Meta’s use of behavioral ads on Facebook and Instagram has been banned in Norway.

Meta has been prohibited for an interim period from operating behavioral ads on Facebook and Instagram in Norway unless it asks users for their consent to process.
Meta’s use of behavioral ads on Facebook and Instagram has been banned in Norway.

Meta has been prohibited for an interim period from operating behavioral ads on Facebook and Instagram in Norway unless it asks users for their consent to process.
The emergency interim measure in respect of Meta's business was issued by Norway's data protection agency, Datatilsynet. It shall be in place for the initial three months term.

It requires Meta to run other forms of targeted advertising other than behavioral, for instance, contextual targeting that implies it does not depend on tracking and profiling of the users. Alternatively, it may be entitled to continue running behavioral targeted advertising if it has garnered the consent of the user. But if Meta continues down its track with its privacy-unfriendly 'business as usual' in the market — behavioral ads that do not have the opportunity to deny to users being tracked and profiled, it will see fines amounting to a million NOK (~100,000$) per day.

"It finds that the practice of Meta constitutes an infringement of the BDSG or data protection law and is imposing today a temporary ban on Facebook and Instagram of behavioral advertisement," it wrote in announcing the ban order. Added: "We find fulfilled also the criteria for urgent intervention in this case in all respects, especially since Meta has recently received both an initial decision and a judgment by which they have not presented to themselves.". If no action is taken now, the rights of data protection of most Norwegian citizens will be violated eternally, the authority warned in a statement.

Commercial surveillance for marketing purposes was among the biggest risks to data protection on the internet, it also warned.

While the Norwegian DPA is not Meta's lead data supervisor in the region it's able to make use of emergency powers contained in the General Data Protection Regulation, which allow authorities to step in and take action on urgent concerns in order to protect users in its own market. This is why the ban order only applies in Norway.

The move comes in the wake of a ruling by the Court of Justice of the EU earlier this month that has essentially torn up the legal basis Meta currently relies on to micro-target users with ads in the region: namely, legitimate interests.

That is ahead of a major ruling last January out of the DPC of Ireland, where the Irish watchdog found Meta's ads processing to be in breach of the bloc's GDPR, over a previous claim it relied on the legal basis of performance of a contract.

Meta was fined $410M+ for the breach and ordered to fix its compliance — which it promptly did by turning to a claim of legitimate interests for the processing. Yet the CJEU has since indicated that legal basis is likewise inappropriate for its surveillance advertising business, as we reported then. That is why the Norwegian DPA is taking urgent action now.

In December last year, all the data protection authorities throughout the EEA [European Economic Area] issued a decision led by the Irish Data Protection Commission where it determined that Meta has actually been carrying out illegal behavioural advertising. Since then, Meta made some changes but this fresh decision from the Court of Justice of the European Union says that Meta's behavioral advertising is still not according to law. Therefore, it is making a step by imposing a temporary restriction, it wrote.

The ban will be in effect from 4 August and will last for three months, or until Meta can demonstrate that it is in compliance with the law. If Meta does not comply with the ruling, the company faces a coercive fine of up to one million NOK per day. The Norwegian Data Protection Authority's ruling only affects users in Norway.

Reached for comment on the ban order, Meta issued a brief statement (below), in which it tries to pass on the blow by claiming there is still "debate" over whether it can lean on legitimate interests for its behavioral ads business—even though the CJEU decided just a few weeks ago that LI is not a valid legal basis for its ads business. (Its statement does not mention the CJEU ruling at all.)

Here is the full statement by Meta:

The discussions about the legal bases have been ongoing for a long time and businesses still have a regulatory uncertainty in the matter. We continue constructively engaging with the Irish DPC, our lead EU regulator regarding our compliance with its decision. We will review the decision of Norway DPA, and there is no immediate impact on our services.

The tech giant wouldn't comment on whether it might appeal the order.

But it refused to say why its previous claim of "continuing debate" on a point which has lately been clarified by the CJEU was valid or confirmed whether it will revise its model of operation of Facebook and Instagram in Norway.

Since Meta switched to a claim of LI to process user data for behavioral advertising, it has had to offer EU users a way to object to this processing — which is a requirement for relying on the legal ground. This means it does already have a way to offer users a version of its service that does not rely on tracking and profiling for the ad targeting. So it might just blanket-apply that less intrusive form of ad targeting to all users in Norway. But it's not clear whether the firm will be flipping that on in the market. (Or, indeed, changing how it runs Facebook and Instagram in Norway.)

If Meta does not comply with the DPA's ban order, it risks facing daily fines for the next three months, which could stack up into several millions of dollars in penalties.

Perhaps more potentially worrying for Meta, though, is the fact the Norwegian authority has cautioned that it could try to refer the matter to the EDPB — for example by asking it to take a binding decision to extend the ban order beyond the initial three month validity period.

An order by the EDPB may even compel Meta to terminate running its consent-less behavioural advertisement across the entire EU. But the Board may want the Irish DPC to rise to the occasion and take charge in its position as lead data supervisor for Meta; so we shall see whether there will be a swift reaction from European data protection regulators to this latest decision of the CJEU, or if it will follow another slow burn — where any new enforcement delays may accrue to the advantage of Meta.

We have also written to the Irish DPC and asked if it has a view on whether it intends to take any action in this case in light of the CJEU decision and will update the report when any response is received.

Update: Meta's deputy commissioner at the DPC, Graham Doyle, said that the regulator has been reviewing the company's compliance after it enforced GDPR on the legal basis for ads and a CJEU ruling — something that has been passed over to other EU data protection authorities for consideration. This will be completed by the middle of next month. Therefore, Meta will receive more enforcement on the legal basis during the summer.

This is the DPC statement:

Having concluded its decisions in these investigations, the DPC issued these to Meta and is now monitoring compliance with the orders contained in the decisions. In this regard, the DPC has considered Meta's compliance reports with the orders and sought views of all CSAs. The DPC has now prepared a provisional assessment paper on the compliance reports that incorporates CSA views and considered the recent CJEU Bundeskartellamt judgement.

The DPC issued its assessment to all CSAs and they should make a submission to the DPC by Friday, 21 July. Actually, this is the first of our replies from our colleagues, norway colleagues included, "found your analysis very thorough, thoughtful and sensible.". As you can see, this process is very well advanced and the DPC intends to close out by way of a harmonized approach its supervision of Meta on this matter by no later than mid-August. All Supervisory Authorities who are party to this process are aware of this timetable.

Meanwhile, the users of Facebook and Instagram in the EU are still by default left open to Meta's surveillance and profiling without being provided with an up-front opportunity to opt-out of its surveillance — despite the recent CJEU judgment suggesting that consent is most likely the only available basis under which Meta will be permitted to operate its behavioral ads legally in the region.

"Meta, which owns Facebook and Instagram, collects huge amounts of data on Norwegians, including sensitive personal data. Many Norwegians spend a lot of time using these platforms, and, therefore, tracking and profiling can be used to paint an extremely detailed picture of these people's private life, personality, and interests.". Most, by number, engage with topics related to health, politics, and other issues of sexual orientation. To this end, the DPA warned that many are faced with the danger of being sold out indirectly.

Privacy concerns related to Threads, Meta's social network that also tracks people's activity, gathering from it sensitive information like financial and health data, explains why the service has never launched in the EU.

Blog
|
2024-11-03 18:29:20