Thoughts on behavioural advertising, Meta and privacy

by Eva Jarbekk


Hands holding a phone.


Meta Platforms offers a community for people to connect, find and discover communities, but also for businesses to grow. What communities and activities people engage in, may vary greatly; from finding support and relevant information on illnesses or saving the oceans to keeping in touch with old friends. I actually know many people that appreciate the idea of Facebook.

Meta not only enables people to find each other and keep in touch, but also helps people find new or existing products, marketed by businesses, small and large, all around the world. Small businesses have a particular interest in finding their targeted audiences. The same goes for NGOs/charities that may reach their constituents.

Instead of requiring a fee from users in exchange for them to enjoy their services, they have based their business model on online personalised advertising. As many other companies. Advertisers pay for the advertising service which has enabled Meta to provide its services to users free of charge. The reason for this approach is twofold.

First, it allows them to offer tailored advertisements, connections and services to users, without selling the user’s personal data to advertisers. This saves users from searching for such products themselves and (hopefully) opens up for possibilities for services that users may otherwise never have discovered. Users may set their ad preferences, block or hide specific advertisers.

Second, Meta does not have to ask for a fee, ensuring that everyone, whatever their income, can access the platforms. This is in my view the most important objective.

Recent developments in the data protection sphere challenge both these aims.

Following the Court of Justice of the EU (CJEU), who find that Meta's processing of personal data when collected from third party services and linked with personal data collected on Facebook for behavioural advertising can neither be based on contractual necessity nor legitimate interest under the GDPR, we now find ourselves in a situation with uncertainty for many companies.

The decision is being hailed as a ban on behavioural advertising on the basis of contractual necessity or legitimate interest, but this is actually not a correct description of the case. Important aspects of the CJEU's ruling are being overlooked.

The CJEU decision applies to 'off-Facebook data' which limits the scope of the ruling. "Off-Facebook data" is data that is not gathered from Facebook itself, but from other apps or third parties. I will revert to this below. Many are interpreting the implications of the ruling too widely.

The DPAs themselves do not even agree on the topic of legal bases for personalised ads. Let us have a closer look at the situation.

Processing personal data

European data protection law aims to protect individuals' personal data, and to facilitate free movement of data in the EEA. To process personal data, a legal basis is required. That is a fundamental requirement under the GDPR. And a good one, too.

There are 6 different legal bases.[1] Each may be suited for different purposes depending on the circumstances and it is largely up to the controller to select the right one. In many cases, several legal bases may apply, and the controller must then choose the most appropriate basis. As per the Irish DPC, "there is no hierarchy or preferred option within this list, instead each instance of processing should be based on the legal basis which is most appropriate in the specific circumstances".[2] The Information Commissioner's Office equally provides that, "No single basis is 'better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual". [3] This is in line with fundamental privacy principles.

Meta initially based their processing of first party personal data (their own "on-platform data") for the purpose of behavioural advertising on contractual necessity – the need to perform the contract entered into with users.[4] Further, they based the processing of third party personal data (off-platform data) for the purpose of behavioural advertising on consent. The choice of legal bases was previously assessed by the Information and Data Protection Commissioner ("IDPC"). No request to change it was made by the IDPC until 31 December 2022.

The terms (the contract) were transparent and set out in the user agreement, with the general terms that all users of their platforms agree to when clicking on the 'Sign up' button and completing the registration process. As stated by a decision from the Austrian Court of Appeal judgement of 7 December 2020 (my underlining):

“The nature of this Facebook business model and the contractual purposes associated with it (from the perspective of the Facebook user, above all: gaining access to a personalized communication platform - also through tailored advertising - without having to pay money for it; from the perspective of Defendant, in particular: Generating income through personalized advertising, made possible by the personal data of Facebook users) is explained in the Terms of Services in a way that is easily understandable to any reader who is even moderately attentive. This model is also neither immoral (…) nor unusual (…) Finally, the contractual purposes (…) are clearly illustrated in the overall structure of this set of rules. (…) The processing of personal user data is a supporting pillar of the contract concluded between the parties. Only this use of data enables tailor-made advertising, which significantly shapes the "personalized experience" (…) and at the same time provides (…) the income necessary to maintain the platform and to make a profit. This data processing is therefore "necessary" for the performance of the contract (…)”.

