07 March 2023

In a recent decision, the European Data Protection Board (EDPB) said Meta (owner of Facebook and Instagram) was not entitled to rely upon “contractual necessity” under Article 6(1)(b) of the General Data Protection Regulation ((EU) 2016/679) (GDPR) as a legal basis for processing personal data for behavioural advertising on its Facebook and Instagram services.

The Irish Data Protection Commission (DPC) had investigated whether Meta’s behavioural advertising operations were compliant with certain GDPR requirements, acting as lead supervisory authority under the GDPR’s “one stop-shop” co-operation and consistency procedure for EU supervisory authorities (SAs). Objections were raised to parts of the DPC’s draft decisions and referred to the EDPB for resolution under the consistency mechanism (Article 60, GDPR).

The EDPB disagreed with the DPC’s conclusion that Meta could rely on Article 6(1)(b) of the GDPR as its legal basis for the processing of users’ data necessary for the provision of the services including behavioural advertising as a core part of the service offered to and accepted by users.

According to the EDPB, the core purpose for which users use Facebook and Instagram and accept their terms of service is to communicate with others, not to receive personalised advertisements.

Furthermore, the complexity, massive scale and intrusiveness of Meta’s behavioural advertising practice was such that reasonable users could not be expected to understand and anticipate that their personal data was being processed for behavioural advertising when they accepted the terms of service, nor was it as essential to enable Meta to deliver Facebook and Instagram services.

The EDPB told the DPC to reassess the level of fines to be imposed and to conduct an investigation into all of Facebook and Instagram’s data processing operations to examine special categories of personal data that may or may not be processed in the context of those operations.

Meta said it would appeal the decisions and fines, and the DPC said it would mount a challenge to the extent the direction to conduct a fresh investigation exceeded the EDPB’s authority.

The EDPB’s decisions can help guide UK businesses when they’re selecting a legal basis for their data collection under GDPR and UK data protection laws. The scale of Meta’s operation made it look as though behavioural advertising dwarfed the primary purpose of Facebook and Instagram for users: to keep in touch and to look at friends’ and contacts’ photographs and stories.

If you have any privacy or data protection questions, including the basis on which you process the data you receive from customers, please do get in touch with Brian Levine at or telephone 01935 846 000.