EU privacy regulator steps in to restrict Meta’s advertising practices

7 Dec 2022

Image: © nikkimeel/Stock.adobe.com

Ireland’s data watchdog now has one month to adopt the EU body’s decision, which could impact Meta’s targeted advertising policies in Europe.

Meta’s targeted advertising model in Europe is under renewed scrutiny as the EU’s key GDPR watchdog has stepped in.

The European Data Protection Board (EDPB) has issued three dispute resolution decisions regarding Meta’s advertising practices. It rules that Meta should only be able to run advertising based on personal data with the consent of users, a person familiar with the matter told Reuters.

The decision relates to GDPR complaints against Meta in 2018 by privacy campaigner Max Schrems regarding the company’s advertising practices. The Irish Data Protection Commission (DPC) led the investigations, as the company’s EU headquarters are based in Ireland.

The EDPB said its decisions address “important legal issues” stemming from the DPC’s draft decisions in the Meta case. The Irish regulator now has one month to issue a ruling based on the EDPB’s binding decision.

This new ruling could have a significant impact on Meta’s advertising practices in Europe. It could also lead to new fines, with the company setting aside €2bn to handle expected European fines over the next year, The Irish Times reports.

The EDPB said other European data watchdogs issued objections to the Irish DPC’s draft decision on this Meta case, with concerns around “the legal basis for processing, data protection principles and the use of corrective measures including fines”.

“The EDPB binding decisions play a key role in ensuring the correct and consistent application of the GDPR by the national supervisory authorities,” it added.

The Irish data watchdog has faced scrutiny in the past for its enforcement of GDPR. Last year, Schrems accused the DPC of improperly lobbying other EU regulators to allow Meta to bypass GDPR regulation. The DPC said these accusations were “baseless”.

Earlier this year, a delegation of MEPs called for an independent review of Ireland’s DPC, due to concerns that the authority is a “bottleneck” of GDPR enforcement.

Data Protection Commissioner Helen Dixon defended the DPC’s track record in enforcing GDPR earlier this year. The Irish Government is also set to appoint two additional commissioners to support the needs of the DPC and help it deal with “an increased workload with increasingly complex investigative requirements”.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com