The simple reason for using contractual necessity as legal basis was supposedly because the processing of personal data to personalise ads is necessary (i) to deliver a personalised service, as explained in the terms of use; and (ii) to fund the services. Like other companies, Meta is not obliged to offer the service for free. It is possible to say that this even is a good ambition.

Following complaints from two data subjects in 2018, the DPC, Meta's lead data protection regulator in the EU - as Meta's headquarters are in Ireland (more on that below) -, launched an investigation into Meta's use of contractual necessity as a legal basis. In its draft decision, the DPC found that the GDPR did not in principle preclude Meta's reliance on contractual necessity and submitted its draft decision to the many other peer regulators in the EU/EEA – known as Concerned Supervisory Authorities (CSAs).

The majority of CSAs actually agreed with the DPC's view. But 10 out of the 47 CSAs with a right to vote (i.e. 21%) opposed it. (Note that EEA DPAs, such as the Norwegian DPA, do not have a right to vote).[5]

These 10 CSAs argued that Meta should not be allowed to rely on contractual necessity because they found that delivering personalised advertising was not necessary to perform the core elements of what, they thought, was (or should have been) a much more limited form of agreement.[6]

As the Austrian Court did in 2020, the DPC disagreed. "Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising. In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service", said the DPC.[7]

As no unanimous consensus could be reached, the DPC referred the disputed points to the European Data Protection Board (EDPB), who on 5 December 2022 decided that Meta could not rely on contractual necessity for the purposes of behavioural advertising.[8] The EDPB considered the underlying agreement irrelevant and did therefore not assess it.

Forced to comply with the EDPB's decision, on 31 December 2022, the DPC found that Meta must change their approach to the legal basis under the GDPR within 3 months.[9] As such, Meta announced on 30 March 2023 that they would move from contractual necessity to legitimate interest, effective from 5 April 2023.[10]

The story did not, however, end there.

EU court: neither necessary for a contract, nor a legitimate interest

In 2019 the German Federal Cartel Office essentially prohibited Meta Platforms, Meta Platforms Ireland and Facebook Deutschland[11] from making the use of the social network Facebook by German private residents subject to "the processing of their off-Facebook data and from processing the data without their consent on the basis of the general terms in force at the time". Do note the rather limited description of what facts the decision pertains - something that is often overlooked when the decision from the CJEU is debated. As all lawyers will know, the decision from the CJEU cannot be interpreted different from the facts it is based on.

Meta subsequently filed an appeal with the Düsseldorf Higher Regional Court, who requested a preliminary ruling from the CJEU. 

Off-Facebook data

Importantly, the preliminary ruling does not concern the processing of all personal data for the purposes of behavioural advertising. Its scope is narrower than that. As noted above, it relates to off-Facebook data. The CJEU defines off-Facebook data as personal data "relating to activities outside the social network", that is, "data concerning visits to third-party webpages and apps, which are linked to Facebook through programming interfaces – 'Facebook Business Tools' – as well as data concerning the use of other online services belonging to the Meta group".[12]

Accordingly, a central question the CJEU had to answer was: "Can an undertaking, such as [Meta Platforms Ireland], which operates a digital social network funded by advertising and offers personalised content and advertising, network security, product improvement and consistent, seamless use of all of its group products in its terms of service, justify collecting data for these purposes from other group services and third-party websites and apps via integrated interfaces such as “Facebook Business Tools”, or via cookies or similar storage technologies placed on the internet user’s computer or mobile device, linking those data with the user’s account and using them, on the ground of necessity for the performance of the contract under Article 6(1)(b) of the GDPR or on the ground of the pursuit of legitimate interests under Article 6(1)(f) of the GDPR?"[13]

