The European Data Protection Board (EDPB) has published an urgent binding decision to ban Meta’s processing of personal data for behavioural advertising conducted on the legal bases of performance of a contract or legitimate interests. Behavioural advertising allows advertisers to display ads that are personalised to the user based on their web-browsing history. This is often done through cookies stored on a user’s computer when visiting a website.
Chain of events
In December 2022, the EDPB issued a binding decision that Meta’s services (through Facebook and Instagram) cannot rely on ‘necessary for performance of a contract’ (under Article 6(1) GDPR) as a legal basis for the processing of personal data for behavioural advertising purposes. Following this, the Irish Data Protection Authority (DPA) ordered Meta to bring its processing into compliance with that binding decision. Meta subsequently changed its legal basis to ‘legitimate interest’, which caused concern for DPAs across the EU, particularly the Norwegian DPA, which requested that the Irish DPA issue a temporary ban on the processing of personal data for behavioural advertising based on legitimate interest.
Following the CJEU’s decision in the Bundeskartellamt case, in which the CJEU concluded that the interests and fundamental rights of a user override the legitimate interest of Facebook in personalised advertising, the EDPB issued an urgent binding decision on 27 October 2023. The decision confirmed there was a need for urgent measures and instructed the Irish DPA to issue a ban on Meta’s processing of personal data across the EEA for behavioural advertising purposes on the legal bases of performance of a contract or legitimate interest. The Irish DPA adopted the decision and gave Meta one week to implement the ban. The EDPB published its binding decision on 7 December 2023.
Practical considerations for organisations
EDPB decisions are no longer binding in the UK, but businesses (particularly in the Adtech space) should still take note of the decision if they have operations in the EU that involve processing personal data for behavioural advertising purposes.
Practical points for such businesses to consider include the following:
- You may need to conduct a Data Protection Impact Assessment to consider what appropriate Article 6(1) GDPR legal basis can be relied on to carry out the processing, which is now likely to be consent given by the data subject.
- If you do rely on consent as the legal basis, then you need to ensure the business has mechanisms in place to regularly check that the consent remains in place, as the data subject can withdraw their consent at any point.
- If your business uses cookies to store or access information for behavioural advertising, you will need to ensure you obtain consent from the user for placing the cookie on their device (as required under the Privacy and Electronic Communications Regulations 2003). This cookie consent is in addition to needing consent from the user to process their personal data (as required under Article 6(1) GDPR).
If you have any concerns over legal compliance of your behavioural advertising practices, our IT and data protection team here at Mills & Reeve can assist you – please do get in touch!