rightto theprotectionofpersonaldata” andleaving “itsusersin thedark” 401.Further, intheIT

SA’s view, Meta IE has breached the fairness principle, by justifying via the broad reference to the
legalbasis ofperformanceof contractamassive collectionof personaldataandtheirreuse for awide
402
rangeof purposes, disproportionately interfering withusers’ private life .

218. The ITSA objection alsoidentifies the risks posed by the absence inthe DraftDecisionof a finding on

the infringement of thefairness principle, namelysettinga dangerousprecedent for future decisions
concerning otherdigitalplatform operators-more generally,other controllersbelonging tothesame

business sector -andmarkedlyweakeningthesafeguardsthatmustbe provided throughtheeffective
implementationof the dataprotectionframeworkon account ofthe comprehensive disregardofthe
403
fairness ofthe processing principle .

219. Therefore, the EDPB considers that the IT SA objection is relevant and reasoned (cf. Article 4(24)

GDPR).

6.4.2 Assessment on the merits
220. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the

matterswhichare the subject of the relevantand reasonedobjections, inparticularwhether there is
aninfringement ofthe GDPR.

397ITSAObjection,p.1.
398Seeparagraphs206-208ofthisBindingDecision.
399
ITSAObjection,p.5.
400ITSAObjection,p.5.
401ITSAObjection,p.6.
402ITSAObjection,p.6.Seealsoabove,paragraphs206-208.InrespectofMeta IE’sargumentsinparagraph4.9

ofits Article65Submissionsonthisobjectionnotbeingreasoned,theEDPBnotesthattheobjectionsthatwere
foundtobenotrelevantand/ornotreasonedintheBindingDecision2/2022did“notprovidesufficientlyprecise
and detailed legal reasoning regardinginfringement of each specific provision in question”, did not explain
sufficiently clearly, nor substantiateinsufficient detail how theconclusion proposed could bereached, or did
notsufficientlydemonstratethesignificanceoftheriskposedbytheDraftDecisionfortherightsandfreedoms

ofthedata subjectsorthefreeflowofdatawithintheEU(BindingDecision2/2022,paragraphs140,148,165).
The IT SAobjection provides, instead, a numberof legal and factual arguments andexplanations as to why a
breachofthefairnessprincipleistobeestablished,andadequatelyidentifiestheriskposedbytheDraftDecision
ifitwas adoptedunchanged.
403ITSAObjection,p.7.

58
Adopted221. The EDPBconsiders thatthe objection found tobe relevant andreasoned in thissubsection requires
anassessment of whetherthe DraftDecision needstobe changedinsofar as it containsno finding of

infringement of the fairness principle under Article 5(1)(a) GDPR. Whenassessing the merits of the
objection raised, the EDPB also takes into account Meta IE’s position on the objection and its
submissions.

222. The EDPBtakesnoteof MetaIE’sviewthattheITSA objection lacksmeritasit goesbeyondthe scope
404
of theinquiry . The EDPBalsonotes thatMetaIElinks the issue ofthe potentialinfringement ofthe
principle offairness, raisedinthe ITSA objection, withthequestion ofthe competenceof CSAsor the
EDPB toassess the validity of contractsinthe context of Article 6(1)(b) GDPR and, when responding

tothe meritsof the ITSA objection, Meta IEreferstoits submissions on applicationof Article6(1)(b)
GDPRwithrespect tostandardform contracts 405.While takingnote of MetaIE’sview onthis matter,

the EDPB considers the question of Meta IE’scompliance withthe principle of fairness under Article
5(1)(a) GDPRtobe distinct from the question of the choice of the appropriate legalbasis (althougha
connectedone, asexplainedbelow) andproceedswithits respectiveassessment below.

223. Firstly, the EDPBrecallsthatthe basic principles relating toprocessing listed inArticle 5 GDPRcan,as
406
such, be infringed . This is apparent from the text of Article 83(5)(a) GDPR which subjects the
infringement ofthe basic principles for processing toadministrative fines ofupto20 million euros, or
inthe caseof undertaking,upto4% ofthetotalworldwide annualturnover ofthe precedingfinancial

year,whichever is higher.

224. The EDPBunderlines thatthe principles of fairness, lawfulness andtransparency,allthree enshrined
in Article 5(1)(a) GDPR, are three distinct but intrinsically linked and interdependent principles that
every controller should respect when processing personal data. The link between these principles is

evident from a number of GDPR provisions: Recitals39 and 42, Article 6(2) and Article 6(3)(b) GDPR
referto lawfulandfair processing,while Recitals60and71GDPR,aswellasArticle13(2),Article14(2)

andArticle 40(2)(a)GDPRrefertofair andtransparentprocessing.

225. On the basis of the above consideration, the EDPB agreeswiththe IE SA’s view that “Article 5(1)(a)
407
links transparencyto the overall fairness of the activities of a controller” but considers that the
principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s

compliance with the principle of transparency does not automatically rule out the need for an
assessment ofMetaIE’scompliance withthe principle offairness too.

404Meta IEArticle65Submissions,Annex1,paragraph7.10.Inthisrespectseeparagraphs73-75(section4.41)
onthis BindingDecision.
405“To the extent the IT SAObjects tothe lawfulnessofMetaIreland’sdataprocessingbasedonthenatureof

the contract between Meta Ireland and users of the Instagram Service (i.e. a standard form contract), Meta
IrelandsubmitsthatthevalidityofcontractisnotwithinthecompetenceofCSAsortheEDPB.Inanyevent,Meta
Ireland respectfully asks the EDPB to take into account its submission abovewith respect to standard form
contracts”.Meta IEArticle65Submissions,Annex1,paragraph7.10.
406SeealsoBindingDecision1/2021,paragraph191.
407
DraftDecision,paragraph193.

59
Adopted226. The EDPB recallsthat, in data protection law, the concept of fairness stems from the EU Charter of
408
Fundamental Rights . The EDPB hasalreadyprovided some elementsas tothe meaning andeffect
of the principle of fairness in the context of processing personal data. For example, the EDPB has

previously opined in its Guidelines on DataProtectionby Designand by Defaultthat “[f]airness is an
overarching principle which requires that personal data should not be processed in a way that is
unjustifiably detrimental,unlawfullydiscriminatory, unexpectedormisleading to thedata subject” 409.

227. Among the key fairness elements that controllers should consider in this regard, the EDPB has

mentioned autonomy of the data subjects, data subjects’ expectation, power balance, avoidance of
deception, ethicaland truthful processing 410. These elements are particularlyrelevant in the caseat

hand. The principle of fairness under Article 5(1)(a) GDPR underpins the entire data protection
framework and seeks to address power asymmetries between the data controllers and the data

subjects in order to cancel out the negative effects of such asymmetries and ensure the effective
exercise of thedata subjects’ rights.The EDPBhas previously explained that“theprinciple of fairness
includes, interalia, recognisingthe reasonable expectationsofthe data subjects, considering possible

adverse consequences processing may have on them, and having regard to the relationship and
potentialeffectsofimbalance betweenthemand thecontroller” 411.

228. The EDPB recalls that a fair balance must be struck between, on the one hand, the commercial

interests of the controllers and, on the other hand, the rights andexpectations of the data subjects
under theGDPR 41.Akeyaspectofcompliancewiththeprinciple offairnessunder Article5(1)(a)GDPR
413
refersto pursuing “powerbalance” asa “key objectiveof the controller-datasubject relationship” ,
especiallyinthecontextofonline servicesprovidedwithoutmonetarypayment,whereusersareoften
not aware ofthe ways andextent to which their personal data is being processed 41. Consequently,

lack of transparency can make it almost impossible in practice for the data subjects to exercise an
informed choice over the use oftheir data 415which is incontrast withthe element of “autonomy”of

datasubjects astothe processing of their personaldata 416.

229. Considering theconstantlyincreasing economic value ofpersonal datainthedigitalenvironment, it is
particularly important to ensure that data subjects are protected from any form of abuse and

deception, intentionalor not, whichwould result in the unjustified loss ofcontrol over their personal

408Art. 8 EU Charter of Fundamental Rights states as follows:“1. Everyone has the right to the protection of

personal data concerninghim orher. 2. Such data must be processed fairlyforspecified purposes andon the
basisoftheconsentofthepersonconcernedorsomeotherlegitimatebasislaiddownbylaw”(emphasisadded).
409EDPB Guidelines 4/2019 onArticle25 Data Protection by Designand by Default, Version 2, Adopted on 20
October2020(hereinafter“EDPBGuidelinesonDataProtectionbyDesignandbyDefault”),paragraph69.
410
411EDPBGuidelinesonDataProtectionbyDesignandbyDefault,paragraph70.
EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph12.
412Onthebalancebetweenthedifferentinterests atstakeseeforexample:JudgementoftheCourtofJustice
of12December2013,X,C-486/12,ECLI:EU:C:2013:836;JudgementoftheCourtofJusticeof7May2009,College
vanburgemeesterenwethoudersvanRotterdamvM.E.E. Rijkeboer,C-553/07,ECLI:EU:C:2009:293;Judgment

of the Court (GrandChamber) of 9 November 2010, Volker undMarkus ScheckeGbR (C-92/09)andHartmut
Eifert(C-93/09)vLandHessen,ECLI:EU:C:2010:662.
413EDPBGuidelinesonDataProtectionbyDesignandbyDefault,paragraph70.
414Ononlineservices,seeEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs3-5.
415
416FurtherEDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph4.
EDPB Guidelines on Data Protectionby Design and byDefault, paragraph70. According to this element of
fairness,“datasubjectsshouldbegrantedthehighestdegreeofautonomypossibletodeterminetheusemade
oftheirpersonaldata,aswellasoverthescopeandconditionsofthatuseorprocessing”.

60
Adopted data.Compliance by providers ofonline services actingascontrollers withallthree of thecumulative

requirements under Article 5(1)(a) GDPR, taking into account the particular service that is being
provided and the characteristicsof their users, serves as a shield from the danger of abuse and
deception, especiallyin situationsof power asymmetries.

230. The EDPB haspreviously emphasised that the identification of the appropriate lawfulbasis is tiedto
417
theprinciples of fairnessandpurpose limitation .Inthisregard,theITSA rightlyobserves thatwhile
finding a breachof transparencyrelatesto the wayin which information hasbeen provided to users

via the InstagramTermsof Use andDataPolicy, compliance withthe principle of fairnessalso relates
to“how thecontrolleraddressedthelawfulnessoftheprocessingactivitiesin connectionwithitssocial
networkingservice” 41. Thus the EDPB considers that anassessment of compliance by Meta IE with

the principle of fairness requires also an assessment of the consequences that the choice and
presentation of the legal basis entail for the users of the Instagram service. In addition, that

assessment cannot be made in the abstract, but has to take into account the specificities of the
particularsocialnetworking serviceandof theprocessing ofpersonaldatacarriedout,namelyfor the
419
purpose of online behaviouraladvertising .

231. The EDPBnotesthatin thisparticularcase thebreachof MetaIE’stransparencyobligationsisofsuch

gravitythatit clearlyimpactsthe reasonable expectationsof the Instagramusers by confusing them
on whether clicking the “Agree to Terms” button results in giving their consent to the processing of

their personal data. The EDPB notes in this regardthat one of the elementsof compliance withthe
principle offairness is avoiding deception i.e.providing information“in an objectiveand neutralway,
420
avoiding anydeceptiveor manipulative language or design” .

232. Asoutlined inthe DraftDecision,the Complainant arguesthatMetaIEreliedon“forcedconsent” asa

result of being led to believe that the legalbasis for processing the controller was relying upon was
consent 421. The Complaint demonstratesthe confusion suffered bythe Complainant both due tothe
422
(lack of) information presented to Instagram users in the context of their “agreement” and the
circumstancesof how the act of“agreement”wassought by MetaIE 423.TheEDPBconsiders thatthe

LSA should have takeninto account such Meta IE’spracticesin relationto the principle of fairness,
regardlessof its finding that Meta IE hasnot sought to rely on consent in order to process personal
datatodeliver the Termsof Use 424.

233. Inaddition, andasrecognisedby the LSA itself, further toitsassessment of the informationprovided

concerning processing being carriedout in reliance on Article 6(1)(b) GDPR, “it is impossible for the
user to identify with any degreeof specificitywhat processing is carriedout on what data, on foot of

417EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph1.
418
419ITSAObjection,p.5.
SeeDraftDecision,paragraph104wheretheIESAholdsthat“thecoreoftheserviceofferedbyMetaIreland
is premised on the delivery of personalised advertising”and Meta IE Article65 Submissions, paragraph 6.38
whereMeta IEclaimsthat“ItwouldbeimpossibletoprovidetheInstagramServiceinaccordancewiththeTerms
ofUse withoutprovidingbehaviouraladvertising”.
420
421EDPBGuidelinesonDataProtectionbyDesignandbyDefault,paragraph70.
DraftDecision,paragraph37.
422Complaint,p.3.
423Complaint,p.6-7.
424DraftDecision,Finding1.

61
Adopted the specified lawful bases” 425. Considering this, in the EDPB’sview, there are clear indications that
426
Instagram users’ expectations with regard to the applicable legal basis have not been fulfilled .
Therefore, the EDPB shares the IT SA’s concern that Instagram users are left “in the dark” 427and
considers that the processing by Meta IE cannot be regardedas ethicaland truthful 428because it is

confusing withregardtothetype ofdataprocessed,the legalbasisandthepurpose oftheprocessing,
whichultimatelyrestrictsthe Instagramusers’ possibility toexercisetheir datasubjects’ rights.

234. Furthermore, the EDPBconsiders that the extensive analysis by the IE SA withregardto the issue of

legalbasisandtransparencyinrelationtotheprocessing being carriedoutinrelianceonArticle6(1)(b)
GDPRisclosely linkedtotheissue of complianceby MetaIEwiththe principle offairness. Considering
the seriousness of the infringementsof the transparencyobligations by MetaIE alreadyidentified in

theDraftDecisionandthe relatedmisrepresentationofthelegalbasis reliedon, theEDPBagreeswith
the IT SA that Meta IE has presented its service to the Instagram users in a misleading manner 429,

which adversely affectstheir control over the processing of their personal data and the exercise of
their data subjects' rights. Therefore, the EDPB isof the opinion that the IE SA’sfinding of breachof
430
Article 5(1)(a) GDPRwithregardto the principle of transparency should extend tothe principle of
fairness too.

235. This is all the more supported by the fact that, in the circumstances of the present case as
demonstrated above 431, the overall effect of the infringements by Meta IE of the transparency

obligations under Article 5(1)(a), Article 12(1), Article 13(1)(c) GDPR and the infringement of Article
6(1)(b) GDPR 432furtherintensifiestheimbalancednatureof therelationshipbetweenMetaIEandthe

Instagramusersbrought upbytheITSA objection. Thecombinationoffactors,such asthe asymmetry
of the informationcreatedby MetaIEwithregardto theInstagram service users, combinedwiththe
“take it or leave it” situation that they are faced with due to the lack of alternative services in the

marketand the lackofoptions allowing them toadjust or opt out from a particularprocessing under
the contract with Meta IE, systematically disadvantages the Instagram service users, limits their

control over the processing of their personal data andundermines the exercise of their rightsunder
Chapter IIIofthe GDPR.

236. Therefore, the EDPB instructs the IE SA to include a finding of an infringement of the principle of
fairness under Article 5(1)(a) GDPR by Meta IE, in addition to the infringement of the principle of

transparency under the same provision, and to adopt the appropriate corrective measures, by
addressing, but without being limited to, the question of anadministrative fine for thisinfringement

asprovided for in Section9 of thisBinding Decision.

425DraftDecision,paragraph185.
426According to the fairness element of “expectation”, “processing should correspond with data subjects’

427sonableexpectations”.EDPBGuidelinesonData ProtectionbyDesignandbyDefault,paragraph70.
ITSAObjection,p.6.
428See EDPB Guidelines on Data Protection by Designand byDefault, paragraph 70, wheretheEDPB explains
that “ethical”means that “[t]he controllershouldsee the processing’s widerimpact on individuals’ rights and
dignity“and “truthful”means that “[t]he controllermust make available information about how theyprocess

429sonaldata,theyshouldactastheydeclaretheywillandnotmisleadthedatasubjects”.
ITSAObjection,p.5.
430DraftDecision,paragraphs180-196.
431Paragraphs223-235ofthisBindingDecision.
432Paragraph137ofthisBindingDecision.

62
Adopted 7 ON THE POTENTIALADDITIONAL INFRINGEMENTOFTHE

PRINCIPLESOF PURPOSE LIMITATION ANDDATA MINIMISATION

7.1 Analysis by the LSA inthe DraftDecision
433 434
237. The IESA referstoArticle5(1)(b)GDPR andArticle5(1)(c) GDPR whenanalysingthe extentofthe
controller’sobligation under Article 13(1)(c) GDPRandwhether Meta IEhas infringed this provision.

More specifically, the IESA highlightsthat Article13 GDPRrequiresthat the purposesandlegalbases
must be specified in respect of the intended processing and cannot just be cited in the abstract 435.
AfterexplainingwhyMetaIE’sviewthatthereisnospecific obligationfor thelegalbasistobe mapped

to the purpose of processing cannot be reconciled with a literalreading of the GDPR, the IE SA, for
completeness, alsoengagesina systemic readingbasedon thelegislator’sobjective andthecontents
436
of theGDPRasa whole .

238. In this context, the IE SA points out that the six principles laid down under Article 5 GDPR are
interconnectedandoperatein combinationtounderpin the whole GDPR 437.However,theIESA does
not assess whether MetaIE’sprocessing activitiesentaila separate infringement of the principles of

purpose limitationanddataminimisation under Article5(1)(b) andArticle 5(1)(c)GDPR.

7.2 Summary of the objection raisedby the CSAs

239. According tothe ITSA, thereisanadditionalinfringement ofpoints (b)and(c)of Article5(1)GDPRon
accountof MetaIE’sfailuretocomplywiththe purpose limitationanddataminimisation principles. It

considers that suchinfringement should be found without the needfor anyfurther investigationand
should result intoa substantialincrease ofthe proposed administrative fine 438.

240. The IT SA puts forward several factual and legal arguments for the proposed change to the Draft

Decision.First,itpointsout thattheIESAconfinesitsassessment toonlyone ofthecontractspurposes
(the provision of online behavioural advertising), while the Instagram service would actually be
composed of several processing activities pursuing several purposes 439. According to the IT SA, the

fact that Meta IE inappropriately based its multifarious processing activities only on Article 6(1)(b)
GDPRentailsaninfringement ofthe purpose limitationanddataminimisation principles 440. The IT SA

stresses the relevance of these principles in online services contracts, astheyare not negotiatedon
an individual basis, and refers to pages 15 and 16 of the WP29 Opinion 03/2013 on purpose
441
limitation .The ITSA also refersto the EDPBGuidelines 2/2019 on Article 6(1)(b) GDPR andrecalls
that, where the contract consists of several separate services or elements of a service that can be

433
434DraftDecision,paragraphs152-160.
DraftDecision,paragraph152.
435DraftDecision,paragraph162.
436DraftDecision,paragraphs167-171.
437Draft Decision, paragraph 152 andparagraphs 153-160withrespect to theprincipleof purposelimitation

438erArt.5(1)(b)GDPR.
ITSAObjection,p.4.
439ITSAObjection,p.2.
440ITSAObjection,p.2.
441ITSAObjection,p.3.

63
Adopted performed independently, the applicability of Article 6(1)(b) GDPR should be assessed for each of
442
those services separately .

241. On the risks posed by the Draft Decision, the IT SA refers to the risk identified by the WP29 in its
Opinion 03/2013 on purpose limitation 443, namely that “data controllers may seek to include

processingtermsincontractsto maximise thepossible collectionand usesof datawithout adequately
specifying those purposes or considering data minimisation obligations” 444. In addition, in the IT SA’s

view, the failure to specify and communicate the purposes of the processing to the data subject
creates a risk of artificially expanding the types of processing or the categories or personal data
considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would

nullify the safeguardsaffordedtodata subjectsunder dataprotectionlaw 445.

7.3 Position of the LSA on the objection

242. The IE SA does not consider that the IT SA’s objection is relevant and reasoned 446. Categorising the

objection asrelating tothe scope andconduct ofthe inquiry, the IE SA adopts the same approachas
with regard to the alleged infringement of the principle of fairness. More specifically, the IE SA

contends thatintroducing novel issues not raised bythe Complainant or otherwise put tothe parties
would represent a significant departurein termsof the scope of the inquiry 44. It highlightsthe legal

consequences thatwouldflow frommaking materialchangesconcerninginfringementsoutside ofthe
complaint andDraftDecision,namelythelikelihood thatMetaIEwouldsucceedinarguingbeforethe
IrishCourts thatit hasbeendenied anopportunity tobe heardon additionalandextraneousfindings

thatare adverse toit 448.The IE SA’sconcernarose from the fact that,accordingtothe IE SA, MetaIE
wasnever invitedto be heardin response toanallegationthatit had infringedthe fairness principle

set out in Article 5(1)(a) GDPR. The IE SA notes, in this regard, that a respondent has the right tobe
heardin response tothe particularsof the case being made against it andthat this is a core element

of a fair procedure pursuant toIrish law.The IESA takesthe view thatexpanding the materialscope
of the inquiry is not possible under Irish procedurallaw 449.Itfurther notes that avery significant risk

ofproceduralunfairness, under Irishnationallaw,wouldresult from the proposal toassume, without
anyfurther factualexamination,thatMetaIE hasinfringedthe purpose limitationprinciple 45.

7.4 Analysis of the EDPB

7.4.1 Assessment of whether theobjection was relevant and reasoned
451
243. The ITSA’sobjection concerns “whetherthereisan infringement oftheGDPR” .

442ITSAObjection,p.3.
443WP29Opinion03/2013onpurposelimitation,WP203,adoptedon2April2013.
444ITSAObjection,p.3.
445
ITSAObjection,p.3.
446CompositeResponse,paragraph36.
447CompositeResponse,paragraph29.
448CompositeResponse,paragraphs31-32.
449
CompositeResponse,paragraph32.
450CompositeResponse,paragraph33.
451EDPBGuidelinesonRRO,paragraph24.

64
Adopted244. The EDPB takes note of Meta IE’s view that the IT SA’s objection does not meet the relevant and
452
reasoned thresholds because it falls outside the defined scope of the inquiry . As previously
explained, the EDPBdoes not share the understanding thatCSAs maynot disagree withthe scope of
the inquiry asdecidedby the LSA bywayof anobjection 453.

245. MetaIEpointsout thatthe objectionconcernsmattersthathavenot beeninvestigatedandrelatesto
454
theoreticalfindings on legalbases . Meta IE further arguesthat even if the objection satisfied the
abovementioned thresholds, it should be disregarded because otherwise Meta IE’s right to fair
455
proceduresunder bothIrishand EUlaw would be contravened .

246. The EDPB considers that the IT SA objection is relevant as it refers to specific parts of the Draft

Decision, namely Finding 2 and Finding 3 456, and argues that the IE SA should have found an
infringement of Article 5(1)(b) and Article 5(1)(c) GDPR which lay down the principles of data

minimisation andpurpose limitation.

247. The objection also includes argumentson legaland factualmistakesin the IESA’s DraftDecisionthat
require amending.According tothe ITSA, theIE SA’sreasoning isinconsistent because thehigh-level,
ratherunclearinformation provided tothedatasubjects isa major criticalitythat shouldhave ledthe

IE SA not only to question the features of the information notice, but also to verify, in detail, the
application of the principles of purpose limitation and data minimisation from a substantive
457
perspective . More specially, the ITSA takesthe view that the IE SA should have hadregardtothe
actualconfigurationof theprocessing operations performedin ordertoassess whetherthecontroller

had abided by the obligation toprocess personal data for specified, explicit and legitimatepurposes
bothwhen collectingthose dataandthereafter 45.

248. As regards the risk posed by the Draft Decision, the EDPB takes note of the IT SA’s reference to
paragraph16 of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR and reiteratesthe particular

relevance ofArticle 5(1)(b) andArticle 5(1)(c)GDPRin the contextof contractsfor online services, in
view of the risk that data controllers may seek to include generalprocessing terms in contracts in

order to maximise the possible collection and uses of data, without adequately specifying those
purposes or considering dataminimisationobligations 45.Nevertheless,theEDPBstressesthatamere
referencetothe EDPBGuidelinesisnot sufficient todemonstratetherisks posedbythe DraftDecision

inthis specific caseand inthese specific circumstances.

