Is surveillance capitalism legal in the EU? (Part 3)
A look at the EDPB's ban on Meta's behavioural advertising
This series of posts looks at the legalities of surveillance capitalism in the context of EU data protection law, which has been covered in several important decisions in the EU in recent years.
The first post in this series looked at whether behavioural advertising can be carried out on the basis of contractual necessity (spoiler, it cannot!).
The second post looked at the CJEU's decision in Bundeskartellamt concerning the legalities of Facebook's surveillance capitalism under EU law.
This post looks at the binding decision of the European Data Protection Board (EDPB) on the processing of personal data for behavioural advertising by Meta. This decision banned Meta from carrying out surveillance capitalism on the basis of contractual necessity or legitimate interest.
In coming to this decision, the EDPB made the following findings:
Meta had infringed the requirements for contractual necessity under Article 6.1(b) GDPR.[1]
Meta had infringed the requirements for legitimate interest under Article 6.1(f) GDPR.[2]
Meta had not complied with previous decisions made by supervisory authorities regarding the processing of personal data for behavioural advertising.[3]
There was an urgent need to order final measures regarding the processing operations of Meta given the identified risks to the rights and freedoms of data subjects arising from the infringements of the GDPR.[4]
It was appropriate, proportionate and necessary to order final measures banning the processing of personal data for behavioural advertising.[5]
The lead up to the 2023 EDPB decision
The Bundeskartellamt judgment remains a significant blow to business models based on surveillance capitalism. It was basically the beginning of the end for online platforms relying on inappropriate legal bases for the processing of their users' personal data for advertising purposes.
Merely 10 days after that judgment (on 14 July 2023), the Norwegian data protection authority (DPA) imposed a temporary ban on the processing of personal data of data subjects in Norway. It cited Bundeskartellamt as one of the reasons for taking such action.
The Norwegian DPA's decision was made in accordance with Article 66.1 GDPR. This states that, in urgent cases, European DPAs can "immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months."
This was followed by a request made by the Norwegian DPA in September 2023 to the EDPB for final measures against Meta. This request was made under Article 66.2 GDPR, whereby European DPAs can request "an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision."
The EDPB eventually finalised its urgent binding decision on Meta's processing in October 2023, and the decision was published in December of that year. It concluded that there were "ongoing infringements of the GDPR and [that] there [was] an urgent need to act in light of the risks for the rights and freedoms of the data subjects."
It should also be noted that in the lead up to the EDPB's decision, the Irish Data Protection Commissioner (DPC) was engaged in frequent back-and-forth with Meta regarding the company's compliance efforts following the EDPB's decision in 2022 on behavioural advertising and contractual necessity. I covered this decision in the first post of this series.
Most notably during this time, Meta attempted to change the legal basis for its behavioural advertising from contract (which was prohibited by the EDPB in 2022) to legitimate interest. This was in April 2023, a few months before the devastating Bundeskartellamt decision that triggered the actions of the Norwegian DPA and the subsequent EDPB decision.
The published 2023 EDPB decision provides more comprehensive coverage of the relevant events during this time period.[6] The Board also published a simplified version of this on its website.
