Norway is set to impose heavy fines on Meta after ruling that the social media giant’s behavioral advertising practices do not comply with its laws.
Datatilsynet, the Norwegian data protection authority, had given Meta until 4 August to submit evidence it’d changed its approach to harvesting geolocation data to power targeted advertising.
From 14 August the authority will fine Meta 1 million kroner ($98,500) per day until November 3, or until the firm complies with laws set out under GDPR as well as domestic data protection regulations. It clarified this doesn’t amount to a Facebook or Instagram ban in Norway.
Meta faces a total bill of 81 million kroner ($7,978,500) over the fine period, but Datatilsynet reserves the right to ask the European Data Protection Board (EDPB) to extend the fine, or make it permanent.
Behavioral advertising is a method through which publishers can take advantage of user data to push individually-relevant advertising content. In December 2022 the Irish Data Protection Commission (DPC) ruled that Meta unlawfully processed user data for behavioral advertising and fined the firm €390 million.
Datatilsynet cited a July decision from the Court of Justice of the European Union (CJEU) which stated Meta hadn’t changed its policies enough to comply with the law, following the DPC ruling.
The authority said Meta tracks the interests of users and what they post to build a detailed profile on them to determine which content to show them. It contended this is an issue of freedom of information, and that such targeted advertising is “particularly problematic from a democratic perspective”.
Automate personalization with AWS
Learn how you can leverage the benefits of personalization and automation across every customer touch point.
Meta has disagreed with the order and will challenge it. The firm has contended its promised consent changes are in line with prior demands but could be hit with fines of a similar nature by other authorities if authorities disagree.
"Today, we are announcing our intention to change the legal basis that we use to process certain data for behavioral advertising for people in the EU, EEA and Switzerland from ‘Legitimate Interests’ to ‘Consent’," Meta stated on 1 August.
"This change is to address a number of evolving and emerging regulatory requirements in the region, notably how our lead data protection regulator in the EU, the Irish Data Protection Commission (DPC), is now interpreting GDPR in light of recent legal rulings, as well as anticipating the entry into force of the Digital Markets Act (DMA)."
Will Richmond-Coggan, a partner at national law firm Freeths specializing in data protection litigation and enforcement told ITPro all European supervisory authorities can impose recurring fines.
“Other authorities will therefore be watching with interest to see if the Datatilsynet’s approach has the desired effect,” he said.
“One benefit of a recurring fine is that it underscores to businesses the continuing cost of their non-compliance, for as long as they fail to address it. But it is unlikely that such fines will have very much of a deterrent effect. In reality, the value is in the coercive effect of the adverse publicity around a company being in a continuing breach, and the pressure that this brings to bear towards remediating that issue.
“If there is a sense that this contributes to the pressure on Meta to get their house in order, and particularly if it seems that this approach resonates with the public and consumers who start to move away from Meta’s products in response to the adverse publicity, we can expect to see increased enthusiasm for this enforcement model from other supervisory authorities.”
The Irish DPC is the designated supervisory authority when it comes to adjudicating over several big tech companies, including Meta, because they’re headquartered in Ireland. The law, however, lets the likes of Datatilsynet to impose a three-month decision for violations that are deemed sufficiently urgent.
The DPC fined Meta €265 million ($290 million) in November 2022 for data scraping, and a further €390 million ($427 million) in December over its ad targeting policies, bringing the total 12-month fine total to more than €1 billion.
Another fine came in May 2023, with Meta fined a record $1.3 billion by the DPC for breaching GDPR through data transfers to the US that were deemed insufficiently protective of citizens’ rights and freedoms.
The firm subsequently announced plans to ask EU users for their consent on targeted advertising, and that the change would take several months to implement.