249. The IT SA also considers that the purposes for the processing “must be clearly specified and
communicated to the data subject, in line with the controller’spurpose limitation and transparency

obligations”, otherwise there is “a risk that other data protection obligations might be evaded by
artificiallyexpanding the typesofprocessing or thecategoriesofpersonaldata that areconsideredto

452
Meta IEArticle65Submissions,Annex1,paragraphs7.1-7.4.
453Seeparagraphs73-75ofthisBindingDecision.
454Meta IEArticle65Submissions,Annex1paragraphs7.2.
455Meta IEArticle65Submissions,Annex1,paragraphs7.3.
456
TheIT SArefers to theIE SA’s reasoning preceding Finding 2 and to paragraphs 122-149and 184, 185and
187precedingFinding3oftheDraftDecision.
457ITSAObjection,p.4.
458ITSAObjection,p.4.
459EDPBGuidelines2/2019onArticle6(1)(b)GDPR,paragraph16.

65
Adopted be ‘necessary’forperformanceofthecontractunder Article6(1)(b)GDPR -which would in turn nullify
thesafeguards affordedto datasubjectsbypersonaldata protectionlaw” 46.

250. The EDPB recalls that the objection must put forward arguments or justifications concerning the

consequences of issuing the decision without the changesproposed in the objection, andhow such
consequences would pose significant risks for datasubjects’ fundamentalrightsandfreedoms 46.The

CSA needs to advance sufficient arguments to explicitly show that such risks are substantial and
plausible462. Inaddition,the demonstrationofthe significance ofthe risks cannotbe implied from the
legaland/or factualargumentsprovidedbythe CSA, but hastobe explicitlyidentified andelaborated
463
inthe objection .

251. The EDPB considers that the IT SA’s objection fails to meet these requirements as it does not
demonstratethe significance of the risk stemmingfrom anomission inthe DraftDecisionof afinding
that the principles of purpose limitationand data minimisation have beeninfringed by Meta IE. The

risk, asdescribed by the IT SA objection, is not substantial andplausible enough. Moreover, the risk
relatesto the IE SA’s decision not to conclude on the inappropriate use of Article 6(1)(b) GDPR asa

legalbasis for MetaIE’sprocessing activitiesbut fails toestablish a clear link withthe LSA’sdecision
not tomake a finding on the infringement ofArticle 5(1)(b) andArticle5(1)(c) GDPR.

252. Therefore, the EDPB considers that the abovementioned objection by the IT SA is not reasoned (cf.
Article4(24) GDPR)andwillnot assess iton the merits.

8 ON CORRECTIVEMEASURESOTHER THAN ADMINISTRATIVE FINES

8.1 Analysis by the LSA inthe DraftDecision

253. The IE SA considers thatanorder tobring processing into compliance (Art. 58(2)(d) GDPR)should be
imposed on Meta IE, requiring them tobring their Data Policy andTerms of Service into compliance

with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR asregardsprocessing carriedout on the
basis ofArticle 6(1)(b) GDPRwithinthreemonths of thedate ofnotification ofanyfinal decision 46.

254. The LSA considers an order is necessary and proportionate, contrary to the controller’sposition 46.
Regarding the necessity, the IE SA explains that this order is the only way toguarantee that Meta IE

amendsthe infringementsoutlined in the DraftDecision,which isessentialfor the protectionofdata
subjects’ rights46. Concerning the proportionality, the LSA points out that the proposed measure is

the minimum action required to ensure the future compliance of the controller. Further, the IE SA

460ITSAObjection,p.3.
461EDPBGuidelinesonRRO,paragraph18.
462
463EDPBGuidelinesonRRO,paragraph37.
EDPBGuidelinesonRRO,paragraph37.
464DraftDecision,paragraphs200and203.
465 Meta IE Submissions on Preliminary Draft Decision, paragraphs 12.1, 12.2, and 12.4; Draft Decision,
paragraphs200and201.
466DraftDecision,paragraph204.

66
Adopted recallsMetaIE’savailableresources,thespecificity ofthe LSA’sorder, andthe importanceof thedata
467
subject’srightsconcernedtoconclude thatsuch measureis proportionate .

8.2 Summary of the objections raised by the CSAs

255. The NL SA objects tothe choice of the corrective measuresof the LSA in their Draft Decision 468. The
NLSA notesthattheIESA isproposing toimpose anorder pursuant toArticle58(2)(d)GDPRalongside

an administrative fine, and that this objection concerns the first of these two measures 46. More
specifically, theNL SA objectstotheorder tobringprocessing intocompliance (Article58(2)(d) GDPR)

within three months proposed by the LSA, arguing that it is not appropriate, not necessary, nor
proportionate to ensure compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR, as

well as the additional infringement of Article 6(1)(b) andArticle 9(2) GDPR raisedin its objection 47.
The NL SA takes the view that the proposed order is insufficient to remedy the serious situation of

non-compliance arising from these infringements, since it does not remedy the illegality of the
conduct carriedout during the transitionperiod (i.e. the time between the issuance of the decision

andtheexpirationdateof theorder),bearing inmindthateverydaythe service continuesoperations
as described in the Terms of Use andData Policy, it does so in an illegalwayharming the rightsand
471
freedoms ofmillions of datasubjects in the EEA .Accordingtothe NL SA, the DraftDecisionshould
be modified to include a temporary ban on Meta IE’sprocessing of personal data for the duration

necessary for the controller to bring its processing into compliance with the GDPR (Article 58(2)(f)
GDPR), as this would be appropriate, necessary and proportionate taking into account the
circumstancesofthe case 472,andwouldbe the onlymeasure suitabletomakesure thattheexpansive

violation ofthe fundamentalrightsand freedomsof datasubjects is not continued 47. The NL SA also
arguesthat the breachesofthe GDPR establishedbythe LSA, combinedwiththe additionalbreaches

put forward bythe NL SA, areof a very gravenature andjustify haltingprocessing operations during
the time the controller needs to remedy its severe lack of compliance 474. In essence, the NL SA

identifies the risk posed by the DraftDecision in thatit allowsthe companyto resume operations as
usual while amending the compliance deficits (with regard to transparency), which they argue
475
essentially deprivesdata subjectsof their rightsduring atransitionperiod .

256. The FISA alsoarguesthatthe IESA should “exerciseeffective,proportionateanddissuasive corrective
powers” and order Meta IE to“bring itsprocessing operations into compliance with the provision of

Article 6(1) GDPR and prohibit to process users’ personal data for behavioural advertising by relying
on Article 6(1)(b) GDPR as laid down in Article 58(2)(d) GDPR” 476. The HU SA reaches the same
conclusion, proposing toapplythe legalconsequencesunder Article58(2)(d) GDPRandtoinstructthe

controller toindicate a different legalbasis47. Onthe risks, boththe FI andthe HU SAs statethatthe
absence of appropriate and necessary corrective powers would amount to a dangerous precedent,

467
DraftDecision,paragraph205.
468NLSAObjection,paragraph55.
469NLSAObjection,paragraph56.
470NLSAObjection,paragraph56.
471
NLSAObjection,paragraph57.
472NLSAObjection,paragraph58
473NLSAObjection,paragraph59.
474NLSAObjection,paragraph63.
475
NLSAObjection,paragraphs57,58,and63.
476FI SAObjection,paragraph25.
477HUSAObjection,p.3.

67
Adopted sending a deceiving message to the market and to data subjects whose fundamental rights and

freedoms wouldultimatelyjeopardise 478.Moreover, theFI SA notes thattheDraftDecisionaffectsall
datasubjectswithintheEEAandthat,therefore,theconsequencesofnot makinguse ofthecorrective

measurespursuant Article58(2)would be enormous 479.

257. The AT SA requests thatthe LSA makes use of itscorrective measurespursuant toArticle 58(2)GDPR
in relationto the additional infringement of Article 6(1)(b) GDPR 48, inorder tobring the processing
481 482
operationsofthecontroller inline withtheGDPR andremedytheinfringement .Accordingtothe
AT SA, the IESA should exercise ‘’correctivepowers’’soastoensure thatMeta IE couldnot continue

to unlawfully rely on Article 6(1)(b) GDPR for the processing of users’ personal data for behavioral
advertising 483. More specifically, the AT SA suggests that the IE SA prohibits Meta IE “the processing
484
of a user’s datafor behavioural advertising by relying on Article 6(1)(b) GDPR” . Inthe absence of
additionalcorrectivemeasures,theATSAconsidersthatifcorrectivemeasuresarenotimposed, there

is a risk “that [Meta IE] continues to unlawfully rely on Article 6(1)(b) GDPR for the processing of a
user’s data for behavioural advertising and continues to undermine or bypass data protection
485
principles’’ , which would affect millions of data subjects within the EEA and bear vast
consequences 486.

258. The FR SA notes that reversing the findings concerning the infringements of Article 6(1) GDPR also

affects the scope of the corrective actions proposed by the IE SA, in addition to the administrative
fine 487

259. Finally, accordingtothe NOandDESAs,the IESAshould takeconcretecorrectivemeasuresinrelation
totheadditionalinfringement ofMetaIEwithArticle6(1)(b) GDPR,namelytoorderMetaIEtodelete

personal data that hasbeen unlawfully processed on Article 6(1)(b) GDPR andtoprohibit the use of
thislegalbasis for such processing activities 488.

478FI SAObjection,paragraph28;HUSAObjection,p.4.
479FI SAObjection,paragraph29.
480
481AT SAObjection,p.7.
AT SAObjection, p. 8. TheAT SAalso highlights that according to theCJEU wherean infringement is found
during a complaint-based procedure, theSA is under an obligationto takeappropriateaction by exercising
correctivepowers,anditcitesC-311/18,paragraph111.Additionally,theAT SAclarifiesthatalthoughittakes

the positionthat a complainant does not havea subjectiveright to request from therespectivesupervisory
authoritytheexerciseofa specificcorrectivepoweranditisuptotheauthorityonlytodecidewhichactionis
appropriateandnecessary(referringtoC-311/18,paragraph112),itfindstheexerciseofcorrectivepowersto
benecessaryinthecurrentcase.
482AT SAObjection,p.8-9.
483
AT SAObjection,p.7-8.
484AT SAObjection,p.9.
485AT SAObjection,p.7.
486AT SAObjection,p.8.
487
FRSAObjection,paragraph50.
488DESAs Objection,p.10;NOSAObjection,p.9.

68
Adopted 8.3 Position of the LSA on the objections

260. The IESA does not consider the objections above tobe relevantand/or reasonedanddoesnot follow
them 48. Giventhat these objections were premised upon the requirement for the DraftDecision to
include a finding of infringement of Article 6(1)(b) GDPR on which the IE SA expressed its

disagreement,theIESAdoesnot consider theobjectionsrequesting theexerciseofacorrectivepower
inresponse toa finding of infringementof Article6(1)(b) GDPRasbeing relevant andreasoned 490.

8.4 Assessment of the EDPB

8.4.1 Assessment of whether theobjections were relevant and reasoned

261. The objections raisedby theAT,DE,FI,FR,HU,NLandNOSAsconcern“whethertheactionenvisaged
491
inthe DraftDecisioncomplies withthe GDPR” .

262. Inaddition tothe primaryargumentlevelledagainst allCSA’sobjections, MetaIE provides additional
argumentson whetherthese are relevantand/or reasoned 492.

263. Meta IE argues the AT and NL SAs’ objection cannot be considered relevant because they are
dependent on another objection, which Meta IE deems inadmissible and without merit 493. On the
494
same basis, MetaIE refutesthatthe AT SA’sobjection isadequatelyreasoned . Asstatedabove,in
Section 4.4.1, the EDPB finds the AT and NL SAs’ objections on the subject of Article 6(1)(b) GDPR
495
relevantand reasoned .

264. Additionally, MetaIEarguesthatthe AT andNL SAs’ objections fail toset out how the DraftDecision
would pose a direct andsignificant risk to fundamental rightsand freedoms. First, Meta IE refersto
theirargumentsputforwardinresponse tothe ATandNL SAs’objections onthematterofcompliance

with Article 6(1)(b) GDPR 496. The EDPB has takenthis line of reasoning into consideration above in

489CompositeResponse,paragraphs103-104(inresponsetotheATandFI SAs),paragraph105(inresponseto
NLSA), paragraph106(inresponsetoDESAs),paragraph107(inresponsetoNOSA)andparagraph108(in
responsetoHUSA).
490
CompositeResponse,paragraphs110.
491EDPBGuidelinesonRRO,paragraph32.
492Meta IEargues that“theEDPBcannotexpandthescopeoftheInquiryinthemannersuggestedbytheCSAs
throughObjectionsthatarenotrelevanttothesubstanceoftheComplaint.”and“suchobjectionsoughttobe

disregardedintheirentiretybytheEDPB”.TheEDPBdoes notsharethisunderstanding,asexplainedabove.
SeeSection4.4.1.
493Meta IEArticle65Submissions,Annex1,p.71:“TheATSA’sObjectionfailstosatisfytheSufficientlyRelevant
Threshold,becauseitisitselfbasedonanObjectiongroundedinamistakenallegationofinfringementofArticle
6(1)(b)GDPR,whichdoesnotsatisfytheThresholdsandlacksmerit.Therefore,thisObjectionisnotsufficiently

relevantasithasnodirectconnectiontothesubstanceandreasoningoftheDraftDecision.”Analogouswording
is usedinresponsetotheNLSA’s objectioninMetaIEArticle65Submissions,Annex1,p.110.
494Meta IEArticle65Submissions,Annex1,p.71:“TheATSA’sObjectionfailstosatisfytheAdequatelyReasoned
Threshold because it is premised on its Objection that Meta Ireland infringed Article 6(1) GDPR, which, as

analysedintheprevioussection,doesnotsatisfytheThresholdsandlacksmerit”.Analogouswordingisusedin
responsetotheNLSA’s objectioninMeta IEArticle65Submissions,Annex1,p.110.
495Paragraph84above.
496Meta IEArticle65Submissions,Annex1,p.72andp.111.

69
Adopted Section 4.4.1 497. Second, Meta IE puts forward that the AT and NL SAs appear to consider that the
498
Draft Decision provides “a mandate for Meta Ireland to unlawfully process data” . Meta IE points
out thatnosuchinferencecanbedrawnfrom theDraftDecision,goingontodrawtheconclusion that

“asthe DraftDecisiondoesnot in anyway give a blanket approval for any unlawful processing based
on Article 6(1)(b) GDPR, there is no direct and significant risk to the fundamental rights and
499
freedoms” .Astothissecond line ofreasoning, theEDPBfails tosee wording by whichthe ATSA or
NL SA might have suggested it understands the Draft Decision as a mandate for Meta Ireland to

unlawfully process data,thuslimiting future investigations.

265. The NLSA disagreeswiththecorrectivemeasure chosenby theIESA inadditiontothe administrative

fine, arguinga temporarybanon processing (Article58(2)(f) GDPR)should have been included inthe
Draft Decision instead of an order to bring processing into compliance. If followed, this objection

wouldleadtoadifferentconclusion astothechoiceofcorrectivemeasures.Inconsequence,theEDPB
considers the objection tobe relevant.

266. The NL SA argues that an order to bring processing into compliance entails that Meta IE would
500
maintain its illegal conduct while they amend their compliance deficits . Conversely, a temporary
ban on Meta IE’s processing of data would ensure that data processing is halted during the time
501
needed for the company tochange its practicesto comply withthe GDPR .Intermsof risk, the NL
SA puts forwardthat ‘’nottemporarilybanning thisprocessing would underminethe effectivenessof
502
theGDPR’’,andwouldcontinue todeprive datasubjectsoftheir rightsduring thetransitionperiod .
The NL SA considers the risk significant, asthe controller provides the Instagramservice tohundreds
of millions ofusers across Europe and because the processing involves special categoriesof personal

data 503.Therefore, the EDPB considers the objection to be reasonedandtoclearlydemonstrate the
significance of therisks posed bythe DraftDecision.

267. TheAT SA disagreeswitha specific partoftheIESA’sDraftDecision,namelyChapter 8‘’Ordertobring

processinginto compliance’’,arguingthatthe LSA should have included correctivemeasures inorder
toremedyaninfringement ofArticle6(1)(b) GDPR 504.Morespecifically,the ATSA suggeststhattheIE
505
SA prohibits Meta IE from relying on Article 6(1)(b) GDPR . Therefore, if followed, this objection
would leadto a different conclusion asto the choice of corrective measures 506. Inconsequence, the

EDPBconsiders the objection tobe relevant.

268. Furthermore,theATSAarguesthatwhenaninfringementisfound-notablyinlightofotherobjections
raised in the current case in relation to additional infringement of Articles 6(1)(b) - the supervisory

authority is under an obligation to issue appropriate corrective measures pursuant to Article 58(2)

497
498Paragraph82above.
Meta IEArticle65Submissions,Annex1,p.111.AnalogouswordingisusedinresponsetotheATSA, Meta
IE's Article65Submissions,Annex1,p.72.
499Meta IEArticle65Submissions,Annex1,p.111.AnalogouswordingisusedinresponsetotheATSA, Meta
IE's Article65Submissions,Annex1,p.72.
500
NLSAObjection,paragraph57-58.
501NLSAObjection,paragraph63.
502NLSAObjection,paragraphs58-59.
503NLSAObjection,paragraphs58-59.
504
AT SAObjection,pp.7-8.
505AT SAObjectionpp.7-8.
506AT SAObjection,pp.7-8.

70
Adopted GDPR.Intermsofrisk, the AT SA arguesthat without this amendment of the DraftDecision, MetaIE
“could simply continue to unlawfully rely on Article 6(1)(b) GDPR and to undermine data protection
principles” which would continue toaffect millions of datasubjects within the EEA0.Therefore,the

EDPBconsiders the objection tobe reasonedandtoclearlydemonstrate the significance of the risks
posed by theDraftDecision.

269. Considering the above, the EDPBfinds thatthe objections of theAT andNL SAs requesting additional
and/or alternativespecific correctivemeasurestobe imposed arerelevantandreasonedpursuantto
Article4(24) GDPR.

270. In addition, the EDPB recalls the analysis made in Section 4.4.1 above concerning the objections in
relationtotheadditionalbreachby MetaIEofitslawfulness obligationmadebythe FRSA (requesting

totakeappropriate correctivemeasures), andbythe FI andHU SAs(asking the LSA totakecorrective
measuresunder Article58(2)(d) GDPR),whichwerefound tobe relevantandreasoned.

271. The EDPBrecallsthatthe DE andNOSAscalledonthe LSA totake specific correctivemeasuresinthe
event theEDPBfollowedtheir objectionon compliancewithArticle6(1)(b) GDPR.TheEDPBconsiders
these to be reflections upon how, in their view, the LSA should give full effect to the binding

direction(s)assetoutintheEDPB’sdecision 50.Intheabsenceoflegalorfactualargumentsthatwould
justify including these specific corrective measures in the Draft Decision as opposed to others, the
EDPB does not consider this aspect of the DE and NO SAs’ objections to meet the requirements of

Article4(24) GDPRastheyarenotsufficientlyreasoned.

8.4.2 Assessment on the merits

Preliminarymatters

272. The EDPBconsiders thatthe objections found tobe relevantand reasonedin this subsection require
an assessment of whether the Draft Decision needs to be changed in respect of the corrective

measures proposed. More specifically, the EDPB needs to assess the request to impose a ban of
processing for both the infringements of the transparency obligations found by the LSA and the
additional infringement of Article 6(1) GDPR established above in Section 4.4.2, andthe connected

issue of the corrective measure to be imposed for the infringement of Article 6(1) GDPR. When
assessing the meritsof the objections raised, the EDPBalso takesinto account MetaIE’sposition on
the objection anditssubmissions.

273. Bywayofintroduction, the EDPBhighlightsthatthe analysis carriedout in thissection doesnot refer
tothecontentoftheDraftDecisionandoftheobjectionsinrespectoftheimposition ofadministrative

fines, which arecoveredbelow inSection9.

507
AT SAObjection,p.8.
508EDPBGuidelinesonArticle65(1)(a)GDPR,paragraph50.

71

Adopted MetaIE’sposition on theobjectionsand itssubmissions

274. MetaIEconsidersthe LSAhassole discretiontodeterminethe appropriatecorrectivemeasuresinthe

event of a finding of infringement 509and that the EDPB lacks competence to determine or adopt
decisions onappropriate correctivemeasures 510.

275. While MetaIEacknowledgesthat“Article65(1)GDPRallowstheEDPBtoconsiderreasonedobjections

as to whether the envisaged corrective measures comply with the GDPR”, it argues that CSAs are
strictlylimitedtocriticism ofthe correctivemeasuresalreadyput forwardintheDraftDecisionbythe

LSA. Therefore,accordingtoMetaIE,“should theEDPBfind an infringementof Article6(1)GDPR[...],
theappropriatecoursewouldbetoreferthematterbacktotheLSA(i.e.theDPC)todeterminewhether
to impose any appropriate corrective measures. To do otherwise, including direct the DPCto make a

specific orderinthetermsproposedbycertainObjections,wouldexceedtheEDPB’scompetenceunder
Article65 GDPR” 51.

276. Withrespect tothe issue ofthe correctivemeasure tobe imposed for theinfringement of Article6(1)

GDPR,ifany,MetaIE arguesthata temporarybanisneither necessary, nor proportionate toachieve
theobjective ofensuringcompliance withtheGDPR,asthereexistsalternative,lessonerousmeasures
512
tobringitsprocessing operationintocompliance withtheGDPR .Inaddition,MetaIEcontendsthat
it would be both unfair anddisproportionate to order an immediate ban given that it relied upon a
good faith understanding as to what it considered to be a valid legal basis 513. Further, Meta IE

considers there is no urgent necessity for a banbased on other decisions takenunder the Article 60
GDPRcooperationmechanism insimilar circumstances 514.Finally,MetaIEputsforwardthesignificant

impact of a temporaryban not only on itsactivities but also on third parties’business, such as small
andmedium sizedbusinesses acrossEurope, relying onthe platform for behavioural advertising 515.

EDPB’sassessment on themerits

277. First of all, according to the EDPB, the views of Meta IE amount to a misunderstanding of the GDPR

one-stop-shop mechanism and of the shared competences of the CSAs. The EDPB recalls that the
GDPR requires supervisory authorities to cooperate pursuant to Article 60 GDPR to achieve a
516
consistent interpretation of the Regulation . The fact that the LSA will be the authority that can
ultimatelyexercise the corrective powerslisted in Article 58(2)GDPRcannot neither limit the role of
517
the CSAs withinthe cooperationprocedure nor theone ofthe EDPBinthe consistency procedure .

509
510Meta IEArticle65Submissions,paragraphs8.4and8.18.
Meta IEArticle65Submissions,paragraph8.6.
511Meta IEArticle65Submissions,paragraph8.13.
512Meta IEArticle65Submissions,paragraph8.27.
513Meta IEArticle65Submissions,paragraph8.28.
514
Meta IEArticle65Submissions,paragraph8.28.
515Meta IEArticle65Submissions,paragraph8.29.
516 See Art. 51(2), Art. 60, Art. 61(1) GDPR, and C-645/19, Facebook v Gegevensbeschermingsautoriteit,
paragraphs53,63,68,72.
517
See Art. 63 and 65 GDPR. In this regard it should benoted that Recital 11 GDPR stresses that ‘effective
protection of personal data throughout the Union requires [...] equivalent sanctions forinfringements in the
MemberStates’. Therefore, in orderto ensurethis ‘consistent monitoringandenforcement’ of theGDPR, the
legislatorhasdecidedtoprovidesupervisoryauthoritieswiththe‘samecorrectivepowers’(Recital129GDPR).

72
Adopted278. More specifically, when raising an objection on the existing or missing corrective measure(s) in the

Drafting Decision, the CSAs should indicate which actionthey believe would be appropriate for the
LSA toundertakeandinclude inthe finaldecision 518. Incaseof disagreementonthese objections, the
dispute resolution competence of the EDPBcovers ‘’allthe matterswhich are subject of therelevant
519
and reasonedobjection’’(emphasisadded) . Therefore,contrarytoMetaIE’sviews,the consistency
mechanism may also be used to promote a consistent application by the supervisory authorities of
520
their correctivepowers, takingintoaccount the rangeofpowerslisted inArticle 58(2)GDPR ,when
arelevantandreasonedobjectionquestions theaction(s)envisagedbytheDraftDecisionvis-a-visthe

controller/processor, or theabsence thereof.

