European officials have told Ireland's privacy watchdog to impose a ban on Meta's processing of personal data for behavioral advertising throughout the European single market within the next two weeks.

The decision follows a request in September from Norway's Data Protection Authority, Datatilsynet, that the European Data Protection Board (EDPB) extend Norway's countrywide ban on Meta's processing of personal data - via Facebook and Instagram - to the entire European Economic Area (EEA), which includes local non-EU states. This would dump a huge roadblock in the way of Meta's social networking plans.

And so it shall be done: the EDPB today told Ireland's Data Protection Authority (DPA) to roll out that ban across the single market.

"After careful consideration, the EDPB considered it necessary to instruct [the DPA] to impose an EEA-wide processing ban, addressed to Meta [Ireland]," said EDPB Chair Anu Talus in a statement. "Already in December 2022, the EDPB Binding Decisions clarified that [Meta's end-user] contract is not a suitable legal basis for the processing of personal data carried out by Meta for behavioral advertising."

Talus said the DPA found that Meta has failed to comply with orders imposed at the end of 2022. "It is high time for Meta to bring its processing into compliance and to stop unlawful processing," she said.

Meta has argued that its Terms & Conditions contract, which users of its services accept, represents a valid legal basis to process personal data and deliver behaviorally targeted ads. European courts, however, have disagreed [PDF]. Under the 2018 European General Data Protection Regulation, people must give specific consent before they're presented with personalized ads.

Meta says: No ads, no problem, right?

A few days ago, the ad biz debuted a no-ads subscription option for those in EU, EEA and Switzerland, claiming that a recent Court of Justice of the European Union (CJEU) ruling "expressly recognized that a subscription model, like the one we are announcing, is a valid form of consent for an ads funded service."

In a statement to The Register, Meta sounds surprised by the EDPB's data collection ban. "Meta has already announced that we will give people in the EU and EEA the opportunity to consent and, in November, will offer a subscriptions model to comply with regulatory requirements."

"EDPB members have been aware of this plan for weeks and we were already fully engaged with them to arrive at a satisfactory outcome for all parties. This development unjustifiably ignores that careful and robust regulatory process."

In light of Meta's assurance that it intends to seek valid consent, the EDPB ban may not have much consequence. The Register understands that within a week or two, Meta is likely to add a popup notification in its Facebook and Instagram apps in the EEA that asks for consent to process personal data in a legally acceptable way. If that's the case, the ban will be much ado about nothing.

The Irish DPC said it could not immediately go into details about how it will respond to the EDPB directive.

"The DPC can confirm that the EDPB has notified a decision that issues a direction to the DPC as Lead Supervisory Authority for Meta," said Graham Doyle, Deputy Commissioner, in an emailed statement. "As the EDPB has not published its decision, it is difficult for the DPC to engage in media queries about this matter in light of the fact that much of the background detail is not available."

"Leaving aside the EDPB decision which relates to legal bases Meta no longer intends to rely on (following findings of the DPC that reliance on these bases did not demonstrate compliance with GDPR) from November, the DPC in consultation with its fellow EU data protection authorities, is focused on concluding its detailed assessment of the consent-model that Meta announced in August and confirmed details of in a statement yesterday."

Datatilsynet welcomed the EDPB decision, stating that while it has been clear that Meta is breaking the law, the social network continued its data collection anyway.

"Enough is enough," said Tobias Judin, head of Datatilsynet's international section, in a statement. "After more than five years of violations of users' basic privacy protection, the Data Protection Council is now putting its foot down against Meta's lack of respect for the law."

The Data Protection Council is now putting its foot down against Meta's lack of respect for the law

The Norwegian Data Protection Authority also said it "strongly doubts whether Meta's proposed consent solution, which means that those who do not consent to behavior-based marketing must pay a fee, will be legal."

Noyb, a privacy advocacy group based in Austria, similarly argues that Meta's interpretation of the CJEU decision comes up short. The company's legal reasoning, the group said, relies on things said in passing by the court that are generally considered non-binding.

While Noyb says it intends to fight this approach, the group also acknowledges that news organizations like Der Standard have gotten away with using the subscription-or-ads model as an indicator of consent for personal data collection. This may make it more difficult for data regulators to deny Meta the same option.

Alexander Hanff, a privacy advocate who recently asked the DPC to disallow YouTube's use of scripts to detect the presence of ad blocking extensions, echoed Datatilsynet's sentiment about the dubious legality of Meta's subscription option as a measure of consent.

"It is likely that most people will opt to provide consent rather than pay (and presumably this is what Meta are also expecting) but if that consent is not considered as freely given, Meta's advertising model will still be illegal," he wrote in a LinkedIn post, adding that European consumer protection law also disallows contract changes that aren't negotiable or create imbalance.

It's not entirely clear what the DPC will do to carry out the EDPB-ordered personal data processing ban if Meta fails to cooperate. Hanff told The Register that fines will be an option, and could be substantial if the courts involved find Meta has acted with contempt. Other enforcement options, depending on the DPC's legal authority, could include bank account seizures, orders to Apple and Google to remove Facebook and Instagram from European App Stores, or directing ISPs to undertake network-level intervention.

Hanff said he expects Meta will try to obtain an injunction to block DPC from carrying out the EDPB ban, and failing that will either comply or withdraw its services from Europe until the company can find a valid legal basis or business model that's acceptable to European authorities.

"This is new territory and I have my popcorn ready," said Hanff. ®

https://www.theregister.com//2023/11/01/eu_data_meta_networking/