The decision therefore has implications for the processing of personal data by an operator of a social network, whereby such processing includes the collection of personal data of (i) users of the network from other services of the group to which said operator belongs (e.g., Instagram, which is also a social network service and shares the same data controller and privacy policy as Facebook) or (ii) users who visit third-party websites or apps which decide to send data to Facebook, which then link such data with the users social network account including for behavioural ads.[14]

The decision does not, however, relate to the processing of all personal data, e.g. on-Facebook data, for the purposes of behavioural advertising. The preliminary ruling from CJEU provides instructions on the interpretation of, inter alia, Article 6(1)(b) and Article 6(1)(f) in this context. However, it is the responsibility of the referring court to conclude on the factual matter, not the CJEU.[15]

Legal Bases

As a start here, it may be useful to mention that behavioural ads are legitimate in the EU. The Digital Service Act ("DSA") legislative discussion specifically addressed this and ended up setting out specific restrictions on the use of special categories of data and for targeted advertising towards minors. Targeted advertising against adults is allowed. The Digital Market Act ("DMA") includes specific obligations for gatekeepers on processing of personal data from different "core platform services", which could be necessary for personalised ads. The recent adoption of the Political Ads Regulation is another legislative piece that reconfirmed the legitimacy of behavioural ads, specifically in the area of political ads, and further targeting restrictions in the regulation were not added in the end even though suggested earlier.

Returning to the Meta case, also the CJEU recognised the usefulness of personalised content for users. But - it concluded that Meta's processing of third party data for behavioural ads was not necessary for the provision of the services.[16]

Rather, they continued: “those services may, where appropriate, be provided to the user in the form of an equivalent alternative which does not involve such a personalisation, such that the latter is not objectively indispensable for a purpose that is integral to those services”. Nor are, stated the CJEU, users obliged to subscribe to the various services offered by the Meta group to create a Facebook account, meaning products and services offered by the group may be utilised independently of each other. Based on this, the CJEU concluded that "the processing of personal data from services offered by the Meta group, other than the online social network service, does not appear to be necessary for the latter service to be provided".[17]

As for legitimate interests as a legal basis, "such processing can be regarded as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, within the meaning of that provision, only on condition that the operator has informed the users from whom the data have been collected of a legitimate interest that is pursued by the data processing, that such processing is carried out only in so far as is strictly necessary for the purposes of that legitimate interest and that it is apparent from a balancing of the opposing interests, having regard to all the relevant circumstances, that the interests or fundamental freedoms and rights of those users do not override that legitimate interest of the controller or of a third party".[18] On the other hand, the CJEU held that users “cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalised advertising”.[19] It is however the national court that will pass the final decision on the factual matter.

This leaves consent as a legal basis. But even consent is subject to certain requirements.

“[U]sers must be free to refuse individually, in the context of the contractual process, to give their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator”, said the CJEU.[20]

The CJEU also stated that, "users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations”.[21] Meta announced their intention of moving to consent as legal basis for advertising in the European Economic Area on 1 August 2023 and started preparing for this.[22]

Behavioural advertising: somewhat urgently banned?

Shortly after the CJEU's ruling, the Norwegian DPA imposed a temporary ban on Meta's behavioural advertising practices, when using contractual necessity and legitimate interest as legal bases, on Facebook and Instagram. The order applied from 4 August 2023 to 3 November 2023.

At the same time, the Irish DPC was heading the dialogue with Meta on behalf of other DPAs in Europe as Meta's European headquarter is in Dublin, Ireland. This is known as the one-stop-shop arrangement under GDPR, where a company having activities in several European countries can rely on advice from the DPA in the country where they have their head office. That DPA is called the "lead" DPA, which, simply put, is the authority with the primary responsibility for dealing with a cross-border data processing activity.[23]

After the CJEU ruling of 4 July 2023, the DPC was in dialogue with Meta on Meta's upcoming consent mechanism. The Norwegian DPA did not wait for the DPC to finalise their work with Meta but went out singlehandedly ahead with their order. It is fair to say that this was unusual. Usually the lead DPA and other DPAs coordinate and cooperate to contribute to a consistent application of the GDPR.[24] And, unsurprisingly, the lead DPA usually takes the lead as mandated by the GDPR.