279. Inaddition, the EDPBfinds thatMeta IEmisunderstands the AT SA’s objection when it arguesthatit

does acknowledge that it is for the LSA alone to decide which corrective measures are appropriate
andnecessary, byciting paragraph112of the SchremsIICJEU judgment 521.Infact,the ATSA doesno

such thing: in its objection it stated‘’acomplainant doesnot have a subjective right to request from
the respective supervisoryauthority(in this case: the DPC)the exercise ofa specific corrective power

and it is for the supervisory authorityalone to decide which action is appropriate and necessary(see
C ‑311/18, point 112)’’522anddid not engage inan interpretationof how Article 58(2) GDPR is to be
understood in cross-border cases in the sections referred to. The cooperation and consistency

mechanism of the GDPRisnot addressed inCJEU ruling C-311/18 (SchremsII)either.

280. Moving onto the analysis of the issue of corrective measuresas requiredby the objections found to
be relevant and reasoned above, the EDPB recalls that when a violation of the GDPR has been

established, competent supervisory authorities are required to react appropriately to remedy this
infringement in accordance with the means provided to them by Article 58(2) GDPR 523. Article 58(2)
GDPRprovidesa wide choice ofeffectivetools for theauthoritiestotakeactionagainstinfringements

of the Regulationandwhich can be imposed in addition toor instead of a fine. According to Recital
129 GDPR, every corrective measure applied by a supervisory authority under Article 58(2) GDPR

should be ‘‘appropriate, necessary and proportionate in view of ensuring compliance with the
Regulation’’inlightof allthe circumstancesofeachindividual case.Recital148 GDPR showsthe duty

for supervisory authorities toimpose corrective measuresthat are proportionate to the seriousness
of the infringement 52. This highlights the need for the corrective measures and any exercise of
powersby supervisory authoritiestobe tailoredtothe specific case 525.

281. Considering the nature and gravityof the infringement of Article 6(1)(b) GDPR established above in

Section4.4.2,aswellasthe number of datasubjects affected,theEDPBsharesthe view of the AT,FI,

518SeeEDPBGuidelinesonRRO,paragraph33.
519Art. 65(1)(a)GDPR.
520
521SeeEDPBGuidelinesonArticle65(1)(a)GDPR,paragraph92.
Meta IEArticle65Submissions,paragraph8.6.Seeaboveparagraph274.
522AT SAObjection,p.8.
523C-311/18,SchremsII,paragraph111.
524Recital 148GDPR states, forinstance:“in a case of a minorinfringement orif the fine likely to be imposed

would constitute a disproportionate burden toa natural person, a reprimand may be issuedinsteadof afine”.
TheEDPBconfirmedthat“theindicationsprovidedbythisRecitalcanberelevantfortheimpositionofcorrective
measures in general and for the choice of the combination of corrective measures that is appropriate and
proportionatetotheinfringementcommitted”.EDPBBindingDecision1/2021,paragraph256.
525EDPBBindingDecision1/2021,paragraph256.

73
Adopted FR, HUand NL SAs thatit is particularlyimportantthat appropriatecorrective measuresbe imposed,

inaddition toa fine, inorder toensure thatMetaIEcomplies withthisprovision ofthe GDPR.

282. Inrespectof whichmeasure should be imposed, asstated,theNL SA arguesthatthe IESA's proposal
toorder MetaIEtocomplywithArticle5(1)(a), Article12(1)andArticle 13(1)(c)GDPRwithina period
of threemonths is not appropriate,considering these breachesinconjunction withthe gravityofthe

additional breachesof Article 6(1)(b) and Article 9(2)GDPR identified in its objection526. Instead,the
NL SA is of the opinion that only a temporaryban imposed in respect of all these infringements can

effectively protectthe rightsof the data subjects during the transition period inwhich the controller
remedies to these violations 52. The FI SA considers that the IE SA should “exercise effective,

proportionate and dissuasive corrective powers” and, taking into account the nature of the
infringement, order MetaIE to“bringits processing operations into compliance with the provision of

Article 6(1) GDPR and prohibit to process users’ personal data for behavioural advertising by relying
on Article 6(1)(b) GDPR as laid down in Article 58(2)(d) GDPR” 528. The HU SA proposes to apply the
legalconsequences under Article 58(2)(d) GDPR in relationtoviolation of Article 6(1) GDPRby Meta

IE andtoinstruct the controller toindicate a another alternativelegalbasis 529. Inaddition, the AT SA
callsontheIESA touse itscorrectivepowersunder Article58(2)GDPRinordertobringthe processing

operations of Meta IE into line with the GDPR, and suggests ‘’that the DPC prohibits Facebook the
processing of a user’s data for behavioural advertising by relying on Article 6(1)(b)’ stating that
530
‘otherwise,Facebookcould simply continue tounlawfully relyon Article6(1)(b) GDPR’’ .

283. Meta IE argues that a temporary ban would not be necessary as less onerous measures could be
imposed and that it would be unfair and disproportionate, also considering its impact on third
parties 53.

284. The EDPBagreeswiththe observations madeby the NLSA thatthe infringement found inthe case at

hand constitutes a “very serious situation of non-compliance” 532with the GDPR, in relation to
processing of “extensiveamountsof[...]data,whichis essentialto thecontroller’sbusinessmode”’ 533,
534
thusharming“therightsand freedomsofmillions ofdata subjectsin theEEA” .Asaresult, theEDPB
sharestheNLSA’sconcernthatthecorrectivemeasurechoseninthecircumstancesofthiscaseshould

aimtobringthe processing intocompliancewiththeGDPRthusminimising thepotentialharm todata
subjects createdbythe violations of theGDPR.

526
NL SAObjection, paragraph57. In this respect, theEDPB recalls that, as stated in Sections 4.4.2 and 5.4.2
above,whiletheEDPBfinds thattheIESAshouldhavefoundaninfringementofArt.6(1)(b)GDPRinits Draft
Decision,itdoesnothavesufficientfactualevidenceallowingittofinda possibleinfringementbyMeta IEofits
obligationsunderArt.9(2)GDPR.
527
NLSAObjection,paragraph58.
528FI SAObjection,paragraph25.
529HUSAObjection,p.3.
530AT SAObjection,p.8-9.
531
532Meta IEArticle65Submissions,paragraphs8.27-8.28.
NLSAObjection,paragraph54.
533NLSAObjection,paragraph58.
534NLSAObjection,paragraph57.

74
Adopted285. Inaddition, the EDPB recallsthatcontrarytoMetaIE’scontention, it is not necessarytoestablish an
‘urgentnecessity’ 535for imposing atemporaryban, in thatnothing in the GDPRlimits the application
536
of Article58(2)(f) GDPRtoexceptionalcircumstances .

286. Atthe sametime,theEDPBnotesthatinassessing the appropriatemeasuretobeapplied, Recital129

GDPR provides that consideration should be given to ensuring that the measure chosen does not
create ‘’superfluouscosts’’ and‘’excessive inconveniences’’ for the persons concerned in light of the

objective pursued. When choosing the appropriate corrective measure, there is a need to assess
whether the chosen measure is necessary to enforce the GDPR and achieve protection of the data
subjects withregardtothe processing oftheir personaldata,whichis the objective being pursued 53.

Compliance withtheprinciple of proportionalityrequiresensuring thatthe chosen measuredoes not
createdisproportionate disadvantagesinrelationtothe aim pursued.

287. The EDPB takes note of the elements raised by the objections, particularlythe NL SA, to justify the
needfor imposing atemporaryban,consisting in essence inthe need tohalt the processing activities

thatarebeingundertakeninviolationoftheGDPRuntilcomplianceisensuredinordertoavoidfurther
prejudicing data subject rights. However, the EDPB considers that the objective of ensuring

compliance and bringing the harm to the data subjects to an end can, in this particular case, be
adequatelymetalsobyamendingtheorder tobring processing intocompliance envisagedintheDraft
DecisiontoreflectMetaIE’sinfringementofArticle6(1)GDPRidentifiedinSection4.4.2ofthisBinding

Decision. In addition tothe fines that willbe imposed, this measure would require Meta IE toput in
placethenecessarytechnicalandoperationalmeasurestoachievecompliance withinaset timeframe.

288. Inrespectofthe imposition of anorder tobring processing intocompliance, MetaIEsubmitsthatany
such order should ‘’afforda reasonable opportunity’’toMetaIE tocomply 538. Whendetermining the

transitionperiodfor bringingMetaIE’sprocessingintocompliance withGDPR,theEDPBrequeststhat
the IE SA gives due regardtothe harm caused tothe data subjects by the continuation of Meta IE’s

infringement ofArticle6(1)GDPRduring thisperiod. More specifically, theorder should requireMeta
IEtorestorecompliance withinashort periodoftime.Inthisrespect,theEDPBnotesthat,inresponse
to Meta IE’s submission, the IE SA considered the three-month deadline for compliance for the

infringements of Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR necessary andproportionate
in light ofthe potentialfor harmstothe datasubjects rightsthatsuch a measure entails, considering
539
that the interim period for compliance ‘’willinvolve a serious ongoing deprivation of their rights’’ .
The LSA also points out the significant financial, technological, and human resources, as well asthe

535Meta IEArticle65Submissions,paragraph8.28.
536 See a contrario Art. 4 Implementing Decision 2010/87, in its version prior to the entry into force of

537lementingDecision2016/2297;C-311/18SchremsII,paragraph114.
C-311/18, Schrems II, paragraph112:‘’Althoughthe supervisory authority must determine which actionis
appropriate and necessary and take into consideration all the circumstances [...] in that determination, the
supervisory authority is nevertheless required to execute its responsibility forensuringthat the GDPR is fully
enforcedwithallduediligence’’.
538Meta IEArticle65Submissions,point8.31.
539
Draft Decision, paragraph 202. Inthis regard, Meta IE argues that this was not a reasonableperiodof time
within which to makethenecessary changes, as thechanges would beresource-intensiveand wouldrequire
“sufficientleadintimeforpreparing,drafting,designingandengineeringtherelevantchanges,conductingand
takingaccountofusertestingoftheproposedchanges,internalcross-functionalengagementaswellasofcourse
engagement with the Commission, and localisation and translation of the information forcountries in the

EuropeanRegion’’.DraftDecision,paragraph201.

75
Adopted clear instructions provided to Meta IE to comply with GDPR 540. The EDPB considers that this line of
reasoning applies all the more to the corrective measures imposed in relation to Meta IE’s

infringement ofArticle 6(1)GDPR.

289. Finally, the EDPBrecalls thatnon-compliance withanorder issued by a supervisory authoritycanbe

relevantboth intermsof it being subject toadministrative fines up to20 million euros or,in the case
of anundertaking,up to4% ofthe totalworldwide annualturnover of the preceding financialyear in
line with Article 83(6) GDPR, and in terms of it being an aggravating factor for the imposition of

administrative fines541. Inaddition, the investigative powers of supervisory authorities allow them to
order the provision of all the information necessary for the performance of their tasks including the
542
verificationof compliance withone of theirorders .

290. The EDPBtherefore instructsthe IESA toinclude in itsfinaldecision anorder for MetaIE tobring its

processing of personaldatafor thepurpose ofbehaviouraladvertising inthecontextof theInstagram
services intocompliance withArticle6(1) GDPRwithinthreemonths.

291. Inaddition, the EDPBnotesthatthe currentwording ofthe order“to bring theDataPolicyand Terms
of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR as regards

information providedondata processedpursuanttoArticle6(1)(b)GDPR”’shouldbe modifiedinorder
toreflecttheEDPB’sfindingsinSection4.4.2thatMetaIEisnotallowedtorelyonArticle6(1)(b)GDPR
for the processing of personal data for the purpose of behavioural advertising. Therefore, the EDPB

instructstheLSA toadjust itsorder toMetaIEtobringitsInstagramDataPolicyandTermsofUse into
compliance withArticle 5(1)(a), Article 12(1) andArticle 13(1)(c) GDPRwithin three months, to refer
not onlytoinformationprovided ondataprocessed pursuant toArticle6(1)(b) GDPR,butalsoondata

processed for the purpose of behavioural advertising in the context of Instagram services(to reflect
the finding of the EDPB inSection 4.4.2 that for this processing the controller cannot rely on Article

6(1)(b) GDPR).

540DraftDecision,paragraph202.
541Art. 83(2)(i)GDPR.
542
Art. 58(1)GDPR.

76
Adopted 9 ON THE DETERMINATIONOF THE ADMINISTRATIVEFINE

292. The EDPB recalls that the consistency mechanism may also be used to promote a consistent
applicationof administrativefines 543.

9.1 On the determination of the administrativefine for the transparency

infringements

9.1.1 Analysis bythe LSA in the Draft Decision

The applicationof thecriteriaunder Article83(2)GDPR

293. InitsDraftDecision,the IESA explainshow itconsidered the criteriainArticle 83(2)GDPRindeciding
whether to impose an administrative fine and to determine its amount in the circumstancesof this
case 544.The most pertinent criteriafor the present dispute aresummarised below.

Thenature,gravityanddurationoftheinfringement,taking into accountthe naturescopeor purpose
of theprocessing concernedas wellas the numberof data subjects affectedand the levelofdamage

sufferedbythem(Article 83(2)(a)GDPR)

294. The IESAexplains thatitassesses theinfringementsofArticle5(1)(a), Article12(1)andArticle13(1)(c)
GDPR identified in the Draft Decision simultaneously in the context of the Article 83(2) GDPR
545
criteria .Further,the IESA explainsthat‘’theprocessing concerned’’refersto“allofthe processing
operationsthat[MetaIE]carriesoutinthecontextoftheInstagramserviceonthepersonaldata under
its controllership for which it relies on Article 6(1)(b) GDPR”, in line with the scope of the inquiry

(permissibility inprinciple ofprocessing personal datafor behaviouraladvertising) 546.

295. In terms of the nature ofthe infringements, the IE SA explains that they concern a cornerstone of
data subject rights, namely the right to information. The IE SA argues that ”the provision of the
informationconcernedgoes to theveryheart ofthe fundamentalright ofthe individual to protection

ofpersonaldata whichstemsfrom thefreewilland autonomyoftheindividual toshare theirpersonal
datain avoluntary situation such asthis. Ifthe requiredinformation hasnot been provided, thedata
subject has been deprived of the ability to make a fully informed decision as to whethertheywish to

use aservice that involves the processing of their personal data and engagestheir associated rights.
Furthermore,theextenttowhicha data controller hascomplied with itstransparencyobligationshas

a direct impact on the effectivenessof the other data subject rights. If data subjects have not been
providedwith the prescribed information, theymaybe deprived of the knowledge theyneedin order
to consider exercising one of the other data subject rights”54. Further, the IE SA points out that the

543SeeRecital150GDPR;EDPBGuidelinesonRRO,paragraph34andEDPBGuidelinesonArticle65(1)(a)GDPR,
paragraph91.
544
DraftDecision,paragraphs206-207.
545“While I emphasise that each is an individual anddiscrete “infringement”of the GDPR, I am proposingto
assessallthreeinfringementssimultaneouslyasallconcerntransparencyand,byreasonoftheircommonnature
and purpose, are likely to generate the same, orsimilar, outcomesin the context of some of the Article 83(2)
GDPRassessmentcriteria”.DraftDecision,paragraph209.
546DraftDecision,paragraph210.
547
DraftDecision,paragraphs212.

77
Adopted breachof the transparencyprinciple by Meta IE has the potentialto undermine other fundamental
dataprotectionprinciplessur astheprinciples offairnessandaccountability 54.Finally,theIESA notes

thatthe Europeanlegislator included infringementsonthe right toinformationandArticle 5 GDPRin
Article83(5) GDPR,whichcarriesthe highest maximum fine 549.

296. In terms of the gravity of the infringements, the IE SA explains that Meta IE is found to also have

infringed Article 12(1) and Article 5(1)(a)GDPR because the company hasnot provided the required
information inthe required manner under Article 13(1)(c) GDPR.TheIE SA adds thatthis “represents
a significant levelof non-compliance,taking into account theimportance of theright to information,

the consequent impact on the data subjects concerned and the number of data subjects potentially
affected” 550.

297. With regardsto the nature,scopeorpurposeofthe processingconcerned,theIE SA considers that
the “processing carried out by [Meta IE] in the context of the Instagram service pursuant to Article

6(1)(b) GDPR is extensive. [Meta IE]processes a varietyof data in order to provide Instagram users
with a ‘personalised’ experience, including by way of serving personalised advertisements. The

processingis centralto andessentialto thebusiness modeloffered,and,for this reason,the provision
of compliant information in relation to that processing becomeseven more important. This, indeed,
mayinclude location and IPaddressdata” 551.

298. With reference to the number of data subjects affected, the IE SA points out that, as Meta IE

confirmed, ’’asof the date of the commencement ofthe Inquiry, i.e. 31 August 2018, [Meta IE]had
approximately monthly active accounts and, as of December 2021, it had approximately
monthlyactiveusersin theEuropean EconomicArea” 552.While noting thefiguresprovided by

MetaIE incorrectlyexcluded the number of UKactive accountstowhich the GDPRwas applicable at
the dateoftheComplaint, the LSA consideredthat,whenmeasuring these figuresby referencetothe

totalpopulationoftheEEA(including theUK),a‘’significantportionofthepopulationoftheEEAseems
to have beenimpactedby theinfringements’’ 553.

299. Intermsof damagessufferedby affecteddata subjects, the IE SA finds that“failure to provide all of
theprescribed information underminesthe effectivenessofthe data subjectrightsand, consequently,

infringes the rights and freedomsof the data subjects concerned. A core element oftransparency is
empoweringdata subjectsto makeinformed decisions aboutengaging withactivitiesthatcause their

personal data to be processed, and making informed decisions about whether to exercise particular
rights,and whethertheycan do so. Thisright isundermined bya lackof transparencyon thepart ofa
datacontroller” 55.

300. OnArticle 83(2)(a)GDPR,theIESA concludes that“[the]infringementsareserious in nature.Thelack

of transparencygoes to the heart of data subject rights and risks undermining their effectivenessby
not providing transparentinformation in that regard.While the infringementsconsidered hererelate

548DraftDecision,paragraph213
549
550DraftDecision,paragraph214.
DraftDecision,paragraph216.
551DraftDecision,paragraph221.
552DraftDecision,paragraph223.
553DraftDecision,paragraphs223-225and253.
554DraftDecision,paragraph228.

78
Adopted to one lawful basis, it nonethelessconcernsvast swathesof personaldata impacting millions ofdata

subjects. When such factors are considered, it is clear that the infringements are serious in their
gravity” 55. The IE SA further notes the impact of the infringement on a ‘’significant portion of the

population of the EEA’’, as well as on ‘’data subject’s ability to be fully informed about their data
protectionrights,or indeed about whetherin theirview theyshould exercisethoserights’’ 556.

301. The IE SA does not attachsignificant weight tothe durationof the infringements 55, considering that
the complaint - andtherefor the Inquiry - wasmade againsta specific set of documents (Instagram’s

DataPolicy and Termsof Use) and thatmore recentversions of the relevantdocuments areoutside
the scope of the Inquiry 55.

Theintentionalor negligentcharacterofthe infringements(Article83(2)(b) GDPR)

302. The IESA notesthecomplainantsview thattheinfringement arosefrom ‘’[MetaIE]madea deliberate
and calculated decision to present the information in a particular manner such as to mislead data

subject’’559 but statesthat there is no evidence that Meta IE ‘’made adeliberate decision to present
the information to data subject in a particular way’’ 560. The IE SA further notes that the EDPB

Guidelines on Administrative Fines ‘’recognisethatan intentionalbreachgenerallyonly occurswhere
thereis a deliberateact to infringe the GDPR’’,andthat,in this regard,‘’afinding of intentionalityis

predicatedon knowledgeand wilfulness as tocharacteristicsofan offence’’.TheIESA finds therewas
noevidence ofanintentionalandknowing breachofaprovision ofthe GDPR. TheIESAhowever finds

thatthe infringement wasnegligent,takingintoaccount ‘’the failure ofan organisation ofthis sizeto
provide sufficientlytransparentmaterialsin relation to thecoreof itsbusiness mode” 56.

The action taken by the controller or processor to mitigate the damage suffered by data subjects
(Article83(2)(c) GDPR)

303. The IE SA notes MetaIE’sposition that “hasdischarged itstransparencyobligations in respectof the

Instagram service and, accordingly, complies fully with the GDPR in this respect.” Notwithstanding
their disagreementwiththis position, the IESA “accept[s]thatit representsa genuinelyheld beliefon

[Meta IE’s] part’’. Onthat basis, the IE SA notes that ‘’there hasnot been an effort to mitigate the
damage to data subjects, as it was [Meta IE’s] position that data subjects were incurring no such
damage” 562.TheIESA isnot swayedby MetaIE’sargumentthattheireffortstocomplywiththeGDPR

555DraftDecision,paragraph253.
556DraftDecision,paragraph253.
557
558DraftDecision,paragraph253.
DraftDecision,paragraphs218and253.TheIESAnotes,however,that“Inimposingcorrectivepowers[...]
theGDPRrequiresthatthebroaderimpactofinfringementsbeconsidered”(DraftDecision,paragraph218).
559DraftDecision,paragraph231.
560DraftDecision,paragraph232.Initsanalysis,theIESAtakes intoconsiderationtheEDPBGuidelineson

AdministrativeFines onthenotionsof‘intentional’and‘negligent’.DraftDecision,paragraphs230-232.
561Inthis regard,theIESAnotes that‘’Meta Irelandshouldhavebeenawareofitstransparencyrequirements,
especiallyinlightofthetransparencyguidelinesandshouldhaveprovidedclarityaboutthepreciseextentofthe
processing operations carried out pursuant to Article 6(1)(b) GDPR. Meta Ireland furthershould have ensured

that it adhered strictly to its transparency obligations when choosingthe lawful bases onwhich they rely and
should have used these obligations as a guide as to the information to be conveyed to data subjects’’ (Draft
Decision,paragraph253).
562DraftDecision,paragraph234.

79
Adopted should be takeninto consideration, as -in general-compliance withthe GDPRis a duty imposed on

each controller. In the present case, the IE SA finds this factor is neither mitigating nor aggravating
insofar as“beyondsimply complyingwith the GDPR,thereareno obvious mitigating stepsthat could
563
have been taken” . Notwithstanding this, the IE SA identifies a mitigating factor in Meta IE’s
willingness toengageinstepstobring itsprocessing intocompliance ona voluntarybasispending the
conclusion ofthe inquiry 564.

The degree of responsibility of the controller taking into account technical and organisational

measuresimplementedpursuantto Articles25 and 32 (Article83(2)(d) GDPR)

304. The IE SA does mentionthis factor asanaggravatingfactorin the DraftDecision. The IE SA takesthe
view that, considering that guidance on transparency was available to Meta IE at the date of the

complaint, it ’’shouldhave been awareof theappropriate standards– albeit at a generallevel– and,
having madea deliberatedecisionto presentthe information in a manner which fellsignificant below
thestandardrequired,hasa high degreeofresponsibilityfor thelackofcompliancewiththeGDPR’’ 565.

Anyrelevantpreviousinfringementsbythe controlleror processor(Article83(2)(e) GDPR)

305. The IESA does not mentionthis factoras anaggravatingormitigatingfactorinthe DraftDecision 56,

taking into consideration that‘’theCommission has not made any findings ofinfringementsby Meta
Ireland in the context of the Instagram service which could be considered relevant for [this]
567
assessment’’ .

Thecategoriesof personaldata affectedbythe infringements(Article83(2)(g) GDPR)

306. The IESA notesthat “[the]lackof transparencyconcernedbroad categoriesofpersonal data relating
568
to userswho sign up to theInstagramservice” .Althoughacknowledgingthatthe assessment made
by the IE SA in this Inquiry “was rather generalised in nature” the LSA points out that the lack of

transparency by Meta IE contributed to the “lack of clarity as to the precise categories of personal
datarelevantfor thisInquiry” 569.

307. Nonetheless, the IE SA concludes that, in the absence of evidence that these personal data are of a
particularlysensitive nature,this factorshould be regardedasneitheraggravatingnormitigating 570.

563DraftDecision,paragraph235.
564
DraftDecision,paragraph236.
565DraftDecision,paragraph240.
566DraftDecision,paragraph253.
567Draft Decision, paragraphs 241 and 243. The IE SA notes their disagreement with Meta IE Article 65

568missionsthattheabsenceofpreviousdecisionshouldbeconsideredasa mitigatingfactor.
DraftDecision,paragraph247.
569DraftDecision,paragraph247.
570DraftDecision,paragraph247.

