Datatilsynet (Norway) - 21/03530: Difference between revisions
Revision as of 13:40, 19 July 2023
Datatilsynet - 21/03530-16 | |
---|---|
Authority: | Datatilsynet (Norway) |
Jurisdiction: | Norway |
Relevant Law: | Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, Article 58(2)(f) GDPR, Article 66(1) GDPR, Article 66(2) GDPR |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | |
Published: | 14.07.2023 |
Fine: | n/a |
Parties: | Meta Platforms Ireland, Facebook Norway AS |
National Case Number/Name: | 21/03530-16 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Datatilsynet (Norway) (in EN) |
Initial Contributor: | n/a |
The Norwegian DPA has taken action after Meta shifted its legal basis in the context of behavioural advertising, and issued a temporary ban on Meta for processing personal data for the purpose of behavioural advertising on the basis of Article 6(1)(b) or 6(1)(f) GDPR.
English Summary
Facts
Following noyb’s complaints, the Irish supervisory authority (DPC) issued decisions (IN-18-5-5 and IN-18-5-7) in which it found that Meta Platforms Ireland (Meta) could not rely on Article 6(1)(b) GDPR (contract) for its processing of personal data for behavioural advertising. In those decisions Meta was ordered to bring its processing operations into compliance with the GDPR, in accordance with the conclusion reached by the binding decisions 3/2022 and 4/2022 of the EDPB.
Following the DPC decisions, Meta shifted its legal basis from Article 6(1)(b) GDPR (contract) to Article 6(1)(f) GDPR (legitimate interest) for most of its processing of personal data for behavioural advertising.
In addition, in a recent judgment C-252/21 Facebook Inc. and Others v Bundeskartellamt by the Court of Justice (hereinafter “Bundeskartellamt Judgment”), the Court of Justice essentially held that Meta cannot rely on Article 6(1)(f) GDPR for processing of personal data for the purposes of personalised advertising. The judgment signifies that Meta’s shift of legal basis to Article 6(1)(f) GDPR is unlawful.
Mutual assistance (Article 61 GDPR)
Following the DPC decisions against Meta and the shift of legal basis in Meta's processing in the context of behavioural advertising, as well as the Bundeskartellamt Judgment, the Norwegian supervisory authority – in its role as a concerned supervisory authority (Article 4(22) GDPR) – raised its concerns and requested mutual assistance under Article 61(1) GDPR from the DPC, which is the lead supervisory authority.
- Firstly, the Norwegian authority requested the DPC to issue a temporary ban on certain of Meta’s processing operations until Meta has provided adequate and sufficient commitments to ensure compliance with Articles 6(1) and 21 GDPR. However, the DPC informed the Norwegian DPA that it could not comply with that request.
- Secondly, the Norwegian authority requested the DPC to share information specifying how the DPC would ensure that Meta complies with Article 6(1) GDPR as the DPC decisions foresee. The Norwegian authority viewed, essentially, that the response received from the DPC did not answer what the authority had requested and instead provided information the authority had not requested. Also, the Norwegian authority said it had not received any explanation from the DPC as to why it was not possible for the DPC to provide the information.
Holding
Urgency procedure (Article 66 GDPR)
Following the ineffective cooperation from the DPC - the lead supervisory authority - the Norwegian authority initiated an urgency procedure according to Article 66 GDPR. The Norwegian authority viewed that Meta’s shift towards legitimate interests was unlawful, and that essentially Meta shifted from one unlawful legal basis to another. Thus, the authority argued that Meta has not brought its processing operations into compliance with Article 6(1) GDPR as the DPC decisions foresee in the context of behavioural advertising.
Under Article 66(1) GDPR, a concerned supervisory authority – such as the Norwegian supervisory authority in this case – may, in exceptional circumstances, immediately adopt provisional measures towards a controller on its own territory with a specified period of validity in accordance with Article 55(1) GDPR, if the authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. In the present case, the Norwegian supervisory authority considered that these conditions are met.
The Norwegian authority viewed that Meta’s persistent state of non-compliance demanded immediate action to protect the rights and freedoms of European data subjects. Additionally, the authority held that, since the DPC did not cooperate with it - as the DPC should under Article 60 GDPR - following the Norwegian authority's information request, Article 61(8) GDPR applies, which means that the urgent need to act under Article 66(1) GDPR is presumed to be met and requires an urgent binding decision from the EDPB pursuant to Article 66(2) GDPR.
Temporary ban on processing (order)
Consequently, pursuant to Article 66(1) GDPR and 58(2)(f) GDPR the Norwegian supervisory authority issued a temporary ban on processing personal data for behavioural advertising based on Article 6(1)(b) or 6(1)(f) GDPR in the context of Facebook and Instagram.
The order applies with respect to data subjects in Norway and remains valid provisionally for three (3) months from 4 August 2023 until 3 November 2023. However, the order will be lifted if Meta implements remedial measures before that date. In this context, the authority welcomes a dialogue with Meta on elements such as limiting the scope of processing of personal data for behavioural advertising and introducing new user settings for behavioural advertising.
Additionally, if the order is not complied with, the authority may impose a coercive fine of up to NOK 1,000,000 (approx. € 90,000) per day.
Urgent binding decision by the EDPB
Furthermore, subsequent to the issuance of the present order, the Norwegian supervisory authority stated its intention to request an urgent binding decision from the EDPB, pursuant to Article 66(2) GDPR, so that final measures may urgently be adopted.
Comment
We note that when Article 68(1) GDPR applies the urgency is presumed and the binding opinion from the EDPB is required. Therefore, it seems that in an Article 68(1) GDPR situation a request under Article 66(2) GDPR to the EDPB is not necessary. Nevertheless, the Norwegian DPA stated its intention to request an urgent binding decision from the EDPB.
Moreover, it should be highlighted that the territorial scope of the issued order by the Norwegian supervisory authority has national applicability (Art. 55(1) GDPR), and thus, is limited to Norway. However, the EDPB may adopt a decision with a wider territorial scope and without temporal limitations.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Norwegian Data Protection Authority
Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Sent via email to dpo@fb.com; [REDACTED]
Facebook Norway AS, Dronning Eufemias gate 8, 0191 Oslo, Norway
Your reference:
Our reference: 21/03530-16
Date: 14.07.2023
Urgent and Provisional Measures – Meta
1. Introduction
The Norwegian Data Protection Authority (hereinafter “NO SA”, “we”, “us”, or “our”) is the independent supervisory authority responsible for monitoring the application of the General Data Protection Regulation (hereinafter “GDPR”) with respect to Norway.[2]
The majority of the Norwegian population is registered users of social media services. Our goal in the present context is to enable individuals to use and benefit from such services free from harm. Specifically, this document sets out measures that are necessary to ensure that data subjects can use the Facebook and Instagram services (hereinafter “Services”) enjoying full respect for their right to data protection, and correspondingly, other fundamental rights and freedoms such as the right to privacy, freedom of information and protections against discrimination.[3]
Most data subjects do not fully comprehend the intrusive profiling activities they are subject to in the context of the Services, which is why we see it as important to protect their rights and freedoms. Additionally, there are many vulnerable individuals using the Services who need particular protection.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ [2016] L 119/1.
[2] See section 7.2.1.4.
[3] As is made clear by Recital 2–4 GDPR, the right to data protection aims to ensure data subjects’ fundamental rights and freedoms.
Postal address: P.O. Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3. Phone: +47 22 39 69 00. Telefax: +47 22 42 23 50. Ent. reg: 974 761 467. Web address: datatilsynet.no
The present document is also intended to increase legal certainty for third party controllers using the Services for advertising and promotion of their organisations.
On 31 December 2022, the Irish Data Protection Commission (hereinafter “IE SA”) issued Decisions IN-18-5-5 and IN-18-5-7 (hereinafter “IE Decisions”). The IE Decisions found that Meta Platforms Ireland Limited (hereinafter “Meta”, “you”, or “your”) could not rely on Article 6(1)(b) GDPR for its processing of personal data for the purposes of behavioural advertising in the context of the Services. Meta was ordered to bring those processing activities into compliance with Article 6(1) GDPR within three months.
On 5 April 2023, the IE SA shared the compliance reports and supporting material that Meta submitted to it with the supervisory authorities concerned (hereinafter “CSAs”). The documents showed that Meta has shifted its legal basis to Article 6(1)(f) for a number of processing activities.
After having reviewed the documents at hand, we expressed concerns that Meta has failed to show compliance with Article 6(1) and hence with the IE Decisions. Furthermore, we find that additional violations in relation to Article 21 have arisen through the changes Meta adopted pursuant to the IE Decisions.
Thus, on 5 May 2023, we formally requested the IE SA, as the lead supervisory authority, to impose a temporary ban on processing of personal data for behavioural advertising purposes.
Nevertheless, on 2 June 2023, the IE SA informed us that it could not comply with such a request, as explained below. Since that time, the IE SA has shared with us a provisional position paper outlining its preliminary assessment of the matter. However, no potential course of action has been suggested in case the conclusion of the IE SA’s final assessment should be that Meta failed to comply with the IE Decisions.
You have been notified by the IE SA of our intention to impose provisional measures, and you have expressed your opinion accordingly in your letter dated 21 June 2023. You put forward additional views in your letter dated 30 June 2023. We have taken your provided views duly into account.
On 4 July 2023, the Grand Chamber of the Court of Justice of the European Union (hereinafter “CJEU”) handed down its judgment in Case C-252/21, Facebook Inc. and Others v Bundeskartellamt (hereinafter “Bundeskartellamt Judgment”). This judgment held that Meta cannot rely on Article 6(1)(f) for processing of personal data for “the purposes of personalised advertising”.[5]
After having carefully assessed the evidence at hand, we have reached the conclusion that Meta has not brought its processing operations into compliance with Article 6(1) GDPR as prescribed. We would like to stress that this is a conclusion based on substance rather than formalities. In other words, changing the compliance documentation as a paperwork exercise would not amend the problems identified.
[4] Both available at https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-decisions_en?f%5B0%5D=register_decisions_members%3A81 (accessed on 19 June 2023).
[5] Bundeskartellamt Judgment, para. 117.
In our view, the persistent state of non-compliance following the IE Decisions demands immediate action to protect the rights and freedoms of European data subjects. The IE Decisions found serious violations of the GDPR on 31 December 2022, and should a delay in remedying that violation be permitted, data subjects would be at acute risk and in practice lack effective protection under the GDPR. The need to act has become ever more urgent in light of the Bundeskartellamt Judgment, which signifies that Meta’s shift of legal basis to Article 6(1)(f) in April 2023 was unlawful.
In light of the above, this letter imposes a temporary ban on Meta’s processing of personal data of data subjects in Norway for targeting ads on the basis of observed behaviour (hereinafter “Behavioural Advertising”) for which Meta relies on Article 6(1)(b) or 6(1)(f) GDPR. For the avoidance of doubt, Behavioural Advertising includes targeting ads on the basis of inferences drawn from observed behaviour as well as on the basis of data subjects’ movements, estimated location and how data subjects interact with ads and user-generated content. This definition is in line with our understanding of the scope of the IE Decisions.
Please note the limitations of the scope of our order. The order does not in any way ban Meta from offering the Services in Norway, nor does it preclude Meta from processing personal data for advertisement purposes in general. Only Behavioural Advertising as defined above is affected to the extent that it is based on 6(1)(b) or 6(1)(f) GDPR. Practices such as targeting ads based on information that data subjects have provided in the “About” section of their user profile, or generalised advertising, are out of scope of this order. For example, the order does not itself prevent an advertising campaign on Facebook which, based on profile bio information, targets ads towards females between 30 and 40 years of age residing in Oslo and who have studied engineering.
