Meta’s ‘behavior-based marketing’ permanently banned in Europe

The European Data Protection Board (EDPB) has extended its ban on Meta Ireland and made it permanent across the EU and EEA.

The EDPB’s ‘quick binding decision‘ urges the Irish Data Protection Authority to impose a permanent ban on Meta Ireland Limited (Meta IE) over “the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest”. The ban would apply across the entire European Economic Area (EEA) in accordance with Article 66(1) of the Data Protection Regulation. 

The decision follows a request from Datatilsynet, the Norwegian Data Protection Authority, which earlier won a court action against Meta IE over alleged illegal processing of data and behavioral marketing in Norway.

EDPB Chair Anu Talus said: “After careful consideration, the EDPB considered it necessary to instruct the IE SA (Irish Supervisory Authorities) to impose an EEA-wide processing ban, addressed to Meta IE. Already in December 2022, the EDPB Binding Decisions clarified that contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioural advertising.

“In addition, Meta has been found by the IE SA to not have demonstrated compliance with the orders imposed at the end of last year. It is high time for Meta to bring its processing into compliance and to stop unlawful processing.”

Norwegian ban on Meta IE

Earlier in September, the Norwegian DPA urged Meta IE to stop its illegal behavior-based marketing on on Facebook and Instagram, saying it involved a very intrusive monitoring of its users. Meta IE, however, did not stop its marketing, which made the authority also impose a compulsory fine of NKr 1m ($93,761) for every day the ban is breached.

Meta IE submitted several administrative complaints regarding the Norwegian Data Protection Authority’s decision, which made the authority take the issue to the EDPA.

“It is high time for Meta to bring its processing into compliance and to stop unlawful processing.”

EDPB Chair Anu Talus

Line Coll, director of the Norwegian Data Protection Authority, said that the authority is very pleased with the decision, and hopes it will bring an improvement in privacy for users across Europe.

“Enough is enough. After more than five years of violations of users’ basic privacy protection, the Data Protection Council is now putting its foot down against Meta’s lack of respect for the law”, said Tobias Judin, head of the international section.

The EDPB says it “takes note of Meta’s proposal to rely on a consent based approach as legal basis”, and the Irish Data Protection Commissioner (DPC) is currently evaluating this together with the Concerned Supervisory Authorities.

The Irish DPC notified Meta IE of the EDPB’s decision on October 31, 2023. The ban will apply to the entire EU/EEA, and will come into force next week.

Meta issued a statement saying: “Meta has already announced that we will give people in the EU and EEA the opportunity to consent and, in November, will offer a subscriptions model to comply with regulatory requirements.

“EDPB members have been aware of this plan for weeks and we were already fully engaged with them to arrive at a satisfactory outcome for all parties. This development unjustifiably ignores that careful and robust regulatory process.”