80
Adopted The manner in which the infringementsbecame known to the supervisory authority(Article 83(2)(h)

GDPR)

308. The IE SA notes that “[the] subject matter became known to the Commission due to an Inquiry

conducted on foot of the Complaint. The subject matter did not give rise to any requirement of
notification,and Ihave alreadyacknowledged severaltimesthatthe controller’sgenuinelyheld belief
571
is thatno infringementis/was occurring” .The IESA does not mentionthis factoras anaggravating
or mitigatingfactorin theDraftDecision 57.

Anyotheraggravating ormitigating factor (Article83(2)(k) GDPR)

309. The IE SA considers whether the “lack oftransparencyhas the potentialto have resulted in financial
benefitsfor [MetaIE]”basedon theview thata “moretransparentapproachtoprocessing operations

carriedouton foot ofthatcontractwouldrepresentariskto[MetaIE]’sbusiness model”,whichwould
be thecase“ifexistingorprospectiveusersweredissuaded fromusing theInstagramservicebyclearer

explanations of the processing operationscarried out, and their purposes”. The IE SA concludes that
thisfactorisneitheraggravatingnormitigating,arguingthat“anygeneralconsiderationofthis[factor]
ultimatelyinvolvesanelementofspeculation on both [MetaIE]’sand the Commission’s part” 573.

The applicationof thecriteriaunder Article83(1)GDPR

310. Basedonthese circumstances,theIESAconsiders thatadministrativefinespursuant toArticle 58(2)(i)

GDPRandArticle83 GDPR,totalinganamountnotlessthan€18 million andanamountnot morethan
€23 millionshould be issued onMetaIEforthe infringementofArticle5(1)(a),Article12(1)andArticle
574
13(1)(c) GDPRinthe contextof Instagramservice .

311. The LSA considers that the proposed administrative fines areeffective, proportionate and dissuasive
taking into account all of the circumstancesof the Inquiry 575. Regarding the effectiveness, the IE SA
argues that the “infringements are serious, both in terms of the extremelylarge number of data

subjectspotentiallyaffected,thecategoriesofpersonaldata involved,and theconsequencesthatflow
from the failure to comply with the transparency requirements for users” 576. Concerning the

dissuasiveness, the LSA states that the fine must “dissuade both the controller/processor concerned
as wellas other controllers/processorscarrying out similar processing operationsfrom repeating the

571DraftDecision,paragraph248.
572
DraftDecision,paragraph253.
573DraftDecision,paragraphs251-252.
574DraftDecision,sections9and10.
Morespecifically,theIESAproposesthefollowingadministrativefines(DraftDecision,paragraph254):

- a fineof between €11.5millionand€14millionforthefailuretoprovidesufficientinformationinrelationto
the processing operations carried out on foot of Article6(1)(b) GDPR, thereby infringing Articles 5(1)(a) and
13(1)(c)GDPR;
- a fineof between €6.5millionand€9millionforthefailuretoprovidetheinformationthatwasprovidedon
theprocessingoperations carried out infoot of Article6(1)(b) GDPR, in a concise, transparent, intelligibleand

easilyaccessibleform,usingclearandplainlanguage,therebyinfringingArticles5(1)(a)and12(1)GDPR.
Theproposedadministrativefinesaretobeappliedcumulatively,astheydonotsurpassthemaximumprovided
forinArt.83(5)GDPR.SeeDraftDecision,paragraphs264,295and296.
575DraftDecision,paragraph258.
576DraftDecision,paragraph255.

81
Adopted conductconcerned” 577.Asregardstheproportionality, theIESA considers thatthefines proposed “do

not exceed what is necessary to enforce compliance with the GDPR, taking into account the size of
Instagram user base, the impact of the infringementson the effectivenessof the data subject rights

enshrinedinChapter IIIofthe GDPRandthe importanceof thoserights in the contextofthe GDPRas
awhole” 578.

312. The IE SA refers tothe needto takeinto account the undertaking’sturnover in the calculationofthe
579
maximum possible fine amounts . The notion of “undertaking” is determined to refer to Meta
Platforms,Inc. 580.The IESA takesintoconsiderationthe revenue reportedbyMetaPlatforms,Inc.for
the yearending 31 December2020 ($85.965billion) 58.

9.1.2 Summary of theobjections raised by theCSAs

582
313. The DE,FR, IT, NL, andNOSAs object tothe envisagedactiontakenby the LSA withregardto the
administrative fine proposed in the DraftDecision concerning the infringements of the transparency
583
obligationsbyasking the IESA toimpose a(significantly) higheradministrativefinewithreference
totheestablishedinfringements.

314. The dispute arising from these objections concerns whether the proposed fine is effective,
proportionate and dissuasive pursuant to Article 83(1) GDPR 58. With reference to these three

criteria,theabove mentioned CSAs, specifically, argueasfollows.

315. According tothe DESAs, thefine proposed bythe LSA in the DraftDecisionis not proportionate with
regard to the financial position of the undertaking. More specifically, the DE SAs argue that the

envisaged fine of at most 23 million euros is not proportionate compared to the worldwide annual
turnoveronMetaPlatforms,Inc 585.TheDESAspointoutthattheproposedfine‘’representsonlyabout
586
0.03%oftheturnoverofMetaPlatforms,Inc.andabout 0.72%ofthemaximum fine“ .Withrespect
to dissuasiveness, the DE SAs consider that the fine proposed by the LSA “weakensthe position of

supervisory authorities and endangers compliance with the GDPR’’ as this would leave controllers
under the impression that“enforcementoftheGDPRwill notbe felt economically’’ 587.

316. The FR SA arguesthat the amount of the envisaged fine “seemslow and hardlycompatible with the
objective set by Article 83(1) GDPR of ensuring to impose dissuasive fines” taking into account “the

577
DraftDecision,paragraph256.
578DraftDecision,paragraph257.
579DraftDecision,paragraph274.
580
581DraftDecision,paragraphs275-295.FormerlyFacebook,Inc.
DraftDecision,paragraph295.
582DE SAs Objection,pp.10-12;FRSAObjection,paragraphs36-48;ITSAObjection,pp.7-10;NLSAObjection,
paragraphs39-53;NOSAObjection,pp.9-13.
583All theseCSAsspecifiedthatthefineshouldbeincreased‘’significantly’’or‘’substantially’’excepttheNLand

theITSAs (whichstatedthefineshouldbeincreased).SeeDESAs Objection,p.12;FRSAObjection,paragraph
45;ITSAObjection,pp.8-9;NOSAObjection,p.13;NLSAObjection,paragraph51.
584DESAs Objection,p.11;FRSAObjection,paragraph47;ITSAObjectionpp.7-8;NLSAObjection,paragraph
50;NOSAObjection,pp.11-12.
585
DESAs Objection,p.11.
586DESAs Objection,p.11.
587DESAs Objection,p.11.

82
Adopted number of data subjects concerned, the particularlyintrusive nature of the processing operations in

question,thebreachesobserved,theposition ofMetaPlatformsIrelandLimited asa quasi-monopolist
anditsfinancial situation”588.Inthisrespect,the FRSA notesthatthe fine proposed by theIE SA isno

proportionate since “the cumulative amount of the two breaches of the provisions of Articles 5-1-a)
and13-1-c) ofthe GDPR,onthe one hand, andthe provisions of Articles5-1-a) and 12-1 of theGDPR,
on the otherhand, representsonly about 0.03% of the turnover of MetaPlatforms Inc.and lessthan

1% ofthe maximum fine” 58.

317. The IT SA arguesthat ‘’byhaving regardto the controller, inparticular the nature and size of Meta
Platforms Inc. [...]the range at issue would appear to be overly low and neither proportionate nor
590
dissuasive’’ .

318. The NL SA doubts, also referring to the EDPB Guidelines on Administrative Fines, that the fines
proposed bythe IESA meettheobjective tobe effective,“particularlyconsidering thestrong financial
positionofthecontrollerandthefindingthatthe identifiedlackoftransparencylikelyhashadfinancial

benefits for the controller” 59. As regard to dissuasiveness, the NL SA argues, also referring to
establishedCJEU case-law,thatMetaIE“generatesaturnoverofover86billion dollars(approximately

79 billion euros)per annum, thereforeit would be able to generatea daily revenueof approximately
235 million dollars. Instead of dissuading future behaviour, the penaltywould be simply regenerated
592
in a few hours” (specific deterrence) . With reference to proportionality, the NL SA questions the
lack of reasoning in the Draft Decision as to why the amounts proposed are commensurate to the
593
seriousness of theinfringements .

319. TheNOSA arguesthattheenvisagedamountofthe fine isnoteffective nor dissuasive neithertoMeta

IE nor to other controllers, considering the financial benefits accrued because of the violation and
worldwide annual turnover ofMetaPlatform, Inc.for 2020 594Inparticular,theNOSA points out that

MetaIE“would likelyhave no issue paying theproposed fine,and theamount ofthefine it isnot likely
to affect [it] in such a waythat it would see a need to substantially change its practices”5. The NO

SA illustratesthisby the factthat in2020, MetaIEset aside one billion euroof provisions toaddress,
inter alia,the riskof fines for infringement tothe dataprotectionrules596.

320. In addition, these objections raise arguments with regardsto the weight afforded to some of the
criterialistedin Article83(2) GDPR.

321. The ITSA objects totheLSA's decision not toconsider WhatsApp's previous infringementsin the case

IN-18-12-2asanaggravatingcircumstanceunderArticle83(2)(e)GDPR,insofarasitispartofthesame
group of companies of Meta IE. According to the IT SA “even though the WhatsApp case did raise

additional,morespecific issues,one canhardlyquestionthattherelevantdecisionsetsa keyprecedent

588FRSAObjection,paragraph38.
589
FRObjection,paragraph40.
590ITSAObjection,p.8.
591NLSAObjection,paragraph48.
592NLSAObjection,paragraph49.
593
594NLSAObjection,paragraph50.
NOSAObjection,p.12.
595NOSAObjection,p.12.
596NOSAObjection,p.11.

83
Adopted in assessing controller’srepetitiveconduct’’as‘’notonly did the controller in question clearlystickto

the same business modelin offeringits different social networking services,it also did not change its
assessment as to how to manage users’ data with particular regard to its information and
597
transparencyobligations’’ .

322. According to the DE, FR, NL and NO SAs, the fine proposed by the LSA in the Draft Decision is not

proportionate withregardtotheseriousness of the infringement 59.

323. The NL SA argues that the fine is not commensurate with the seriousness of the infringements
established(Article 83(2)(a)GDPR)andisinconsistent withtheIESA's qualificationsassuch 599.The FR

SA alsoarguesthat the fine isincontradictionwiththe seriousnessofthe violationsidentified andthe
natureof the processing (Article 83(2)(a)GDPR) 600.

324. The DE,FR,andIT SAs statethatthe fine proposed is not consistent withthe amount retainedbythe
IESA initsdecision dated20 August2021 againstthecompanyWhatsAppIrelandLimited(caseIN-18-

12-2), in which the IE SA imposed an administrative fine of 225 million euros, including a fine of 30
million eurosfor the infringementof Article12 and13GDPRanda fine of90 millionon accountofthe
601
infringement ofArticle5(1)(a) GDPR .Moreover,theFR andITSAs statethatthe amount proposed
appears low also in comparison with the one retained by the LU SA in its decision of 15 July 2021

againstthecompanyAmazonEuropeCore, whereanadministrativefine of746 millioneuroshasbeen
imposed fortheinfringementsofArticles6,12and13GDPR,andwhichwasalso basedonacomplaint

that the processing operations carried out by the companies of the Amazon group relating to
behaviouraladvertisingdidnot havea validlegalbasis 602.Inaddition, theFRSA notesthattheamount
ofthefine proposedbytheIESA“seemstobeunderestimatedincomparisonwiththeamountretained

in thedeliberation oftheCNIL’srestrictedcommitteeNo.SAN-2019-001 of21 January2019 imposing
a penalty of 50 million euros on the company Google LLC” 603. The FR SA considers this case as

comparable because it is also based on a referral “filed by the association ‘NOYB’ with the CNIL,
relating to a similar issue and formulated against Google, and that the restricted committee has

identifiedabreach ofArticle6 of theGDPRand a breachof theprovisions ofArticles12 and 13 of the
GDPR” 60. However, the FR SA notes that “the amount retained against Google LLC is close to that

proposed by the Irish data protection authority, even though the processing operations in question
concernall European users, [...]which was not the case in the above-mentioned CNIL’s decision, for
whichonlyFrench usersweretaken into account” 605.

597
ITSAObjection,p.9.
598DESAs Objectionp.11;FRSAObjection,paragraph47;NLSAObjection,paragraphs39and43-44;NOSA
Objection,p.12.
599NLSAObjection,paragraphs39and43-44.
600
FRSAObjection,paragraph50.
601FRSAObjection,paragraph42;ITSAObjection,p.8.
602FR SAObjection,paragraph43.SimilarreasoningisincludedintheITSAObjection,whichstates that‘’even
byproportiontotherespectiveturnover[...]there islittle doubtthatthefiningproposalbytheLSAisnotinline

603hthe proportinalityrequirement’’(ITSAObjection,p.8).
FRSAObjection,paragraph41.
604FRSAObjection,paragraph41.
605FRSAObjection,paragraph41.

84
Adopted325. TheNOSA arguesthat“thesuggestedfine isnotproportionatetotheseriousnessofthe violationsand

the aggravating factors identified”, the “number of data subjects affected in the EEA amounts to
hundredsofmillions” andagreeswiththe LSA thatthe controller’s“levelof responsibility ishigh” 606.

326. Onthe risksposed by the DraftDecision,the DE,FR,IT,NL,andNOSAs consider that,ifadopted,the

Draft Decision would lead to a significant risk for the protection of the fundamental rights and
freedoms of the data subjects 607. The DE, FR, IT, NL, andNOSAsexplain that it would not ensure an

effective enforcementof theGDPR,asthe proposed fine isunable tocreateadeterrenteffect(either
specifically towardsthe controller, or in generaltowardsother controllers) 608. The NO SA considers
this would mean, “that the complainant and the affected data subjects would in practice be denied

the levelof data protectionset out in the GDPR” 60. The FR SA arguesthe Draft Decisionas it stands
would “lead to a levelling down of the level of administrative fines imposed by European data

protectionauthorities,therebyreducingtheauthorities'coercivepowerand,consequently,theirability
to ensureeffectivecompliancewith theprotectionofthe personaldataof Europeanresidents” 610.The
611
DESAsaddthat“theDraftDecisiondoesnotensureaconsistentapplicationofadministrativefines” .

9.1.3 Position ofthe LSA on theobjections

327. The LSA considers none of theobjections relatingtothequantum of theproposed administrative fine
asrelevantand reasoned 61.

328. Inrelationtoobjections calling for anincrease ofthe amount ofthe fine setout inthe DraftDecision,
the LSA statesthat notwithstanding the variance betweenthe viewsofthe CSAsonthe calculationof

the fine that the IE SA has “fully taken into account the criteria at Article 83(2) GDPR, and that the
proposedadministrativefinesmeettherequirementsofArticle83(1)GDPR,takinginto accountallthe
613
circumstancesofthismatterand asset out Part9 oftheDraft Decision” .The IESA also arguesthat
the IE SA considers “the proposal as to the fine to be meaningful in terms of both the financial

significance of it on any view, as well as the significant publicity that a fine in this region will
attract’’614.

329. Withreference totheobjections relatingtothe mode ofcalculatingthe proposed administrative fine

(assessment of the Article 83(2) GDPR criteria), the LSA does not accept that these objections are
relevant 615. The LSA recalls that it has already examined in its Draft Decision whether the
infringements were intentional and whether Meta IE obtained a financial benefit as a result of the

infringements,questions towhichitansweredinthenegative 61.Furthermore,theLSAtakesthe view

606NOSAObjection,p.12.
607DESAs Objection,p.12;FRSAObjection,paragraph47;ITSAObjection,pp.8-10;NLSAObjection

608agraph52;NOSAObjection,p.12.
DESAs Objection,p.12;FRSAObjectionparagraph47;ITSAObjection,pp.8-10;NLSAObjection
paragraph49and52;NOSAObjection,p.12.
609NOSAObjection,p.12.
610FRSAObjection,paragraph.48.
611
DESAs Objection,p.11.
612CompositeResponse,paragraph120.
613CompositeResponse,paragraph118.
614CompositeResponse,paragraph119.
615
CompositeResponse,paragraph126.
616CompositeResponse,paragraph124.Onthismatter,theIESArefers torespectivelyparagraphs230-233
and251-252oftheDraftDecision.

85
Adopted that“itwouldbe contraryto a literalinterpretationofArticle83(2)(e)GDPRtotakethedecision made

bytheIESA in respectofWhatsApp IrelandLimited(i.e.IN-18-2-1)in the calculationofthefine for this
Draft Decision in circumstances where the infringements do not concern the same controller or
617
processor’’ .

9.1.4 Assessment of the EDPB

9.1.4.1 Assessmentof whethertheobjectionswererelevantandreasoned

330. The objections raisedby the DE,FR,IT,NL,andNOSAs concern‘’whethertheactionenvisaged in the
DraftDecisioncomplieswiththeGDPR’’ 618.

331. The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe
619
threshold ofArticle 4(24)GDPR .

332. With specific regard to these objections on the determination of the administrative fine for the
transparency infringements, Meta IE acknowledges that the objections as to whether envisaged

corrective measures comply with the GDPR fall within the scope of the dispute resolution
mechanism 62,however intheir view,objections thatsolelyobject totheamount ofa fine areoutside
the scope of this mechanism 621. Meta IE arguesthat ‘’the DPC, asthe LSA, has the sole competence

and discretion to impose an administrative fine’’ 62. Moreover, Meta IE claims that the EDPB is not
competenttodeterminewhethertheadministrativefine iseffective,proportionate,anddissuasive 623.

The EDPBdoes not share thisreading ofthe GDPR,asexplainedabove (see Section 8.4.2,paragraphs
277-279 ofthis Binding Decision)andconsiders thatCSAs mayobject tothefine amount proposed by
624
anLSA in itsdraftdecision .

617CompositeResponse,paragraph126.
618
EDPBGuidelinesonRRO,paragraph32.
619Meta IEArticle65Submissions,Annex1,p.65.
620Meta IEArticle65Submissions,paragraph8.5
621Meta IEArticle65Submissions,paragraph9.2
622
623Meta IEArticle65Submissions,paragraph9.2.
Meta IEArticle65Submissions,paragraph9.2.Meta IEarguesthat“TheGDPRdoesnotconferanypoweron
theEDPBto considerobjectionssolelychallengingtheamountofafine,andtheEDPBmaynotgiveinstructions
asto whetherafineoughttobeimposed,orastoitsamount’’.
624
Inthis regard,Recital150GDPRcanberecalled,asitstatesthattheconsistencymechanismmayalsobeused
to promote a consistent application of administrativefines. Consequently, an objection can challengethe
elements reliedupontocalculatetheamountofthefine,andiftheassessmentoftheEDPBwithinthiscontext
identifiesshortcomingsinthereasoningleadingtotheimpositionofthefineatstake,theLSAwillbeinstructed
to re-assess thefineandremedytheidentifiedshortcomings(EDPBGuidelinesonArt.65(1)(a),para 91;EDPB

RROGuidelines,paragraph34). TheEDPBfoundseveralobjectionsonthissubjectmatteradmissibleinthepast,
seeinteraliaBindingDecision1/2020,paragraphs 175-178and180-181,BindingDecision1/2021,paragraphs
310-314, Binding Decision 1/2022 paragraphs 53-55, Binding Decision 2/2022, paragraphs 186-190.
Consequently,withinitsmissionofensuringa consistentapplicationoftheGDPR,theEDPBis fullycompetent

to resolvethedisputearisenamongsupervisoryauthoritiesandremedytheshortcomingsintheDraftDecision
concerningthecalculationoftheamountofthefine,whichwillinanyeventbequantifiedandimposedbythe
LSAinits nationaldecisionadoptedonthebasisoftheEDPB’s bindingdecision.

86
Adopted333. The EDPBtakesnote of further argumentsput forwardbyMetaIE,aiming todemonstratethe lackof
625
relevance of the objections raised by the DE, FR, IT, NL, and NO SAs . Meta IE disagrees with the
content ofthese objections, whichconcerns itsmeritsandnot itsadmissibility.

334. The EDPB finds that the DE, FR, IT, NL, and NO SAs disagree with specific parts of the IE SA’s Draft
Decision, namelythe assessment madeby the LSA in Chapter 9 ‘’Administrativefine’’andChapter 10

‘’Otherrelevantfactors’’insettingtheadministrative fine applicable tothe violationsof transparency
identified626. Iffollowed, these objections would leadtoa different conclusion in termsof corrective

measures imposed. In consequence, the EDPB considers the objections raised by the DE, FR, IT, NL,
andNOSAs tobe relevant.

335. MetaIEfurtherconsiders thatthe DE,FR,IT,NLandNOSAs’ objections have not created“reasonable

doubt’’astothe validityofthe LSA’scalculationofthe fine anddonot explainwhythe fine envisaged
in the DraftDecision is incompatible withArticle 83 GDPR 627.Inthis respect, MetaIE claims thatthe
objections ofthe DE,FR,IT,NLandNOSAsare not sufficientlyreasonedastheyfocusonhypothetical

“preventiveeffects”ofthefine on other controllersinfuture proceedings 628.Inaddition, MetaIEputs
forward that the comparison made by the DE, FR, and IT SAs in their objections with other fines

imposed in other cases is not relevant to the extent that fines should result in a case-by-case
assessment 629. Meta IE also objects to the FR SA’s objection that the fine should be tied to the

turnover, considering that Meta IE’s turnover is only relevant for determining the maximum fine
amount under Articles83(4)-(6) GDPRand not the fine amount 630.Finally, in response tothe NOSA’s

objection, Meta IE argues that controller’s financial provisions for potential regulatory-related
expenses cannot be considered asa relevant factor under Article 83(2) GDPR 63. It follows from the
above argumentsthatMetaIEdisagreeswiththe reasoning provided inthese objections, which thus

concernsthe meritsandnot the admissibility ofthe objection.

336. The EDPB finds that the DE, FR, IT, NL, and NO SAs argue why they propose amending the Draft
Decisionandhow this leadstoadifferent conclusion intermsof administrativefine imposed, i.e.why
632
theypropose toimpose a higherfine for the transparencybreaches .

625Meta IEargues thattheseobjectionsare“adirectcriticismof theamountoftheDPC’sproposedfine(i.e.an

areawithintheDPC’ssolediscretionasLSA)ratherthanthelawfulnessoftheDPC’srelianceontherelevant
factorstocalculatethefine(whichwouldbetheDraftDecision’srelevantlegalandfactualcontenttowhich
the[CSAs]couldobject)’’.Meta IEArticle65Submissions,Annex1,paragraphs2.17-2.19,5.13,7.12,8.23,and
9.19.
626
DESAs Objection,p.10;FRSAObjection,paragraph36;ITSAObjection,pp.7-9;NLSAObjection,
paragraph40and53;NOSAs’Objection,pp.9-10.
627Meta IEArticle65Submissions,Annex1,paragraphs2.21,5.15,5.17-18,7.14,8.25,and9.22.Inthisregard
Meta IEsubmitsthat‘’afineproposedbytheLSAiseffective,proportionate,anddissuasiveaslongasthecriteria
laiddowninArticle83(2)GDPRaredulytakenintoaccount(whichisclearlythecasehere).Indeed,thecalculation

of fines is subjective, and there is significant variance amongst objecting CSAsas to what the appropriate fine
shouldbe’.
628Meta IEArticle65Submissions,Annex1,paragraphs2.22,5.19,7.16,8.26,and9.23.
629Meta IEArticle65Submissions,Annex1,paragraphs2.23,5.18,and7.17.
630
631Meta IEArticle65Submissions,Annex1,paragraph5.21.
Meta IEArticle65Submissions,Annex1,paragraph9.26.
632DESAs Objection,p.11-12;FRSAObjection,paragraphs38,40,42,43,47;ITSAObjection,pp.7-9;NLSA
Objection,paragraphs44-45and47-50;NOSAObjection,pp.11-12.

87
Adopted337. Intermsof risks, Meta IEclaims the DraftDecision does not pose any risk, let alone a significant risk

tofundamentalrightsandarguesthe objections of the DE,FR,IT,NL,andNOSAs failtodemonstrate
the contrary,asrequired 63.