2. Order
Pursuant to Article 58(2)(f) and 66(1) GDPR, we hereby issue the following order to Meta Platforms Ireland Limited and Facebook Norway AS collectively:
Personal data shall not be processed for Behavioural Advertising based on Article 6(1)(b) or 6(1)(f) GDPR in the context of the Services.
In line with Article 66(1), the order applies with respect to data subjects in Norway and remains valid provisionally for three (3) months. The order applies from 4 August 2023 until 3 November 2023.
Nonetheless, the order will be lifted before that date if remedial measures are implemented so that adequate and sufficient commitments to ensure compliance with Article 6(1) and 21 GDPR can be provided.
Please confirm compliance with the order by 4 August 2023.
We consider Meta Platforms Ireland Limited as the controller, within the meaning of Article 4(7) GDPR, for the processing of personal data in question. Facebook Norway AS, whose stated purpose is related to sales of digital advertising,[6] is also addressed as a recipient of this order as it is a Norwegian establishment of the controller.
The present order is communicated to the other supervisory authorities concerned, to the European Data Protection Board (hereinafter “EDPB”), to the European Commission, and to the EFTA Surveillance Authority in accordance with Article 66(1) of the GDPR and Article 1(m) of the Decision of the EEA Joint Committee No 154/2018.[7]
3. Advance notification of a coercive fine
In case our order above is not complied with, we may decide to impose a coercive fine of up to NOK 1 000 000 (one million) per day of non-compliance on Meta Platforms Ireland Limited and/or Facebook Norway AS, individually or collectively, pursuant to the Norwegian Personal Data Act Section 29.
Any comments or remarks in this regard can be sent to postkasse@datatilsynet.no and tobias@datatilsynet.no by 1 August 2023.
4. Request for an urgent binding decision from the EDPB
Subsequent to the issuance of the present order, we intend to request an urgent binding decision from the EDPB correspondingly, pursuant to Article 66(2), so that final measures may urgently be adopted. This will furthermore ensure a harmonised and consistent application of the GDPR on the European level.
In this regard, you have a right to be heard, and we will facilitate your exercise of that right. We therefore invite you to send us any views you may have, be it on procedure or substance.
Comments may be put forward by Meta Platforms Ireland Limited, Facebook Norway AS, or both. Please note that in case the EDPB agrees with our assessment, the EDPB may potentially issue a decision with a wider territorial scope and without temporal limitations. We ask you to have this in mind when preparing your response.
Please send any comments or remarks you may have to postkasse@datatilsynet.no and tobias@datatilsynet.no by 20 August 2023.
[6] See company registration information from the Brønnøysund Register Centre, available on https://w2.brreg.no/enhet/sok/detalj.jsp?orgnr=916305656 (last accessed 12 July 2023).
[7] Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 amending Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement OJ [2018] L 183/23.
5. Factual background
On 31 December 2022, the IE SA issued Decisions IN-18-5-5 and IN-18-5-7 in which it found that Meta did not rely on a valid legal basis for “processing of personal data for the purposes of behavioural advertising” in the context of the Services. The IE SA required Meta to take the necessary action to bring its said processing of personal data into compliance with Article 6(1) GDPR in accordance with the conclusion reached by the Binding Decisions 3/2022 and 4/2022 of the EDPB.[9][10]
The IE Decisions followed an investigation of the IE SA into, among other things, Meta’s legal basis for processing data for Behavioural Advertising. At the time of the inquiry, Meta relied on Article 6(1)(b) GDPR. However, in the IE Decisions, the IE SA concluded that Meta was not entitled to carry out the processing at issue on the basis of Article 6(1)(b) GDPR, in accordance with the conclusion reached by the EDPB on this matter.
As a consequence, Meta changed its legal basis for some of its processing of personal data for Behavioural Advertising from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR, effective on 5 April 2023.
On 5 April 2023, the IE SA shared with the supervisory authorities concerned – including the NO SA – the compliance reports and supporting material that Meta submitted to the IE SA with the aim of showing compliance with the above-mentioned IE Decisions. The IE SA welcomed feedback by 5 May 2023.
On 5 May 2023, we formally requested the IE SA, as the lead supervisory authority, in accordance with Article 61(1) GDPR, to:
1. issue a temporary ban on Meta’s processing of personal data for behavioural advertising purposes on the Services based on Article 6(1)(f) GDPR until the lead and the other supervisory authorities concerned are satisfied that Meta has provided adequate and sufficient commitments to ensure compliance with Articles 6(1) and 21 GDPR; and
2. share a timeline with us and the other supervisory authorities concerned specifying how the IE SA will ensure in an expedient manner that Meta complies with Article 6(1) GDPR.
We also flagged that we may adopt urgent provisional measures pursuant to Article 66(1) should the IE SA not be in a position to follow our request.
Our request was shared with Meta by the IE SA.
[8] IN-18-5-5 p. 153 and IN-18-5-7 p. 157, respectively.
[9] EDPB Binding Decisions 3/2022 and 4/2022 are available at https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-32022-dispute-submitted_en and https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-42022-dispute-submitted_en (accessed on 19 June 2023).
[10] The EDPB Binding Decisions are addressed to the IE SA and do not directly concern Meta. See the Order of the General Court in Case T-709/21, WhatsApp Ireland v European Data Protection Board.
On 2 June 2023, the IE SA informed us that it could not comply with our request.[11] The IE SA referred to a document shared separately with all CSAs on 31 May 2023. Said document stated that the IE SA’s assessments were ongoing and that it was awaiting feedback from Meta in that regard, which had been requested by 2 June 2023. The IE SA also expressed that it would revert to CSAs by the end of June 2023.
