The Norwegian Data Protection Authority imposes a ban on Meta carrying out behavioural advertising based on the surveillance and profiling of users in Norway. The ban will initially apply until October
Meta tracks in detail the activity of users of its Facebook and Instagram platforms. Users are profiled based on where they are, what type of content they show interest in and what they publish, amongst others. These personal profiles are used for marketing purposes – so called behavioural advertising. The Norwegian Data Protection Authority considers that the practice of Meta is illegal and is therefore imposing a temporary ban of behavioural advertising on Facebook and Instagram.
In December last year, the Irish Data Protection Commission issued a decision on behalf of all data protection authorities across the EEA which established that Meta has conducted illegal behavioural advertising. Since then, Meta has made certain changes, but a fresh decision from the Court of Justice of the European Union (curia.europa.eu) has stated that Meta’s behavioural advertising still does not comply with the law. Therefore, the Norwegian Data Protection Authority is now taking action by imposing a temporary ban.
The ban will apply from 4 August and last for three months, or until Meta can show that it complies with the law. Should Meta not comply with the decision, the company risks a coercive fine of up to one million NOK per day. The Norwegian Data Protection Authority’s decision only applies to users in Norway.
Many people in Norway use and enjoy social media – figures from Ipsos (ipsos.com) show that 82% of the adult Norwegian population have Facebook accounts and 65% have Instagram accounts.
- The Norwegian Data Protection Authority’s decision does not ban Facebook or Instagram in Norway. The purpose is rather to ensure that people in Norway can use these services in a secure way and that their rights are safeguarded, says Head of International in the Norwegian Data Protection Authority, Tobias Judin.
The Norwegian Data Protection Authority does not ban personalised advertising on Facebook or Instagram as such. The decision does not for example stop Meta from targeting advertising based on information a user put in their bio, such as place of residence, gender and age, or based on interests a user has provided themselves. Nor does the decision stop Meta from showing behavioural advertising to users who have given valid consent to it.
- All business models must respect privacy as a human right. Users must have sufficient control over their own data, and any tracking must be limited, Judin says.
Meta, the company behind Facebook and Instagram, holds vast amounts of data on Norwegians, including sensitive data. Many Norwegians spend a lot of time on these platforms, and therefore tracking and profiling can be used to paint a detailed picture of these people’s private life, personality and interests. Many people interact with content such as that related to health, politics and sexual orientation, and there is also a danger that this is indirectly used to target marketing to them.
- Invasive commercial surveillance for marketing purposes is one of the biggest risks to data protection on the internet today, Judin says.
When Meta decides what adverts someone is shown, they also decide what not to show someone. This affects freedom of expression and freedom of information in society. There is a risk that behavioural advertising strengthens existing stereotypes or could lead to unfair discrimination of various groups. Behavioural targeting of political adverts in election campaigns is particularly problematic from a democratic perspective.
As tracking is hidden from view, most people find it difficult to understand. There are also are many vulnerable people who use Facebook and Instagram that need extra protection such as children, the elderly and people with cognitive disabilities.
As Meta has its European headquarters in Dublin, it is normally the Irish Data Protection Commission that supervises the company in the EEA. The Norwegian Data Protection Authority can nevertheless intervene directly against Meta when there is an urgent need to act, and in such cases we can issue a decision which is valid for a period of three months. We consider that the criteria for acting urgently in this case are fulfilled, in particular because Meta has recently received both a decision and a judgment against them to which they have not aligned themselves with. If we don’t intervene now, the data protection rights of the majority of Norwegians would be violated indefinitely.
Moving forward, we may take the matter to the European Data Protection Board (EDPB), of which we are a member, after the summer. The EDPB will decide whether the decision may be extended beyond its initial three month validity period.
Meta has expressed its views in relation to the case, and the company disagrees with our assessments. Meta can decide to challenge the Norwegian Data Protection Authority’s decision in the Oslo District Court.