338. Inparticular,MetaIEconsidersthattheDE,FRSA andITSAs’ objections appeartofocusonincreasing
the “punitive impact” of the fine on Meta IE, instead of demonstrating any significant risks to the

fundamentalrightsofdatasubjects 63.MetaIEfurtherclaimsthattheNLandNOSAs’objections does
not set out how the proposed fine would pose a direct andsignificant risk tofundamentalrightsand
635
freedoms . In addition, Meta IE argues the DE, FR, IT, NL and NO SAs’ objections rest on
unsubstantiatedpossible effecttheDraftDecisioncouldhaveonfuture behaviourofothercontrollers,
636
without demonstrating how this Decision would lead to significant risks in the case at hand .
Therefore, Meta IE claims that, in doing so, the assessment made by the DE, FR, IT and NL SAs is
637
incorrectastheydo not consider the reputationalcosts generatedbysuch afine .

339. First, the EDPBnotes thatany risk assessment addresses future outcomes whichare tosome degree

uncertain,andfinds thereis no basis in theGDPRtolimit the notion ofrisks tothe boundaries ofthe
particular case at hand. Article 4(24) GDPR referstothe risks posed to the "fundamentalrights and

freedomsof data subjects" and “where applicable, the free flow of personaldata within the Union”.
Bothofthese aspectsare phrasedina generalway. The wording ofthisprovisiondoesnot in anyway

limit the demonstration of the risks to showing the risks posed to the data subjects affectedby the
concrete processing carriedout by the specific controller, in light of the objective of guaranteeing a
638
‘’highlevelofprotectionintheEUfortherightsand interestsoftheindividuals’’ .Therefore,therisks
posedbyadraftdecision tobe demonstratedbya relevantandreasonedobjectionmightalsoconcern
datasubjects whose personaldatamight be processed inthe future, including by other controllers.

340. The EDPB also notes that the DE, FR, IT, NL, and NO SAs 639 considered both of the aspects that are

entailedbydissuasiveness ofthe fine, i.e.specific deterrenceandgeneraldeterrence 640.

633Meta IEArticle65Submissions,Annex1,paragraphs2.24-2.27,5.22-5.25,7.18-7.21,8.28-8.32,and9.25-
9.27.
634Meta IEArticle65Submissions,Annex1,paragraphs2.24,5.22,and7.18.
635
Meta IEArticle65Submissions,Annex1,paragraphs8.28,and9.25.
636Meta IEArticle65Submissions,Annex1,paragraphs2.25,5.23,7.19,8.30,and9.26.
637Meta IEArticle65Submissions,Annex1,paragraphs2.26,5.24,7.20,8.31.Meta IEaddsthat,inanycase,it
‘’doesnotconsiderthatfinessuchastheoneproposedintheDraftDecisioncouldencourageothercompanies

638tocomplywiththeGDPR’’.
Judgement of the Court of Justiceof 6 November 2003, Lindqvist, CaseC-101/01, ECLI:EU:C:2003596,
(hereinafter‘C-101/01Lindqvist'),paragraph95;JudgementoftheCourtofJusticeof16December2008,Heinz
HubervBundesrepublikDeutschland,C‑524/06,ECLI:EU:C:2008:724,(hereinafter‘C‑524/06Huber’),paragraph
50; Judgement of the Court of Justice of 24 November 2011, Asociación Nacional de Establecimientos

FinancierosdeCrédito,C-468/10andC-469/10,ECLI:EU:C:2011:777,paragraph28.
639DESAs Objection,p.12(referringtothe‘’undertakinginquestion’’),FRSAObjection,paragraph47(referring
to ‘’the controller’’); IT SA Objection pp.8-9 (referring to ‘’the controller’’); NL SA Objection, paragraph52
(referring to the risk in relation to ‘’the illegal processing at hand’’);NO SA Objection, p.12 (referring to

640ncentivesforMetaIE’’).
TheCJEUhas consistentlyheldthata dissuasivefineisonethathasagenuinedeterrenteffect,encompassing
bothspecificdeterrence(discouragingtheaddresseeofthefinefromcommittingthesameinfringementagain)
andgeneral deterrence(discouragingothersfromcommittingthesameinfringementinthefuture).See, inter

88
Adopted341. The EDPB finds that the DE, FR, IT, NL, and NO SAs articulate an adverse effect on the rights and
freedomsof datasubjectsifthe DraftDecisionis leftunchanged,by referringtoa failuretoguarantee
641
a highlevelof protectioninthe EU for the rightsand interestsof the individuals .

342. Therefore,the EDPBconsiders the DE,FR,IT,NL,andNOSAs objections tobe reasoned.

9.1.4.1 9.1.4.2. Assessment on themerits

343. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the
matters which are the subject of the relevant and reasoned objections, in particular whether the
envisagedactioninrelationtothe controller complies withtheGDPR.

344. The EDPB recalls that the consistency mechanism may also be used to promote a consistent
642
application of administrative fines . A fine should be effective, proportionate and dissuasive, as
required byArticle 83(1) GDPR,takingaccount of the factsof the case 643. Inaddition, when deciding
ontheamount ofthe fine,theLSA shalltakeintoconsiderationthecriterialistedinArticle83(2)GDPR.

345. The EDPB responds to Meta IE’s argument that the LSA has sole discretion to determine the

appropriate corrective measures in the event of a finding of infringement above (see Section 8.4.2,
paragraphs277 -279 aswellasfootnote 624).

346. The finding in the Draft Decision of a transparency infringement for the processing concerned still
stands. The EDPB recalls that, on substance, no objections were raised on this finding. Meta IE

infringed its generaltransparency obligations by being unclear on the link between the purposes of
processing, the lawful bases of processing and the processing operations involved 644, irrespective of
the validityofthe legalbasis reliedonfor the ‘processing concerned’.Itremainsthecase that,forthe

transparencyinfringements, ‘‘theprocessing concerned’’shouldbe understood asmeaning all ofthe
processing operations thatMetaIEcarriesout onthe personaldata under itscontrollershipfor which
645
Meta IE indicated it relied on Article 6(1)(b) GDPR , including for the purposes of behavioural
advertising.This is without prejudice tothe fact thatMetaIE inappropriatelyrelied on Article6(1)(b)
GDPR asa legalbasis to process personal data for the purpose of behavioural advertising as part of

the delivery of its Instagram service under the Termsof Use. Whether or not Meta IE appropriately
chose its legal basis for processing, the transparencyinfringement as assessed in the Draft Decision

still stands. Therefore, the IE SA must not modify this description retro-actively in light of the
assessment ofthevalidityofthelegalbasis, including forthepurpose ofcarryingoutanyreassessment
of the administrative fines originally proposed by the Draft Decision, as might be required by this

Binding Decision.

alia, Judgement of the Court of Justiceof 13 June 2013, Versalis Spa v European Commission, C-511/11P,
ECLI:EU:C:2013:386,(hereinafter‘C-511/11,Versalis’),aragraph 94.
641DESAs Objection,p.12,FRSAObjection,paragraphs47-48;ITSAObjection,pp.8-9;NLSAObjection,
paragraph52;NOSAObjection,p.12.SeealsoEDPBGuidelinesonRRO,paragraph37.
642
Recital 150GDPR. EDPB Guidelines on RRO, paragraph 34;EDPB Guidelines on Administrativefines p. 7
(“When the relevant andreasonedobjection raises the issue of the compliance ofthe corrective measure with
the GDPR, the decision of EDPB will also discuss how the principles of effectiveness, proportionality and
deterrence are observed in the administrative fine proposedin the draft decision of the competent supervisory
authority”).
643
644EDPBGuidelinesonAdministrativefines,p.7;EDPBGuidelinesoncalculationoffines,paragraphs132-134.
DraftDecision,paragraph189.
645DraftDecision,paragraph210.

89
Adopted347. Inlightofthe objectionsfound relevantandreasoned, theEDPBaddresseswhetherthe DraftDecision
proposes afine for the transparencyinfringements thatis inaccordancewith thecriteria established

by Article83(2) GDPRandthe criteria provided for by Article 83(1)GDPR.Indoing this, the EDPBwill
first assess the disputes arisen in respect of the analysis of specific criteria under Article 83(2)GDPR
performed by the LSA, and then examine whether the proposed fine meets the requirements of

effectiveness, dissuasiveness and proportionality set in Article 83(1) GDPR, including by affording
adequateweighttothe relevant factorsandtothe circumstancesofthe case.

On any relevantpreviousinfringementsby thecontrolleror processor (Article83(2)(e)GDPR)

348. Article 83(2)(e) GDPR requires supervisory authorities to give due regard to any previous relevant

infringement of the GDPRbythe controller or processor asone of the circumstancesthat justifies an
increase inthe basic amount of the fine. Assimilar reference canbe found inRecital148 GDPR.

349. For the purposes of Article 83(2)(e) GDPR, both previous infringements of the same subject matter
and infringements of a different subject matter but committed in a manner similar to that under

investigation, should be considered as relevant. Furthermore, the EDPB recalls that the scope of
assessment ofinfringementsmayinclude not only previous decisions bythe investigatingsupervisory
authority, but also infringements found by other authorities, provided that theyare relevant tothe
646
case under investigation .

647
350. The EDPB first notes that, contrary to Meta IE’s views , substantial similarities exist in the
infringements found by the LSA in its draft decision and in its decision IN-18-12-2 in relation to
WhatsApp Ireland Limited and in which breach of GDPR obligations were established. As rightly

pointed out by the IT SA, the LSA indeed considered in both decisions that the controller had not
provided transparentinformationon thelegalbasisandpurposesofthe processing operationsor sets

ofprocessing operationscarriedout,therebyinfringing Article5(1)(a),Article12(1)andArticle13(1)(c)
GDPR 648.

351. TheITSA contendsthat,totheextentthatMetaIEandWhatsAppIrelandLimitedarepartofthesame
corporategroup, theprevious decision concerning WhatsAppIrelandLimited“setsa keyprecedentin

assessing a controller’srepetitive conduct”,as“not onlydid the controller in question clearlystickto
the same business modelin offering its different social networking services,it also did not change its
assessment as to how to manage users’ data with particular regard to its information and
649
transparencyobligations” . The IE SA disagreeswiththis objection, considering thatArticle83(2)(e)

646EDPBGuidelinesonAdministrativeFines,paragraph93.
647Meta IEArticle65Submissions,paragraph10.3.AccordingtoMeta IE’s theDPCFinalDecisionIN-18-12-2

againstWhatsAppIrelandLimitedconcerns‘’whollyseparateproceedinginvolvingwhollyseparateallegations
andclaims’’.
648DPCFinalDecisionIN-18-12-2concerningWhatsAppIrelandLimited,20August2021,paragraphs496,591
and595,availableat: https://edpb.europa.eu/system/files/2021-09/dpc final decision redacted for issue
to edpb 01-09-21 en.pdf;DraftDecision,p.71.
649
ITSAObjection,p.9.

90
Adopted GDPRcannot apply in the circumstancesof thiscase insofar as itsdecision againstWhatsApp Ireland
650
Limitedwasaddressedtoa different controller .

352. In this respect, the EDPB notes that Meta IE and WhatsApp Ireland Limited are both subsidiaries of
MetaPlatforms, Inc. 651.Nonetheless,the EDPBrecallsthat the GDPRdrawsa distinction betweenon
the one handthe “controller”or“processor” 652,whichare responsible for complying withthe rulesof

the GDPR,andonthe otherhand the“undertaking” 653towhichthe controller or processor is partof,
andthatmaybefound jointly andseverallyliable for thepaymentofthe fine 65.Inthiscontext,Article

83(2)(e)GDPRexplicitlyreferstotheneedtoconsider previousrelevantinfringementscommitted‘’by
thecontrolleror processor’’(emphasis added).

353. Therefore,the EDPBconsiders thatthe Final Decisiondoes not needtorefer tothe infringements by

WhatsAppIrelandLimited,asestablishedinDecisionIN-18-12-2,asanaggravatingfactorunderArticle
83(2)(e) GDPRfor thecalculationof thefine.

Theeffectiveness,proportionalityanddissuasiveness ofthe administrativefine (Article 83(1)GDPR)

354. Withregardtoeffectivenessofthe fines, theEDPBrecallsthattheobjective pursuedby thecorrective

measure chosencanbe tore-establishcompliance withthe rules,or topunish unlawfulbehaviour, or
both 655. In addition, the EDPB notes that the CJEU has consistently held that a dissuasive penalty is
one that has a genuine deterrent effect. Inthat respect, a distinction canbe made betweengeneral

deterrence (discouraging others from committing the same infringement in the future) and specific
deterrence(discouraging theaddressee of the fine from committingthe same infringement again) 656.

Therefore, in order to ensure deterrence, the fine must be set at a level that discourages both the
controller or processor concerned as well as other controllers or processors carrying out similar

processing operations from repeating the same or a similar unlawful conduct. Proportionality of the
fine needs also to be ensured as the measure must not go beyond what is necessary to attainthat
657
objective .Inthisrespect,theEDPBdisagreeswithMetaIE’sviewsthatthereisnobasis toconclude
thatthe amount ofthe fine must have a generalpreventive effect 65.

650CompositeResponse,paragraph125.AccordingtotheIE SA, this stems directlyfromthewordingofArticle
83(2)(e) GDPR, which ‘’expressly states that only relevant previous infringements by the same controlleror

651cessormustbetakenintoconsideration’’.
DPCFinalDecisionIN-18-12-1concerningWhatsAppIrelandLimited,20August2021,paragraph872;Draft
Decision,paragraphs5and288.
652SeeArt. 4(7)-(8)GDPR.
653AccordingtoRecital150,‘’whereadministrativefinesareimposedonanundertaking,anundertakingshould

beunderstoodtobeanundertakinginaccordancewithArticles101and102TFEUforthosepurposes’’.According
to settled case-law of theCJEU, the term ‘undertaking’ “encompasses every entity engagedin an economic
activity,regardlessofthelegalstatusoftheentityandthewayinwhichitisfinanced’’(see,inthisregard,EDPB
BindingDecision1/2021,paragraph292).
654
655EDPBBindingDecision1/2021,paragraph290.
EDPBGuidelinesonAdministrativeFines,p.6.
656See, interalia,C-511/11,Versalis,paragraph94.
657SeeJudgementoftheGeneral Courtof14October2021,MTvLandespolizeidirektionSteiermark,C‑231/20,
, ECLI:EU:C:2021:845,paragraph 45(“theseverityofthepenaltiesimposedmust[…]becommensuratewiththe

seriousness of the infringements forwhich they are imposed, in particularby ensuring a genuinelydeterrent
effect, whilenotgoingbeyondwhatisnecessarytoattainthatobjective”).
658Meta IEArticle65Submissions,Annex1,paragraphs,2.22,5.16,7.16,8.30and9.23.

91
Adopted355. The EDPB reiterates that it is incumbent upon the supervisory authorities to verify whether the

amount of the envisaged fines meets the requirements of effectiveness, proportionality and
dissuasiveness, or whetherfurther adjustmentstothe amountarenecessary,considering the entirety

of the fine imposed and allthe circumstancesof the case,including e.g.theaccumulationof multiple
infringements, increases and decreases for aggravating and mitigating circumstances and
659
financial/socio-economic circumstances . Further, the EDPB recallsthat the setting of a fine is not
an arithmeticallyprecise exercise 66, andsupervisory authoritieshave a certainmarginof discretion
661
inthis respect .

356. The DE,FR,IT,NL,andNOSAs ,object tothe level ofthe fine envisaged inthe DraftDecisionas they

consider the proposed fine not effective,proportionate anddissuasive (Article83(1) GDPR) 662.

357. These CSAs arguethatthe elementsof Article83(2)GDPRarenot weighedcorrectlybythe LSA when
calculating the administrative fines in the present case, in light of the requirements of Article 83(1)
663
GDPR .Specifically,theDE,FR,IT, NLandNOSAs arguethatthefine envisagedintheDraftDecision
isnot proportionatewithIESA’sfindings inrelationtothenatureandseriousness oftheinfringements
664
andthe number of datasubjects concerned .

358. In addition, these CSAs argue that the fine is not effective, proportionate and dissuasive taking into
account thefinancial position of MetaPlatform,Inc. 66.

359. The EDPBtakesnote of MetaIE’sdisagreement withthe fine proposed by the IESA 666 andtheir view
that the LSA alreadyconsiders all factorsit considered tobe relevant toArticle 83(2) GDPR andthat

‘’noneoftheCSAs have createdanyreasonable doubt asto thevalidity ofthe DPC’scalculation’’ 667.

360. The EDPB notes that in the Draft Decisionthe IE SA indicates being satisfied the proposed fines are
effective, proportionate and dissuasive, taking into account all the circumstances of the IE SA’s
668
inquiry . TheIESAassessed thedifferentcriteriaofArticle83(2)GDPRinrelationtothe transparency

659EDPB Guidelines on calculation offines, paragraph 132, and EDPB Guidelines on AdministrativeFines, p. 6,

specifyingthat”administrativefinesshouldadequatelyrespondtothenature,gravityandconsequencesofthe
breach, and supervisory authorities must assess all the facts of the case in a mannerthat is consistent and
objectivelyjustified”.
660See Judgement of the General Court of 22 September 2021, AlticeEuropeNV v Commission, T 425/18,
ECLI:EU:T:2021:607, paragraph 362; Judgement of theGeneral Court of 5 October 2011, Romana Tabacchi v

Commission,CaseT‑11/06,ECLI:EU:T:2011:560, paragraph 266.
661See, inter alia, judgement of the General Court of 16 June 2011, Caffaro Srl v Commission, T-192/06,
ECLI:EU:T:2011:278, paragraph 38.SeealsoEDPBGuidelinesoncalculationoffines,p.2.
662
DE SAs Objection,pp.10-12;FRSAObjection,paragraphs36-48;ITSAObjectionpp.7-10;NLSAObjection,
paragraphs39-53;NOSAObjection,pp.9-13;
663DESAs Objection,p.11;FRSAObjection,paragraph47;ITSAObjectionpp.7-8;NLSAObjection,paragraph
50;NOSAObjection,pp.11-12
664
DESAs Objection,p.11;FRSAObjection,paragraph38;ITSAObjection,p.8;NLSAObjection,paragraph42
and48;NOSAObjection,p.12.
665DESAs Objection,p.11;FRSAObjection,paragraph38-40;ITSAObjection,pp.8;NLSAObjection,paragraph
48-49;NOSAObjection,pp.11-12.
666
Meta IEArticle65Submissions,paragraph9.1.
667Meta IEArticle65Submissions,paragraph9.3.
668DraftDecision,paragraphs255-258.

92
Adopted infringements found 669. The IE SA considered the infringements as serious in nature 670, andin terms

of gravityofthe infringements found a significant levelof non-compliance 671. Furthermore,the EDPB
underlines that, as established by the IE SA, the infringements affect a significant number of data

subjects 672 and are extensive 673. The EDPB also observes that the IE SA considered the negligent
character ofthe infringement 674, aswell as the high level of responsibility of Meta IE for the lackof

compliance with the GDPR 675 as aggravating factors under Article 83(2) GDPR. Further, the IE SA
qualifiedthelevelofdamagesufferedbydatasubjectsassignificant 676.Inaddition,theIESAidentified

only one mitigating factor, without indicating, however, whether this should lead to a slight or
substantialreductionof the fine range 677.

361. MetaIEarguesthatreputationcostsshould alsobe takenintoconsideration, citingthe IESA’sremark
678
on “the significant publicity that a fine in this region will attract” . Onprinciple, the EDPB agrees
thatreputationcostscould be takenintoconsideration tosome extent,ifcredible argumentsareput
679
forward about the grave detriment that would ensue. Meta IE does not present such arguments .
The EDPBisoftheview thatinthis caseother incentiveswouldoffset anyreputationalcosts. Asfaras

advertisers are concerned, Meta IE puts forward that “The personalised nature of the Instagram
Service is also the reason why it has been instrumental in the success of small and medium sized

businesses (“SMBs”) worldwide, including across the EU. Personalisation on social media and other
digitaltechnologies,including theInstagram Service,enablesSMBstocompeteforcustomersthrough

“customizing [sic] productsand services,[...]building a unique brand image,tailoring marketing to a
specific audienceand developing a strong one-to-oneconnectionwith a communityof customers’’ 680.
As far asusers of the Instagramservice are concerned,there are networkeffectsat playwhich leads

to incentives to join - or not leave - the platform, so as not to be excluded from participating in
discussions, corresponding withandreceiving informationfrom others 68.

362. According tothe DE, FR, and IT SAs, the proposed fine is not consistent with the fine of 225 million

eurosdecideduponbytheIESAinitsdecision dated20August2021againstWhatsAppIrelandLimited

669
DraftDecision,paragraphs209-252.
670DraftDecision,paragraphs212-215and253.
671DraftDecision,paragraphs216-217and253.
672
673DraftDecision,paragraphs223-225and253.
DraftDecision,paragraph221.
674DraftDecision,paragraphs230-233and253.
675 Draft Decision, paragraph240. The IE SA considers that ‘’Meta Ireland should have been aware of the

appropriate standards– albeit at a general level – and, having made a deliberate decision to present the
information in a mannerwhich fellsignificant below the standard required, hasa high degree of responsibility
forthe lackofcompliancewiththeGDPR’’.
676TheIESAfindsitsufficientlyshownthat“rightshavebeendamagedinasignificantmanner,giventhelackof

677pportunitytoexercisedatasubjectrightswhilebeingfullyinformed”,DraftDecision,paragraph229
DraftDecision,paragraphs234-236.
678CompositeResponse, paragraph 119. SeeMeta IE Article65 Submissions, Annex 1, paragraphs 2.26, 5.24,
7.20,8.31.
679Meta IE states that“evenifMetaIrelandorothercompaniescouldeverconsiderthatmulti-millionfinesare

negligible from a financial point of view (a statement that is unsubstantiated anddisputed), such companies
wouldobviouslybeconcernedbythereputationalcostofsuchfines.”Meta IE Article65Submissions,Annex1,
paragraphs2.26,5.24,7.20,and8.31.
680Meta IEArticle65Submissions,paragraph6.23.
681
NO SA Objection, p. 5. Inthesamevein, theFR SAdescribes Meta IE’s position as quasi-monopolist (FR SA
Objection,paragraph38).

93
Adopted for the same transparencyinfringements(breaches of Articles12 and 13 GDPR) 68. Inparticular, the

DE SAs point out that ‘’the facts and the seriousness of the infringements in the two cases are no
sufficiently different to justify a difference of 85% in the fine imposed’’83. The FR and IT SAs also

comparewiththe fine of 746million euros decidedbythe LU SA initsdecision of 15July 2021 against
the companyAmazonEurope Core for carryingout behaviouraladvertising without a validlegalbasis

andfor transparencyinfringements(Articles 6,12 and13 GDPR) 684.While theEDPBagreeswithboth
theIESAandMetaIEthatimposingfinesrequiresacase-by-caseassessment under Article83GDPR 685,

the EDPB notes that the cases cited by the DE, FR and IT SAs do show marked similarities with the
currentcase,astheybothrefertolargeinternetplatformsrunbydatacontrollerswithmulti-national

operations and significant resources available tothem, including large, in-house, compliance teams.
Moreover, there are similarities with regards to the nature and gravity of the infringements
686
involved . Thus, these casescangive anindication onthe matter.

687
363. The DE,FR,ITandNOSAscalculatethatthe envisagedupper limit of thefine rangeisabout 0.03%
of the global annual turnover of Meta Platforms, Inc., which the DE SAs note is about 0.72% of the
688
maximum ceiling provided for in Article 83(5) GDPR . For illustrative purposes also, is the amount
oftimeit wouldtakeMetaPlatforms,Inc.onaveragetogenerate23millioneurosinturnover in2020,
689
whichwasabout 2 hours and33 minutes .

364. The EDPB agreeswith the objections raised that - if the proposed fine was to be imposed for the
transparency infringements - there would be no sufficient special preventive effect towards the
controller, nor a credible generalpreventive effect 69.The proposed fine amount,even where a final

amountattheupper limitoftherangewouldbe chosen, isnot effective,proportionateanddissuasive,
in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of

doing business 691. Asbehavioural advertising is atthe core of MetaIE’sbusiness model 692, the riskof
this occurring is allthe greater69.Bybearingthe cost of the administrative fine, the undertaking can

avoidbearing the cost ofadjusting their business modeltoone that iscompliant aswellasanyfuture
losses that wouldfollow from theadjustment.