For an urgent decision made pursuant to Article 66.2, the EDPB needs to satisfy two cumulative conditions:[7]
There needs to be an infringement of the GDPR
There needs to be an urgent situation to justify a derogation from the regular cooperation procedure.[8]
Meta's infringements of the GDPR
The EDPB's 2023 Decision identifies two infringements of the GDPR by Meta:
An infringement of the contractual necessity provision under Article 6.1(b)
An infringement of the legitimate interest provision under Article 6.1(f)
Contractual necessity
Recall that, under Article 6.1(b) GDPR, personal data may be processed if the processing is:
...necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
In the first post in this series, I covered the EDPB's 2022 decision on Meta's use of contractual necessity as a legal basis for processing personal data for behavioural advertising. In that decision, the EDPB found that Meta could not rely on this basis given that "behavioural advertising was not the main purpose of the Facebook service" and therefore not necessary to provide that service to users.[9]
The EDPB therefore instructed the Irish DPC to find an infringement of Article 6.1 by Meta for inappropriately relying on the contractual necessity provision.[10] Indeed, on the basis of the Board's decision, the Irish DPC "ordered Meta...to bring its processing into compliance with [the] GDPR" and to "address the finding that Meta...is not entitled to process personal data for the purpose of behavioural advertising on the basis of [contractual necessity]."[11]
As mentioned before, in April 2023, Meta subsequently changed the legal basis for behavioural advertising from contractual necessity to legitimate interest. It also informed the Irish DPC that it continued to rely on contractual necessity for "limited categories of non-behavioural information" to show advertisements on Facebook and Instagram.[12]
But as provided in a 2010 opinion by the Article 29 Working Party (the precursor to EDPB), behavioural advertising is defined as:
...advertising that is based on the observation of the behaviour of individuals over time. Behavioural advertising seeks to study the characteristics of this behaviour through their actions (repeated site visits, interactions, keywords, online content production, etc.) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their inferred interests.
A crucial question therefore is whether the "limited categories of non-behavioural information" Meta processed to show ads nevertheless constituted behavioural advertising. The specific data that Meta was referring to included:[13]
Demographic data (age, gender and estimated location).
In-use app, browser and device data (the type of device being used, the language chosen and the app version being used).
Advertisements shown (information on whether the ad is rendered and delivered to a user).
Advertisement interaction data (information about how a user interacts with an ad).
The EDPB found that the processing of such data for the purpose of showing ads to users of Meta's platforms did in fact constitute behavioural advertising. Regarding the use of location and advertisement interaction data in particular, the EDPB found that:
...Meta IE did not provide sufficient information to explain why other categories of data processed by Meta IE do not amount to behavioural data, such as device data and advertisements shown. In this respect, the EDPB finds, in line with the view of the IE SA, that in relation to device data, if Meta IE would use device data to identify different market segments, this would constitute a processing for behavioural advertising.[14]
Accordingly, the EDPB found that:
...there [was] an ongoing infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(b) GDPR for processing of personal data, including location data and advertisement interaction data collected, on Meta’s products for behavioural advertising purposes.[15]
Legitimate interest
Under Article 6.1(f) GDPR, personal data may be processed if the processing is:
...necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Meta had identified four legitimate interests it relied on for the processing of personal data for behavioural advertising:
(1) Meta IE’s ‘interest and the interests of other users to provide a positive user experience that users will want to engage with, and which is tailored to users - providing quality targeted and personalised ads is a core element of the wider user experience across Meta Products’,
(2) Meta IE’s ‘interest and the interests of other users to enable [Meta IE] to generate revenue and continue to innovate, improve and develop the Meta Products and new technologies’,
(3) Meta IE’s and third parties’ (e.g. advertisers) interests ‘to provide businesses, both big and small, the opportunity to connect with the users who are most likely to be interested in their products and services’, and
(4) Meta IE’s ‘interests and the interests of third parties (e.g. advertisers) and other users, for businesses, both big and small, to be able to promote their products and services to users’.[16]
To rely on legitimate interest as a legal basis for processing, the data controller (namely Meta in this case) needs to meet three cumulative conditions (as the CJEU explained in Bundeskartellamt, which I covered in part 2 of this series):
It needs to be shown that the controller or a third party is pursuing a legitimate interest. This means that the controller must inform data subjects of the legitimate interests being pursued at the time that their data are collected.
The processing of personal data must be necessary to pursue that legitimate interest. This requires proof that "the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects."
The legitimate interest being pursued, and the data processing it entails, must not take precedence over the interests or fundamental freedoms and rights of the data subjects. This means that the rights of the data subjects and the interests of the controller must be balanced, taking into account the relevant context of the processing. (Emphasis added)
On the first condition, the EDPB acknowledged the legitimate interests Meta identified. But the EDPB found that Meta had failed to meet the second and third conditions.
