Meta, formerly known as Facebook, has suffered a setback in its attempt to obtain an injunction against the ban imposed by Norway’s data protection authority on its consentless behavioral ad targeting. The Oslo District Court ruled in favor of the Datatilsynet and rejected Meta’s arguments seeking to block the order. The ban, which includes provisions for daily fines for non-compliance, prohibits Meta from running ads that target local users without their consent through tracking and profiling.
Key Takeaway
Meta’s bid for an injunction against Norway’s ban on its surveillance ads has been denied by the Oslo District Court. The court ruled in favor of the Datatilsynet, Norway’s data protection authority, stating that the ban is a victory for people’s data protection rights. Meta could potentially appeal the decision, but has yet to confirm its next steps.
The Court Ruling and Response
The Oslo District Court’s decision to reject Meta’s arguments and uphold the ban was seen as a significant victory for data protection rights. The DPA’s director general, Line Coll, expressed satisfaction with the ruling, emphasizing the importance of safeguarding individuals’ privacy. Meta, on the other hand, expressed disappointment and stated that it would consider its options in light of the decision. The company had previously announced its intention to transition its European users to the GDPR legal basis of consent, and it will continue working with the Irish Data Protection Commission to facilitate this transition.
The Daily Fines and Non-Compliance
Norway’s data protection authority confirmed that Meta is accruing daily fines for failing to comply with the ban on consentless behavioral ad targeting. The fines amount to one million NOK per day (~$100,000), and they have been accumulating since August 14. It is estimated that the fines already exceed $2 million, although no money has been collected thus far. The authority’s order, based on emergency powers granted by the GDPR, can only remain in effect for three months since it is not Meta’s lead data supervisor. However, the order was necessary to address Meta’s continued processing of individuals’ data for ad targeting without a valid lawful basis.
Meta’s Legal Basis and Transition to Consent-Based Advertising
Meta’s claim of contractual necessity for its processing of data was rejected by EU data protection authorities earlier this year. Subsequently, the company argued for a “legitimate interest” basis for its ad targeting activities. However, the Court of Justice of the EU ruled against this approach in July, stating that personalized advertising requires the data subject’s consent. In response, Meta announced its intention to switch to a consent-based legal basis for targeted advertising in August but did not provide a timeline for implementation. The Norwegian DPA contends that unlawful processing is ongoing, leading to the emergency order.
Irish Data Protection Commission’s Involvement
Despite being the lead supervisory authority for Meta’s GDPR compliance, the Irish Data Protection Commission (DPC) has not taken similar actions to address the unlawful ad processing. The DPC had been conducting an assessment of Meta’s compliance following the earlier rulings but has not provided any public updates. The Datatilsynet, Norway’s data protection authority, has been in contact with the DPC regarding Meta’s legal basis for ads but emphasizes that the Irish regulator’s attention is focused on Meta’s proposed “consent process” rather than the ongoing unlawful processing targeted by Norway’s ban order.
There is a possibility that the matter may be referred to the European Data Protection Board (EDPB) for a binding decision that would apply across the EU. The Datatilsynet is currently assessing this option given the wider implications of surveillance-based advertising, which extend beyond Norway.