Only in exceptional circumstances, when there is an urgent need to act in order to protect the rights and freedoms of data subjects , can DPAs immediately adopt a provisional measure.[25]
Accordingly, the conditions for cross-border cases when a DPA wishes to act on its own without consulting the other DPAs concerned are strict. The following three conditions must be fulfilled:

i) exceptional circumstances;
ii) an urgent need to act; and
iii) the need for protection of the rights and freedoms of data subjects.

Were these conditions satisfied in the Meta case? 

Meta had already announced (on August 1) their intention to abide by the CJEU ruling and change the legal basis. 

Was the Norwegian DPA perhaps more frustrated that the DPC was taking too long? 

The two DPAs had been in dialogue earlier. On 5 May 2023, the Norwegian DPA requested the DPC to decide on a temporary ban and informed the DPC that if the DPC did not follow up on the request, the Norwegian DPA would assess the possibility of taking action under the urgency exception. The DPC replied it could not comply with the request and on 13 June 2023 informed the relevant DPAs that it would wait until CJEU concluded in case C-252/21.[26].
Following the CJEU's decision, the DPC sent a draft report to all the other DPAs, further informing them that the DPC would finalise their evaluation within 21 August 2023.

The Norwegian DPA could not wait until then. In their view, the urgency measure was necessary, largely due to the DPC not complying with the deadlines set by the Norwegian DPA and the DPC not complying with their request on a temporary ban, as well as Meta allegedly not complying with the GDPR within the 3 month deadline to change to a legal basis different from the contract imposed by the EDPB and set by the DPC in December 2022 (Meta had in fact from April 2023 moved to legitimate interest as legal basis).

In its order, the Norwegian DPA states that, "The existence of exceptional circumstances, which justify the adoption of urgent and provisional measures under Article 66(1) GDPR, is further evidenced by the fact that IE SA has not adopted any measures towards Meta in response to our express request to that effect, nor has it indicated that any measures will be imposed in the future".[27]

The Norwegian DPA, moreover, affirmed that, "Pursuant to Article 61(1), we requested the DPC to provide a timeline for how it would ensure that Meta complies with Article 6(1) GDPR in an expedient manner. We have not received such information. Instead, we have received a timeline for the finalisation of the DPC's assessment of compliance. That is not the same thing, as the information received does not indicate which corrective measures the DPC is prepared to impose following a finding of non-compliance nor any timeframe for such imposition. The DPC has not indicated that it intends to share any information additional to the result of its compliance assessment. Furthermore, we have not received any explanation as to why it was not possible to provide the requested information. Therefore, Article 61(8) applies, which means that the urgent need to act under Article 66(1) is presumed to be met".[28]

As per GDPR Article 61 (mutual assistance), each DPA shall adopt appropriate measures to reply to requests from another DPA without undue delay and no later than 1 month after receiving the request. The requested DPA must also inform the requesting DPA of the results or the progress of measures taken to respond to a request. If they fail to do so within 1 month of receiving a request from another DPA, the requesting DPA may implement a provisional measure within its territory, and the urgent need to act under Article 66(1) "shall be presumed to be met and require an urgent binding decision from the Board".[29]

This shows that sound cooperation between DPAs will become ever more important in processes going forward. Though a 1 month deadline lays the basis for closer collaboration and drives progress, it may also inadvertently render most situations urgent. Large investigations take time and effort, and a 1 month deadline to inform the requesting party about the results or of the progress of the measures taken in order to respond to the request may be too short notice for the DPA leading the investigation.

The Meta process further shows that, if DPAs cannot cooperate, the business subject to scrutiny may very well end up suffering the consequences. 

Meta subsequently initiated legal proceedings against the Norwegian DPA, claiming that its order was invalid, as well as seeking an interim injunction to stop the implementation of the ban from 14 July 2023.[30] The Norwegian District Court found that it was unlikely that Meta would suffer any reputational or financial damage. The Norwegian District Court also disagreed with Meta's claims that the emergency order was invalid under the Norwegian public law due to the rules on advance notification and investigation. It could be said that the decisive elements in this decision were not basically founded on privacy principles, but in Norwegian procedural topics.