On 13 June 2023, we were advised by the IE SA that its assessment would not await Meta’s feedback, but that the assessment would nonetheless be delayed until after 4 July so as to take into account the judgment of the Court of Justice of the European Union (hereinafter “CJEU”) in Case C-252/21, Facebook Inc. and Others v Bundeskartellamt, due on that date.
Meta expressed its opinion on us potentially adopting urgent provisional measures pursuant to Article 66(1) in a letter dated 21 June 2023.
On 11 July 2023, we received a provisional position paper from the IE SA where it set out its preliminary assessment on Meta’s compliance with the IE Decisions, taking into account feedback from CSAs. [REDACTED] No information on potential further action after that date was given even if the IE SA’s final conclusion should be that Meta did not comply with the IE Decisions.
Attached to the IE SA’s provisional position paper was a letter from Meta dated 30 June in which it expressed its opinion on matters raised by CSAs, including the NO SA.
6. Legal background
6.1. Principles and lawfulness requirements
The protection of personal data and privacy are fundamental rights enshrined in Article 8 of the European Convention on Human Rights, Article 102 of the Norwegian Constitution, as well as in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.[12] The GDPR gives effect to these fundamental rights.
Article 5(1) GDPR provides that:
1. Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
[11] See the IE SA’s reply to our mutual assistance request in the IMI system (stating: “No, I cannot comply with the request”) dated 2 June 2023.
[12] The Charter of Fundamental Rights of the European Union is not implemented in the EEA agreement and is not part of Norwegian law. However, the GDPR, which is interpreted in light of the Charter, is Norwegian law pursuant to the Norwegian Personal Data Act Section 1.
The GDPR furthermore provides that controllers must rely on a valid legal basis to process personal data. Such legal basis must be identified at the outset of the processing among the ones exhaustively listed in Article 6(1) GDPR. Article 6(1) GDPR reads:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
[13] See Art. 6(1) of the GDPR. The notions of “personal data”, “processing”, and “controller” are defined in Art. 4(1), (2) and (7) GDPR.
In the present case, Meta has switched to Article 6(1)(f) GDPR as the legal basis for most of its processing of personal data for Behavioural Advertising, which is a novelty in the wake of the IE decisions.
Hence, this provision is the focus of our analysis.
Article 6(1)(f) lays down three cumulative conditions in order for the processing of personal data to be lawful. Firstly, the pursuit of a legitimate interest by the controller or by a third party; secondly, necessity to process personal data for the purposes of the legitimate interests pursued; and thirdly, that the interests or fundamental rights and freedoms of the person concerned by the data protection do not override the legitimate interest pursued – a so-called balancing test.[14]
With regard to the condition relating to the necessity of processing personal data, the CJEU has noted that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary. Legal bases allowing processing of personal data without a data subject’s consent must be interpreted restrictively.[16] Consequently, necessity implies that the legitimate interest pursued “cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights and freedoms of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed by Articles 7 and 8 of the Charter.”[17] This needs to be assessed in conjunction with the data minimisation principle set out in Article 5(1)(c) GDPR.[18]
As regards the condition of balancing the opposing rights and interests at issue, Recital 47 GDPR states that:
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. […].
When assessing whether the interests or fundamental rights and freedoms of data subjects override the legitimate interests of the controller, several factors should be taken into consideration in performing the balancing test. Such factors include how compelling the legitimate interest of the controller is; the nature and source of the legitimate interests; the degree of impact on the interests, rights and freedoms of the data subjects; the nature of the data; the way that data are being processed; the source and accessibility of the data; the reasonable expectations of the data subject; the status of the data controller and data subject as well as what safeguards are in place beyond the minimum required by the GDPR.[19][20]
[14] See by analogy CJEU, judgment of 11 December 2019, Case C‑708/1, Asociaţia de Proprietari bloc M5A-ScaraA, para. 40.
[15] See e.g. CJEU, judgment of 4 May 2017, Case C‑13/16, Rīgas satiksme, para. 30.
[16] Bundeskartellamt Judgment, para. 93.
[17] Ibid., para. 108.
[18] Ibid., para 109; EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, 8 October 2019, para. 15.
In its guidelines on profiling, which have been endorsed by the EDPB, the Article 29 Working Party stated that:
(…) it would be difficult for controllers to justify using legitimate interests as a lawful basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering.[21]
The Bundeskartellamt Judgment, which inter alia focused on Meta’s processing of personal data for Behavioural Advertising across its own services and third-party services, is of particular relevance to this case.
In relation to Article 6(1)(f), the CJEU stated:
In this regard, it is important to note that, despite the fact that the services of an online social network such as Facebook are free of charge, the user of that network cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalised advertising. In those circumstances, it must be held that the interests and fundamental rights of such a user override the interest of that operator in such personalised advertising by which it finances its activity, with the result that the processing by that operator for such purposes cannot fall within the scope of point (f) of the first subparagraph of Article 6(1) of the GDPR.[22]
[19] CJEU, judgment of 11 December 2019, Case C‑708/1, Asociaţia de Proprietari bloc M5A-ScaraA, paras. 54–58.
[20] See Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP 217), which relates to the provision equivalent to Article 6(1)(f) under the legal framework preceding the GDPR.
6.2. Right to object
In relation to data subjects’ rights, Article 12(1)–(2) GDPR reads:
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

