The European Data Protection Board (EDPB), a collective of EU data protection regulators, has issued a binding decision to prohibit Meta’s platforms from utilizing personal data for behavioral advertising.
The full decision is available here (pdf).
This development follows Norway’s initial three-month ban on Meta-owned platforms employing extensive user profiling for behavioral advertising.
Despite this, Facebook and Instagram remained operational in Norway, where EU data protection laws prohibit such advertising practices. After not addressing any privacy breaches, Norway began to impose a daily fine of one million Norwegian kroner (around $98,000).
Before being banned, the platforms (Facebook and Instagram) could process publicly shared personal information, like a user’s biography, location, gender, age, or interests, provided the user explicitly supplied them.
The GDPR’s jurisdiction extends to all 27 EU countries and the additional three European Economic Area nations: Iceland, Lichtenstein, and Norway. National privacy regulators can enact provisional measures for up to three months but must inform the EDPB and the European Commission. The respective authority is expected to request an urgent prohibition from the EDPB, substantiating the necessity for such action.
In a separate but related January decision by the EDPB, the Irish Data Protection Commissioner concluded that Meta’s method of processing EU personal data for advertising violated the European data protection framework.
Shortly after, Meta introduced paid subscriptions for Facebook and Instagram in the EU, priced at “€9.99/month on the web or €12.99/month on iOS and Android,” allowing users to opt out of targeted ads.
The introduction of the premium model has been a cause of concern for several activist and consumer-oriented organizations. Most notably, at the end of November, EU consumer groups and the digital activism organization noyb filed complaints against Meta’s “pay or consent” model.
The EDPB’s decision responds to the Norwegian Data Protection Authority’s plea for an EEA-wide ban, superseding the temporary national prohibition.
In their press release, the Board said that regular cooperation mechanisms under GDPR were insufficient, given the serious and irreparable harm posed to data subjects without immediate intervention.
The Board also found that the Irish Data Protection Authority (IE DPA) had not addressed a mutual assistance request from the Norwegian Data Protection Authority (NO DPA) within the GDPR’s stipulated timeframe, further supporting the need for urgent action.
Anu Talus, EDPB’s Chair, emphasized that the Board’s decisions have made it clear that using contracts as a legal basis for processing personal data for behavioral advertising by Meta is inappropriate.
The Board underscored the necessity for immediate and definitive measures, rather than temporary national bans, to mitigate the serious and potentially irreversible harm to individuals’ data rights.