Disagreeing with the Norwegian District Court's findings, in October 2023, Meta raised another suit against the Norwegian DPA, further opposing the validity of the order, but this case has later been withdrawn by Meta while waiting for yet more EU decisions in the case. 

Despite being publicly known since August that Meta would implement the consent basis within months, the Norwegian DPA requested an urgent binding decision from the EDPB on banning Meta from using behavioural advertising based on legitimate interest or contractual necessity. The EDPB adopted a binding decision which further banned such processing based on legitimate interest or contractual necessity across the entire EEA on 27 October 2023. The EDPB gave the DPC two weeks to implement the order. This implied that the ban could be in effect from mid-November 2023.

This has been presented as a forceful move to stop Meta from using behavioural advertising – but was it really? 

Meta was already using consent for the use of third-party data for behavioural ads. 

Regarding the use of first party data for behavioural advertising, Meta was clear that it would no longer use contractual necessity, or, when this was also later on banned by the CJEU, the legitimate interest, and had committed to moving to consent from November 2023. As far as making Meta change its policies, the decision changed nothing except for speeding up the process. So, an important question is whether this is sufficient enough for the DPA to adopt a provisional measure? 

These questions make it necessary to comment on the cooperation between the DPAs in Europe. It is common knowledge that some DPAs have been dissatisfied with how fast the DPC handles some cases where they are lead DPA. The DPC have by some been found to act both too slowly and too leniently. If data protection rights are being infringed, it is in everyone's interest that DPAs act swiftly and coordinate. Swiftness is presumably what the Norwegian DPA sought to achieve when it issued its temporary urgency decision. But was it really that urgent? 

Can urgency be created by a DPA setting deadlines? Yes, obviously it can, but it would be fair to assume that such deadlines then have to be reasonable. In this case, the legal framework had existed since 2018 and Facebook had changed their legal bases several times due to feedback from the regulators. During this time no regulator had suggested to urgently stop Facebooks processing. One may therefore argue that the situation was not urgent. Meta was also going to change their practise in a few weeks pursuant to the regulatory process led by the DPC that was ongoing at that time. It is necessary to separate urgent matters from the otherwise important ones. Most privacy matters dealt with by the DPAs will by nature be important. However, few of them should be defined as urgent under the Article 66. 

Any use of the urgency procedure should be reserved for the clear-cut cases to avoid the threshold being lowered over time, which may undermine the cooperation between the DPAs. The latter being one of the main objectives of the GDPR.[31] Although Article 61(8) includes a rule of presumption, this rule should not be misused to make a mere important matter urgent on the expense of cooperation between the DPAs. 

One may question the whole set-up for collaboration between DPAs in the GDPR. Is the standard for 'exceptional circumstances' too low? If DPAs quite easily can take action alone, why coordinate and follow GDPR Chapter 7 on cooperation at all?

Given that the real effect on Meta from the EDPB decision was practically none, some have asked if the real motive for the Norwegian DPA was to set an example for the DPC. This may be so or not, but the important judicial question onwards is of course what legal basis Meta may use for behavioural advertising and regarding which kind of data. And this is not only relevant for Meta, but also for other companies.

What now?

While the current proceedings focus on Meta, the consequences concern the wider criticism against targeted advertising. Multiple companies may be impacted since PUR models are commonly used both by large companies and smaller companies.[32] The question at hand relate to the fundamental right and freedom to conduct a business in accordance with both EU law and national laws and practises.[33] Any limitation must therefore be proportionate and necessary and genuinely meet recognized objectives of general interest or the need to protect the rights and freedoms of others. In other words, one must balance Meta's or any other companies, regardless of size, fundamental right to conduct business up against the general right to privacy.