[21] Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251rev.01), p. 15.
[22] Bundeskartellamt Judgment, para. 117.

Furthermore, Article 13(2)(b) makes clear that the controller should provide data subjects with information about:

the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability

The right to object is one of the data subjects’ rights under the GDPR. In this respect, Article 21(1) to (4) GDPR reads:

3. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
4. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
5. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
6. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

If the controller decides to reject a data subject’s objection made under Article 21(1) GDPR, it must provide the reasoning for the rejection since the controller has the burden of proof in demonstrating that there are compelling legitimate grounds overriding the interests, rights and freedoms of the data subject.

The right to object to processing of personal data for direct marketing pursuant to Article 21(2) GDPR is unconditional and irrespective of the legal basis relied on by the controller. Article 21(2) gives data subjects the right to object at any time to processing of personal data concerning them for direct marketing, which includes profiling to the extent that it is related to such direct marketing. There is no requirement that the data subject provides any reasoning, as the purpose of the processing is immaterial, and there is no “need for any balancing of interests”.[23] It is enough that the data subject puts forth an objection for the objection to be successful.

Whilst direct marketing is not a defined term in the GDPR, the interplay that exists between the GDPR and the ePrivacy Directive[24] – namely that the ePrivacy Directive seeks to translate the rules of the GDPR into specific rules for the telecommunications sector[25] – entails that there is a presumption that the concept of direct marketing under the ePrivacy Directive will have the same meaning also in the GDPR.
In Case C-102/20,[26] the CJEU clarified that for a communication to be for the purposes of direct marketing under the ePrivacy Directive, it must be ascertained whether the communication: (1) pursues a commercial purpose; and (2) is addressed directly and individually to a consumer.

The advertising messages in issue in Case C-102/20 functioned as follows:

a JavaScript code of an advertising server (TAG) is connected with the place in question in the inbox on the internet page consulted by the user of such an email inbox. For that reason, when a user opens the internet page, a request (Adrequest) is sent to the advertising server in order to randomly select an advertising banner from a basket constituted by advertisers and transmit it, such that it appears in the user’s inbox.[27]

The CJEU concluded in Case C-102/20 that the advertising messages in issue, as described above, are direct marketing. This implies that the advertisements pursue, by their very nature, commercial purposes – at least when the aim of such advertisements is to promote services.[28]

When assessing whether a communication is “addressed directly and individually to a consumer”, the CJEU appears to have noted the following characteristics of the advertising messages in question in coming to their conclusion that such advertising messages were addressed directly and individually to a consumer:

• the displaying of the advertising message in the inbox of the private email service of the user concerned (para. 48)
• the reaching, directly and individually, of the inboxes of one or more email service users (para. 50)
• the recipients of advertising messages are individual in their capacity as users of a provider’s individual email service (para. 51)
• the user obtains access to their inbox only after having entered their registration data and password (para. 51)
• the displaying in a private space reserved to an individual which is intended for the consultation of private content (para. 51).

[23] Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP251rev.01), p. 19.
[24] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ [2002] L 201/37.
[25] See Recital 4 ePrivacy Directive. While this recital refers to Directive 94/46/EC, it follows from Article 94(2) that any references to that directive should be construed as references to the GDPR.
[26] CJEU, judgment of 25 November 2021 in Case C-102/20, StWL Städtische Werke Lauf a.d. Pegnitz.
[27] Ibid., para. 22.
[28] Ibid., para. 48.

The CJEU also stated clearly that “it is irrelevant whether the advertising at issue is addressed to a predetermined and individually identified recipient or is sent on a mass, random basis to multiple recipients” (para. 50).

