EDPB Imposes EEA-Wide Ban on Meta for GDPR Violations

In a landmark move, the European Data Protection Board (EDPB) issued an urgent binding decision on October 27th, 2023, directing the Irish data protection authority (IE DPA) to impose a ban on Meta Ireland Limited (Meta IE). This decision follows a request from the Norwegian Data Protection Authority (NO DPA), seeking measures that would apply across the entire European Economic Area (EEA).

Key Points:

1. Legal Basis for Ban:
   

   • The EDPB found ongoing GDPR infringements related to the inappropriate use of the legal bases of contract and legitimate interest by Meta IE for behavioral advertising purposes.

   • Meta IE had previously been instructed by the IE DPA in December 2022, with the EDPB stating that contract is not a suitable legal basis for such data processing.

1. Urgency and Derogation:
   

   • Utilizing Art. 66 of the GDPR, the EDPB employed an urgency procedure, a deviation from regular cooperation mechanisms. This exceptional measure was deemed necessary due to the risks posed to the rights and freedoms of data subjects.

1. Violation of Duty to Comply:
   

   • The EDPB concluded that Meta had breached its duty to comply with decisions by Data Protection Authorities (DPAs), specifically the IE DPA's final decisions from December 2022.

1. Failure of Mutual Assistance Request:
   

   • The EDPB found that the IE DPA failed to address a request for mutual assistance from the NO DPA within the stipulated timeframe, justifying the need for urgent action.

1. Scope and Duration of Ban:
   

   • The IE DPA was instructed to impose an EEA-wide ban on Meta IE for processing personal data collected for behavioral advertising based on contract and legitimate interest.

   • The ban is an outcome of the urgent binding decision, issued to protect the rights and freedoms of data subjects.

1. Background on Art. 66 GDPR:
   

   • Art. 66 of the GDPR allows DPAs to adopt provisional measures in exceptional circumstances to safeguard the rights and freedoms of data subjects within their territory.

   • The provisional measures can have a legal effect for a maximum of three months and can be communicated to other concerned DPAs, the EDPB, and the European Commission.

The EDPB's decision to impose an EEA-wide ban on Meta IE marks a significant development in data protection enforcement. This action underscores the urgency and severity of GDPR violations and sets a precedent for cross-border measures to protect data subjects' rights and freedoms. The case serves as a reminder of the GDPR's robust enforcement mechanisms, allowing DPAs to take swift and decisive action when necessary.

Read more https://edpb.europa.eu/news/news/2023/edpb-publishes-urgent-binding-decision-regarding-meta_en