This article is more than 1 year old
Norway court upholds miniscule fine against Meta for flouting privacy rules
Targeted ads require data usage consent under EU regulations
A court in Oslo, Norway, has upheld the Norwegian Data Protection Authority's daily fines against Meta for delivering behavioral advertising in violation of data privacy rules.
In July, the data protection agency, known as Datatilsynet, temporarily banned Meta and its Facebook social ad business from serving behaviorally targeted ads within the country, based on litigation in Europe initiated by privacy group None Of Your Business (NOYB) in 2018.
Those cases led to a decision [PDF] in July by the Court of Justice of the European Union (CJEU) that Meta could not bypass consent requirements under the General Data Protection Regulation (GDPR). GDPR applies to the European Economic Area (EEA) in which Norway participates.
Meta had argued that it obtained consent for targeted advertising when users of its services accepted its terms and conditions, but the CJEU rejected that argument.
The Irish Data Protection Commission (DPC), which oversees Meta's Ireland-based EU business unit, then asked various other regulatory bodies to comment on its assessment that Meta Ireland failed to meet GDPR data processing requirements.
Datatilsynet told the DPC it would move to temporarily ban Meta's rule-violating ads. And as of August 14, the Norwegian data agency imposed a fine of one million Kroner (~$93,200) per day on Meta Ireland for failing to comply with its targeted ad ban – up to a maximum of around $8.5 million in fines in total.
Meta Ireland and Facebook Norway challenged the fine and behavioral ad ban, arguing that the decision is invalid and that Meta was not given sufficient time to respond. Meta also objected to the application of GDPR Article 66, which allows data authorities to enact measures immediately when "there is an urgent need to act in order to protect the rights and freedoms of data subjects."
In its defense, Meta told the Oslo court it would have to suspend Facebook and Instagram services in Norway to comply with the order.
"Behavioral marketing is very widespread and has been going on for many years, including the entire period GDPR has been in effect," explains Meta in its machine translated submission [PDF] to the court.
The social ad biz noted in its court argument that the social media megalith recently changed its policies to give users more control over how their data gets handled, and thus the urgent action under Article 66 is unnecessary.
And Meta argued it simply could not comply: "In addition, the urgency procedure will interfere with the ongoing process for the [Irish Data Protection Commission] and in practice represent an impossible obligation. The decision entails de facto that Meta Ireland must temporarily stop Facebook and Instagram services in Norway."
The Oslo court was unmoved by Meta's protestations and sided with Datatilsynet.
"We are very pleased with the Court’s ruling and the result," declared Line Coll, director general of Datatilsynet, in a statement. "This is a big victory for people’s data protection rights."
- Norway bans Meta's behavioral advertising with threats of wrist-slap fines
- Norway to hit Meta with fines over Facebook user privacy from next week
- Meta's data-hungry Threads skips over EU but lands in Britain
- Google accused of ripping off advertisers with video ads no one saw. Now, the expert view
Meta, unsurprisingly, had the opposite reaction.
"We are disappointed by today’s decision and will now consider our next steps," a Meta spokesperson told The Register in an email. "We have already announced our intention to transition all EU and EEA users to the GDPR legal basis of Consent, and will continue to work with the Irish Data Protection Commission to facilitate this."
Meta must obtain approval from the Irish Data Protection Commission for any consent mechanism it deploys. Meanwhile, Meta's services in Norway continue unchanged, as do the fines, which will be imposed at most until November 3, 2023. As previously noted, the maximum extent of the penalty comes to about $8.5 million at current exchange rates, or about 0.15 percent of Meta's Q1 2023 profit.
The Register asked Datatilsynet whether the agency anticipates further legal resistance from Meta.
"On the one hand, Meta is a notoriously litigious company. Taking legal action against regulators appears to be integral to their business model," Tobias Judin, head of the international section for Datatilsynet responded.
"On the other hand, today's court decision was very thorough and clear. Therefore, we do not know whether Meta will appeal. I think only Meta has the answer to that question." ®