The Norwegian Consumer Authority assesses that the same considerations apply for marketing via social media such as Facebook and Twitter as for marketing communications via electronic communication methods, pursuant to Section 15 of the Norwegian Marketing Control Act (in Norwegian: markedsføringsloven).[29]

6.3. Competence, tasks and powers

With regard to the tasks and competence of supervisory authorities under the GDPR, Article 55(1) GDPR establishes the general rule that each supervisory authority is competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with the GDPR on the territory of its own country.[30] One of the tasks assigned to those supervisory authorities is the task of monitoring the application of the GDPR and enforcing its application, as laid down in Article 57(1)(a) GDPR, while another is the task of cooperating with other supervisory authorities, including sharing information, and providing mutual assistance with a view to ensuring the consistency of application and enforcement of that regulation, as laid down in Article 57(1)(g) GDPR. The powers conferred on those supervisory authorities, for the performance of those tasks, include various investigative and corrective powers, laid down in Article 58, including the power to impose a temporary or definitive limitation including a ban on processing.[31] The performance of those tasks and the exercise of those powers presupposes, however, that a supervisory authority is competent with respect to a particular instance of data processing.[32]

[29] https://www.forbrukertilsynet.no/lov-og-rett/veiledninger-og-retningslinjer/forbrukertilsynets-veiledning-markedsforing-via-e-post-sms-o-l, accessed on 2 May 2023.
[30] CJEU, judgment of 15 June 2021, Case C‑645/19, Facebook Ireland and Others, para. 47.
[31] Ibid. para. 48.
[32] Ibid. para. 49.

In that regard, without prejudice to the rule on competence set out in Article 55(1) GDPR, Article 56(1) GDPR establishes, with respect to “cross-border processing” (within the meaning of Article 4(23) GDPR) the “one-stop shop” mechanism, based on an allocation of competences between one “lead supervisory authority” and the other supervisory authorities concerned. Under that mechanism, the supervisory authority of the main establishment or of the single establishment of the controller is to be competent to act as lead supervisory authority for the cross-border processing carried out by that controller, in accordance with the procedure set out in Article 60 GDPR.[33]
It must, however, be noted that the GDPR establishes exceptions to the general rule that it is the lead supervisory authority which is competent to adopt decisions in the context of the “one-stop shop” mechanism provided for in Article 56(1) GDPR.[34] Most notably, Article 66 GDPR provides for an urgency procedure. That urgency procedure makes it possible, in exceptional circumstances, where the supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, immediately to adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which is not to exceed three months.[35]

Pursuant to Article 61(8) GDPR, the urgent need to act under Article 66(1) GDPR is presumed to be met if the lead supervisory authority fails to reply within the given time frame or refuses to comply with a mutual assistance request, or otherwise fails to act in a specific case of cross-border processing despite a request to that effect by a supervisory authority concerned.[36]

7. Our assessment of Meta’s compliance with Articles 6(1) and 21 GDPR and the need to adopt urgent and provisional measures

Under Article 66(1) of the GDPR, a supervisory authority concerned may, in exceptional circumstances, adopt provisional measures towards a controller, if it considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. As outlined below, these conditions are in our view met in the present case.

7.1. The NO SA qualifies as a supervisory authority concerned

Meta’s processing of personal data for Behavioural Advertising takes place in the context of the activities of several of its European establishments, including Meta and Facebook Norway AS.[37] Thus, the relevant processing qualifies as “cross-border processing” within the meaning of Article 4(23)(a) of the GDPR.
Moreover, Meta is presumed to have its “main establishment” in Ireland, as its central administration in the EU/EEA is located in that country. Therefore, pursuant to Article 56(1) of the GDPR, the IE SA is competent to act as “lead supervisory authority” for such cross-border processing, in accordance with the procedure set out in Article 60 of the GDPR. However, we qualify as a “supervisory authority concerned” within the meaning of Article 4(22) of the GDPR in that procedure, as the controller is established in Norway – through Facebook Norway AS – and data subjects residing in Norway are likely to be substantially affected by the processing.[38] As such, we have the powers attributed to supervisory authorities concerned under Article 60(11) and 66 of the GDPR.

[33] Ibid. para. 50.
[34] Ibid. para. 57.
[35] Ibid. para. 59.
[36] Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, para. 119.
[37] On the notion of processing of personal data carried out “in the context of the activities of” an establishment, see EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2.1 (12 November 2019), pp. 7-9.

7.2. The need to protect the rights and freedoms of data subjects in Norway

Based on the evidence provided by the IE SA, we consider that Meta’s processing in the context of the Services for Behavioural Advertising results in several violations of the GDPR, which are likely to entail significant risks for data subjects, including data subjects in Norway.

7.2.1. Analysis of compliance with Article 6(1) GDPR

We have a number of concerns pertaining to Meta’s assertion that it has brought its Behavioural Advertising activities into compliance with Article 6(1) GDPR. The below assessment may not be exhaustive as we have chosen to focus on the main issues identified.

7.2.1.1. Definition of processing in scope

We find that Meta has incorrectly understood what constitutes “processing of personal data for the purposes of behavioural advertising” in the IE Decisions.[39]

In this regard, we note how Meta defines non-behavioural “Limited Advertising Information” [REDACTED]. In this regard, the following two statements from the Meta Privacy Policy, [REDACTED] is of particular interest:

[Under “How do we use your information?” and “How we show ads and other sponsored or commercial content”] The ads we show you will always be based on your basic information: your age, the gender you provide, and location. They’ll also be based on certain device information, like the device you’re using and the language you choose on that device, as well as information about the ads we show you and how you engage with those ads.

