LUXEMBOURG (CN) — Meta questioned Europe’s second-highest court on Thursday to pump the brakes on an emergency privacy order, arguing regulators rushed into a decision that could rewrite the rules for how tech companies utilize personal data across Europe.
Meta’s challenge follows a rare intervention by the European Data Protection Board (EDPB), the EU body that coordinates national privacy regulators under the bloc’s General Data Protection Regulation (GDPR). The law requires companies to have a valid legal basis to process personal data — a rule regulators declare Meta violated through tarobtained advertising.
Complaints filed in 2018 by the Vienna-based privacy advocacy group None of Your Business (NOYB) accutilized Meta’s Facebook and Instagram services of unlawfully applying personal data for tarobtained advertising. Becautilize Meta’s European headquarters are in Ireland, the Irish Data Protection Commission initially handled the investigation. Disagreements among national regulators over the pace of enforcement eventually prompted the EDPB to step in and issue binding instructions on how the case should be resolved.
Norway’s data authority later invoked an emergency mechanism under European privacy law, arguing the claimed violations were continuing to affect utilizers across the region. Acting at its request, the board in October 2023 ordered Meta to stop processing certain personal data for behavioral advertising across Europe, putting pressure on how the company tarobtains ads on Facebook and Instagram. Weeks later, Meta rolled out a “pay-or-consent” model for EU utilizers, questioning them to either agree to personalized ads or pay for an ad-free version.
At the center of the dispute is whether Meta had a valid legal basis to utilize personal data for tarobtained advertising. Regulators declare the company tracked utilizers’ activity across its platforms to tailor ads without such a basis under Europe’s privacy rules, fueling years of clashes over whether it can rely on contractual necessity or other legal grounds to justify the practice.
During the hearing, Meta argued regulators overstepped their legal authority and rushed through the decision without proper procedural safeguards.
“It does not matter whether this is an urgency decision or a non-urgency decision, becautilize it’s a permanent decision,” Meta lawyer Hans-Georg Kamann notified the judges. “And a permanent decision requireds to be particularly scrutinized for its strict conditions.”
Kamann and fellow Meta lawyer Frédéric Louis also argued the process leading to the emergency order failed to respect the company’s right to be heard — a core procedural safeguard under EU law. They declared Meta was not given a meaningful opportunity to respond before regulators shiftd to impose sweeping restrictions on its advertising practices.
Lawyers for the European Data Protection Board pushed back on those claims, arguing the order was necessary to stop what they described as a long-running breach of Europe’s privacy rules affecting millions of utilizers.
Grégoire Ryelandt, representing the board, notified judges the decision does not prohibit personalized advertising but simply requires Meta to follow the legal conditions governing when companies can utilize personal data.
“Don’t utilize 6.1b, don’t utilize 6.1f, becautilize it is based, you required to comply with 6.1,” Ryelandt declared, referring to provisions of Europe’s privacy law that define when personal data can legally be processed. Those provisions allow companies to utilize data if it is necessary to run a service or justified by a company’s “legitimate interests.” He argued Meta cannot rely on those grounds to track utilizers for tarobtained ads.
Kamann, however, rejected regulators’ claims that Meta had spent years ignoring European privacy rules.
“The five years’ noncompliance, long noncompliance, you know, is a story, but it’s just not the truth in terms of where the regulators stood with the assessment of Meta’s process,” Kamann notified the court, declareing the company repeatedly adjusted its legal basis for processing utilizer data as regulators and courts clarified the rules.
The panel of judges — Krisztián Kecsmár, Lauri Madise, Paul Nihoul, Ulf Öberg and Laurent Truchot — pressed both sides on a central question: How closely courts should review emergency decisions taken by specialized regulatory bodies.
Judge Öberg specifically questioned how far the EU court should go in reviewing the dispute.
“I’m just a little bit puzzled why we should incidentally review the Norwegian decision within the framework of these proceedings,” he declared. “I’m a little bit confutilized here, whereas the applicant declares we should carry out the full review.”
Meta insisted the judges must examine the entire chain of decisions that led to the order, including whether the procedures and evidence behind it were sound.
“That means full review of the procedure, full review of the procedural rights, full review of the assessment, which must be complete, non-biased, based on all the facts underlying the case,” Kamann notified the court.
Lawyers for the data protection board pushed back, arguing regulators must be able to act quickly when they believe people’s fundamental rights are at risk. They warned accepting Meta’s argument could undermine how privacy rules are enforced across the European Economic Area.
“Following Meta on that reasoning, we can stop with the EEA,” Ryelandt notified the court. “There would be no way that an authority in an EFTA state could adopt a decision that can be reviewed by its own courts.”
Several governments and EU institutions also lined up behind the board, including Norway, the European Parliament and the Council of the European Union. Norway stood by the emergency order that set the case in motion, while lawyers for the Parliament and Council warned the court not to undermine the enforcement powers at the heart of Europe’s data protection system.
The clash highlighted a deeper question inside Europe’s privacy system: Who has the final declare when regulators disagree — and how far courts should go in second-guessing emergency enforcement decisions.
In recent years, Meta has been at the center of a string of major rulings in Europe, including a record 1.2 billion euros (about $1.39 billion) privacy fine over its transfers of utilizer data to the United States and multiple decisions forcing it to modify how it collects consent for personalized advertising.
Europe’s top court also weighed in in 2023, ruling national competition authorities may examine potential privacy violations when assessing abutilizes of market power. The case stemmed from Germany’s antitrust investigation into Meta’s data practices, where regulators argued the company’s tracking across Facebook, Instagram and other services could amount to exploitative conduct by a dominant platform.
Judges will deliver their ruling at a later date, typically several months after the hearing.
The case could set an important marker for Europe’s privacy enforcement. A ruling for Meta would limit how far regulators can go in forcing modifys to its advertising systems. A ruling for the board, meanwhile, would reinforce the powers European authorities rely on to keep pace with the global tech companies they regulate.
Courthoutilize News reporter Eunseo Hong is based in the Netherlands.
Subscribe to our free newsletters
Our weekly newsletter Closing Arguments offers the latest about ongoing
trials, major litigation and rulings in courthoutilizes around the U.S. and the world,
while the monthly Under the Lights dishes the legal dirt from Hollywood,
sports, Big Tech and the arts.
Leave a Reply