News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | EDPB issues binding decision banning Meta's targeted advertising practices Related reading: Irish DPC, EDPB Meta decisions raise complex, fundamental questions

rss_feed

An unprecedented shakeup in the advertising technology space has arrived in Europe. Changes are coming to adtech's approach to privacy and consent around personalized advertising after the European Data Protection Board issued an urgent binding decision to ban Meta's data processing for behavioral advertising.

The EDPB decision applies to Meta's Facebook and Instagram users across EU member states and European Economic Area countries. It stems from a request from Norway's data protection authority, Datatilsynet, to make a previously-issued interim ban in Norway permanent and extend its reach and impact to all of Europe. Norway's interim ban was applied in July and set to expire 3 Nov.

"Already in December 2022, the EDPB binding decisions clarified that contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioural advertising," EDPB Chair Anu Talus said in a statement. "In addition, Meta has been found by the (DPC) to not have demonstrated compliance with the orders imposed at the end of last year. It is high time for Meta to bring its processing into compliance and to stop unlawful processing."

Ireland's Data Protection Commission, Meta's lead supervisory authority in the EU, notified Meta of the EDPB binding decision 31 Oct., according to the EDPB. Datatilsynet Head of International Tobias Judin told the IAPP the two-week period for the DPC to serve the ban began 27 Oct. and Meta will be required to comply within a week of receipt.

Ahead of the EDPB decision being published, Meta announced 30 Oct. it is rolling out a subscription model for ad-free Facebook and Instagram services in the EU to comply with the EU General Data Protection Regulation and commit "to keeping people's information private and secure." The platform also sued Datatilsynet in the Oslo District Court 25 Oct. to remove the targeted advertising ban.

"The option for people to purchase a subscription for no ads balances the requirements of European regulators while giving users choice and allowing Meta to continue serving all people in the EU, EEA and Switzerland," Meta said in its subscription announcement. "In its ruling, the (Court of Justice of the European Union) expressly recognised that a subscription model, like the one we are announcing, is a valid form of consent for an ads funded service."

Judin indicated Norway does not recognize Meta's subscription initiative as GDPR compliant or sufficient to lift the ban.

"We have strong concerns regarding Meta's proposed 'consent' mechanism," Judin said. "Meta has been informed about these concerns, but for some reason they still chose to make their public announcement, disregarding critical comments already put forth by regulators."

EDPB Head of Information and Communications Greet Gysen told the IAPP Ireland's DPC "is currently evaluating" Meta's new consent approach and "it is too soon" for the EDPB to judge its compliance. The evaluation will occur "in narrow cooperation with concerned (supervisory authorities)," she said.

The changing advertising landscape

The fate of Meta's business model was sealed when Ireland's DPC issued its 390 million euro fine in January that included binding orders from the EDPB that mirror the complaint by Norway's DPA. The DPC said at the time that the decision focused on how "Meta Ireland is not entitled to rely on the 'contract' legal basis in connection with the delivery of behavioural advertising."

According to privacy technologist Gilbert Hill, CIPM, all adtech companies in the EU have been on unofficial notice since that January decision considering Meta's place and connections in the space.

"Any player in the 'lumascape' of 5,000 European adtech businesses plugs into Meta and/or another of their digital properties," Hill said. "And under GDPR, responsibility is shared among processors so yes, this does concern the entire ecosystem. It should provide an opportunity for all the stakeholders to look at some of the tools and business models suggested by privacy sandboxes in particular."   

Meta's reliance on service agreements for user consent to process data is not a practice exclusive to its services. Luxembourg's National Commission for Data Protection fined Amazon 746 million euros for similar consent-related GDPR violations in July 2021. However, the fine was suspended in a ruling by the Administrative Court of Luxembourg later that year.

The European Commission also cited Google's targeted advertising practices as problematic and reportedly had plans in July to file an antitrust complaint to address the issues and break up the company's adtech business.

"I hope that the Norwegian DPA's decision will be the start of a meaningful, industry-driven change in the digital advertising market," AWO EU Policy Consultant Nick Botton said. "Our study argues that the decentralised nature and complexity of digital advertising means that the GDPR's enforcement structure is inadequate to deal with compliance problems in the market. I would love to be wrong on this though."

