EDPB Decision on noyb complaint against Meta is ultra-vires its authority and unfair

After GDPR became effective on May 25, 2018, many businesses had to re-work their personal data handling methods to ensure that the collection meets the requirements under Article 6 of GDPR related to “Lawfulness of Processing”.

Article 6 of GDPR lists six options for lawfulness and says that processing shall be lawful if at least one of the six conditions applies.

The six options are:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Apart from “Consent”, the Article lists “necessary for performance of a contract to which the data subject is a party”.

Meta accordingly added in its “Terms and Conditions” that personal data of the data subject may be used for the purpose of personalized advertising and considered it as part of the “Contract”. (I presume this was done during the period prior to May 25, 2018.)

“noyb”, an activist group of Max Schrems, filed a complaint on 25th May 2018 itself, objecting to the Meta practice. Hence this represents the pre-GDPR practice which was challenged. The Irish Data Protection Commission (DPC) did not agree with “noyb” and a further appeal landed with EDPB. On January 4, 2023, the EDPB came up with its decision overruling the DPC's view and holding that use of data for personalized advertising can be done only through a “Consent” and not through “Contract”.

This means that Article 6(1)(b) of GDPR cannot be used and only 6(1)(a) is applicable for this use. EDPB has every right to interpret this clause the way it wants, but such interpretation is subject to judicial review and would be fair only if it is prospective. The correct decision should have been an advisory to Meta to change the procedure, subject to its right for a further appeal.

However, the EDPB's decision to overrule the decision of the Irish Data Protection Commission (DPC), hold that Meta is “Bypassing” GDPR through the measure, and come down heavily with a fine of over $300 million does not seem to be a fair decision. It appears to be guided by a sense of vindictiveness towards Meta or is perhaps an outcome of an Irish and non-Irish division in the EDPB.

The decision of EDPB may not appear correct from the judicial perspective, since “Terms and Conditions” which are part of an online service are recognized as a contract, and it was well within the rights of Meta and DPC to accept it as a lawful basis since the data subjects have accepted the contract.

The argument would be whether the “personalized advertising” is an acceptable use or not and whether it should be considered as “Necessary for the service” or not.

If Meta considers that “Advertising Revenue” is essential for its existence, it may argue that personal advertising is “Necessary” for the service and therefore it can seek consent as part of the Terms. If the user does not accept the Terms he can opt out of the service.

To insist that a service provider should provide the service but he should only use certain revenue sources as “Content Based Advertising” and not “User identity based Advertising” is an intrusion into the policies of structuring of a commercial service.

Since this decision of EDPB is an overruling of GDPR Article 6, which says “Any one of the following applies..”, it may be considered “Ultra Vires” the authority of EDPB.

I therefore consider that the decision of EDPB is unfair and would not be surprised if a judicial authority overturns this decision.

Refer for details here: noyb.eu

Also refer: Meta’s new year kicks off with $410M+ in fresh EU privacy fines

PS: Counter views are welcome


P.S: The EDPB decision does not accord additional protection to the data subject since it does not prevent collection of personal data. It only suggests that there shall be no personalized advertisement without specific consent. The personalized ads only appear when the data subject is viewing the content himself. Hence it is difficult to see what kind of “Harm” is caused by such advertising.

Also read.. Advertising Profile



About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.