The European Data Protection Board (EDPB), which is the body that represents all 27 of the European Union’s data protection authorities, is set for a showdown with Meta and (potentially) the Irish Data Protection Commission (IDPC), after announcing an urgent binding decision instructing the IDPC to ban Meta’s legitimate interest and contract-based processing of personal data for behavioural advertising purposes.
The move is likely to have been anticipated by Meta, as it comes hot on the heels of an announcement that Meta intends to move away from those lawful bases, and instead move towards a bifurcated ‘pay or okay’ subscription/consent-based model.
Now it seems that the EDPB may force Meta to make that move sooner than it may have planned. But all may not be plain sailing on that front either, as the EDPB has noted that it is evaluating Meta’s proposals (as set out in its announcement). Further, even if the EDPB does become comfortable with Meta’s proposals, activist groups have indicated that they are also prepared to challenge them.
The IDPC will have two weeks (i.e. until 10 November or thereabouts) to impose the ban, and then Meta will have a further week (i.e. until 17 November) to comply with it.
It remains to be seen how Meta will react, or what the consequences will be if they do not act. As at the time of writing, Meta has not issued a formal response.
It also remains to be seen how the IDPC will react to (what may be perceived as) being backed into a corner by the EDPB (not for the first time). Earlier this year, in the context of a separate investigation, the IDPC did not take kindly to being instructed by the EDPB to conduct an investigation into WhatsApp’s processing operations (IDPC reaction in the quote below). Further, we would have thought it likely that Meta would have run its EU proposals via the IDPC before going public; if that is the case, the EDPB’s insistence on further evaluation of the proposals might also be taken as another slight by the IDPC.
Another interesting turn in this ongoing data soap opera. Watch this space!
The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR.