Meta has lost a first bid to get an injunction slapped on a ban Norway's data protection authority imposed on its consentless behavioral ad targeting in July. The order also provides for daily fines for non-compliance.
An Oslo District court rejected Meta's arguments seeking to block the order and ruled in favor of the Datatilsynet. "We are very pleased with the Court’s ruling and the result. This is a big victory for people’s data protection rights," said the DPA's director general, Line Coll.
Meta could seek to appeal the decision to a higher court. But has not confirmed whether or not it will do so.
"We are disappointed by today’s decision and will now consider our next steps," a Meta spokesman told us. "We have already announced our intention to transition all EU and EEA [European Economic Area] users to the GDPR [General Data Protection Regulation] legal basis of Consent, and will continue to work with the Irish Data Protection Commission [DPC] to facilitate this.”
Norway's data protection authority confirmed the daily fines are accruing on Meta for failing to comply with its ban on running ads that are targeting by tracking and profiling local users without their consent.
The DPA's decision arranged for penalties of one million NOK (~$100,000) per day of non-compliance -- starting on August 14 -- suggesting the fines levied already exceed $2 million. Although a spokesman for the authority confirmed none of the money has been collected yet.
The Datatilsynet's order, which was made using emergency powers set out in the GDPR, can only apply for three months since the Norwegian authority is not Meta's lead data supervisor for the GDPR (that's Ireland's DPC). But the order was intended as a stop-gap to respond to the fact Meta has continued to process people's data for ad targeting without having a valid lawful basis.
Meta's claim of contractual necessity for this processing was rejected by EU DPAs at the start of this year. After which it moved to claiming a so-called "legitimate interest" to process people's data for ads. However the EU's top court, the CJEU, slapped that down in July when it handed down a much anticipated judgement in relation to a challenge to Meta's data collection brought years earlier by Germany's competition authority -- ruling that legitimate interests is not appropriate for "personalized advertising" either and Meta must obtain the data subject's consent.
After that, at the start of last month, Meta finally announced an "intention" to switch to a consent-based legal basis for its targeted advertising -- suggesting it would start asking permission from regional users to track and profile them for ad targeting. But its blog post announcing the switch did not say when it would happen. And the Norwegian DPA's point is essentially that unlawful processing is continuing in the meanwhile, hence why it took the stop of issuing an emergency order.
It's not clear why Ireland, which leads on GDPR oversight of Meta, has not acted with similar alacrity to end its unlawful ads processing.
We reached out to the DPC with questions but at press time it had not responded to our requests for an update.
In mid July, the DPC told TechCrunch it had been conducting an assessment of Meta’s ads' compliance following the January GDPR decision striking down its claim of contractual necessity and the more recent CJEU ruling blocking use of LI — saying then that it had passed its assessment to other EU data protection authorities for review. It also said it expected to conclude that process by the middle of August. However there has been no public developments since then (aside from Meta's own announcement of a future, undated switch to consent). So it's not clear what's taking so long for Ireland to act on an issue that affects the rights and privacy of hundreds of millions of Europeans.
Update: The DPC's deputy commissioner, Graham Doyle, has now sent this line: "We await submissions from [Meta] re: change to consent and will be sharing and engaging with the other CSAs [concerned supervisory authorities] when we get them so the process is ongoing."
The Datatilsynet confirmed it's been in contact with the DPC regarding Meta's legal basis for ads but suggested the Irish regulator's attention here is directed at what happens in future, with Meta's incoming "consent process", not on the ongoing unlawful processing that Norway's ban order targets.
"We are in contact with Irish colleagues," its spokesman told us. "The DPC is now following up on the consent process at Meta... and what might happen in the future. And then we're looking at what is currently happening, which is actually separate. But you could say that we are keeping each other in the loop -- but they're not doing anything related to the ongoing processing."
The Norwegian authority could take the further step of referring the matter to the European Data Protection Board (EDPB) and asking it to take a binding decision -- which would apply across the EU (and not be time limited). But it has not yet done so, although the spokesman said it is "intensely assessing" that possibility.
"What is going on -- this surveillance based advertising -- is not just in a Norwegian problem; it is a European problem. And that is why it may be necessary for us to take to the EDPB," he added.