Please enable javascript in your browser to view this site

GDPR: Meta required to change behavioural advertising practices

No longer able to rely on a GDPR exemption for its use of personal data, Meta has begun to rollout a new subscription model across the EU

Meta cannot use GDPR clause for personal data usage

On 27 October 2023, the European Data Protection Board (EDPB) issued a binding decision banning Meta’s use of personal data for behavioural advertising. The decision specifically prohibits Meta from citing the use of personal data in pursuit of “legitimate interests” under the General Data Protection Regulation (GDPR) as part of behavioural advertising on its Facebook and Instagram platforms. The Irish Data Protection Commission (DPC) – which often acts as the enforcer of data protection rules given many European tech headquarters are located in Ireland – previously banned Meta from justifying its practices as “necessary for the performance of a contract” under the GDPR after EDPB direction in December 2022. The EDPB’s most recent decision directs the DPC to take final measures against Meta.

The EU has followed Norway’s lead

The permanent and EU-wide ban on invoking the legitimate interest justification extends the work of Datatilsynet, the Norwegian Data Protection Authority, which issued a temporary ban on the practice in August 2023. Datatilsynet imposed its temporary ban while awaiting updates from the DPC’s ongoing investigation into Meta’s behavioural advertising. The temporary ban carried a NOK1m (£73,468) daily fine for non-compliance and was referred to the EDPB for an urgent binding decision.

Meta rolls out new subscription model

On 30 October 2023, Meta responded to European regulators by announcing the rollout of a paid subscription plan for Facebook and Instagram users in the EU, which will become available for purchase from November. In announcing its new paid model, Meta cited the Court of Justice of the European Union’s July 2023 ruling on the legal basis of personalised advertising that stated offering a financially necessary and appropriate payment scheme for an ad-free option would meet consent requirements under the GDPR. Meta announced a general intention to move to a consent justification for its personal data usage in August 2023 as the Datatilsynet ban on the legitimate interest basis came into effect and following the Court’s ruling. Meta has also stated that it paused all advertising to users under 18 as of 6 November 2023 due to “legal uncertainty” over the use of the data of minors in targeted advertising under the EU’s Digital Services Act (DSA).

DPC will be the final arbitrator for Meta

The DPC is now responsible for advancing the matter against Meta under the EDPB’s binding decision. In addition to its prior decision outlawing the use of a contract justification for Meta’s personalised ads, the DPC also decided in May 2023 that Meta had violated the GDPR in continuing to transfer Facebook and Instagram user data from the EU to the US. That decision resulted in the firm being fined €1.2bn (£1.04bn) – the largest penalty so far under the GDPR regime. Since the beginning of 2022 alone, the DPC has fined Meta over €2.27bn (£1.98bn) in relation to a variety of its data practices. The DPC has yet to report its progress in evaluating Meta’s subscription plan as a legitimate vehicle for a consent-based justification of personal data usage, although Datatilsynet has stated its objection to such a ‘pay or OK’ model, which it does not consider compliant with the GDPR.