[Under “What is our legal basis” and “Legitimate Interests”] Your activity and information that you provide: (...) Types of content that you view or interact with, and how you interact with it. This excludes the ads you see and interact with on Meta Products (…)

[38] See Article 4(22)(a) and (b) of the GDPR.
[39] IN-18-5-5 para. 10.44(b) and IN-18-5-7 para. 417(b), respectively.

Our understanding of the privacy policy is that Meta considers the processing of:

• location information, including GPS location, data subjects’ activity on Meta products and the places data subjects like to go and the businesses and people data subjects are near; and
• information about ads that Meta shows and how data subjects engage with those ads,

to be based on Article 6(1)(b).

Meta’s use of location data to inform which ads are displayed to data subjects clearly constitutes Behavioural Advertising. It is unclear to us what this location is estimated on the basis of, if not the data subject’s behaviour.
For information about data subjects’ engagement with ads, we understand that data subjects may click on “Hide Ad” and that one effect of this would be that the particular ad is not shown to that data subject again. We agree with Meta’s assertion set out in its letter of 30 June 2023 that this in itself does not constitute processing for Behavioural Advertising. However, to the extent that this or any other engagement with an ad is used to inform which other ads a data subject should see, we find that the processing of personal data does take place for Behavioural Advertising.

Therefore, the processing of location data and data subjects’ interactions with ads based on 6(1)(b) is not in line with the IE Decisions, and as such, it is unlawful.

7.2.1.2. Data subjects’ reasonable expectations

[REDACTED], Meta relies on an assertion that the data subjects undisputedly want and expect Behavioural Advertising based on monitoring and profiling of their behaviour. This appears to have impacted Meta’s assessment of all elements of Article 6(1)(f).

Meta’s assertions in this context are unconvincing and problematic for several reasons:

• Limited documentation exists to support Meta’s assertion, and some of the available documentation directly contradicts it. A case in point is the Gallup survey referred to in EDPB Binding Decisions 3/2022 and 4/2022.[40] The survey, which was commissioned by NOYB – European Center for Digital Rights, points out that most respondents perceive Facebook’s placement of advertising as primarily being motivated by advertisers’ interests as opposed to data subjects’ interests, and that the bulk of advertising on Facebook is not useful to them. Hence, the majority of data subjects do not want Behavioural Advertising.
Another example is our 2019–2020 Data Protection Survey, which more generally showed that 74 % of respondents view Behavioural Advertising negatively. In this regard it may also be relevant to note that in that same survey, only 10 % of respondents expressed trust in how social media platforms such as Facebook, Twitter and LinkedIn process their personal data.[41]

[40] An informal translation of the survey is available at https://noyb.eu/sites/default/files/2020-05/Gallup_Facebook_EN.pdf (accessed on 20 April 2023).

• As a precondition for drawing conclusions about data subject’s expectations, Meta appears to believe that data subjects are fully informed of and comprehend how their personal data are processed for Behavioural Advertising, referring to its privacy policies. While it is presently out of scope to assess to what degree Meta’s privacy policies provide effective transparency, and regardless of whether the policies prove to be informative to an average data subject, many data subjects simply do not read them. It would be unrealistic to suggest that any significant proportion of data subjects have the time, capacity or desire to read in detail the privacy policies for all the apps and services they use, including those of the Services, nor that they can somehow be legitimately expected to do so.[42][43] Hence, this precondition for Meta’s conclusions appears ill-founded.
• Additionally, it is important to avoid fallacious arguments that the contents of a privacy policy can dictate what constitutes data subjects’ reasonable expectations. Recital 47 GDPR usefully clarifies that when assessing what is reasonable to expect from a data subject’s perspective, the starting point of the assessment is the data subject’s relationship with the controller, i.e., not what the controller has told the data subject that they should expect.
Moreover, the mere fulfilment of the controllers’ transparency obligations is not sufficient to conclude that the processing is within the data subjects’ reasonable expectations in the context of the assessment under Article 6(1)(f).
• If Meta’s assertion holds true – that data subjects want Behavioural Advertising – we fail to understand why Meta is not willing to introduce a prominent and easily available setting for Behavioural Advertising that data subjects can toggle. Meta’s allegation that Behavioural Advertising is in line with data subjects’ preferences, appears leveraged as an argument for why data subjects should not be able to freely exercise their preferences, which seems rather illogical.

[41] The full survey as well as information about its methodology is available in Norwegian at https://www.datatilsynet.no/regelverk-og-verktoy/rapporter-og-utredninger/personvernundersokelser/personvernundersokelsen-20192020/ (accessed on 20 April 2023).
[42] Receiving information pursuant to Article 12–14 GDPR is a right for data subjects, and only data subjects decide to what extent they wish to exercise their data protection rights set out in Chapter III GDPR.
[43] To illustrate this point, the Norwegian Consumer Council organised a reading of the terms for all the apps on an average phone, which lasted for 32 hours – and to add to that, terms and policies are continuously updated. More information on the Norwegian Consumer Council’s #appfail campaign is available at https://www.forbrukerradet.no/side/the-consumer-council-and-friends-read-app-terms-for-32-hours/ (accessed on 20 April 2023).

The IE Decisions, issued subsequent to EDPB Binding Decisions 3/2022 and 4/2022, clearly reject Meta’s representations that Behavioural Advertising is a core element of the Services. Contrastingly, as an example, [REDACTED] states as follows:
[REDACTED]

Finally, we note the statements of the CJEU in the Bundeskartellamt Judgment that data subjects “cannot reasonably expect that the operator of the social network will process that user’s personal data, without his or her consent, for the purposes of personalised advertising.”[44]

In sum, we find that Meta’s assumptions in this regard were incorrect, and as a consequence, Meta’s assessment of the elements of Article 6(1)(f) has been skewed correspondingly.

