Latest update: Latest update: Meta, the parent company of Facebook and Instagram, faces significant legal challenges in Norway and Ireland, impacting personalized advertising on its platforms.
In Norway, the Norwegian Data Protection Authority (Datatilsynet) has taken decisive action against Meta. Datatilsynet invoked an urgent procedure mechanism under Article 66 of the GDPR, following the Court of Justice of the European Union’s decision in Meta vs. Bundeskartellamt and earlier decisions by the Irish Data Protection Authority. Datatilsynet found that Meta’s processing of personal data for behavioral advertising posed GDPR violations and significant risks to data subjects, including those in Norway. Consequently, Datatilsynet issued a temporary ban on Meta’s adaptation of advertising based on monitoring and profiling of users in Norway, effective from August 4, 2023, until October 2023. Failure to comply with the ban may result in Meta facing a compulsory fine of up to NOK one million per day (approximately €88K). Datatilsynet also plans to request an urgent binding decision from the European Data Protection Board (EDPB) on the matter.
On August 7, 2023, Datatilsynet imposed a daily fine of NOK one million per day (approximately €88K) on Meta, effective from August 14, 2023. Despite Meta’s attempts to obtain a temporary injunction against the ban, the Oslo District Court rejected it on September 6, 2023, prompting Meta to initiate legal proceedings against Datatilsynet. The case before the Oslo District Court is expected to commence in 2024.
Additionally, on October 27, 2023, the EDPB issued an urgent Binding Decision related to the processing of personal data for behavioral advertising by Meta, instructing the Irish Data Protection Commission (DPC) to take action on the matter.
In parallel, in Ireland, the Data Protection Commission (DPC) fined Meta Ireland €390 million on January 4, 2023, with €210 million relating to GDPR breaches in its Facebook service and €180 million for breaches related to its Instagram service. The DPC determined that Meta’s processing of personal data for personalized ads based on a contractual basis was not GDPR-compliant.
These developments signify significant changes for Meta’s platforms in Europe. To continue showing personalized ads on Facebook and Instagram, Meta will need explicit consent from users, aligning its data processing activities with the GDPR. European users should now have the option to provide or decline consent for their personal data to be used for behavioral advertising. However, Meta has announced its intention to appeal the DPC’s decision.
This shift may impact the digital advertising industry, as businesses may need to adapt their advertising strategies, relying more on zero-party and first-party data, which users voluntarily share, to maintain effective advertising campaigns. Stay tuned for further updates on this evolving situation as we monitor developments surrounding these regulatory actions.
On January 4th, the Data Protection Commission of Ireland fined Meta Ireland a total of 390 million euros: 210 million euros for GDPR breaches in relation to its Facebook service and 180 million euros for breaches related to its Instagram service.
The DPC found that Meta’s processing on the basis of “contract” for personalized ads is not GDPR-compliant.
Now everyone is wondering: will Meta platforms change? And how will this affect Facebook personalized ads?
When GDPR came into effect in May 2018, Facebook decided to put a consent clause into their Terms and Conditions.
📌 According to the GDPR, an organization can process personal data if the processing “is necessary for the performance of a contract to which the data subject is party”.
By doing this, consent became part of the contract, and the laws for consent no longer applied, only contractual laws. This also applied to more complex types of processing, such as behavioral advertising.
That’s why NOYB filed three complaints against Facebook, Instagram, and Whatsapp (Meta-owned companies). However, according to Meta, the Irish DPC allowed the company to rely on the basis of contract for their processing activities.
On December 6th, 2022, the European Data Protection Board (EDPB) adopted three dispute resolution decisions concerning Meta and overruled the Irish DPC saying that consent is a separate aspect and users must say yes or no to their data being used.
On January 4th, 2023, the Irish Data Protection Commission issued the final verdict: the processing on the basis of a contract is not GDPR-compliant, and fined Meta €390 million.
👉 See the details in our post on the Irish DPC’s fine to Meta
First of all, Meta will have to align its data processing activities to the GDPR: to show personalized ads on Facebook and Instagram, Meta will need the users’ explicit consent. The DPC has given Meta three months to comply.
This might change the way Facebook and Instagram work, at least for EU-based users. Ideally, European users should be able to give or reject their consent to the use of their personal data for behavioral advertising, and, if they reject it, be shown a version of the social media platforms without personalized ads.
However, Meta has already announced that they will appeal the decision of the Irish DPC.
The digital advertising industry is one of the biggest industries online and it’s a fact that personalized ads represent a great source of income.
Many businesses rely on Facebook personalized ads because the amount of data that Meta has at its disposal helps them reach their precise target audience. However, the DPC fine demonstrates once again the DPA’s will to regulate the use of personal information for behavioral advertising.
If Meta switches to consent as a legal basis, they will have to show to EU-based users a yes/no option and allow opt-in. And many people will likely refuse to give their consent.
As with the phasing out of third-party cookies, your ads strategy might have to adapt to this new landscape: businesses will have to rely more on zero-party and first-party data, which are data that users voluntarily share with them. This is not necessarily a bad thing, because this type of data is:
thus making your Facebook ads even more effective!
If you use third party services like Facebook’s pixel, you MUST disclose that in your privacy policy.
Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.
