+44 (0) 121 582 0192 [email protected]


In recent times, data privacy and protection have become paramount in the digital age. With the ever-increasing amount of personal data being collected and processed, companies are under scrutiny to ensure they comply with relevant data protection laws. Meta, formerly known as Facebook, has faced its fair share of privacy-related challenges, including concerns about its use of “legitimate interest” as a lawful basis for processing user data for targeted Ads. In response to investigations by the Irish Data Protection Commission (DPC), Meta has made significant changes to its data processing practices for EU and Swiss citizens. This article delves into the decision of the Irish DPC and how Meta shifted its lawful basis for processing data from legitimate interest to consent.

The Legitimate Interest as a Lawful Basis:

Under the General Data Protection Regulation (GDPR), companies are required to have a lawful basis for processing personal data. One of the six legal bases specified in Article 6 of the GDPR is “legitimate interest.” This basis allows organizations to process personal data if they have a genuine and legitimate reason, provided that it does not override the individual’s rights, freedoms, and interests.

Meta, like many other tech giants, had long relied on legitimate interest as its lawful basis for processing user data. The argument put forth by the company was that data processing was essential for maintaining its services, ensuring user security, and enhancing user experience. However, concerns were raised about the extent to which the company used this lawful basis and whether it was genuinely necessary for the provision of its services.

Irish DPC Investigation and Findings:

The Irish DPC, being the lead data protection authority for Meta in the European Union, launched an investigation into the company’s data processing practices. The investigation aimed to determine whether Meta had been compliant with the GDPR’s requirements and whether legitimate interest was indeed a valid legal basis for their extensive data processing activities.

After a comprehensive examination, the Irish DPC released its findings, which raised concerns about the company’s handling of user data. The regulator found that Meta’s use of legitimate interest as a lawful basis for processing data was not always adequately justified. There were instances where the interests and rights of users were potentially compromised, as the data processing exceeded what was strictly necessary for the provision of Meta’s services.

Transition to Consent as a Lawful Basis:

In response to the Irish DPC’s investigation and its findings, Meta decided to make a significant shift in its approach to data processing. Rather than relying heavily on legitimate interest for targeted Ads, the company chose to emphasize consent as its primary lawful basis for handling user data for all of its EU and Swiss Customers.

Consent, as defined in the GDPR, requires that users provide explicit and informed agreement to the specific processing activities carried out by the company. By transitioning to consent as the primary lawful basis when processing for targeted ads, Meta aims to be more transparent and accountable for its data processing practices. This change would give users more control over their personal information, enabling them to make informed choices about the data they share and the processing activities they allow.


The Irish Data Protection Commission’s decision concerning Meta’s use of legitimate interest as a lawful basis for data processing for targeted ads for EU and Swiss customers has significantly influenced the company’s approach to data privacy. With the shift to consent as the primary lawful basis, Meta aims to prioritize user rights and privacy while ensuring compliance with the GDPR. This transition serves as an essential step towards building trust with users and fostering a more privacy-centric environment in the digital realm. As data protection laws continue to evolve, it is crucial for companies to remain vigilant and adaptable to maintain the highest standards of data privacy and protection.

Formiti Recommends organisations to revisit its use of legitimate interest and review and document its legitimate Interest Assessments. As stated in Article 35 of the GDPR data Controllers need to complete a  legitimate Interest Assessment  for all high risk data processing activities.