EDPB rules Meta’s advertising practices unlawful

In a decision issued on 27 October 2023, the European Data Protection Board (EDPB) has found that Meta’s processing of personal data for the purposes of behavioural advertising through Facebook and Instagram platforms to be unlawful.

Behavioural advertising

 Behavioural advertising that involves collecting and processing the personal data of website users to show them targeted ads based on their preferences, interests or behaviour. Whilst it can act as a powerful marketing tool, it also comes with legal obligations and risks under the GDPR.

The decision 

The EDPB clarified that Meta’s reliance on contractual necessity was not a valid legal basis under the GDPR for the processing of personal data for behavioural advertising. The EDPB did not consider contractual necessity a justifiable basis against the intrusive data processing activities that Meta was carrying out, without first obtaining the consent of data subjects. As a result, the EDPB ordered the Irish DPA, the lead supervisory authority, to impose a ban on Meta's processing of personal data for behavioural advertising on a contractual legal basis across the EEA. The Irish DPA complied with this order and issued an enforcement notice against Meta on 10 November 2023. 

Our Views

Whilst the EDPB’s decisions are no longer binding in the UK, this decision remains of particular relevance to organisations who are subject to the dual jurisdictions of the EU and UK data protection regimes. Additionally, the decision signifies a crucial reminder to all organisation regarding the importance of selecting an appropriate legal basis for data processing activities, especially when they involve sensitive or large-scale data. In order to ensure GDPR compliance, organisations should consider:

• conducting a Data Protection Impact Assessment (DPIA) to identify and mitigate the potential risks and impacts of data processing activities on the rights and freedoms of individuals and determine the most appropriate legal basis for data processing
• when relying on consent as a legal basis for processing personal data, ensure that a system in place to monitor and review the consent status of users
• if a website makes use of cookies, a functionality to obtain consent from users should be implemented before placing cookies on user devices

Read the other topical articles from our Winter Data Protection Update:

• AI News: EU reaches landmark agreement on Artificial Intelligence Act
• Information Commissioner’s Office launches consultation on Generative AI
• European Commission publishes first review of pre-GDPR EU adequacy decisions
• ICO Opens Consultation on Draft Recruitment and Employee Records Guidance