682
DESAObjection,p.11-12;FRSAObjection,paragraph42;ITSAObjection,p.8.TheIESA’s decisioninthis
case(caseIN-18-12-2)isunderappealbeforetheIrishcourts.
683DESAObjection,p.12.
684
685FRSAObjection,paragraph43;ITSAObjectionp.8.
DraftDecision,paragraph219-220;Meta IEArticle65Submissions,pargraphs2.23,5.18,7.17.
686Inthis regard,theDE SApoints outthatinbothdecisionstheIESAstatedthattheprovisionsinfringed‘’go
tothe heartofthegeneralprincipleoftransparencyandthefundamentalrightoftheindividualtoprotectionof

his/herpersonal data which stems from the free will andautonomyof the individual to share his/herpersonal
data”.DESAObjection,p.11.
687DESAObjection,p.11;FRSAObjection,paragraph40;ITSAObjection,p.8;NOSAObjection,p.12.
688DESAObjection,p.11.
689Basedonthetotal annualturnoverof2020beingEUR79billioncalculatedbytheNLSAinits objection(NL

SAObjection,paragraph49)onthebasisoftheturnoverofMeta Platforms,Inc.referredtointheDraft
Decision(86billiondollars).Thus,a fineofEUR23millionwouldhavetaken2h33togenerate.
690DESAObjection,p.12; ITSAObjection,pp.8-9;NOSAObjection,p.12;FRSAObjection,paragraph47.
691NOSAObjection,p.11.
692
DraftDecision,paragraphs102,221,227and251.
693NOSAObjection,pp.11-12.

94
Adopted365. Though the IE SA touches upon the notions of effectiveness, proportionality and dissuasiveness in
relation to the proposed fine 69, there is no justification based on elements specific to the case to

explain the modest fine range chosen. Moreover, the EDPB notes that while the IE SA takes into
considerationthe turnoverof theundertakingtoensure thatthefine it proposed doesnot exceedthe
695
maximum amount of the fine provided for in Article83(5) GDPR ,theIESA does not articulatehow
andtowhatextentthe turnover ofthisundertaking isconsidered toascertainthatthe administrative
696
fine meetsthe requirementof effectiveness, proportionality and dissuasiveness . Inthis regardthe
EDPB recalls that, contraryto Meta IE’sviews 69, the turnover of the undertaking concerned is not
exclusively relevant for the determination of the maximum fine amount in accordance with Article

83(4)-(6) GDPR,butshould alsobe consideredfor thecalculationof thefine itself, whereappropriate,
toensure the fine iseffective,proportionate anddissuasive inaccordancewithArticle 83(1)GDPR 698.

The EDPB therefore instructs the IE SA to modify its Draft Decision to elaborate on the manner in
which the turnover of the undertaking concerned has beentakeninto account for the calculationof
the fine.

366. In light of the above, the EDPB considers that the proposed fine does not adequately reflect the

seriousness andseverity of the infringements nor has a dissuasive effect on Meta IE. Therefore, the
fine does not fulfil the requirement of being effective, proportionate and dissuasive in accordance
with Article 83(1) and (2) GDPR. Inlight of this, the EDPB directs the IE SA to set out a significantly

higher fine amount for the transparencyinfringementsidentified, in comparison withthe upper limit
for the administrative fine envisagedin the Draft Decision. Indoing so, the IESA must remainin line

withthe criteriaof effectiveness, proportionality, anddissuasiveness enshrined inArticle 83(1)GDPR
inits overallreassessment of the amountof the administrativefine.

9.2 On the determination of anadministrative finefor further infringements

9.2.1 Analysis bythe LSA in the Draft Decision
367. The IE SA in the Draft Decisionconcludes that Meta IE hasnot sought to relyon consent in order to

processpersonal datatodeliver itsservice asoutlinedinthe InstagramTermsofUseandis not legally
obligedtorelyon consent inorder todo so(Finding 1) 699. Alongside, theIE SA concludes thatMetaIE

can rely on Article 6(1)(b) GDPR as a legalbasis to carryout the personal data processing activities
involved inthe provision of itsservice tousers, including behaviouraladvertisinginsofar asthatforms
700
a core part of the service (Finding 2) . In these terms, the IE SA did not propose to establish an
infringement ofArticle 6(1)GDPR.

694
DraftDecision,paragraphs255-258.
695DraftDecision,paragraph295.
696EDPBGuidelinesoncalculationoffines,paragraph120.
697Meta IEArticle65Submissions,paragraphs9.8-9.10.Inaddition,Meta IE’sargumentthat“[turnover]isnota

relevant consideration whendeterminingthe amount of the fine underArticle 83(2) GDPR”is not withinthe
scopeofthedisputeasnoCSAsraisedanobjectionontheconsiderationofturnoverunderthisprovision(Meta
IEArticle65Submissions,paragraphs9.5-9.8).
698EDPBBindingDecision1/2021,paragraphs405-412.
699DraftDecision,p.23.
700DraftDecision,paragraphs111-115andp.40.

95
Adopted368. Inaddition, no infringement of Article 9(1) GDPR hasbeen found as the IE SA has not identified and

separatelyassessed anyprocessing of specialcategoriesofpersonal databyMetaIEin thecontext of
InstagramTermsof Use.

369. The IESA initsDraftDecision concludes thatMetaIEhasinfringed Article5(1)(a), Article 13(1)(c)and
Article12(1)GDPRduetothelackoftransparencyinrelationtotheprocessing for whichArticle6(1)(b)

GDPRhasbeenreliedon (Finding 3) 701.

9.2.2 Summary ofthe objections raised bythe CSAs
702
370. The AT, DE,FR, IT, NO, andSE SAs object tothe LSA’s failure totake actionwithrespect toone or
more specific infringementstheydeem should have beenfound and askthe IESA toimpose a higher
administrativefineas a resultoftheseadditionalinfringements.

Objectionsrequesting the imposition of a fine for the additional infringement of Article 6(1)GDPR or

Article6(1)(b) GDPR

703
371. TheDEandFR SAsaskfor theadministrative fine tobe increased asa consequence ofthe proposed
finding of an infringement of Article 6(1) GDPR704. The AT, NOandSE SAs argue that the fine should
705
be increasedfollowing the finding of aninfringement ofArticle 6(1)(b) GDPR .

372. The DE SAs state that the fact that Article 6(1) GDPR was infringed is not properly reflected in the

calculationofthefine intheDraftDecision 706.TheDESAsarguethatinthecurrentcasetheprocessing
of personal data was performed without a legal basis as consent of the data subjects would be

required,whichwasnot given,andthatthe“DraftDecisionisinsofar not incompliancewithArticle83
GDPR as it does not consider the additional infringement of Articles 5(1)(a), Art. 6(1), 9(1) when
707
calculating the amount of the administrative fine” . The DE SAs state that it is a highly serious
infringement under Article 83(2)(a) GDPR considering that personal data of at least
708
individuals were affected .TheDE SAs also highlight thatthe fine imposed needs toaim toprevent
further infringementsof theGDPR;first, itshould have “specialpreventive”effects,meaningthatthe
amount imposedneeds tobe such that“itisnot tobeexpectedthatthespecificcontrollerwillcommit

similar infringementsagain” byhaving“such anoticeableimpacton theprofitsoftheundertakingthat
future infringementsofdata protectionlaw would not be ‘discounted’ into the processing performed

701
702DraftDecision,p.71.
AT SAObjection,pp.11-12;DESAs Objection,p.10and12;FRSAObjection,pp.9-10.;NOSAObjection,pp.
9-13;SESAObjection,pp.4-5.
703FRSAObjection,paragraph44;DESAs Objection,p.10.
704DESAs Objection,pp.1-6andpp.9-10;FRSAObjection,paragraphs5-14,33and52;
705
AT SAObjection,pp.11-12;NOSAObjection,pp.10-11;SESAObjection,pp.4-5.
In addition, also theDE (DE SAs objection, p. 10), FI and NO (NO SA objection, p. 9) SAs (FI SA Objection,
paragraph26)arguethatanadministrativefineshouldbeimposedfortheinfringementofArticle6(1)(b)GDPR;
however, this aspect of theobjectionraisedby the DE, FI and NO SAs was deemed to be not relevant and

706sonedbytheEDPBinparagraph85above.
DESAs Objection,p.10.
707DESAs Objection,p.10.
708DESAs Objection,p.10.

96
Adopted by the undertaking lightly”; secondly, it should have ‘’generalpreventive” effects by leading other

controllersto“make asignificant effortto avoid similar violations” 709.

373. The FRSA considers thatsome violations arewronglynot included inthe DraftDecision 710andargues
that “since it considers that breach of Articles 6 has been committed, which is added to the other

breachesfound by the Irish data protection authority, the amount proposed by the latter should be
accordinglyincreased” 71.TheFRSArecallsthatthesame approachofcumulating theamountsofthe
712
fine hasbeenadoptedby theEDPBin points 324 to327 ofits Binding Decision1/2021 .

374. On risks posed by the Draft Decision, the DE SAs explain that the shortcoming of the Draft Decision
would cause significant risks for the fundamentalrightsandfreedoms of the datasubjects, “because

an effectiveenforcement oftheGDPR,which isthepreconditionfortheprotectionofthefundamental
rights and freedoms of the data subjects, cannot be ensured’’ 713. The DE SAs also point out that

administrative fines shall in eachindividual case be effective,proportionate anddissuasive and both
special andgeneralpreventive since these two“conceptsaim to protect the fundamentalrightsand
714
freedom ofthe data subjectsby preventingfurther infringementsof the GDPR” .Moreover,theDE
SAs raisethat“thenon-compliance withone ofthecentralprovisions oftheGDPRwould not have any

negativefinancial impacton theundertakingand therefore,fromaneconomicalpoint ofa view could
beareasonable optionfor controllers’’ 715.TheFRSAconsiders thatadoptingthe IESA'sDraftDecision

asitstands“presentsarisktothefundamentalrightsand freedomsofthedata subjects,inaccordance
with Article 4(24)of the GDPR” 716and“would lead to a levelling down of the levelof administrative
fines imposed by European data protection authorities, thereby reducing the authorities' coercive

power and, consequently, their ability to ensure effective compliance with the protection of the
personaldata ofEuropean residents” 717.

***

375. The AT,NOand SE SAs, whichconsidered that theIE SA should have found aninfringement of Article

6(1)(b)GDPR 71,askfor theadministrativefine tobeincreasedasa consequence ofthatinfringement.

376. The AT SA arguesthat “theadditional infringement [of Article 6(1)(b) GDPR]is not properlyreflected
in the envisaged amount of the administrative fine” and that the IE SA’s Draft Decision is not in

compliance withArticle83 GDPRinsofar asit does not consider the additionalinfringement of Article
6(1)(b) GDPRwhencalculatingthe amount ofthe administrative fine 719.

709DESAs Objection,p.10.
710
FRSAObjection,paragraph44.
711FRSAObjection,paragraph44.
712FRSAObjection,paragraph44.
713DESAs Objection,p.12.
714
DESAs Objection,p.10.
715DESAs Objection,p.12.
716FRSAObjection,paragraph47.
717FRSAObjection,paragraph48.
718
AT SAObjection,pp.1-7;NOSAObjection,pp.10-11;SESAObjection,pp.2-3.
719AT SAObjection,p.11.

97
Adopted377. The NO SA statesthat anadministrative fine should be imposed for MetaIE’sprocessing of personal
720
datainthecontext ofonline behaviouraladvertisingwithout avalidlegalbasis . The NOSA analyses
severalof the criteria listedin Article 83(2) GDPR in order to prove the need of the imposition of an
721
administrative fine . Specifically, the NO SA argues that an administrative fine of a substantial
amount is needed, in light of the nature andgravityof the infringement (giventhat “the principle of
lawfulness [...] is a fundamental pillar of the GDPR” and “processing personal data without a legal

basis is a clear violation of the data subjects’ fundamental right to data protection because no one
should have to tolerate processing of their personal data save for when it is legitimised by the
722
legislators” ), as well as the scope of the processing (“wide”, as ‘’all data subject activity may
potentiallybeusedfor OBApurposes”),the number ofdatasubjects affectedinthe EEA(“hundredsof

millions”) and the intangible damage suffered by them (Article 83(2)(a) GDPR), the high level of
responsibility of Meta IE(Article 83(2)(d) GDPR),the categoriesof personal datainvolved (“of a very

personal and private nature”, able to“revealintimate detailsofthe data subjects’ lifestyle, mindset,
preferences,psychologicalwellbeinget cetera”)(Article83(2)(g)GDPR)andanadditionalaggravating

factor(highlikelihood of contributiontodevelopment of‘’targetingalgorithmswhichmaybeharmful
onanindividual andsocietallevel’’,Article83(2)(k)GDPR) 723.

378. The SE SA arguesthat“theDraftDecisionis not in compliance withArticle 83 insofar asthe additional
infringement of Article 6(1)(b) is not considered in calculating the administrative fine” and that “an

administrative fine pursuant to Article 83 GDPR cannot be regarded as ‘effective, proportionate and
dissuasive’ when the provision that the processing is based on, namely Article 6(1)(b) GDPR, was

infringed and when this infringement is not properly reflected in the envisaged amount of the
administrativefine” 724.TheSESAtakestheview thatthattheintentionalcharacteroftheinfringement
(Article83(2)(b) GDPR)andthefinancialbenefitsgainedfrom theinfringement (Article83(2)(k)GDPR)

must be found as aggravating factors 725. Astointentionality, the SE SA arguesthat the switch from
consent toArticle6(1)(b)GDPRin2018 suggeststhisactwasdone withthe intentionof circumventing

the new rights afforded to users by the GDPR when the processing relies upon consent, and that in
anywaytheinfringement needstobe consideredasintentionalatleast asofthe moment ofadoption

of the EDPB Guidelines on Article 6(1)(b) GDPR which “clearly gives doubt to the legality of the
processing” 726.Astothefinancialbenefitsgained,theSE SAargues“MetaIrelandhasmadesignificant

financial gain from being able to provide personal advertisementaspart ofa whole takeit or leaveit
offer for its social media platform service” andthat due tothe unclear information provided todata

subjects itcanbe reasonablyassumedthatmore datasubjectshave beenmisledintobeing subject to
the processing 727. Lastly, the SE SA considers it would be appropriate to take into account Meta IE’s
turnover for the calculationofthe fine inorder tomake it effective anddissuasive 728.

720NOSAObjection,p.10.
721NOSAObjection,p.10-11.
722
TheNO SAalsohighlightsthat“[behaviouraladvertising]entailsprofiling,whichinherentlyconstitutesrisks
forthe datasubjects’integrity”.
723NOSAObjection,p.10-11.
724SESAObjection,p.4.
725
726SESAObjection,p.4.
SESAObjection,p.4.
727SESAObjection,p.4.
728SESAObjection,p.4-5.

98
Adopted379. Onrisks posed bythe DraftDecision, theAT SA arguesthat“should theDraft Decisionbe approvedin

its current version, the risks for the fundamental rights and freedomsof data subjects lie in the fact
that theactionenvisagedin relationto the controlleris likelyto fall short ofthe proportionalityand–

above all– dissuasiveness requirementssetforthin Article83 GDPR”andthat“ignoring infringements
of the GDPRwhencalculatingfines would lead to lesser compliance with the GDPRand ultimatelyto
lesserprotectionofdatasubjectsinrelationtotheprocessing ofpersonaldata” 72.TheNOSA explains

thatnot imposing afine for the lackof legalbasis createsthe risk thatthe violatedprovisions arenot
respectedby MetaIEor other controllersand the LSA would not be able toeffectively safeguardthe

data subjects’ rights, and that “in absence of corrective measures that create the appropriate
incentivesfor [MetaIE]andothercontrollersto changetheir behaviour,the same or similar violations
730
arelikelyto reoccurtothedetrimentofthecomplainantandotherdata subjects” .TheSE SA argues
the infringement of Article 6(1)(b) GDPR “is not properly reflected in the envisaged amount of the

administrative fine,it shows controllers(MetaIreland included)thatenforcementoftheGDPRand its
provisions is not effective.Thisthreatenscompliancewith the GDPRon a generallevel, seeing ashow

non-compliance could be a viable option for controllers when the costs for compliance are greater.
Given the proposed changed findings regarding legal basis, there are significant risks to the
fundamental rights of data subjects if these does not also merits a substantive increase in fines to
731
dissuade MetaIrelandand other controllers” .

Objectionsrequestingthe imposition of a fine for theadditional infringementof Article9 GDPR

380. The DE and FR SAs argue that, as the IE SA should have identified and separately assessed any
processing of specialcategoriesofpersonaldataunder Article 9GDPRinthe contextofthe Instagram

Terms of Use and that Meta IE processes the entire amount of data it holds, including special
categoriesof data in breachof Articles6 and9 GDPR 732,the amount of the fine should be increased
733
accordingly .

381. The DE SAs state that “the infringement ofArticle 5(1)(a), Article 6(1)and Article 9(1) GDPR [...]also
entailsanadministrativemeasureand a fine accordingtoArt.83(2)(5)GDPR” 734,andarguethatthese
735
infringements are “serious” . The FR SA considers that a breach of Article 9 GDPR is wrongly not
included in the Draft Decision 736 and that the amount of the fine proposed by the LSA should be
increased in light of the addition of such infringements to those already established 73. The FR SA

recallsthatthe same approachof cumulatingthe amounts ofthe fine hasbeen adoptedbythe EDPB
inpoints 324 to327 of the Binding Decision1/2021 73.

382. On risks posed by the Draft Decision, the DE SAs explain that the shortcoming of the Draft Decision

would cause significant risks for the fundamentalrightsandfreedoms of the datasubjects, “because
an effectiveenforcement oftheGDPR,which isthepreconditionfortheprotectionofthefundamental

729AT SAObjection,p.12.
730NOSAObjection,p.12.
731
SESAObjection,p.5.
732SeeSection5.2.,paragraphs150-155.
733DESAs Objection,pp.7-8;FRSAObjection,paragraph30.
734DESAs Objection,p.10.
735
736DESAs Objection,p.10.
FRSAObjection,paragraph44.
737FRSAObjection,paragraph44.
738FRSAObjection,paragraph44.

99
Adopted rights and freedoms of the data subjects, cannot be ensured’’ 73. The DE SAs also point out that

administrative fines shall in eachindividual case be effective,proportionate anddissuasive and both
special andgeneralpreventive since these two“conceptsaim to protect the fundamentalrightsand
740
freedom ofthe data subjectsby preventingfurther infringementsof the GDPR” .Moreover,theDE
SA raisesthat“thenon-compliance withone ofthecentralprovisions oftheGDPRwould not have any

negativefinancial impacton theundertaking and therefore,fromaneconomicalpoint ofa view could
beareasonable optionfor controllers’’ 74.TheFRSAconsiders thatadoptingthe IESA'sDraftDecision

asitstands“presentsarisktothefundamentalrightsand freedomsofthedata subjects,inaccordance
with Article 4(24)of the GDPR” 742and“would lead to a levelling down of the levelof administrative
fines imposed by European data protection authorities, thereby reducing the authorities' coercive

power and, consequently, their ability to ensure effective compliance with the protection of the
personaldataofEuropeanresidents” 743.

Objections requesting the imposition of a fine for the additional infringement of Article 5(1)(a) and

5(1)(b)-(c) GDPR

383. The IT SA arguesthat the fine should be increasedfollowing the finding of aninfringement of Article
744 745
5(1)(a) GDPR , and of Article 5(1)(b) and Article 5(1)(c) GDPR . As stated in Section 6.2 of this
Binding Decision, the IT SA agrees to a large extent with the Draft Decision’s Finding 3 on the
infringement ofArticle12(1), Article13(1)(c), andArticle5(1)(a)GDPRintermsoftransparency 746but

itarguesthatMetaIEhasalsofailedtocomplywiththemoregeneralprincipleoffairnessunder Article
5(1)(a) GDPR, which, in the view of the IT SA, entails separate requirements from those relating

specifically to transparency747.Moreover,as analysedin Section 7.2,the IT SA statesthatthere is an
additional infringement of points (b) and (c) of Article 5(1) GDPR on account of Meta IE’sfailure to
748
comply withthe purpose limitationanddataminimisation principles . The ITSA asks for afine tobe
issued for those two additional infringements. With regardtoArticle 5(1)(a) GDPR, the IT SA argues

thatthe finding of such infringement“should resultinto theimposition of the relevantadministrative
fine asperArticle83(5)(a)GDPR”asfaras“theinfringementofthefairnessprinciple in additionto the

transparencyone [...] should result into increasing the amount ofthe said fine substantiallybyhaving
regardto the requirementthateach fine should be proportionate and dissuasive. Indeed,thegravity
749
of the infringementwould be factually compounded” .With referenceto Article 5(1)(b) andArticle
5(1)(c) GDPR,theIT SA considers that “theinfringementof purpose limitation and data minimisation
principles(...)should result into increasing the amount of the said fine substantially by having regard

to the requirement that each fine should be proportionate and dissuasive. Indeed, the gravityof the
infringementwould befactually compounded” 75.

739
740DESAs Objection,p.12.
DESAs Objection,p.10.
741DESAs Objection,p.12.
742FRSAObjection,paragraph47.
743FRSAObjection,paragraph48.
744
ITSAObjection,Section2,p.7
745ITSAObjection,Section2,p.4
746ITSAObjection,Section2,pp.4-5.
747ITSAObjection,Section2,pp.4-7
748
ITSAObjection,Section1,pp.2-4.
749ITSAObjection,pp.6-7
750ITSAObjection,p.4.

100
Adopted384. On the significance of risks posed by the Draft Decision, the IT SA arguesthat “the failure to find an

infringement ofArticle5(1)(a) GDPRasfor the fairnessprinciple may becomea dangerousprecedent
with a view to future decisions concerning other digital platform operators– more generally, other

controllersthatrelyonthesamebusiness model–and markedlyweakenthesafeguardstobeprovided
by way of the effective, comprehensive implementation of the data protection framework including
thefairness ofprocessingprinciple” 751.Withreference toArticle5(1)(b) andArticle5(1)(c) GDPR,the

ITSA addsthat,should theDraftDecision be approvedin itscurrent version, the infringement oftwo
key principles of the whole data protection framework as introduced by the GDPR will not be

punished, “which would seriously jeopardise the safeguards the data subjects (Instagram users) are
entitledto” 752.

9.2.3 Position ofthe LSA on theobjections

385. The LSA considers none of the objections requesting the imposition of a fine for the proposed
additional infringements as meeting the threshold set by Article 4(24) GDPR 753. Given that these

objections were premised upon the requirement for the Draft Decision to include findings of
infringement of Article 6(1)(b), Article 9, Article 5(1)(a), 5(1)(b) and5(1)(c) GDPR,on which the IE SA

expressed its disagreement – the IE SA does not consider the objections requesting exercise of a
correctivepower in response tothese findings ofinfringement asbeing relevant andreasoned.

9.2.4 Analysis ofthe EDPB

9.2.4.1 Assessmentof whethertheobjectionswererelevantandreasoned
386. The objections raised by the AT,DE,FR, IT,NO,and SE SAs concern“whethertheaction envisaged in
754
theDraft Decisioncomplieswith theGDPR” .

387. The EDPBtakesnote of MetaIE’sview that not a single objection put forwardbythe CSAs meetsthe
threshold of Article 4(24) GDPR 755. Meta IE rejects the objections in this section based on its view
that the LSA has sole discretion to determine corrective measures 756. The EDPB responds to these

arguments above (see Section 8.4.2) and is of the view that CSAs may ask for specific corrective
measurestobe takenby the LSA, whetherthis concernsinfringements alreadyidentified in theDraft
757
Decision or as a result of the one identified by the CSA in its objection . Meta IE refutes the
allegations of additional infringements put forward in the objections, and by consequence, any
758
demands for increasing the administrative fine in relation them . The EDPB recalls that the
assessment ofadmissibility ofobjections and theassessment of themeritsare twodistinct steps 75.

388. The EDPB finds that the objections concerning the increase of the administrative fine in connection
withthe additional infringement ofArticle 6(1)/6(1)(b) GDPRand/or Article 9 GDPRraisedby the AT,

751ITSAObjection,p.7.
752ITSAObjection,p.4
753CompositeResponse,paragraph110..
754
EDPBGuidelinesonRRO,paragraph32.
755Meta IEArticle65Submissions,Annex1,p.65.
756Meta IEArticle65Submissions,Annex1,paragraphs1.31,2.21,5.18,7.15,9.22,and10.16.
757EDPBRROGuidelines,paragraph34.SeealsoRecital150GDPR.TheEDPBfoundseveralobjectionsonthis

758jectmatteradmissibleinthepast,seeBindingDecision2/2022,paragraphs186-190.
SeeMeta IEArticle65Submissions,paragraphs8.10-8.15,andmorespecificallyAnnex1,paragraphs1.33,
2.18,5.20,7.13,9.18and9.20,and10.16.
759EDPBGuidelinesonArticle65(1)(a),paragraph63.

