Norway’s data protection authority (DPA) wrote to social media giant Meta last week, notifying the company that it would be “banned” from behavioral advertising on Facebook and Instagram.
But this “ban” is more complicated than many people realize.
This article explains the details of Norway’s decision, considers the choices Meta faces going forward, and explores how a series of painful legal outcomes and inter-regulator disputes led to Norway taking this bold move.
Key takeaways from Norway’s Meta decision
Before we look at the background of the decision, there are some important details regarding the “ban” on Meta’s behavioral advertising.
If any of these points seem unclear, keep reading—the context is important.
- The Norwegian DPA has banned Meta from relying on “legitimate interests” to process personal data for the purposes of behavioral advertising.
- The ban only applies to users in Norway.
- The ban will apply from 4 August 2023 and last for an initial three months.
- The ban only affects how Meta uses “first-party data” about users’ activities on its platform. The company already relies on consent for “third-party” behavioral ads.
- Meta can still get consent for first-party behavioral ads.
- Meta can still target ads based on certain types of personal data, including basic profile information, without consent.
- The Norwegian DPA made this decision under the GDPR’s “urgency procedure” and has submitted a request for a “binding decision” from the European Data Protection Board (EDPB) to reinforce its action.
Now let’s look at how we got here and why it’s Norway—rather than Meta’s lead regulator in Ireland—that has implemented this ban.
From ‘consent’ to ‘contract’
This story began in 2016 when the EU’s institutions had just passed the General Data Protection Regulation (GDPR).
At that time, Meta (then “Facebook”) relied on “consent” for most behavioral advertising activities. But “consenting” to behavioral ads was mandatory for anyone wishing to use Meta’s platforms.
Faced with a stricter “consent” definition under the incoming GDPR, the company sought guidance from the Irish Data Protection Commission (DPC). The DPC reportedly suggested that Meta shift to a new legal basis before the GDPR’s May 2018 enforcement date.
On the first day of GDPR enforcement, Meta switched over to “contract”. By agreeing to the Facebook or Instagram terms of service, EU users supposedly agreed to allow Meta to use their data for behavioral advertising purposes.
From ‘contract’ to ‘legitimate interests’
Privacy campaign group Noyb (“None of your business”), headed by Austrian lawyer Max Schrems, took exception to Meta’s interpretation of the “contract” legal basis.
Noyb argued that when relying on “contract” to process personal data, the processing must be “necessary” for performing or entering into a contract with the data subject.
Meta was employing a “GDPR bypass”, claimed Noyb, by forcing users into accepting a violation of their privacy.
During a long investigation into Meta’s legal basis, the Irish DPC initially disagreed with Noyb’s complaint. But the European Data Protection Board (EDPB) stepped in, directing Ireland to order Meta to stop relying on “contract”.
Meta stopped relying on “contract” for EU users in the spring, but the company’s new legal basis of “legitimate interests” was also controversial.
Rather than obtaining consent, Meta provided a long and somewhat inconspicuous opt-out form that required users to explain why they felt Meta should exclude their data from its ad-targeting processes.
From bad to worse
Between Meta’s switch from “contract” to “consent”, the company was hit by two further GDPR-related blows from Europe’s regulators and top court.
First, Meta received the largest ever GDPR fine in May (€1.2 billion) for continuing to transfer personal data from its European subsidiary to its US-based parent in defiance of the July 2020 “Schrems II” judgment.
Second, and most relevant to this article, Meta lost a long-running competition law case at the Court of Justice of the European Union (CJEU).
The CJEU, ruling on a case that originated with Germany’s antitrust regulator, made several unfavorable remarks about Meta’s potential legal bases for “personalized advertising”, including that “legitimate interests” is not suitable for the data-processing activity in question.
(Notably, the court also stated that regulators could consider whether even relying on “consent” was appropriate for a company with a size and market position as significant as Meta’s.)
From ‘legitimate interests’ to ‘consent’?
Behind the scenes, the Norwegian DPA had been exchanging increasingly terse correspondence with the Irish DPC.
Norway made it clear that it considered Meta’s reliance on “legitimate interests” to be unlawful under the GDPR, as the law provides individuals with an absolute right to object to direct marketing.
Among other issues, the Norwegian DPA felt that Meta’s opt-out process—which required users to make a case for why their personal data should not be used for behavioral advertising purposes—failed to facilitate this unconditional right.
The regulator requested a timeline from the Irish DPC, setting out its plans for bringing Meta into compliance. Ireland’s one-sentence response on 3 June (“No, I cannot comply with the request”) appears to have nudged Norway towards taking matters into its own hands.
Emboldened by the CJEU decision noted above, Norway invoked Article 66(1) of the GDPR, which allows a regulator to take urgent unilateral action—without waiting for a company’s main authority (in Meta’s case, the Irish DPC) to take the lead.
This brings us up to date. The Norwegian DPA’s decision, adopted on 14 July, might not be a total “ban” on behavioral ads, but it severely limits Meta’s advertising activities.
As noted above, the ban on Meta’s behavioral advertising is restricted to Norwegian users and still allows the company to obtain consent.
But the decision is another blow for Meta as it struggles to extract maximum value from Europeans’ personal data.