By way of background, Meta tracks user activity on Facebook and Instagram platforms and profiles users “based on where they are, what type of content they show interest in, and what they publish, amongst others,” according to the Norwegian DPA. These personal profiles are used for “illegal” behavioral advertising purposes, the Norwegian DPA said.
In December 2022, in a decision issued on behalf of all DPAs across the European Economic Area (EEA), the Irish Data Protection Commission found that Meta was engaging in behavioral advertising in violation of Article 6(1)(b) of the General Data Protection Regulation (GDPR) and ordered Meta to bring its processing activities into compliance within three months.
On July 4, 2023, the Grand Chamber of the Court of Justice of the European Union (CJEU) held, that “a national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed.”
Because Meta’s European headquarters are in Dublin, the Irish Data Protection Commission, typically, is Meta’s lead supervisory body in the EEA. However, the Norwegian DPA noted that it can intervene directly against Meta when there is “an urgent need to act and, in such case, we can issue a decision which is valid for a period of three months.”
“We consider that the criteria for acting urgently in this case are fulfilled, in particular because Meta has recently received both a decision and a judgment against them to which they have not aligned themselves with,” the Norwegian DPA added. “If we don’t intervene now, the data protection rights of the majority of Norwegians would be violated indefinitely.”
Scope of the Ban
On July 17, the Norwegian DPA announced it imposed a “temporary ban” on “Meta’s processing of personal data of data subjects in Norway” for targeted advertising purposes, beginning Aug. 4 until October, initially, “or until Meta can show that it complies with the law.” Should Meta not comply, it risks facing a fine of up to one million Norwegian kroner (US$100,000) per day, the Norwegian DPA said.
Norwegian DPA Head of International Tobias Judin said the decision applies only to users in Norway and does not ban Facebook or Instagram in Norway. “The purpose is rather to ensure that people in Norway can use these services in a secure way and that their rights are safeguarded,” Judin said.
Neither does the Norwegian DPA ban Meta from targeting advertising based on a user’s profile bio information—such as place of residence, gender and age, or based on interests a user has provided themselves. Nor does the decision ban Meta from behavioral advertising to users who have given valid consent.
Next Steps
“Moving forward, we may take the matter to the European Data Protection Board (EDPB), of which we are a member, after the summer,” the Norwegian DPA stated. “The EDPB will decide whether the decision may be extended beyond its initial three-month validity period.”
“Meta has expressed its views in relation to the case, and the company disagrees with our assessments,” the Norwegian DPA added. Meta can decide to challenge the Norwegian DPA’s decision in the Oslo District Court.
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.