Brussels, 7 December 2023 – Following the EDPB’s urgent binding decision of October 27th 2023, the Irish data protection authority (IE DPA) adopted its final decision on 10 November 2023, imposing a ban on Meta Ireland Limited (Meta IE) for the processing of personal data for behavioural advertising purposes on the basis of contract and legitimate interest. The EDPB urgent binding decision followed a request from the Norwegian Data Protection Authority (NO DPA) to order final measures in this matter which would have effect in the entire European Economic Area (EEA).
EDPB Chair Anu Talus said: “After careful consideration, the EDPB considered it necessary to instruct the IE DPA to impose an EEA-wide processing ban, addressed to Meta IE. Already in December 2022, the EDPB Binding Decisions clarified that contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioural advertising. In addition, Meta has been found by the IE DPA to not have demonstrated compliance with the orders imposed at the end of last year. This has led to the use of the Art. 66 urgency procedure – a derogation from the usual cooperation procedure which can only be used in exceptional circumstances.”
On 14 July 2023, the NO DPA adopted an order imposing a temporary ban under Art. 66 (1) GDPR on Meta IE and Facebook Norway AS (“Facebook Norway”) regarding the processing of personal data of Norwegian data subjects for behavioural advertising relying on the legal bases of contract or legitimate interest. This ban was limited in time and geographic scope: it was valid for three months and only applicable in Norway. On 26 September 2023, the NO DPA submitted a request to the EDPB for an urgent binding decision to order the adoption of final measures applicable for users in all EEA states.
Following its analysis of the file, the EDPB concluded that there are ongoing infringements of the GDPR and there is an urgent need to act in light of the risks for the rights and freedoms of the data subjects.
Based on the evidence provided, the EDPB found that there was an ongoing infringement of art. 6 (1) GDPR because of the inappropriate use of the legal bases of contract and legitimate interest for the processing of personal data collected by Meta IE for the purpose of behavioural advertising.
In addition, the EDPB concluded that there was also an ongoing infringement of Meta’s duty to comply with decisions by DPAs, most notably the IE DPAs final decisions of December 2022.
Regarding the existence of urgency, the EDPB concluded that the regular cooperation mechanisms cannot be applied in their usual manner and that the urgent need to order final measures is clear in light of the risks of serious and irreparable harm caused to data subjects without the adoption of final measures.
Furthermore, the EDPB found that the IE DPA failed to address a request for mutual assistance from the NO DPA within the timeframe set out in the GDPR. The presumption of urgency set by Art. 61 (8) GDPR therefore applies, which further corroborates the need to derogate from the regular cooperation and consistency mechanisms.
The EDPB therefore decided that final measures needed to be adopted by the IE DPA. It considered it appropriate, proportionate and necessary to instruct the IE DPA to impose a ban on processing addressed to Meta IE for processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of contract and legitimate interest.
This urgent binding decision was addressed to the IE DPA, the NO DPA and the other concerned DPAs and the IE DPA adopted its final decision on 10 November 2023.
Background
What is Art. 66 GDPR?
In exceptional circumstances, when a DPA considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects within its territory, it can adopt provisional measures that have a legal effect on their own territory for a maximum of three months.
These measures are adopted by way of derogation from the GDPR’s consistency mechanism (Art. 63 GDPR) or the One-Stop-Shop mechanism (Art.60 GDPR). This tool was designed so that authorities are always in a position to protect the rights and freedoms of individuals in their respective Member State, in all circumstances.
The DPA that issues such provisional measures must communicate these measures and the reasons for adopting them without undue delay to the other DPAs concerned, the European Data Protection Board and the European Commission.
If the DPA that has taken such provisional measures considers that final measures need to be adopted urgently, it can request an urgent opinion or an urgent binding decision from the EDPB, providing the reasons for the urgent need to order the adoption of final measures by derogation to the standard cooperation and consistency procedures.