A recent decision by the Norwegian Privacy Appeals Board (the authority who handles complaints against the Norwegian DPA's decisions) has, for instance, found that Grindr is not obliged to offer a gay dating app for free.[34] It also recognised that a key feature of the business model for social media is that registrants pay for the use of social media by accepting that their personal data is used commercially, for example by being disclosed to advertising partners. There are few reasons to differentiate between Grindr's service and Meta's service. Thus, the result would likely have been the same for Meta.

Like all companies, Meta needs to finance its operations to provide services to users all around the world. There is no surprise that Meta chooses to challenge court decisions saying that Meta's practises must change, and they should not be criticised for doing so. It is a benefit for all that we have clarifications on how GDPR is to be interpreted. And even though some matters in this case now are clarified by the CJEU, we must also look closely at what the CJEU decision actually states. And it is fair to point at inconsistencies in the CJEU decision too.

Meta has been able to build a very large social media platform. As clearly stated in its terms of use, advertising has been funding the services (and is a part of its contractual service offer).

Some are saying that other possible sources of income from advertising could be contextual advertising (”a la Google”). For social media like Facebook which is not a search based service, contextual advertising may not be possible because conclusions on context are almost exclusively based on user interactions with content and sites. This is very different from a search engine or specific content providers. If the DPAs were to establish general guidelines about personalised ads (which seems to be the mandate they have agreed to in the EDPB February plenary), these should be business model agnostic and subject to public consultation; indeed, personalised ads and subscription models are not particular to social media.

From a strictly legal and logical point of view, there are some peculiarities with the arguments from the data protection authorities and the CJEU.

Appropriate fees – an opening?

A hurdle for the DPAs who have been negative to the "pay or ok" model is the statement made by the CJEU that "users must be free to refuse individually, in the context of the contractual process, to give their consent their consent to particular data processing operations not necessary for the performance of the contract, without being obliged to refrain entirely from using the service offered by the online social network operator, which means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations".[35] A very long sentence from the CJEU, there.

The consequence is however that, it may look like the CJEU has already confirmed that the door has always been open for "pay or ok" models and that a consent may be given freely even though the user otherwise will have to pay a fee to use the service. This is also in line with earlier decisions.

Furthermore, it seems rather unproblematic to argue that a fee is "necessary" if the reason is to fund the service. In this context there is no personal data involved.

The remaining question is therefore related to the requirement that the fee must be "appropriate". CJEU has not given any further explanation. However, it is likely that the requirement was included to ensure that the user does not in reality refrain entirely from using the service by not consenting because of an unreasonably high fee. This leaves a rather complex question related to the determination of when a fee is inappropriate.

There are good reasons why the EDPB and the DPAs should refrain from overregulating pricing of a service. This is a complicated question and the DPAs or EDPB are most likely not qualified to conclude on the pricing of a service. As mentioned previously, it is necessary to strike a balance between the fundamental right to conduct business and the fundamental right to privacy. A regulation of Meta's pricing will constitute a limitation of Meta's right to conduct business. Thus, it must be necessary and proportionate. This will require caution.

Uncertainty ahead

There is presently a large degree of legal uncertainty for businesses and even a situation with inconsistent rules.

The GDPR is a complex legal framework. Not only do businesses differ in their interpretations of its requirements and how to comply in practice, but so do DPAs. For example, the Austrian and Spanish data protection authorities explicitly require a "Reject all" button on the first layer of a cookie management solution, while the Irish DPC seems to accept this in the second layer. Even the German data protection authority does not require this in a first layer – rather, they focus on whether declining consent necessitates more effort than giving it.[36] Not directly relevant to the case, I know, but it shows a large difference in the interpretations.

It is also interesting to note that the German data protection authorities issued a joint opinion in March 2023, ahead of the CJEU ruling, legitimising the subscription model as a way to obtain consent for behavioural advertising and focused on addressing features such as the transparency or consent granularity when purposes additional to behavioural ads were also at stake.

The data protection authorities are doing their best to adequately and effectively implement the GDPR, but so do most businesses.

The Meta decision and the uncertainty it creates, impacts the industry at large. Meta has been called the canary in the coalmine when it comes to GDPR enforcement. Although not comparable to a canary in size, whatever affects Meta, affects others.

