Norway wants Facebook behavioral advertising banned across Europe
But Meta was just about to start asking people for their permission!
Norway has told the European Data Protection Board (EDPB) it believes a countrywide ban on Meta harvesting user data to serve up advertising on Facebook and Instagram should be made permanent and extended across Europe.
The Scandinavian country's Data Protection Authority, Datatilsynet, had been holding back Facebook parent Meta from scooping up data on its citizens with the threat of fines of one million Kroner (about $94,000) per day if it didn't comply.
In August, it said Meta hadn't been playing ball and started serving up the daily fines.
However, the ban that resulted in these fines, put into place in July, expires on November 3 – hence Norway's request for a "binding decision."
The July order came after a Court of Justice of the European Union (CJEU) ruling [PDF] earlier that month stating Meta's data processing operation was also hauling in protected data – race and ethnicity, religious affiliation, sexual orientation etc. – when it cast its behavioral ads net.
Norway is not a member of the EU but is part of the European single market, and the CJEU, as Europe's top court, has the job of making sure the application and interpretation of law within the market is compliant with European treaties (this part would apply to Norway) as well as ensuring that legislation adopted by the EU is applied the same way across all Member States. Datatilsynet's ruling said the central processing of that data by the American company was putting Meta in violation of the EU's General Data Protection Regulation.
Meta argued at the time that it already had users' consent for targeted advertising – because they clicked on the Ts&Cs when they signed up to its services, but the CJEU didn't buy that argument.
Datatilsynet, meanwhile, said this week:
We believe that our temporary ban must be made permanent. Furthermore, we believe that the General Data Protection Regulation (GDPR) must be interpreted consistently throughout the EU/EEA, and we ask for the ban to be extended to the rest of Europe.
- Norway court upholds miniscule fine against Meta for flouting privacy rules
- Norway to hit Meta with fines over Facebook user privacy from next week
- Norway bans Meta's behavioral advertising with threats of wrist-slap fines
- NY Attorney General warns Apple, Google to police COVID-19 tracing apps in their souks – or she will herself
Meta has disputed the attempt to refer the whole shebang to the EDPB. Datatilsynet said the company believes, "among other things, that the decision of the Norwegian DPA is invalid and that the DPA does not have a legal basis to request a binding decision from the EDPB."
Meta, which has been fielding GDPR lawsuits in Europe and the UK for years, said last month it would seek explicit consent from people in the EU, EEA, and Switzerland before using their data to serve up ads targeted at them personally.
A spokesperson for Facebook's parent company told us it was "surprised" by the Norwegian authority's actions, "given that Meta has already committed to moving to the legal basis of consent for advertising in the EU/EEA."
It added: "We remain in active discussions with the relevant data protection authorities on this topic via our lead regulator in the EU, the Irish Data Protection Commission, and will have more to share in due course."
The United Kingdom was notably absent from that list of countries that Meta is moving to a "consent" basis for processing, despite the rules being roughly the same under UK GDPR.
The British government is in the process of trying to replace the EU legislation – which is still part of UK law under the Data Protection Act – by passing the Data Protection and Digital Information bill. The new bill, on the face of it, removes several data subject protections including oversight of public surveillance cameras, and potentially data adequacy with the EU, affecting every UK business that collects and processes EU data. Lawmakers behind the bill have criticized the GDPR for having an "overemphasis on consent."
We wonder if Meta knows something we don't. ®