On the second condition, the EDPB found that Meta did not demonstrate the necessity of the processing for any of the legitimate interests it identified. Citing Bundeskartellamt, the EDPB noted that it must be shown that "the legitimate data processing interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects".[17]
Applying this to Meta, the EDPB reiterated a point made in its 2022 decision, which is that "there are realistic, less intrusive alternatives to behavioural advertising" that Meta could rely on to generate revenue.[18] The EDPB cited contextual advertising based on geography, language and content as one possible alternative.
On the third condition (the balancing test), the CJEU in Bundeskartellamt made the following stipulation:
the interests and fundamental rights of such a user override the interest of that operator in such personalised advertising by which it finances its activity, with the result that the processing by that operator for such purposes cannot fall within the scope of point (f) of the first subparagraph of Article 6(1) of the GDPR.[19]
Similarly, the EDPB cited its guidelines on automated individual decision-making and profiling under the GDPR in which it states that:
...it would be difficult for controllers to justify using legitimate interests as a lawful basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.[20]
Accordingly, the EDPB concluded that:
...there [was] an ongoing infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(f) GDPR for processing personal data collected on Meta’s products for behavioural advertising purposes.[21]
The existence of urgency
The EDPB considered that there was an urgent situation to justify a derogation from the regular cooperation procedure for the following key reasons:
The infringement of the contractual necessity and legitimate interest provisions of the GDPR constituted "a very serious situation of non-compliance" involving the "processing of extensive amounts of data" that harmed "the rights and freedoms of millions of data subjects in the EEA."[22]
Meta carrying out behavioural advertising without an appropriate legal basis was causing "supplementary harm to the data subjects and [allowed] Meta to continue to collect significant amounts of personal data of millions of European individuals on a daily basis and to generate significant revenue from the unlawful processing of the personal data of millions of data subject in the EEA" that could not be retroactively remedied.[23]
Accordingly, "failing to put an end to the processing activities at stake and to enforce the IE SA Decisions [exposed] data subjects to a risk of serious and irreparable harm."[24]
Additionally, given that the Irish DPC had already issued decisions ordering Meta to comply with the GDPR, and that the company had failed to do so, the EDPB found that "the regular cooperation or consistency mechanisms [could not] be applied in their usual manner, and that due to the risk of serious and irreparable harm without urgent final measures, there [was] a need to derogate from the regular cooperation and consistency mechanisms to order final measures due to the urgency of the situation."[25]
The need for a ban on behavioural advertising
Given the "serious situation of non-compliance" by Meta, its duty to comply with the orders of regulators and the existence of urgency, the EDPB found it necessary to order final measures against Meta. The question that the EDPB had to address though was what form these final measures should take.
On that, the EDPB explored the imposition of a ban on processing. For this, the EDPB had to consider the appropriateness, necessity and proportionality of such a measure.
This reflects what is suggested in Recital (129) GDPR:
...each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned.
Paragraph 295 of the decision, I think, nicely summarises the EDPB's position as to why it considered a ban on behavioural advertising to be appropriate, necessary and proportionate:
...while certainly the imposition of a ban causes significant disadvantages to the controller, the EDPB considers that such disadvantages are not at this point in time, per se, disproportionate compared to the harm caused to data subjects by the unlawful processing and continued non-compliance. In this regard, moreover, the EDPB notes that the controller was granted the opportunity to take remedies without facing these disadvantages. As highlighted above, several months have passed since the adoption of the IE SA Decisions and the expiry of the deadline for the orders to bring processing into compliance contained therein. At this stage, the controller has undertaken efforts to comply with the GDPR but compliance has not yet been achieved, as indicated in the IE SA Final Position Paper, and there is still no clear indication that compliance will be reached soon. The imposition of an order to bring processing into compliance within a short deadline did not succeed in reaching the objective it pursued, consisting in ‘ensuring compliance and bringing the harm to the data subjects to an end’.[26]
In essence, Meta had been given opportunities to bring its processing into compliance with the GDPR which it failed to take up. And given the serious nature of this non-compliance, and the subsequent risks to data subjects, a ban on processing was considered to be the best way forward.