Other businesses should, too, expect scrutiny, possible litigation and unclarity on whether their GDPR practices are satisfactory. Some DPAs presently seem unwilling to apply the CJEU decision (and the earlier German Conference opinion), which has provided a path to comply with GDPR enabling a business’ economic viability with a "pay or ok model". The parameters on lawful consent and its link to the subscription models and the viability of legitimate business models are topics which will be debated in years to come.

If consent is now necessary for behavioural advertising using information from third parties – how shall groups of companies with many entities draw the line for what is acceptable behavioural advertising onwards?

Quite possibly, using behavioural advertising based upon legitimate interest could still be legal for a company using its own information (first party data) to profile the users. This is actually the basis of the so-called “soft opt-in” (in those situations when direct marketing is at stake) that was set up in the E-commerce Directive. However, the decisions from the CJEU (and some DPAs) leave little guidance for companies when determining the threshold for when the processing should be regarded as something the user cannot reasonably expect the company to do without the user's consent. If a company's evaluation of this is subsequently deemed inaccurate, it could encounter significant fees and legal proceedings with the DPAs.

It could also be argued that users of free network services are generally aware that such services are sustained through income from behavioural advertising. The users would also have the right to object to such processing based on legitimate interest. Following the recent developments, users may now be faced with the choice to either consent, pay for services, or discontinue their use of such services. This prompts the question of whether a better and more effective solution would have been to open for such processing based on legitimate interest but impose stricter requirements for information and visibility of the user's choice, rather than rejecting legitimate interest and thereby pushing companies to start collecting payment for free services.

Many are also afraid that the legal developments discussed in this article may stifle innovation. Small, up-and-coming digital platforms cannot afford to be free of charge, meaning they rely on personalised advertising. They likely do not (yet) have a large enough or loyal user base to pay for their services. If businesses cannot fund their services via advertising or user fees, one cannot fund the business at all. Taken together this may harm competition and provide a barrier to market entry for new innovators.

It is in everyone's interest that individuals enjoy a fair and balanced level of data protection. We all agree on this. The current road to getting there may, however, not be the best way forward.

In this context, I would also like to point out that in the report "Out of Control", written by the Norwegian Consumer Council, they heavily criticize the AdTech business in general.[37]
They are especially critical to the long vendor chains and how some companies gather information on individuals over time. They even write " As demonstrated throughout this report, it is unreasonable to assume that consumers can give informed consent to the excessive tracking, sharing, and profiling that pervades in the AdTech industry. It is therefore highly doubtful that this comprehensive system of commercial surveillance can be fixed by providing new consent mechanisms or better designed legal documents." This is interesting, as it suggests they do actually not see how any changes in consent mechanisms could help remedy what they (and many others) see as an important matter.

Regarding the Meta case in this context, it is worth remembering that they do not share personal data with third parties - this is a large difference to many other companies.

The start of the end to one-stop-shop?

I expect that recent developments will spur discussions on national enforcement, as well the efficacy of the one-stop-shop mechanism and question whether reform is needed. After all, this most recent order came from an urgent referral to the EDPB from the Norwegian DPA, not the Irish DPC which is Meta's lead DPA. 

In practise, we now see that the EDPB is very much making the calls in difficult legal questions. Criticism is raised on that companies are not invited to have procedural rights in the EDPB processes (which is internal between the DPAs). 

The one-stop-shop mechanism has been criticized for leading to inefficient and inadequate enforcement of the GDPR.[38]
Overburdened (and sometimes small), DPAs are tasked with investigating, following up and enforcing all the GDPR complaints against some of the largest tech companies. This has, in turn, led to a massive backlog which further slows down the process. 

What next?

The Irish DPC, along with other DPAs, is currently evaluating Meta's new consent-based approach. It includes the ability for EU, EEA, and Swiss consumers to elect for paid subscription without ads from Facebook and Instagram and without the data processing for behavioural ads.