101
Adopted DE, FR, NO, and SE SAs stand in direct connection withthe substance of the Draft Decision, as they

concerntheimposition ofa correctivemeasurefor anadditionalinfringement,whichwould be found
as a consequence of reversing the conclusions in the Draft Decision also in scope of this dispute 76.

Clearly, the decision on the merits of the demands to take corrective measures for a proposed
additional infringement is affectedby the EDPB’sdecision on whether to reverse the findings in the
DraftDecisionandwhether toinstruct theLSA toestablishadditionalinfringements.

389. The EDPBtakesnote of further argumentsput forwardbyMeta IEaiming todemonstrate the lackof
761
relevance of these objections, specifically with regard to the objections raised by the ATSA .
However,theEDPBnotesthatMetaIEdisagreeswiththe contentofthese objections, whichconcerns

itsmeritsandnot its admissibility.

390. If followed, these objections would lead to a different conclusion in terms of corrective measures
imposed 762. Inconsequence, the EDPB considers the objections raised by the AT, DE, FR, NOand SE
SAs in connection to imposing an administrative fine for the alleged breach of Article 6(1)/6(1)(b)

GDPRand/or Article 9 GDPRtobe relevant.

391. Meta IE arguesthat the AT, NO, and SE SAs objections in relation to the need to increase the fine
amount because ofthe allegedinfringement ofArticle 6(1)(b)GDPRlacksadequatereasoning asthey
763
fail todemonstrate why Meta IE could not rely on Article 6(1)(b) GDPR . According toMeta IE, the
SE SA’sobjectionisalsobasedontheunfounded claimthatMetaIEintentionallysoughttocircumvent
764
datasubjectrightsbyswitchingfrom consenttocontractualnecessityasthelegalbasisinMay2018 .
Furthermore, Meta IE takes the view that the objections from the AT, DE, FR and NO SAs are not
sufficiently reasoned astheyrefer tothe use of administrativefine as''generalpreventivemeasures''

on controllers, thus speculating on potential future behaviour or intentions of unidentified
controllers765. The EDPB understands that Meta IE disagrees with the reasoning provided in the

objections, whichthusconcerns their meritsandnot their admissibility.

392. Inaddition, MetaIEarguesthattheFRSA’sobjectionis notreasonedbecause itdoes not substantiate
“how a fine for the additional purportedinfringementswould be calculated, whether thisfine would
766
needto be added to the proposed fine and how this would affect the overallfine” .Meta IEfurther
takesissue withthe AT SA’sobjection andarguesit has not put forwarda sufficiently reasonedbasis
for itsobjection tochallenge theLSA’scalculationof thecriterialaiddowninArticle83(2) GDPR 767. In

this respect, the EDPB recalls that CSAs are not required to engage in a full assessment of all the

760AT SAObjection,p.11;DESAs Objection,p.2;FRSAObjection,paragraphs44and50;NOSAObjection,p.

761SE SAObjection,p.4.
Meta IEArticle65Submissions,Annex1,paragraph1.32.AccordingtoMeta IE,byreferringtothefactthat
‘’MetaIrelandis... theproviderofoneofthebiggestsocialmedianetworkintheworld’’,theAT SA‘’failsto
explainhowthisrelatestoanyspecificfactualandlegalcontentoftheDraftDecision’’.
762AT SAObjection,p.11;DESAs Objection,p.2;FRSAObjection,paragraph44and50;NOSAObjection,p.

11;SE SAObjection,p.4.
763Meta IEArticle65Submissions,Annex1,1.33,9.20,and10.17.
764Meta IEArticle65Submissions,Annex1,10.17.
765Meta IEArticle65Submissions,Annex1,paragraphs1.35,2.22,5.16and9.23.Meta IEaddsthat‘’inany

event,wherea fineaslargeasthatcurrentlyproposedintheDraftDecisionisimposed,thereisnodoubtthat
othercontrollerswilltakenoteofthisinsuchcircumstances’’.
766Meta IEArticle65Submissions,Annex1,paragraph5.20.
767Meta IEArticle65Submissions,Annex1,paragraph1.34.

102
Adopted aspects of Article 83 GDPR in order for an objection on the appropriate administrative fine to be

considered reasoned.Itis sufficient tolayout whichaspect ofthe DraftDecisionthat,intheir view, is
deficient/erroneous and why. Second, the EDPB recalls that the criteria listed in Article 83(2) GDPR

are not exhaustive, thus it is entirely possible to argue an administrative fine is not “effective,
proportionate and dissuasive” in the meaning of Article 83(1) GDPR without referring to a specific

criterionlistedin Article83(2)GDPR.

393. The EDPBfinds thatthe AT,DE,FR, NOandSE SAsadequatelyargue whytheypropose amendingthe
Draft Decision 768 and how this leads to a different conclusion in terms of administrative fine
imposed 769.

394. Intermsof risks, Meta IEclaims the DraftDecision does not pose any risk, let alone a significant risk

to fundamental rights, and argues the objections of the AT, DE ,FR, NO and SE SAs 770 fail to
demonstratethe contrary,asrequired.

395. More specifically, Meta IE considers that the DE and FR SAs’ objections focus on increasing the

‘’punitive impact’’ of the fine on Meta IE rather than demonstrating any significant risks to the
fundamental rights of data subjects 771. In this regard, Meta IE argues the AT, DE, NO, and SE SAs’

objections rest on unsubstantiated possible effect of the Draft Decision on the future behaviour of
other controllers, instead of doing a case by case assessment under Article 83 GDPR 772.Inparticular,

MetaIEclaimsthat,indoing so, the assessment made by these supervisory authoritiesis incorrectto
the extentit only takesintoaccount financialcostsanddoes not consider reputationalcosts 773.

396. The EDPB recalls that any risk assessment addresses future outcomes which are to some degree
uncertain 774. Contrary to Meta IE’s views, the objections reflect specifically on Meta IE’s future

approachintheevent the DraftDecisionisadoptedasit standsandgobeyondproviding “speculative
argumentbasedon theputativelackofa generalpreventiveimpactonothercontrollers” 775. TheEDPB

also notes that the DE, FR, NL, NOandSE SAs 776considered both of the aspects that are entailedby
dissuasiveness of the fine, i.e.specific deterrenceand generaldeterrence 777.

768AT SAObjection,pp.11;DESAs Objection,p.10;FRSAObjection,paragraph50;NOSAObjectionpp.9-11;
SE SAObjectionp.4.
769AT SAObjection,pp.11-12;DESAs Objection,p.12;FRSAObjection,paragraphs44-45;NOSAObjection

77013;SE SAObjection,p.4
Meta IEArticle65Submissions,Annex1,paragraphs1.36-1.40,2.24-2.27,5.22-5.25,9.25-9.27,and10.18-
10.20.
771Meta IEArticle65Submissions,Annex1,paragraphs2.24and5.22.
772
773Meta IEArticle65Submissions,Annex1,paragraphs1.38,2.255.23,9.26,and10.18.
Meta IEArticle65Submissions,Annex1,paragraphs1.38,2.26,5.24,and10.19.Meta IEaddsthat,inany
case,it‘’doesnotconsiderthatfinessuchastheoneproposedintheDraftDecisioncouldencourageother
companiesnottocomplywiththeGDPR’’.
774SeeSection9.1.4.1ofthisBindingDecision.
775
Meta IEArticle65Submissions,Annex1,paragraph10.18(SESA).
776DESAs Objection,p.12(referringtothe‘’undertakinginquestion’’),FRSAObjection,paragraph47(referring
to ‘’the controller’’); IT SA Objection pp.8-9 (referring to ‘’the controller’’); NL SA Objection, paragraph52
(referringto the risks in relation to ‘’the illegal processing at hand’’);NO SA Objection, p.12 (referring to

‘’incentivesforMetaIE’’).
777TheCJEUhas consistentlyheldthata dissuasivefineisonethathasa genuinedeterrenteffect,
encompassingbothspecificdeterrence(discouragingtheaddresseeofthefinefromcommittingthesame

103
Adopted397. The EDPB finds that the AT, DE, FR, NO, and SE SAs articulate an adverse effect on the rights and

freedomsof datasubjectsifthe DraftDecisionis leftunchanged,by referringtoa failuretoguarantee
a highlevelof protectioninthe EU for the rightsand interestsof the individuals 77.

398. Therefore,theEDPBconsiders the AT,DE,FR, NO, andSE SAsobjectionsconcerning the impositionof
a fine for the alleged additional infringements of Article 6/6(1)(b) and/or Article 9 GDPR to be

reasoned.

***

399. With respect tothe objection raisedby the IT SA concerning the imposition of anadministrative fine

for the infringement of the fairness principle enshrined in Article 5(1)(a) GDPR, the EDPB finds,
contrarytoMetaIE’sviews 77, thatit standsin connection withthe substance of the DraftDecision,
asit concerns the imposition of a correctivemeasure for anadditionalinfringement, whichwould be

found asaconsequence ofincorporatingthefinding putforwardbythe objection.Clearly,thedecision
on the merits of the demand to take corrective measures for a proposed additional infringement is

affectedby the EDPB’sdecision onwhether toinstruct theLSA toinclude anadditionalinfringement.

400. If followed, the IT SA’s objection would lead to a different conclusion in terms of corrective
measuresimposed 78. Taking note of Meta IE’sposition 781, the EDPB finds the objections raisedby
the ITSA tobe relevant.

401. MetaIE arguesthe IT SA’s objection does not put forward reasonable doubt as tothe validityof the

LSA’s calculation of the fine and claims there is no basis in the GDPR for suggesting that an
administrativefine must havea ‘’generaldeterrenteffect’’ 78.TheEDPBfindsthattheITSAadequately

argueswhy theypropose amending the DraftDecisionandhow this leadstoa different conclusion in
termsofadministrative fine imposed 783.

infringementagain)andgeneraldeterrence(discouragingothersfromcommittingthesameinfringementin

thefuture).See,interalia,C-511/11,Versalis,paragraph94.
778AT SAObjection,p.11-12;DESAs Objection,p.12;FRSAObjection,paragraphs47-48;NOSAObjection,p.
12; SESAObjection,p.5.SeealsoEDPBGuidelinesonRRO,paragraph37.
779Meta IEArticle65Submissions,paragraph7.13.AccordingtoMeta IE,theITSAobjectionsisnotrelevant

giventhattheLSAhas notfoundanyinfringementofthefairness,purposelimitationanddata minimisation
principles(Article5(1)(a)-(c)GDPR).
780ITSAObjection,p.7.
781Meta IE Article65 Submissions, paragraph 7.13. According to Meta IE, given theIE SA has not found any
infringementofthefairnessprinciple,thereisnobasisfortheimpositionofa fineonthisground.EDPBalready

782pondedtothislineofreasoningaboveinSection8.4.2.
Meta IEArticle65Submissions,paragraphs7.15-16.
783TheITSAargues thatthefindingofsuchinfringement“shouldresultintoincreasingtheamountofthesaid
finesubstantiallybyhavingregardtotherequirementthateachfineshouldbeproportionateanddissuasive’’
insofaras‘’thegravityoftheinfringementwouldbefactuallycompounded.”(ITSAObjection,pp.6-7).

104
Adopted402. MetaIEarguesthe objectionof theIT SA fails todemonstrate the riskposed by the DraftDecision,as
required 784 and,indoing so, MetaIEdismisses the concernsarticulatedbythe ITSA ontheprecedent
785
the DraftDecisionsetsfor othercontrollers .

403. The EDPBfindsthattheITSA articulatesanadverse effectonthe rightsandfreedomsof datasubjects

ifthe DraftDecision isleft unchanged, byreferringtoa failure toguaranteea highlevelofprotection
inthe EU for the rightsandinterestsofthe individuals 78.

404. Therefore, the EDPB considers the IT SA’s objection concerning the imposition of a fine for the
additionalinfringement of theprinciple of fairnessenshrined in Article5(1)(a) GDPRtobe reasoned.

***

405. The EDPB recallsits analysis of whether the objection raisedby the IT SA in respect of the proposed
additionalinfringements ofArticle 5(1)(b) andArticle 5(1)(c)GDPRmeetsthe threshold set by Article

4(24)GDPR(see Section7.4.1above).Inlight ofthe conclusion thatsuchobjection isnot relevantand
reasoned, theEDPBdoes not need tofurtherexamine thislinked objection.

9.2.4.2 Assessmenton themerits
406. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a Binding Decision concerning all the

matters which are the subject of the relevant and reasoned objections, in particular whether the
envisagedactioninrelationtothe controller or processor complies withthe GDPR.Morespecifically,
the EDPB needs to assess whether an administrative fine should be imposed for the additional

infringementsof Article 6(1)GDPRandthe principle of fairnessunder Article 5(1)(a)GDPR.However,
in light of its findings in Section 5.4.2 above, the EDPB does not need to examine the merits of the

objections ofthe DEand FR SAs requesting the imposition of a fine for the allegedadditional breach
of Article9 GDPR.

407. The EDPB recalls that the consistency mechanism may also be used to promote a consistent
application of administrative fines 787 and that the objective pursued by the corrective measure
788
chosen canbe tore-establish compliance withthe rulesor topunish unlawful behaviour (or both) .
The EDPB responds above toMeta IE’sposition that the LSA has sole discretion to determine which
correctivemeasuresare appropriate(see Section 8.4.2).

9.2.4.2.1 Assessment of whether an administrative fine should be imposed for the infringement of
Article6(1) GDPR

784Meta IEArticle65Submissions,paragraph7.18.
785Meta IEArticle65Submissions,paragraph7.19.Onthis,theEDPBhassetoutitspositionaboveinSection
9.1.4.1above.
786ITSAObjection,p.7.
787
Recital150GDPR.EDPBGuidelinesonRRO,paragraph34;EDPBGuidelinesonAdministrativefinesp.7
(“Whentherelevantandreasonedobjectionraisestheissueofthecomplianceofthecorrectivemeasurewith
theGDPR,the decisionofEDPBwillalsodiscusshowtheprinciplesofeffectiveness,proportionalityand
deterrence areobservedintheadministrativefineproposedinthedraftdecisionofthecompetentsupervisory
authority”). Seealsoaboveparagraph344.
788
EDPBGuidelinesonAdministrativeFines,p.6.Seealsoparagraph354ofthisBindingDecision.

105
Adopted408. The EDPB recallsits conclusion in this Binding Decision on the infringement of Article 6(1) GDPR 789

and that the objections raised by the AT, DE, FR, NOand SE SAs found to be relevant and reasoned
requestedthe IESA toexercise itspower toimpose anadministrative fine 790.

409. The EDPBtakesnote of MetaIE’sviewsthat,evenifaninfringement isfound, the appropriatecourse
would be to refer the matter back to the LSA to determine whether to impose any appropriate

correctivemeasures 791,andthattheLSA hassole competenceanddiscretionregardingtheamountof
the fine792. The EDPB responds toMeta IE’sargument that the LSA has sole discretion todetermine

the appropriatecorrectivemeasures inthe event ofa finding ofinfringement above in Section8.4.2.

410. The EDPBconcurs thatthe decision toimpose anadministrativefine needs tobe takenon a case-by-
case basis in light ofthe circumstancesand is not anautomaticone 793. Inthe case athand, however,

the EDPBagreeswiththe reasoning put forwardby theAT, DE, FR, NOandSE SAsintheir objections.
The EDPB reiterates that lawfulness of processing is one of the fundamental pillars of the data
protectionlaw and considers that processing of personal data without anappropriate legalbasis isa

clearandserious violationof the datasubjects’ fundamental righttodataprotection 794.

411. Several of the factors listed in Article 83(2) GDPR speak strongly in favour of the imposition of an
administrative fine for the infringement of Article6(1)GDPR.

Thenature,gravityand duration of theinfringement(Article83(2)(a) GDPR)

412. Asmentionedabove andoutlined below 795,the natureandgravityoftheinfringementclearlytipthe

balance infavour of imposing anadministrativefine.

413. Withrespecttothe scopeofprocessing,theEDPBnotestheIESA’sassessment thatthepersonaldata
processing carriedout by MetaIEon thebasis of Article6(1)(b) GDPRis extensive,adding that“Meta

Irelandprocessesavarietyofdatain ordertoprovideInstagramuserswitha‘personalised’experience,
including byway ofserving personalised advertisements.Theprocessing is centralto and essentialto
796
thebusiness modeloffered[...]’’ .

789Section4.4.2ofthisBindingDecision.
790
Paragraph390and398ofthisBindingDecision.
791Meta IEArticle65Submissions,paragraph8.13
792Meta IEArticle65Submissions,paragraph9.2,10.4,
793EDPB Guidelines onAdministrativefines, p. 6 (“Like all corrective measures in general, administrative fines

should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities
must assess all the facts of the case in a mannerthat is consistent andobjectively justified. The assessment of
whatis effective, proportionalanddissuasiveineachcasewillhaveto alsoreflect the objectivepursuedbythe
corrective measure chosen, that is either to re-establish compliance with the rules, or to punish unlawful
behaviour(or both)”), p. 7 (“The Regulation requires assessment of each case individually”;“Fines are an

importanttoolthatsupervisoryauthoritiesshoulduseinappropriatecircumstances.Thesupervisoryauthorities
are encouraged to use a considered and balancedapproach in theiruse of corrective measures, in order to
achieve both an effective and dissuasiveas well as a proportionate reactionto the breach. The point is to not
qualifythefinesaslastresort,nortoshyawayfromissuingfines,butontheotherhandnottousetheminsuch

794ywhichwoulddevaluetheireffectivenessasatool.”).
Article8(2),EUCharterofFundamentalRights.SeeNOSAobjection,p.10.
795Inparticular,seeSection4.4.2ofthisBindingDecisionaswellasparagraphs408,413-415.
796DraftDecision,paragraphs221.

106
Adopted414. Inthisrespect,theEDPBalsorecallsthattheinfringementatissuerelatestotheprocessingofpersonal
dataof asignificant numberofpeople 797andthatthe impacton them hastobe considered.

415. Thoughthe damageis very difficult toexpress intermsof a monetaryvalue, it remainsthe case that
data subjects have been faced with data processing that should not have occurred (by relying

inappropriately on Article 6(1)(b) GDPR as a legal basis as established in Section 4.4.2). The data
processing in question - behavioural advertising - entails decisions about information that data

subjects are exposed to or excluded from receiving. The EDPB recalls that non-material damage is
explicitly regardedasrelevant in Recital75 and thatsuch damagemay result from situations “where
data subjectsmight bedeprivedoftheirrightsand freedomsor preventedfromexercisingcontrolover

their personaldata”. Given the nature and gravityofthe infringement of Article 6(1)(b) GDPR, a risk
of damage caused todata subjects is, in such circumstances, consubstantial with the finding of the

infringement itself.

Theintentionalor negligentcharacterofthe infringement(Article83(2)(b) GDPR)

416. The SE SA arguesthe infringement of Article 6(1)(b) GDPRshould be considered intentionalon Meta
IE’spart,whichis anaggravatingfactor 798.

417. The EDPBtakesnote ofMetaIE’sposition thatit did not actintentionally withtheaim toinfringe the
GDPR,nor wasnegligent- but “has reliedon what it has consistentlyconsidered in good faith to be a

valid legalbasis for thepurpose ofprocessing ofpersonal data for behaviouraladvertising andwhich
now requiresescalation to theEDPBfor resolution” 799.Beforeaddressing eachofthe elementsofthis
claim, the EDPB first notes that establishing either intent or negligence is not a requirement for

imposing a fine, but deserves “due regard”. Second, contrary to what Meta IE implies, the mere
circumstancethat a dispute betweenthe LSA and the CSAs hasescalatedtothe EDPBdoes not serve

asevidence thata controller actedingoodfaithwithrespect tothe disputedissues. First, the dispute
arisesonly (long)afterthe controllerhas decidedonitscourse of action,andthereforecannot inform
it. Second, a dispute may simply bring to light that an LSA has decided to challenge a position

commonly held by(a majorityof) theCSAs.

418. The EDPB Guidelines on calculation of fines confirm that there are two cumulative elements on the
basis of which aninfringement canbe considered intentional: the knowledge of the breach andthe
willfulness inrelationtosuchact 800.Bycontrast,aninfringementis “unintentional”whentherewasa

breachofthe dutyof care,withouthaving intentionally causedthe infringement.

419. The characterisation of an infringement as intentional or negligent shall be done on the basis of

objective elements of conduct gatheredfrom the facts of the case 801. It is worthnoting the broader

797DraftDecision,paragraph253,theInstagramserviceisprovidedtoa significantportionofthepopulationof
theEEA. This aspectwasalsohighlightedbytheobjectionsraisedbytheNOSA(NOSAObjection,pp.10-11)
andDESAs (DESAs Objection,pp.9and11).
798SESAObjection,pp.4-5.
799
Meta IEArticle65Submissions,paragraph8.28.
800 The EDPB Guidelines on calculation of fines, paragraphs 56, referring to the EDPB Guidelines on
AdministrativeFines:“ingeneral,‘intent’includesbothknowledgeandwilfulnessinrelationtothecharacteristics
ofanoffence,whereas‘unintentional’meansthattherewasnointentiontocausetheinfringementalthoughthe
controller/processorbreachedthedutyofcarewhichisrequiredinthelaw”.
801
EDPBGuidelinesoncalculationoffines,paragraph57andEDPBGuidelinesonAdministrativeFinesp.12.

107
Adopted approachadopted withrespect to the concept of negligence,since it also encompasses situations in
which the controller or processor has failedtoadopt the requiredpolicies, whichpresumes a certain
802
degree of knowledge about a potential infringement . This provides an indication that non-
compliance insituations inwhichthe controlleror processor should have beenawareofthepotential
breach(inthe exampleprovided, due tothelackofthenecessarypolicies) mayamount tonegligence.

420. The SE SA arguesthatMetaIE “hascontinued to relyon Article6(1)(b) for theprocessing, despite the

aforementioned[EDPB Guidelines2/2019 on Article 6(1)(b) GDPR]– which clearlygives doubt to the
legalityoftheprocessing–which werefirstadoptedon9 April2019and madefinalon 8October2019.
Theinfringement must inall casesbeconsidered intentionalfromthat laterdate” 803.

421. The EDPB recalls that even prior to the adoption EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR,

therewereclearindicatorsthatspoke againstrelyingon contractaslegalbasis. First, inWP29 Opinion
02/2010 on online behavioural advertising, only consent - asrequired by Article 5(3) of the ePrivacy
Directive-is put forwardaspossible legalbasis for thisactivity.As Article6 GDPRresembles Article7

ofthe DataProtectionDirectivetoalargeextent,WP29 Opinion 02/2010 remaineda relevantsource
onthismatterfor controllerspreparingfor theGDPRtoenter intoapplication. Second, WP29 Opinion

06/2014 onthenotion oflegitimateinterestsexplicitlystatesthat“thefactthatsomedata processing
is covered by a contract does not automatically mean that the processing is necessary for its
performance.Forexample,Article7(b)is nota suitable legalground for building a profile ofthe user’s

tastes and lifestyle choices based on his click-stream on a website and the items purchased. This is
because the data controller has not been contracted to carry out profiling, but rather to deliver

particular goods and services, for example. Even if these processing activities are specifically
mentionedin the small print of the contract, thisfact alone does not make them ‘necessary’ for the
performanceofthecontract” 804.

422. Itstems from the above thatMetaIE had(or should have had)knowledge about the infringement of

Article 6(1)(b) GDPR. However, this mere element is not sufficient to consider an infringement
intentional, asstatedabove, since the “aim” or “wilfulness” of the actionshould be demonstrated.

423. TheEDPBrecallsthatthathavingknowledge ofaspecific matterdoesnotnecessarily implyhavingthe
“will” to reacha specific outcome. This is in fact the approach adopted in the EDPB Guidelines on

calculation of fines and WP29 Guidelines on Administrative Fines, where the knowledge and the
“wilfulness” are considered two distinctive elements of the intentionality 805. While it may prove
difficult todemonstrateasubjective element suchasthe “will” toactina certainmanner,thereneed
806
tobe some objective elementsthatindicate theexistence of such intentionality .

