The move is the latest episode in a long-running saga on this issue. Earlier this year, the Irish DPC concluded an investigation into the data processing operations of Meta’s services, Instagram and Facebook. The investigation concluded following input from the European Data Protection Board. The outcome forced Meta to alter not once, but twice, its stated legal basis for processing personal data for behavioural advertising.
The Norwegian data protection authority, Datailsynet, has not been persuaded by Meta’s measures, and it was their temporary ban, issued in August, which was the precursor for the EDPB decision.
Looking forward, Meta stated in August an intention to change its legal basis for processing personal data for behavioural advertising to that of consent. However, this is unlikely to be the end of the tale. The proposed change has still prompted concerns, with the Norwegian DPA already indicating that it “strongly doubts that Meta's proposed ‘consent’ mechanism, often dubbed ‘pay or okay’, complies with the GDPR”. The 'pay or okay' mechanism refers to recent moves by Meta in rolling out changes to Facebook and Instagram which allows users to pay not to be shown advertisements or agree to consent to the processing of their data for advertising purposes.
The European consumer organisation, BEUC, has stated that it is assessing whether Meta is infringing data protection law with these changes. In the meantime it has filed a complaint (linked here) with the European network of consumer protection authorities alleging Meta is engaging with unfair commercial practice. The privacy activist group, noyb, has also filed a complaint against Meta with the Austrian data protection authority on this issue. The complaint (linked here) argues that “It is obvious that Meta wants to secure its business model, which is based on the processing of personal data for advertising, by switching to a "pay or okay" model… Meta is now trying to extort supposed consent from its users with a "yes or pay" choice.”
Background to the EPDB decision
Earlier this year, the DPC had concluded that "Meta Ireland is not entitled to rely on the “contract” legal basis (Article 6(1)(b) GDPR) in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR."
Meta altered its position, intending to rely upon on the 'legitimate interests' legal basis. However in July 2023, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-252/21, Facebook Inc. and Others v Bundeskartellamt. This decision concluded that Meta was not permitted to rely on the 'legitimate interests' legal basis for delivering behavioural advertising.
In the face of this pressure, Meta announced on 1 August it would change legal basis again to ‘consent’. In practice, this means Meta will ask its users for consent before showing behavioural advertising in the future.
Against this backdrop, the Norwegian DPA had already raised concerns amid possible additional GDPR breaches that arose as a result of the initial change to legitimate interest. Therefore, prior to the August consent announcement, the Norwegian DPA issued a temporary ban on the processing of personal data for behavioural advertising for 3 months, along with fines for each day of non-compliance.
Meta’s appeal against the ban failed and the Norwegian DPA referred to the EDPB asking for the ban behavioural advertising on Facebook and Instagram be made permanent and extended to the entire EU/EEA. The EDPB agreed.
Meta’s proposed change to consent does not apply to users in the UK. There has been no further comments from the Information Commissioner's Office since a statement in August that an "appropriate response" is being considered from a UK perspective.