By: Megan Whitaker (Mills & Reeve)
In December 2022, the European Data Protection Board (EDPB) issued a decisive ruling stating that Meta’s services, including Facebook and Instagram, cannot use the legal basis of “necessary for performance of a contract” (as outlined in Article 6(1) of the GDPR) for processing personal data for behavioral advertising purposes. In response, the Irish Data Protection Authority (DPA) directed Meta to align its processing practices with this ruling. Meta subsequently shifted its legal basis to “legitimate interest,” prompting concerns among DPAs across the EU. Notably, the Norwegian DPA urged the Irish DPA to impose a temporary ban on processing personal data for behavioral advertising based on legitimate interest.
Subsequent to the CJEU’s ruling in the Buderskartellamt case, where it determined that the interests and fundamental rights of users take precedence over Facebook’s legitimate interest in personalized advertising, the EDPB issued an urgent binding decision on October 27, 2023. This decision highlighted the need for immediate action and instructed the Irish DPA to impose a ban on Meta’s processing of personal data for behavioral advertising across the European Economic Area (EEA) based on the legal bases of performance of a contract or legitimate interest. The Irish DPA endorsed the decision, granting Meta one week to comply with the ban. The EDPB’s binding decision was made public on December 7, 2023.
For organizations, especially those in the Adtech sector, it’s crucial to consider the implications of these developments. While EDPB decisions no longer hold binding authority in the UK, businesses with operations in the EU engaged in processing personal data for behavioral advertising should still heed the decision’s ramifications…