Meta has been temporarily banned from running behavioral advertising on Facebook and Instagram in Norway — unless it obtains users’ consent to the processing.
The urgent order of provisional measures on Meta’s business, which has been made by Norway’s data protection authority, the Datatilsynet, applies for an initial three-month period.
It stipulates Meta may run other forms of targeted advertising, such as contextual targeting, i.e. which don’t rely on tracking and profilings users. Or it can continue to run behavioral advertising if it obtains users’ consent. However if Meta keeps on with its privacy-hostile ‘business as usual’ in the market — running behavioral ads without giving users a choice to deny its tracking and profiling — it will face fines of up to one million NOK (~$100,000) per day.
“The Norwegian Data Protection Authority considers that the practice of Meta is illegal and is therefore imposing a temporary ban of behavioural advertising on Facebook and Instagram,” it wrote in a press release announcing the ban order, adding: “We consider that the criteria for acting urgently in this case are fulfilled, in particular because Meta has recently received both a decision and a judgment against them to which they have not aligned themselves with. If we don’t intervene now, the data protection rights of the majority of Norwegians would be violated indefinitely.”
“Invasive commercial surveillance for marketing purposes is one of the biggest risks to data protection on the internet today,” the authority also warned.
While the Norwegian DPA is not Meta’s lead data supervisor in the region it’s able to make use of emergency powers contained in the General Data Protection Regulation (GDPR) which allow authorities to step in and take action on urgent concerns in order to protect users in its own market. Hence why the ban order only applies in Norway.
The DPA’s action follows a ruling earlier this month by the Court of Justice of the EU (CJEU) — which unpicked the legal basis Meta currently claims to microtarget users with ads in the region (aka legitimate interests).
Prior to that, a major decision out of Ireland’s Data Protection Commission (DPC) in January found Meta’s ads processing to be in breach of the bloc’s GDPR over a prior claim to rely on performance of a contract as the legal basis.
Meta was fined $410M+ for the breach and ordered to fix its compliance — quickly switching to a claim of legitimate interests for the processing. However the CJEU has since said that legal basis is also inappropriate for its surveillance advertising business, as we reported at the time. Which is why the Norwegian DPA says it’s taking urgent action now.
“In December last year, the Irish Data Protection Commission issued a decision on behalf of all data protection authorities across the EEA [European Economic Area] which established that Meta has conducted illegal behavioural advertising. Since then, Meta has made certain changes, but a fresh decision from the Court of Justice of the European Union has stated that Meta’s behavioural advertising still does not comply with the law. Therefore, the Norwegian Data Protection Authority is now taking action by imposing a temporary ban,” it wrote.
“The ban will apply from 4 August and last for three months, or until Meta can show that it complies with the law. Should Meta not comply with the decision, the company risks a coercive fine of up to one million NOK per day. The Norwegian Data Protection Authority’s decision only applies to users in Norway.”
Reached for a response to the ban order, Meta sent a brief statement (below) in which it tries to dodge the core issue by implying there is still “debate” over whether it can rely on legitimate interests for its behavioral ads business — despite the CJEU ruling a few weeks ago that LI is not a valid legal basis for its ads business. (Its statement omits mention of the CJEU ruling entirely.)
Here’s Meta statement in full:
The debate around legal bases has been ongoing for some time and businesses continue to face a lack of regulatory certainty in this area. We continue to constructively engage with the Irish DPC, our lead regulator in the EU, regarding our compliance with its decision. We will review the Norway DPA’s decision, and there is no immediate impact to our services
The tech giant did not confirm whether it will appeal the order.
It also did not respond to questions we put to it asking it to justify its claim of “ongoing debate” on a point the CJEU has recently clarified. Nor did it confirm whether it will be amending how it operates Facebook and Instagram in Norway.
Since Meta switched to a claim of LI to process user data for behavioral advertising it has had to offer EU users a way to object to this processing — which is a requirement for relying on the legal ground. This means it does already have a way to offer users a version of its service that does not rely on tracking and profiling for the ad targeting. So it could just blanket-apply that less intrusive form of ad targeting to all users in Norway. However it’s not clear whether the company will be switching that on in the market. (Or, indeed, making any changes to how it operates Facebook and Instagram in Norway.)
If Meta delays acting on the DPA’s ban order it’s risking daily fines for the next three months — which could stack up into several millions of dollars in penalties.
Perhaps more potentially concerning for Meta is the fact the Norwegian authority has warned it could seek to refer the matter to the European Data Protection Board (EDPB) — such as by asking it to take a binding decision to extend the ban order beyond the initial three month validity period.
Such an order by the EDPB could require Meta to stop running its consent-less behavioral advertising across the entire EU. Albeit, the Board may prefer to encourage the Irish DPC take up the baton, in its capacity as lead data supervisor for Meta, so it remains to be seen whether we’ll see a quick response from European data protection regulators to enacting this latest CJEU decision or another slow burn — with Meta set to benefit from any fresh enforcement delays.
We’ve reached out to the Irish DPC to ask whether it will be taking any action on Meta’s reliance of LI for behavioral ads in light of the CJEU ruling and will update this report with any response.
Update: The DPC’s deputy commissioner, Graham Doyle, confirmed the regulator has been conducting an assessment of Meta’s compliance following the earlier GDPR enforcement on legal basis for ads and the CJEU ruling — which it has passed to other EU data protection authorities for review. He added that it expects to conclude this process by the middle of next month. So Meta is likely to face further action on the legal basis issue this summer.
Here’s the DPC statement:
Having concluded its final decisions in these investigations, the DPC issued these to Meta and is now supervising compliance with the orders contained in the decisions. To that end, the DPC has assessed Meta’s compliance reports with the orders and sought views of all Concerned Supervisory Authorities (“CSAs”). The DPC has now produced a provisional assessment paper on the compliance reports that incorporates CSA views and considered the recent CJEU Bundeskartellamt judgement.
The DPC has provided its assessment to all CSAs and they have until Friday 21 July to make submissions to the DPC. Our Norwegian colleagues are in fact the first of our colleagues to respond to us and they have confirmed that they “found your analysis very thorough, thoughtful and sensible”. As you can see this process is very well advanced and the DPC intends to close out by way of a harmonised approach its supervision of Meta on this matter by no later than mid-August. All Supervisory Authorities who are party to this process are aware of this timetable.
In the meanwhile, EU users of Facebook and Instagram continue to be subject to Meta’s tracking and profiling by default, with no up-front choice to deny its surveillance — even as the recent CJEU ruling suggests consent is likely the only viable basis for Meta to run its behavioral advertising legally in the region.
“Meta, the company behind Facebook and Instagram, holds vast amounts of data on Norwegians, including sensitive data. Many Norwegians spend a lot of time on these platforms, and therefore tracking and profiling can be used to paint a detailed picture of these people’s private life, personality and interests. Many people interact with content such as that related to health, politics and sexual orientation, and there is also a danger that this is indirectly used to target marketing to them,” the Norwegian DPA warned.
Privacy concerns attached to Threads, Meta’s latest social network — which also tracks user activity, including gathering sensitive info like financial and health data — also explain why the service hasn’t launched in the EU.