European Publishers Council Executive Director Angela Mills Wade said the latest binding decision "provides for consistency across the EU" while noting the January fine and binding order asked Meta to make necessary changes that it did not respond to. Despite discussions to act and reform practices since January, Meta "must now do so if they want to continue to operate within the law," Wade added.

New practice, same problem?

Meta spent the months following the DPC's decision pondering its next move to maintain a compliant ad-based business model, with its efforts being ramped up by Datatilsynet's interim ban. The company reportedly began circulating a plan to offer opt-outs to EU users in March before landing on its ad-free subscription model, which it formally proposed to EU regulators at the start of October.

The compliance of the new subscription model is based on a 4 July decision for the Court of Justice of the European Union in a case raised by the German Federal Cartel Office on the validity of Meta's reliance on user contracts for processing.

"Whether 'pay or okay' is acceptable needs to be assessed on a case-by-case basis, and in this case we think that it is not," Datatilsynet's Judin said. "Considering the power imbalance between Meta and its users, which is the primary concern of the CJEU in the Bundeskartellamt judgment, we doubt that the purported consents will be 'freely given' as required by the GDPR."

Subscription as means for consent and maintaining a business model raises questions regarding a perceived shift to "paying for privacy." Wade said DPAs are devising guidance on the matter and ongoing court cases, adding both are "likely to bring further clarity" to whether subscription-based consent is valid.

Botton opined Meta has other avenues it can explore before another "go around the block" with this matter potentially being raised back to the CJEU.

"Meta is one of the richest companies on earth, and could realistically start relying on contextual advertising more," Botton said. "It's unclear what the revenue impact of this would be, but I doubt that they would go bankrupt, given the competitive advantage they get from their large quantities of users."

Editor's note: A prior version of this story indicated social news aggregator Reddit removed EU user opt-out capabilities from its website. The platform did so for select jurisdictions, but opt-outs remain available to EU users.


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Joseph Duball IAPP Staff Contributor
Tags
Marketing/Retail
Europe
Big Data
Enforcement
Privacy Law
Social Networking
3 Comments

If you want to comment on this post, you need to login.

  • comment Jay Libove • Nov 1, 2023 
    I'm very pleased to see Judin/Datatilsynet's comment that Meta's proposed "pay for no ads (and privacy)" is not GDPR compliant. The correct thing for Meta to offer would be "ads (without tracking/targeting based on personal data)" at a price that is transparently, provably related to the reduction in revenue that Meta would receive by showing only contextual, not targeted-using-personal-data ads. Meta's current proposal "ads (with tracking and targeting)" "for free" or "no ads" (for quite a lot of money) is disingenuous and deserves quick and painful punishment by the authorities.
  • comment Dean Urquhart Scotson • Nov 2, 2023 
    "A contract is a legally binding promise (written or oral) by one party to fulfil an obligation to another party in return for consideration. A basic binding contract must comprise four key elements: offer, acceptance, consideration and intent to create legal relations." - Thompson Reuters Practical Law.

1st Party - META, 2nd Party - USER, 3rd Parties - many, many 'other' advertisers: 

1. Offer - pay us to not track you for behavioural marketing purpose by 3rd parties
2. Acceptance - user agrees offer to not be tracked and marketed to
3. Consideration - user pays a fee to accept the offer
4. Legal relations - "Meta will offer people in the EU, EEA and Switzerland the choice to pay a monthly subscription to use Facebook and Instagram without any ads".

How is this NOT "Contract" based processing still?. 

(not even going near tracking as a purpose OR Opt In/Out marketing by 3rd parties for unrelated services).
  • comment Vessela Nikolova • Nov 15, 2023 
    The acceptance of the contract should be based on free will. Without the free will, there is no acceptance. First people were forced to give a consent. Now they are forced into a contract. Where is the difference? That I can chose to walk away? Sure, in 99% I will walk away. But out of curiosity, I accepted one contract once. I am a lawyer and attorney-at-law and I couldn’t find out the terms of the „contract“ after putting a serious amount of time into it. The so-called contract is smoke and mirrors.
Related Stories
Related Stories
Tags
Marketing/Retail
Europe
Big Data
Enforcement
Privacy Law
Social Networking
Recent Comments