EU Court Upholds Fines Against Meta for Violating Data Privacy Rules
A court in Oslo, Norway, has upheld the Norwegian Data Protection Authority’s daily fines against Meta for violating data privacy rules through the delivery of behavioral advertising.
The decision follows a ban implemented by the data protection agency, Datatilsynet, in July, which temporarily prohibited Meta and its Facebook social ad business from serving behaviorally targeted ads in the country. The ban was enacted based on litigation initiated by privacy group None Of Your Business (NOYB) in 2018.
The Court of Justice of the European Union (CJEU) ruled in July that Meta could not bypass the consent requirements outlined in the General Data Protection Regulation (GDPR), which applies to the European Economic Area (EEA), including Norway. Meta had argued that consent for targeted advertising was obtained when users accepted its terms and conditions. However, the CJEU rejected this argument.
Following the CJEU ruling, the Irish Data Protection Commission (DPC) sought opinions from various regulatory bodies on its assessment that Meta Ireland had failed to comply with GDPR data processing requirements. Datatilsynet informed the DPC of its intention to temporarily ban Meta’s rule-violating ads. Subsequently, the Norwegian data agency imposed a daily fine of one million Kroner (~$93,200) on Meta Ireland for non-compliance with the targeted ad ban, with the total fines potentially reaching around $8.5 million.
Meta Ireland and Facebook Norway challenged the fine and behavioral ad ban, arguing that the decision was invalid and that Meta was not given adequate time to respond. Meta also objected to the application of GDPR Article 66, which allows data authorities to take immediate measures to protect data subjects’ rights and freedoms.
During the court proceedings, Meta claimed that compliance with the ban would require the suspension of Facebook and Instagram services in Norway. The court, however, ruled in favor of Datatilsynet, supporting the agency’s decision.
We are very pleased with the Court’s ruling and the result, said Line Coll, director general of Datatilsynet. This is a big victory for people’s data protection rights.
Meta expressed disappointment with the verdict and stated that it would consider its next steps. The company had previously announced its intention to transfer all EU and EEA users to the GDPR legal basis of consent and was working with the Irish Data Protection Commission to facilitate this.
The ban on Meta’s services in Norway remains in place, and the fines will continue to be imposed until at least November 3, 2023. The maximum penalty currently stands at approximately $8.5 million, which represents about 0.15 percent of Meta’s Q1 2023 profit.
It remains to be seen whether Meta will appeal the court’s decision. The company has a history of litigious behavior, but the court ruling was clear and thorough, leaving the final decision in Meta’s hands.