Norway bans Meta's behavioral advertising with threats of wrist-slap fines

Norwegian data protection authorities have temporarily banned Meta from tracking users for the purposes of serving ads, and threatened the US company with fines of one million Kroner per day if it doesn't comply.

Before you start cackling like Dr Evil, that's about $100K. Meta will not be too concerned about the impact on its cash reserves.

The Datatilsynet, Norway's data protection enforcer, said today that it considers Meta's practice of tracking the activity, location and behavior of Facebook and Instagram users illegal, as determined by a pair of decisions made recently by the European Data Protection Board (EDPB) and Ireland's Data Protection Commission (DPC).

Since those two decisions, the enforcement body noted, Meta has made changes to bring itself into compliance. However, a decision [PDF] made by the Court of Justice of the European Union (CJEU) on July 4 gives what the Datatilsynet believes is justification to take an emergency action to ban Meta's behavioral advertising, at least temporarily, for continued violation of the law. 

Per the CJEU, Meta's data processing operation appears to scoop up protected data – like race and ethnicity, religious affiliation, sexual orientation and other info. Processing that data would put Meta in violation of the EU's General Data Protection Regulation.

Thus, the Datatilsynet took action "to ensure that people in Norway can use these services in a secure way and that their rights are safeguarded," said Tobias Judin, head of the international department at Datatilsynet. "Invasive commercial surveillance for marketing purposes is one of the biggest risks to data protection on the internet today," Judin added.

The Datatilsynet argues that, along with being able to dictate what's shown to its users based on their behavior, Meta also gets to decide what's ultimately not shown to users. That, it argues, can have a limiting effect on freedom of expression and the freedom of information in countries like Norway, where a considerable number of residents use Meta's platforms. 

"There is a risk that behavioral advertising strengthens existing stereotypes or could lead to unfair discrimination of various groups," the Datatilsynet argued.

• Tax prep firms 'recklessly shared' your data with Google and Meta – senators
• Meta's data-hungry Threads skips over EU but lands in Britain
• Google accused of ripping off advertisers with video ads no one saw. Now, the expert view
• Google accused of ripping off advertisers with video ads no one saw. Now, the expert view

Because Meta's European headquarters is in Ireland, emergency data protection actions from other EU nations are only permissible in certain circumstances – and then only for up to three months. 

The Norwegian data authorities argue the need for action is urgent because of the earlier decisions made against Meta by the EDPB and DPC, with which it said the social media kraken had "not aligned themselves" in light of the CJEU's findings. 

The ban, which only applies to data belonging to users in Norway, will go into effect on August 4 and end on November 3, 2023, though the Datatilsynet said it may take the matter to the EDPB in autumn to ask for an extension. 

If Meta doesn't comply it risks fines of one million Kroner per day. Over the course of 91 days that amounts to around $9 million, or a mere 0.16 percent of Meta's Q1 2023 profit. 

In other words, an admin expense.

Meta is free to continue targeted advertising in Norway, the Datatilsynet said, provided the data used is what users freely provide – like profile information – and for users who've provided affirmative consent.  

When asked how Meta will respond to the Datatilsynet's allegations, behavioral advertising ban and potential fines, a spokesperson said Meta continues to engage with the Irish DPC – which they reiterated is Meta's lead EU regulator – "regarding our compliance with [the DPC's] decision." 

As for how it would respond to Norwegian authorities, Meta "will review the Norway DPA's decision," the spokesperson said, adding "there is no immediate impact to our services." ®