The European Data Protection Board has extended the temporary ban on targeted advertising on Facebook and Instagram, imposed by the Norwegian Data Protection Authority (DPA) in July.
As the Norwegian DPA (Datatilsynet) explained in July, Meta uses content preferences, the info users post on Facebook and Instagram, and their location information to build personalized profiles for targeted advertising, a tactic commonly known as behavioral advertising.
The European watchdog’s 27 October urgent binding decision instructs Ireland’s Data Protection Commission (DPC) to ban the processing of personal data for behavioral advertising across the entire European Economic Area (EEA) within two weeks.
Meta will have a week to comply with the order once the Irish data regulator finishes evaluating the company’s proposal to rely on a consent-based approach as a legal basis for processing its users’ data.
“After careful consideration, the EDPB considered it necessary to instruct the IE SA to impose an EEA-wide processing ban, addressed to Meta IE. Already in December 2022, the EDPB Binding Decisions clarified that contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioural advertising,” said EDPB Chair Anu Talus.
“In addition, Meta has been found by the IE SA to not have demonstrated compliance with the orders imposed at the end of last year. It is high time for Meta to bring its processing into compliance and to stop unlawful processing.”
The Norwegian data protection agency said today that Meta had been informed that its business model and use of personal data are in breach of European privacy regulations and that, although the company said it would ask users for consent to use their data for behavioral marketing in the future, it has yet to introduce any changes.
“The Norwegian Data Protection Authority is very concerned about the illegal tracking, monitoring, and profiling on Facebook and Instagram. Although it has long been clear that Meta is breaking the law, and despite the Norwegian Data Protection Authority’s ban, Meta continues with its illegal processing of personal data,” Datatilsynet said (automated translation).
“This is why we have chosen to raise the matter to the Personal Data Protection Board (EDPB), which has now agreed that there is an urgent need for a permanent ban on illegal activities at the European level.”
In December 2022, the Irish DPC also fined Meta a total of €390 million (~$438 million) for illegal behavioral advertising by forcing Instagram and Facebook users to consent to personal data processing for targeted advertising.
Meta rejected the DPC’s findings and said it would appeal the fine, blaming the decision on a “lack of regulatory clarity.”
The Court of Justice of the European Union (CJEU) found that Meta’s approach to behavioral advertising under the GDPR was still non-compliant with EU regulations, even though the Irish watchdog had ordered Meta to bring its current data processing operations into compliance with the GDPR within the next three months.
In November 2022, Meta was slapped with another €265 million ($275.5 million) fine for failing to protect Facebook users’ data from scrapers after data linked to 533 million accounts leaked on a hacker forum.