Summary
Earlier this week, the Norwegian DPA Datatilsynet banned Meta from using behavioral ads for at least three months, or until the company demonstrates its compliance with Norwegian law. The ban will starts on August 4th and run until October. If Meta doesn't comply, the company risks a daily fine of up to one million Norwegian Krone (NOK), the equivalent of about USD $100K.
This decision by the Norwegian DPA stems from another taken by the Irish DPC (on behalf of European Data Protection Authorities) in January, finding Meta in breach of the GDPR for processing data using contracts as a legal basis. Later this year, Meta switched to claiming legitimate interest, but that was also denied, this time by the Court of Justice of the European Union.
In a press release, the Norwegian DPA highlights the potential risks associated with tracking and profiling, and by extension behavioral advertising: discrimination, misinformation, negative impact on vulnerable people, influence on the democratic process, and more.
"Invasive commercial surveillance for marketing purposes is one of the biggest risks to data protection on the internet today" - Tobias Judin, Head of International in the Norwegian Data Protection Authority (source: Datatilsynet) |
Be mindful, however, that this is not a ban on Meta, nor a ban on advertising for Meta in Norway. The company will still be able to run advertising campaigns, but will need to collect valid consent for behavioral ads:
The Norwegian Data Protection Authority does not ban personalised advertising on Facebook or Instagram as such. The decision does not for example stop Meta from targeting advertising based on information a user put in their bio, such as place of residence, gender and age, or based on interests a user has provided themselves. Nor does the decision stop Meta from showing behavioural advertising to users who have given valid consent to it. - Datatilsynet press release (source: Datatilsynet) |
In a statement, data privacy organization noyb, which was behind the original complaint against Facebook, rejoices over the decision by the Norwegian DPA:
"The decision of the Norwegian DPA is exciting. It clearly seems to be an attempt to bypass the Irish DPC, which wasn't enforcing its own decision against Meta 5 years after noyb's complaints." - Romain Robert, Program Director at noyb (source: noyb) |
Meta is in increasingly deep waters in Europe. The company held the crown for the biggest GDPR data privacy fines imposed last year and has already broken a record earlier in 2023 with a USD $1.2B fine for failing to comply with a 2020 decision on trans-Atlantic data transfers.
As a result, the company's latest social media venture, Threads, is currently not available in the EU. What do you think about it and about the drastic approach by the Norwegian DPA?