Norway has had it with Meta, threatens $100K fines for data violations

Meta's data privacy woes in Europe continue as Norway has announced an immediate ban on "behavioral advertising" on Facebook and Instagram. Until Meta makes some big changes, it will be fined $100,000 daily for Norwegian user privacy breaches, the Norwegian Data Protection Authority, Datatilsynet, said yesterday.

 

"Meta tracks in detail the activity of users of its Facebook and Instagram platforms," Datatilsynet's press release said. "Users are profiled based on where they are, what type of content they show interest in, and what they publish, amongst others. These personal profiles are used for marketing purposes—so called behavioral advertising. The Norwegian Data Protection Authority considers that the practice of Meta is illegal and is therefore imposing a temporary ban of behavioral advertising on Facebook and Instagram."

 

Norway has not banned the apps. Its ban is focused on restricting data collection for behavioral advertising and starts August 4. The temporary ban could drag on for three months unless Meta takes remedial action sooner.

 

But there's a chance the ban could also be extended by the European Data Protection Board (EDPB). Head of Datatilsynet's international section, Tobias Judin, told Ars that the Norwegian data authority has not yet referred its decision to the EDPB—a step that Reuters reported "could make the fine permanent and widen the decision's territorial scope in Europe." Instead, Datatilsynet is giving Meta time to respond "before taking any next steps."

 

"Once Meta provides its comments, we intend to take the matter to the European Data Protection Board," Judin told Ars.

 

If it does get to that point and the EDPB agrees with Datatilsynet, that "would put additional pressure on Meta," Judin told Reuters.

 

Datatilsynet's decision came after the Irish Data Protection Commission fined Meta more than $500 million, following two similar inquiries into Facebook and Instagram breaches of the EU's General Data Protection Regulation (GDPR). More recently, the EU's highest court ruled on July 4 that Meta's behavioral advertising did not comply with the GDPR.

 

Of that latter case, Judin told Ars, "in essence, the court found Meta’s practices highly problematic under data protection law."

 

Norway is not part of the European Union, but it belongs to the European Economic Area, which means it is part of the EU's single market and is similarly bound by the GDPR. Datatilsynet's press release said that Norway had to take immediate action to protect Norwegian Facebook and Instagram users from "invasive commercial surveillance for marketing purposes" that Judin said "is one of the biggest risks to data protection on the Internet today."

 

"It is so clear that this is illegal that we need to intervene now and immediately," Judin told Reuters. "We cannot wait any longer."

 

Datatilsynet's press release said that "82 percent of the adult Norwegian population have Facebook accounts and 65 percent have Instagram accounts." Meta can continue tracking these users' behaviors, Datatilsynet said, but the company needs to get "valid consent" from each user to comply with the GDPR. Currently, Meta gains such consent through its user agreements at sign-ups, which Datatilsynet said makes sure that Meta's "tracking is hidden from view." That's particularly concerning, Datatilsynet said, considering that "many vulnerable people" use Facebook and Instagram and "need extra protection"—"such as children, the elderly, and people with cognitive disabilities."

 

Judin told Ars that Meta can challenge Datatilsynet's decision at any time in the Oslo District Court, but he hopes the company will instead take prompt action to update its services and ensure compliance with the GDPR.

 

"Considering how clear the Court has been regarding the company’s behavioral advertising, we hope that Meta will do the right thing and simply comply with the law—not drag it out in court once again," Judin told Ars. "If Meta really cares about their users, they should be more protective of users’ data protection rights."

 

Meta did not respond to Ars' request for comment, but a spokesperson told Reuters that the company is reviewing Datatilsynet's decision. This month, Meta has indefinitely delayed launching its new app Threads in the EU over similar regulatory concerns. The company was so cautious to ensure that Threads was not violating GDPR that it started blocking EU users attempting to use VPNs to access the app. In the meantime, the spokesperson said, "there would be no immediate impact on its services." [Update: A Meta spokesperson told Ars, “The debate around legal bases" for data collection "has been ongoing for some time and businesses continue to face a lack of regulatory certainty in this area. We continue to constructively engage" with the Irish Data Protection Commission, "our lead regulator in the EU, regarding our compliance with its decision."]