The DPAs of Norway, the Netherlands and Hamburg have in accordance with Article 64(2). asked the EDPB to issue an opinion on the matter. Is pay or OK legal? Some organisations say no. Should a company then be forced to render its services for free? Should one differentiate between which companies must render free services and not? Or should one implement limits on what remuneration may be asked for? There is a large number of important questions to address here.

The normal procedure is that the opinion shall be adopted within eight weeks by simple majority of the members of the board. However, that period may be extended by a further six weeks, considering the complexity of the subject matter. There are good reasons why such an extension should be used by the EDPB in this case. The questions they are dealing with right now, may not have the largest impact on Meta but on very many other companies in the EEA. Fundamental and complicated questions are related to the requirement of an "appropriate fee" and the striking of a balance between the fundamental right to conducting business and the right to privacy and data protection.

The consequences of the EDPB's opinion will be massive for all businesses dependent on this business model and a change to it may also have unknown implications for the users of the services. Some weeks to decide on that seems frighteningly low. Further, it does not ring well with ordinary contradiction principles that the possibility for interested companies (and individuals) to comment on the procedure is quite limited.

The EDPB is given power to handle many important questions through the GDPR. It seems balanced that they may give opinions in many questions of how to interpret the GDPR. But, it is also appropriate to ask if the procedural framework they are operating within, is equipped for them rendering opinions on questions that are comparable to materially changing the law for the whole EEA.

Note: The author has provided legal advice to Meta Platforms in Norway.

[1] GDPR, Article 6. See Article 9 for sensitive data. 
[2] DPC, 'Guidance Note: Legal Bases for Processing Personal Data' December 2019 pg 2,
[3] ICO, 'A guide to lawful basis'
[4] Meta, ' How Meta Uses Legal Bases for Processing Ads in the EU'
[5] DPC, 'Data Protection Commission announces conclusion of two inquiries into Meta Ireland' 4 January 2023>; Note that one CSA withdrew their objection in the case of the draft decision relating to the Facebook service.
[6] ibid.
[7] ibid.
[8] EPDB, ' Binding Decision 4/2022 on the dispute submitted by the Irish SA on Meta Platforms Ireland Limited and its Instagram service (Art. 65 GDPR)' adopted on 5 December 2022 <
[9] DPC Decision 31 December 2022
[10] Meta, 'How Meta Uses Legal Bases for Processing Ads in the EU' Update on 30 March
[11] Formally; Facebook Germany GmbH.
[12] C-252/21 para 28.
[13] ibid para 35.
[14] ibid para 86.
[15] ibid para 114.
[16] ibid para 102.
[17] ibid para 104.
[18] ibid para 126.
[19] ibid para 117.
[20] ibid para 150.
[21] ibid.
[22] Meta, 'How Meta Uses Legal Bases for Processing Ads in the EU' Update on 1 August 2023
[23] Guideline 8/2022 on identifying a controller or processor's lead supervisory authority, para 14, available at
[24] GDPR, Articles 60-62.
[25] GDPR, Article 66.
[26] TOSL-2023-114365 – TOSL-2023-114359.
[27] Datatilsynet, 'Urgent and Provisional Measures – Meta' 14 July 2023> pg. 27.
[28] ibid, pg. 29.
[29] GDPR, Article 61(8).
[30] TOSL-2023-114365 – TOSL-2023-114359.
[31] GDPR, recital 13.
[32] David Pfau (commissioned by the BVDW from conreri digital development GmbH), 'PUR models Status quo on the European market', October 2023.
[33] Charter of Fundamental Rights of the European Union, Article 16.
[34] PVN-2022-22 Grindr - utlevering av personopplysninger uten gyldig samtykke – overtredelsesgebyr
[35] C-252-21 para 150.
[36] Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, Orientierungshilfe der Aufsichtsbehörden für Anbieter:innen von Telemedien ab dem 1. Dezember 2021 (OH Telemedien 2021) Version 1.1; Asélle Ibraimova and Sven Schonhofen, ' “Reject All” button in cookie consent banners – An update from the UK and the EU' 8 November 2023
[37] https://storage02.forbrukerrad...
[38] Matt Burgess, 'How GDPR is failing' 23 May 2022

Do you have any questions?