424. TheEDPBrecallsthattheCJEU hasestablisheda highthreshold inorder toconsider anactintentional.
Infact,evenincriminalproceedingstheCJEU hasacknowledgedtheexistenceof“seriousnegligence”,

802The EDPB Guidelines on calculation of fines, paragraph 56 (Example4) quote the EDPB Guidelines on
Administrative Fines, which mention, among the circumstances indicative of negligence, “failure to adopt

policies(ratherthansimplyfailuretoapplythem)”.
803SESAObjection,p.4.
804WP29Opinion06/2014onthenotionoflegitimateinterests,p.16-17.
805EDPBGuidelinesoncalculationoffines,paragraph56,andEDPBGuidelines onAdministrativeFines,p.11.
806SeeEDPBGuidelinesoncalculationoffines,paragraphs56and57,andWP29GuidelinesonAdministrative

Fines,p.12.

108
Adopted ratherthan“intentionality”when“thepersonresponsible commitsapatentbreachofthedutyofcare
whichhe should have andcould have compliedwith in view ofhis attributes,knowledge,abilitiesand
807
individual situation” . In this regard, while the EDPB confirms that a company for whom the
processing of personal data is at the core of its business activities is expected to have sufficient
measures in place for the safeguard of personal data 80, this does not, however, per se change the

natureof the infringement from negligenttointentional.

425. Inthisregard,theSESA putsforwardthatMetaIEbaseditsprocessing ofpersonalised advertisement

on consent until the GDPR came intoforce on 25 May2018, and at this time switchedto relying on
Article6(1)(b) GDPRfor the processing inquestion instead. Thetiming andthe logisticsfor thisswitch

suggeststhis act wasdone withthe intention of circumventing the new rights of users under Article
6(1)(a) GDPR. The SE SA adds that “[the] proposed finding of infringement concerning information
deficitsabout the processing, namelyonwhat legal basis it is based, furthersupports thisconclusion,

since it goes to show that MetaIrelandwas aware ofthe questionable legalityof thatbasis and tried
to concealthe infringementto avoidscrutinybysupervisory authoritiesand data subjects” 809.

426. The EDPB considers the timing of the changes made by Meta IE toits Instagram Termsof Use asan
objective element, however this alone does not indicate intention. Around this time period, many

controllers updated their data protection policies. The objection suggests that the conclusion on
intentionalityiscorroboratedbythe shortcomingstothetransparencyobligations.Inthe EDPB’sview,
thecombinationofthetimingofthechangeoflegalbasiswiththelackoftransparencyisnotsufficient

toindicate intentioneither.

427. Therefore,on the basis of the available information, the EDPBis not able to identify awill of MetaIE

toactinbreachofthe lawasit cannotbe concluded thatMetaIEintentionallyactedtocircumvent its
legalobligations.

428. Therefore,theEDPBconsidersthattheargumentsputforwardbytheSE SA donotmeetthethreshold
to demonstrate the intentionality of the behaviour of Meta IE. Accordingly, the EDPB is of the view

thatthe DraftDecisiondoes not needtoinclude thiselement.

429. At the same time, the EDPB notes that, even establishing that the infringement was committed

negligently,acompanyfor whom theprocessing ofpersonaldataisatthecoreofitsbusiness activities
should have inplace sufficient proceduresfor ensuring compliance withthe GDPR 810.

430. The EDPBdoesnot acceptMetaIE’sclaimof“good faith”,butis oftheview thatMetaIEwascertainly
seriously negligent in not taking adequate action, within a reasonable time period, following the

adoption of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR on 9 April 2019. Even before that
date, the EDPB considers there was at the very least negligence on Meta IE’s part considering the

contentsof WP29 Opinion 02/2010 on online behaviouraladvertising andWP29 Opinion 06/2014 on
the notion of legitimateinterests(see paragraph421 of this Binding Decision), whichmeans MetaIE
had (or should have had) knowledge about the infringement of Article 6(1)(b) GDPR, giventhe fact

807JudgementoftheCourtofJusticeof3June2008,TheQueen,ontheapplicationofInternationalAssociation
of Independent Tanker Owners (Intertanko) and Others v. Secretary of State for Transport, C-308/06,
ECLI:EU:C:2008:312,paragraph77.
808
809EDPBBindingDecision1/2020,adoptedon9November2020,paragraph195.
SESAObjection,p.4.
810SeeEDPBBindingDecision1/2020,paragraph195.

109
Adopted thatprocessing ofpersonal dataisat thecore of itsbusiness practices,andtheresources availableto

MetaIEtoadaptits practicesso astocomply withdataprotectionlegislation.

The degree of responsibility of the controller taking into account technical and organisational
measuresimplementedpursuantto Articles25 and 32(Article83(2)(d) GDPR)

431. The EDPB considers the degree of responsibility of Meta IE’spart to be of a high level, on the same
811
grounds asset inthe DraftDecisionwithregardstothe transparencyinfringements .

Thefinancial benefit obtainedfrom the infringement(Article83(2)(k) GDPR)

432. TheSE SA arguesMetaIEgainedfinancialbenefitsfrom theirdecision torelyoncontractaslegalbasis
for behavioural advertising,rather thanobtaining consent from the users of Instagram 812.While not

providing an estimate of its size, the SE SA considers the existence of financial benefit sufficiently
provenonthe basisof“theself-evidentfactthatMetaIrelandhasmadesignificant financialgain from

being able to provide personal advertisement aspart of a whole take it or leave it offer for its social
mediaplatform service,as opposed to establishing a separate legalbasis for it.Byalso being unclear
in the informationto data subjects, it is a reasonable assumption that more data subjectshave been

misled into being subject to the processing, thus increasing the financial benefits gained by Meta
Irelandpursuant to personaladvertisement” 813.

433. As explicitly statedin Article 83(2)(k) GDPR, financialbenefits gaineddirectly or indirectly from the

infringement can be considered an aggravating element for the calculation of the fine. The aim of
Article 83(2)(k) GDPRis toensure that the sanctionapplied is effective,proportionate and dissuasive
814
ineachindividual case .

434. Inparticular,in view of ensuring fines that areeffective, proportionate and deterrent,andin light of

common acceptedpracticeinthe fieldof EU competitionlaw 81,whichinspired the fining framework
under the GDPR, the EDPB isof the view that, whencalculating the administrative fine, supervisory

authorities could take account of the financial benefits obtained from the infringement, in order to
impose a fine thataim at“counterbalancing thegains from theinfringement” 816.

435. When applying this provision, the supervisory authorities must “assess all the facts of the case in a
817
manner that is consistent and objectively justified” . Therefore, financial benefits from the
infringement could be an aggravating circumstance if the case provides information about profit
obtainedasa result of theinfringement of the GDPR 818.

811DraftDecision,paragraph240.Inthisrespect,theEDPBnotes thatthehighdegreeofresponsibilityofMeta

IEforthenon-compliancewiththeGDPRwasconsideredasanaggravatingfactorbyLSAforthecalculationof
thefine.
812SESAObjection,p.4.
813SESAObjectionp.4.
814
815EDPBGuidelinesoncalculationoffines,paragraph107.
SeetheCJEUrulingscitedinEDPBBindingDecision2/2022,paragraph219.
816EDPBGuidelinesoncalculationoffines,examples7cand7d.
817 EDPB Guidelines on Administrative Fines, p. 6 (emphasis added), quoted in Binding Decision 1/2021,
paragraph403.
818
EDPBGuidelinesoncalculationoffines,paragraph110.

110
Adopted436. In the present case, the EDPB considers that it does not have sufficiently precise information to
evaluatethe specific weightofthe financialbenefit obtainedfrom the infringement.

437. Nonetheless, the EDPBacknowledgesthe needtoprevent thatthe fineshave littletono effectifthey
are disproportionally low compared to the benefits obtained with the infringement. The EDPB

considers thattheIESAshould ascertainifanestimationofthefinancialbenefit fromtheinfringement
ispossible inthis case.Insofar asthisresultsin theneedtoincrease theamount of thefine proposed,
the EDPBrequeststhe IESA toincrease the amount of thefine proposed.

Competitiveadvantage -otherfactor (Article83(2)(k) GDPR)

438. The NOSA identifies anaggravatingfactorinthat“thatthe unlawfulprocessing ofpersonaldata in all

likelihood hascontributedtothedevelopmentofalgorithmswhich maybe harmfulon an individualor
societal level, andwhich may have considerable commercialvalue to [Meta IE]. The algorithms may
have contributedto giving[MetaIE]acompetitiveadvantage vis-à-vis its competitors” 81.

439. Onprinciple, the EDPBagreesthatacompetitive advantagecouldbe anaggravatingfactorifthe case
820
provides objective information thatthis wasobtained asa result of the infringement of the GDPR .
In the present case, the EDPB considers that it does not have sufficiently precise information to
evaluate the existence of a competitive advantage resulting from the infringement. The EDPB

considers that the IESA should ascertainif anestimation ofthe competitive advantagederived from
the infringement is possible in this case.Insofar asthis results inthe need toincrease the amount of
the fine proposed, the EDPBrequeststhe IESA toincrease the amount of thefine proposed.

***

440. Takinginto accountthe nature andgravityofthe infringement aswellasother aspectsinaccordance
with Article 83(2) GDPR, the EDPB considers that the IE SA must exercise its power to impose an

additionaladministrative fine. Also, covering this additionalinfringement witha fine would be in line
with the IE SA’s (proposed) decision toimpose administrative fines in this case for the transparency
821
infringements relating to processing carried out in reliance on Article 6(1)(b) GDPR . The EDPB
underlines that, in order to be effective, proportionate and dissuasive, a fine should reflect the
circumstances of the case. Such circumstances not only refer to the specific elements of the

infringement,but alsothose ofthe controller or processor whocommittedthe infringement,namely
itsfinancialposition.

9.2.4.2.2 Assessmentof whetheranadministrativefineshouldbeimposedfor theinfringementofthe
fairnessprincipleunderArticle5(1)(a) GDPR

441. The EDPBrecallsits conclusion in thisBinding Decision onthe infringement byMetaIEof the fairness
principle under Article 5(1)(a)GDPR 822andthatthe objection raisedbythe ITSA, which wasfound to

819NOSAObjection,p.11.
820EDPBGuidelinesoncalculationoffines,paragraph109.Seealsoparagraphs433ofthisBindingDecision.
821DraftDecision,paragraphs253-258.
822
Section4.4.2ofthisBindingDecision.

111
Adopted be relevant and reasoned, requested the IE SA to exercise its power to impose an administrative
fine823.

442. The EDPBtakesnote of MetaIE’sviewsthat it would not be appropriatefor the EDPBtoinstruct the

LSA to take corrective measures in relation to the additional infringement of the fairness principle
under Article5(1)(a)GDPRconsidering thatthisissue does not fallwithinthescope ofthe Inquiry.The
824
EDPBresponds tothese argumentsabove inSection6.4.2 .

443. The EDPB recallsthat the decision to impose an administrative fine needs tobe takenon a case-by-
825
case basis in light of the circumstances andis not an automatic one . Inthe same vein, the EDPB’s
assessment ofMetaIE’scompliance withthe principle of fairnessis carriedout bytakinginto account

the specificities of the case, ofthe particular social networking service at handand of the processing
of personaldatacarriedout,namelyfor thepurpose of online behaviouraladvertising 826.

444. As previously established, the principle of fairness under Article 5(1)(a) GDPR, althoughintrinsically
linked tothe principles oflawfulness andtransparencyunder thesame provision, hasanindependent
827
meaning . It underpins the whole data protection framework and plays a key role for securing a
balance ofpower in thecontroller-data subject relationship 828.

445. Considering the EDPB’sfindingsin Section6.4.2thatMetaIEhasnot compliedwithkeyrequirements
ofthe principle offairness asdefinedbythe EDPB,namelyallowing for autonomyofthe datasubjects

as tothe processing of their personal data, fulfilling data subjects’ reasonable expectation, ensuring
power balance,avoiding deceptionandensuring ethicalandtruthfulprocessing, aswellastheoverall
effect of the infringement by Meta IE of the transparencyobligations and of Article 6(1) GDPR, the

EDPBreiteratesitsview thatMetaIEhasinfringed theprinciple offairness under Article5(1)(a)GDPR
andagreeswiththeITSA thatthisinfringement should be adequatelytakenintoaccount bythe IESA

in the calculationofthe amount ofthe administrative fine tobe imposed following the conclusion of
thisinquiry.

446. Therefore,theEDPBinstructstheIESAtotakeintoaccounttheinfringementbyMetaIEofthefairness
principle enshrined inArticle5(1)(a) GDPRasestablished above whenre-assessing the administrative

fines for the transparencyinfringements andthe determinationof the fine for the lack oflegalbasis.
If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an

appropriatecorrectivemeasure,the EDPBrequeststhe IE SA toinclude thisinitsfinaldecision. Inany
case,the IESA must take into account the criteriaprovided for by Article83(2) GDPRand ensuring it
is effective,proportionate anddissuasive inline withArticle 83(1)GDPR.

823Paragraphs399-404ofthisBindingDecision.
824Meta IEArticle65Submissions,paragraph8.15.
825Seeaboveparagraph410.
826Seeabovesection6.4.2
827
828Seeabovesection6.4.2,paragraph224.
Seeabovesection6.4.2

112
Adopted 10 BINDINGDECISION

447. Inlightof theabove, andinaccordancewiththetaskof theEDPBunder Article 70(1)(t)GDPRtoissue
binding decisions pursuant to Article 65 GDPR, the EDPB issues the following Binding Decision in

accordancewithArticle65(1)(a) GDPR.

448. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in

accordancewithArticle65(2) GDPR.

On the objections concerning whether the LSA should have found an infringement for lack of
appropriatelegalbasis

449. The EDPBdecidesthattheobjections ofthe AT,DE,ES,FI,FR,HU,NL,NO, andSE SAs regardingMeta

IE’sreliance onArticle 6(1)(b) GDPRin thecontext of itsoffering of the InstagramTermsof Use meet
the requirementsofArticle 4(24)GDPR.

450. Onthepartsofthe DESAs’objectionrequesting thefinding ofaninfringementofArticle5(1)(a)GDPR,

and the partsof the DE andNO SAs objections requesting specific correctivemeasures under Article
58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the imposition of an
administrative fine, a ban of the processing of personal data for the purpose of behavioural
advertising, anorder to delete personal data processed under Article 6(1)(b) GDPR, andan order to

identify a valid legal basis for future behavioural advertising or to abstain from such processing
activities, the EDPB decides that these partsof their objections do not meet the threshold of Article
4(24)GDPR.Similarly,thepartofthe FISA objection concerningthe imposition ofa specific corrective

measures, namely anadministrative fine is not reasoned anddoes not meet the threshold of Article
4(24)GDPR.

451. The EDPB instructsthe IESA to alterits Finding 2 of itsDraftDecision, which concludes that MetaIE

mayrelyonArticle6(1)(b)GDPRinthecontextofitsoffering ofInstagramTermsofUse,andtoinclude
aninfringement of Article 6(1) GDPR,basedon the shortcomings that the EDPBhas identified in this
Binding Decision.

On theobjectionsconcerningwhethertheLSA’sDraftDecisionincludessufficientanalysis andevidence
to concludethat MetaIEis not obliged to relyon consentto processtheComplainant’spersonal data

452. The EDPB decidesthat the objections of the AT,DE, FI,FR, andNL SAs regardingthe LSA’sFinding 1
thatMetaIEisnot legallyobligedtorelyon consent toprocesspersonal datatodeliver the Instagram

TermsofUse meetthe requirementsofArticle 4(24)GDPR.

453. On the part of the NL SA objection asking the IE SA to include in its Draft Decision the elements
concerning the need torely on consent for the placing of tracking technology on end users devices

under ePrivacy legislation, the EDPB decides that this part falls outside the scope of the EDPB’s
mandate.The objection raisedby the ESSA regardingthe potentialinfringement of Article9 GDPRis
not sufficiently reasoned and, therefore, the EDPB decides that the objection of the ES SA does not
meetthe threshold provided for by Article4(24) GDPR.

454. The EDPBinstructs the IE SA toremove from its DraftDecisionits conclusion on Finding 1. The EDPB
decides that the IE SA shall carry out a new investigationinto Meta IE’sprocessing operations in its

113
Adopted Instagramservicetodetermineifit processesspecialcategoriesofpersonaldata(Article9GDPR),and

complies with the relevant obligations under the GDPR to the extent that the investigation
complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding
Decision; and,basedon theresults ofthisinvestigation, issue anew draftdecision inaccordancewith
Article60(3) GDPR.

Onthe objectionconcerningthepotentialadditional infringementof theprinciple offairness

455. TheEDPBdecidesthattheobjectionofthe ITSAregardingtheinfringementbyMetaIEofthe principle
of fairnessunder Article5(1)(a)GDPR,meetsthe requirementsof Article4(24) GDPR.

456. The EDPBinstructs the IE SA to find in itsfinal decision anadditionalinfringement of the principle of
fairness under Article 5(1)(a)GDPRbyMetaIE.

On the objection concerning the potential additional infringement of the principles of purpose
limitationanddataminimisation

457. On the objection by the IT SA concerning the possible additional infringements of the principles of
purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, the EDPB decides this

objection does not meetthe requirementsofArticle 4(24)GDPR.

Onthe objectionsconcerningcorrectivemeasuresotherthan administrativefines

458. The EDPB decidesthat the objections of the AT and NL SAs requesting additional and/or alternative

specific correctivemeasurestobe imposed meet the requirementsofArticle 4(24)GDPR.

459. The EDPBinstructsthe IESA toinclude inits finaldecision anorder for MetaIEtobring its processing
of personal data for the purposes of behavioural advertising in the context of the Instagram service

intocompliance withArticle 6(1)GDPRwithinthree months.

460. TheEDPBalsoinstructstheLSA toadjust itsorder toMetaIEtobring InstagramDataPolicyandTerms

of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR within three
months, torefernot only toinformationprovided ondataprocessedpursuant toArticle6(1)(b)GDPR,
but also to data processed for the purposes of behavioural advertising in the context of Instagram
service (toreflect thefinding of theEDPBthat for thisprocessing thecontroller cannot relyon Article

6(1)(b) GDPR).

On the objections concerning the determination of the administrative fine for the transparency

infringements

461. The EDPBdecidesthatthe objections oftheDE,FR,IT,NL,andNOSAsregardingthedeterminationof
the administrative fine for the transparencyinfringements, meet the requirements of Article 4(24)
GDPR.

462. The EDPBconsiders thatthe Final Decisiondoes not needtorefer tothe infringementsby WhatsApp
IrelandLimited,as established in DecisionIN-18-12-2, as anaggravatingfactorunder Article 83(2)(e)
GDPRfor the calculationofthe fine.

463. The EDPB instructs the IE SA to modify its Draft Decision to elaborate on the manner in which the
turnover of the undertakingconcernedhas beentakenintoaccount for the calculationofthe fine, as

114
Adopted appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Article

83(1)GDPR.

464. The EDPB considers that the proposed fine does not adequatelyreflect the seriousness and severity
of the infringements nor has a dissuasive effect on Meta IE. Therefore, the fine does not fulfil the

requirement ofbeing effective,proportionate anddissuasive inaccordance withArticle83(1) and(2)
GDPR. Inlight ofthis, the EDPB directsthe IE SA toset out a significantly higher fine amount for the
transparencyinfringementsidentified, incomparison withthe upper limit for the administrative fine

envisaged in the Draft Decision. In doing so, the IE SA must remain in line with the criteria of
effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR in its overall
reassessment of the amount ofthe administrative fine.

Onthe objectionsconcerningtheimposition ofan administrativefine for the lackoflegal basis

465. The EDPBdecidesthattheobjections of theAT,DE,FR,NO,andSE SAs regardingthe impositionofan
administrative fine for the infringement ofArticle 6(1)or Article 6(1)(b)GDPRmeetthe requirements
of Article4(24)GDPR.

466. Inrelation tointentionality under Article 83(2)(b) GDPR, the EDPB considersthat the argumentsput
forwardby the SE SA in their objection do not containsufficient objective elementsto demonstrate

the intentionalityofthe behaviour ofMetaIE.

467. Regarding the possible financial benefit obtained from the infringement as well as the competitive
advantage (Article 83(2)(k) GDPR), the EDPB instructs the IE SA to ascertain if an estimation of the

financial benefit from the infringement is possible in this case. Insofar as further estimation of the
financialbenefit from the infringement is possible in thiscase and resultsin the needto increasethe
amountofthefine proposed, theEDPBrequeststheIESAtoincreasetheamount ofthefineproposed.

468. The EDPB instructs the IE SA to cover the additional infringement of Article 6(1) GDPR with an
administrative fine which is effective, proportionate and dissuasive in accordance with Article 83(1)
GDPR. Indetermining the fine amount, the IE SA must give due regardto all the applicable factors

listed in Article 83(2) GDPR, inparticular the nature and gravityof the infringement, the number of
datasubjects affectedand theseriously negligentcharacteroftheinfringement.

On the objection concerning the imposition of an administrative fine for the infringement of the
fairness principleunder Article5(1)(a) GDPR

469. The EDPBdecidesthatthe objectionofthe ITSA regardingtheimposition ofanadministrative fine for
the infringement ofArticle 5(1)(a)GDPRmeetsthe requirementsof Article4(24) GDPR.

470. TheEDPBinstructstheIESA tofactortheadditionalinfringementoftheprinciple offairnessenshrined
in Article5(1)(a) GDPRintoits adoptionof appropriate correctivemeasures. Inthisrespect,the IE SA
is instructed totake due account of this infringement when re-assessing the administrative fines for

the transparency infringements and the determination of the fine for the lack of legal basis. If,
however, the IE SA considers an additional fine for the breach of the principle of fairness is an
appropriatecorrectivemeasure,the EDPBrequeststhe IE SA toinclude thisinitsfinaldecision. Inany

case,the IESA must take into account the criteriaprovided for by Article83(2) GDPRand ensuring it
is effective,proportionate anddissuasive inline withArticle 83(1)GDPR.

115
Adopted On the objection concerning the imposition of an administrative fine for the infringement of Article
5(1)(b) and(c)GDPR

471. The EDPBdecidesthatit doesnot needtoexamine theobjectionof theITSA regardingthe imposition

of anadministrative fine for the infringement ofArticle 5(1)(b) andArticle5(1)(c) GDPR.

11 FINAL REMARKS

472. ThisBinding Decision isaddressed tothe IESA andtheCSAs. TheIE SA shalladopt itsfinal decision on
the basis ofthis Binding Decisionpursuant toArticle 65(6)GDPR.

473. Regardingtheobjections deemednot tomeetthe requirementsstipulatedby Article4(24)GDPR,the
EDPB does not take any position on the merit of any substantial issues raised therein. The EDPB

reiteratesthatitscurrentdecisioniswithoutanyprejudice toanyassessments theEDPBmaybecalled
upon tomake inother cases, including withthesame parties,taking intoaccount the contentsofthe
relevantdraft decision andthe objections raisedby the CSAs.

474. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding
Decision without undue delayandat the latestby one monthafter the Boardhas notified itsBinding

Decision.

475. The IESA shall inform the Boardof the datewhen itsfinal decision is notified tothe controller or the
829
processor . This Binding Decisionwill be made public pursuant toArticle 65(5)GDPRwithout delay
afterthe IESA hasnotified itsfinaldecision tothe controller 830.

476. The IESA will communicateits finaldecision tothe Board 831.PursuanttoArticle 70(1)(y) GDPR,theIE
SA’sfinal decision communicatedtothe EDPBwillbe included in the registerofdecisions whichhave

beensubject totheconsistency mechanism.

For the EuropeanDataProtectionBoard

The Chair

(Andrea Jelinek)

829
Art. 65(6)GDPR.
830Art. 65(5)and(6)GDPR.
831Art. 60(7)GDPR.

116
Adopted

@@ Line 98: / Line 98: @@
 === Facts ===
-In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a prospective user had to create an Instagram account and was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).
+In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a user was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).
-In accordance with the GDPR, Instagram was obliged to have a lawful basis for the processing of any personal data they undertook. [[Article 6 GDPR#1|Article 6(1) GDPR]] detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.
+Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. [[Article 6 GDPR#1|Article 6(1) GDPR]] detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.
-A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Austrian DPA (DSB), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.
+A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (APD), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.
 Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.
@@ Line 112: / Line 112: @@
 Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.
-The Belgian DPA (DSB) referred the case to the Irish DPA (DPC) under article 56 GDPR, and in accordance with the procedure outlined in [[Article 60 GDPR]].
+The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under article 56 GDPR, and in accordance with the procedure outlined in [[Article 60 GDPR]].
 In response to the complaint Meta IE submitted, among others points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. The company stated that it “''does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use''” (Para 41).