In a recent press release, the EDPB made a groundbreaking move to protect the privacy and data rights of individuals across the EEA. On the 27th of October 2023, the EDPB adopted an urgent binding decision, instructing the Irish Data Protection Commission (DPC), the lead supervisory authority, to take definitive action against Meta Ireland Limited (Meta) within two weeks. The directive is clear: impose a ban on the processing of personal data for behavioural advertising, citing the legal bases of contractual necessity and legitimate interests.

The EEA-wide ban on data processing for behavioural advertising is set to go into effect just one week after the DPC notifies Meta of the final measures, with the official notification having been issued on the 31st of October 2023. This significant move comes in response to a request from the Norwegian Data Protection Authority, Datalisynet, to impose permanent measures that encompass the entire EEA. Datatilsynet had previously enforced a temporary ban on Meta's unlawful processing of personal data for behavioural advertising through its Facebook and Instagram services, a ban set to expire on the 3rd of November 2023.

Meta has proposed to use consent as the legal basis for its data processing activities and has suggested offering a subscription model to comply with regulatory requirements. This proposal is currently under evaluation by the DPC and Concerned Supervisory Authorities.

Anu Talus, Chair of the EDPB, explained the necessity of this decision, saying, "Already in December 2022, the EDPB Binding Decisions [3/2022 and 4/2022] clarified that a contract is not a suitable legal basis for the processing of personal data conducted by Meta for behavioural advertising... It is high time for Meta to bring its processing into compliance and to stop unlawful processing." Meta is yet to demonstrate its compliance with binding decisions 3/2022 and 4/2022.

It's important to note that while the EDPB's decisions are no longer binding under the UK data protection regime, they remain a point of interest for UK organisations when selecting a legal basis. These decisions also hold relevance for data operations subject to the dual jurisdictions of the EU and UK data protection regimes.

The EDPB's action against Meta's unlawful behavioural advertising practices is a significant development in the ongoing battle to protect individuals' data rights and privacy across the EEA. As this story continues to evolve, it is clear that the data protection regulatory landscape is facing transformative changes, impacting not only Meta but also organisations and individuals throughout the EEA.

In the wake of the EDPB's decision to impose a ban on Meta's behavioural advertising practices, it is crucial for consent to be freely given, which plays a pivotal role in this unfolding story. According to the GDPR, consent must meet specific criteria to be considered valid. First and foremost, it should be a clear and affirmative act, leaving no room for ambiguity. Individuals must accordingly have the option to say "yes" or "no" without any coercion, pressure, or negative consequences. Consent also requires transparency, meaning that data subjects should be fully informed about what they are consenting to, the purpose of data processing, and who will process their data. Additionally, consent should be easy to withdraw, putting individuals in control of their data.

With Meta's proposal to rely on consent as a legal basis under scrutiny, the EDPB's decision underscores the importance of ensuring that consent is freely given, informed, and unambiguous in all data processing activities.

Read the EDPB's full press release here, and binding decisions 3/2022 and 4/2022.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.