The EDPB therefore adopted the following decision:
The EDPB considers that the ban should refer to Meta IE’s processing of personal data collected on Meta’s products for behavioural advertising purposes on the basis of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR across the entire EEA. The processing activities to which the ban refers are: (i) the processing of personal data, including location data and advertisement interaction data, collected on Meta’s products for behavioural advertising purposes, having established in this respect the infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(b) GDPR; (ii) processing of personal data collected on Meta’s products for behavioural advertising purposes, having ascertained in this respect the infringement of Article 6(1) GDPR arising from inappropriate reliance on Article 6(1)(f) GDPR.[27]
Final remarks
The EDPB ban could be looked at as evidence of the EU's preference for a centralised approach to data protection enforcement.
Many large tech companies opt to have their European establishments in Ireland to take advantage of the GDPR's one-stop-shop and have the Irish DPC as their primary regulator. But this does make the Irish DPC somewhat of a bottleneck when it comes to enforcement decisions.
Additionally, the Irish DPC is sometimes seen as too lenient in its regulatory approach. Indeed, the Norwegian DPA's decision to request that the EDPB ban Meta's processing operations may have been fuelled by this.
And maybe this leniency is what has allowed Meta to jump around different legal bases to justify its behavioural advertising. But with the centralised approach to enforcement on this issue, in the form of a binding EDPB decision, Meta are being left with fewer options to play with.
Though this is not just limited to Meta. Any other online platform with a business model based on surveillance capitalism has to take notice of this decision and its implications.
Since the EDPB's ban, Meta has moved to its 'pay or okay' model, where users either agree to being tracked for behavioural advertising or pay a subscription to use the platform without being tracked. This model will be the subject of the next post in this series.
[1] EDPB, Binding Decision 01/2023, para. 315.
[2] EDPB, Binding Decision 01/2023, para. 316.
[3] EDPB, Binding Decision 01/2023, para. 317.
[4] EDPB, Binding Decision 01/2023, para. 318.
[5] EDPB, Binding Decision 01/2023, para. 321.
[6] EDPB, Binding Decision 01/2023, paras. 2-56.
[7] EDPB, Binding Decision 01/2023, para. 71.
[8] This second condition is referring to the one-stop-shop mechanism under the GDPR. This is the framework for the regulation of organisations with data processing operations that span across the EU (like Meta), which I explained in a post from 2019.
[9] EDPB, Binding Decision 3/2023, para. 124.
[10] EDPB, Binding Decision 3/2023, para. 85.
[11] EDPB, Binding Decision 3/2023, para. 86.
[12] EDPB, Binding Decision 3/2023, para. 87.
[13] EDPB, Binding Decision 3/2023, para. 91.
[14] EDPB, Binding Decision 3/2023, para. 99.
[15] EDPB, Binding Decision 3/2023, para. 152.
[16] EDPB, Binding Decision 3/2023, para. 115.
[17] Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 108.
[18] EDPB, Binding Decision 3/2023, para. 130.
[19] Case C-252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), para. 117.
[20] Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, p. 15.
[21] EDPB, Binding Decision 3/2023, para. 153.
[22] EDPB, Binding Decision 3/2023, para. 196.
[23] EDPB, Binding Decision 3/2023, para. 202.
[24] EDPB, Binding Decision 3/2023, para. 205.
[25] EDPB, Binding Decision 3/2023, paras. 212-215 and 220.
[26] EDPB, Binding Decision 3/2023, para. 295.
[27] EDPB, Binding Decision 3/2023, para. 323.