The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Behavioral advertising and urgent binding decision

The European Data Protection Board (EDPB) has made public the urgent binding decision adopted on October 27, 2023 (UBD) ordering the adoption of definitive actions against Meta IE in relation to its processing of personal data for behavioral advertising purposes, indicating as legal bases the performance of a contract and the legitimate interest.

The EDPB’s measure, the first of its kind to the best of our knowledge, contains several provisions that are of general interest even beyond this complex case, with important indicators of the strategic policy of online platform operators as well as on implications of the relations between national supervisory authorities.

Urgency Procedure

Article 66 of the GDPR titled “Urgency Procedure” identifies a case of derogation from the consistency mechanism (Articles 63-65) and the cooperation procedure between authorities (Article 60, GDPR) initiated by a concerned supervisory authority.

According to the GDPR definition, the “supervisory authority concerned” is distinguished from the lead authority – which is the one where the principal establishment of the controller or processor is located –and is the one:

  • Of the member state where the controller or processor is (further) established.
  • Of the member state where the data subjects affected by the processing reside
  • Which has received a complaint [Art. 4, 22), GDPR].

Article 66 addresses the case where urgent action is needed to protect the rights and freedoms of data subjects for which:

  • a supervisory authority, despite the lapse of the cooperation procedure, considers that it is necessary to take provisional measures in its territory, for a specified period not exceeding three months, and considers that it is urgent to take definitive measures [Article 66(2), GDPR]
  • any supervisory authority considers that “a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects (…)” [Art. 62(3), GDPR].

In either case, the supervisory authority may request the EDPB to issue an urgent binding decision to protect the rights and freedoms of data subjects.


The circumstances begin with an investigation resulting from a complaint filed in May 2018 with the Belgian authority regarding Facebook and Instagram services offered by the then Facebook Group, later Meta Platform Ireland Ltd (Meta IE).

LSA final decision

Following a complex investigation carried out under the procedure of cooperation among multiple national supervisory authorities and culminating in binding decisions by the EDPB, the Irish supervisory authority (IE DPA) – as the lead authority – on December 31, 2022, initially issued two decisions against Meta IE.

The two decisions concern Facebook and Instagram services, respectively, and both conclude that Meta IE had relied on an inadequate legal basis for processing personal data for behavioral advertising purposes by having relied on contractual performance under Article 6(1)(b) of the Regulation. At the same time, the IE DPA orders Meta IE to identify an adequate legal basis within three months (UBD, p. 2).

Consistency mechanism and lead authority

The consistency mechanism is triggered when a personal data processing under investigation involves several national supervisory authorities for which the legislature requires them to cooperate on a common case resolution.

In this eventuality, the supervisory authority that, according to certain criteria dictated by the legislature, has the greatest connection to the trans-European processing – known as the “lead authority”— takes the lead in coordinating operations with the other supervisory authorities concerned and is responsible for the investigative activity and the final decision on the supposed violation. The GDPR imposes a duty of cooperation on all authorities.