According to a confidential EU privacy watchdog ruling, Meta will only be allowed to run user advertisements based on user data with user consent, a person familiar with the subject told Reuters.

The source said the decision was made by the European Data Protection Board (EDPB), a body that coordinates GDPR enforcement across the EU. The ruling would be a blow to Meta, which uses user data to run targeted advertisements at scale.

Since Meta’s European headquarters are in Dublin, the Irish data privacy regulator has been granted a month to deliver a verdict consistent with the EDPB’s ruling, Reuters reports. The EDPB will likely force the Irish regulator to levy fines, according to the source, who requested anonymity due to the matter’s sensitivity.

Scrutiny intensifies

Big tech’s targeted advertising and data collection business has sparked regulatory scrutiny worldwide. Meta’s stock was down 6.2 percent in mid-session trading. Google, Snap, and Pinterest, which rely on digital advertising as well, lost anywhere from 2 to 8 percent.

The Irish case against Meta was sparked by a complaint by Austrian privacy campaigner Max Schrems in 2018.

“Instead of having a yes/no option for personalised ads, they just moved the consent clause in the terms and conditions”, Schrems said in a statement. “This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”

EDPB intervened

According to Schrems, the EDPB’s latest ruling implies that Meta must redesign all of its applications to provide a privacy-friendly version for users that do not consent to the use of personal data for advertising. The tech giant may still use non-personal data to personalize ads or directly ask users for approval.

According to a Meta spokesperson, the organization is in talks with the Irish government. An EDPB representative declined to comment. The body stated that it intervened when other national watchdogs didn’t approve of a draft judgment from the Irish data privacy regulator.

Tip: AWS never talks about sovereign cloud, but definitely has it, says Amazon CSO