7.2.1.3. Necessity

We find Meta’s assertion of necessity [REDACTED] unconvincing for the following reasons:

• Necessity is not granularly assessed for the individual legitimate interests pursued [REDACTED], which is what we consider to be the correct topic of assessment. Instead, Meta has seemingly considered necessity related to overall goals of delivering highly personalised ads and maximising profit[45] – which will invariably require intrusive monitoring. The assessment is therefore based on a flawed premise, which erroneously yields a perceived necessity of processing.
• There is no real assessment of whether it would be possible to still pursue a viable and revenue-generating business model if the extent of Behavioural Advertising and the degree of personalisation was curtailed, or if data subjects were granted more choice and involvement. We believe there is a need to assess a wider range of alternative advertising models. Here, it is worth noting that adaptation based on behaviour is just one way of achieving personalisation. Ads can for instance also be personalised based on a data subject’s declaration of their interests for advertising purposes.
• [REDACTED] Meta states that the processing is proportionate because it is “[REDACTED]”, which we again disagree with. Meta furthermore points to controls available to data subjects as well as the possibility to lodge objections.
Notwithstanding how we would assess the appropriateness and effectiveness of those tools, we would like to point out that they are effectively hidden from view for most data subjects and that it would require many steps and an amount of active effort for data subjects to utilise them. Such tools being available for motivated data subjects does not mitigate the intrusive nature of the processing in general for all data subjects. Meta remains responsible for its processing of personal data, and this responsibility cannot be shifted over to the data subjects.
• [REDACTED], Meta points to the necessity to perform Behavioural Advertising as this is allegedly the only way for them to remain competitive in the market, referring to other businesses carrying out this type of processing. We note that the fact that other entities carry out a certain processing is not in itself an argument for its lawfulness. Furthermore, we refer back to the fact that Meta has not assessed the viability of alternative advertising models.

[44] Bundeskartellamt Judgment, para. 117.
[45] We note that Meta’s pre-tax profits for 2021 amounted to €1.184 billion. See https://www.rte.ie/news/business/2022/1125/1338373-meta-ireland-ups-provision-for-regulatory-fines-by-2bn/ (last accessed on 3 July 2023).

Considering that it most likely is possible for Meta to generate a profit and to pursue its legitimate interest in a number of ways that may be less intrusive to data subjects, while considering that Meta has not demonstrated any attempts at doing so,[47] we do not agree that the current processing of personal data for Behavioural Advertising fulfils the necessity criterion of Article 6(1)(f).

7.2.1.4. Balancing test

We do not share Meta’s conclusions that its interests outweigh the interests, rights and freedoms of data subjects. As an overall observation, [REDACTED] excessively emphasises the benefits of the Services with very little attention left to potential risks and adverse effects.
A general lack of balanced and nuanced assessments impacts the credibility [REDACTED]. We believe that certain possible adverse impacts to data subjects and risks to their fundamental rights and freedoms have been underplayed in, or omitted from, Meta’s assessment. The assessment furthermore appears to downplay the impact of the processing on rights and freedoms.

We wish to highlight the following points missing [REDACTED]:

• There is no overview of data subjects’ interests that may be adversely affected by the processing at hand, though this is an element that needs to be assessed under Article 6(1)(f).
• Meta fails to include several relevant elements when it comes to the assessment of the likelihood and severity of the potential risks identified [REDACTED].[48]
  o Meta does not provide any explanation or reasoning for the qualification of the different risks identified in terms of the severity of the risks and the likelihood of the risks materialising.
  o As for the risk “potential for discrimination”, Meta states that the likelihood of the risk materialising is “[REDACTED]”. In this regard, Meta refers to the company no longer offering targeting options that relate to certain topics the data subjects may perceive as sensitive. The assessment does not include Meta’s considerations of whether data subjects can be discriminated against on the basis of other categories of data, nor whether the type of data identified as sensitive could be processed indirectly by Meta through their Behavioural Advertising activities.[49]

[46] [REDACTED]
[47] It is the controller who bears the burden of proving that personal data are processed lawfully. See Bundeskartellamt Judgment, para. 95.
[48] We have concerns relating to the risk-based approach in quantifying the impact on the data subjects’ rights and freedoms, as this seems to imply that the impact is of a prospective nature and outside of Meta’s control.

  o In the same vein, when it comes to the risk for “filter bubbles”, Meta reiterates that certain sensitive or protected characteristics cannot be directly used for targeting. Again, Meta fails to consider whether such categories of data can be processed indirectly, which may imply a higher risk for “filter bubbles”. Moreover, we consider that Meta fails to take into consideration the potential negative societal impacts of such “filter bubbles”, regardless of the sensitivity of the data, and accordingly that this risk is not assessed to the extent appropriate.
  o In relation to the risks identified, Meta refers to the data subjects being offered a number of mechanisms to provide them with control over the types of advertisements that they see.[50] In our view, these measures would contribute to reducing the potential of discrimination to a rather limited extent. We also question how these ex post tools could be helpful to the data subjects in cases where they do not necessarily understand that they are seeing an ad or how an ad has been targeted towards them.
• There is also an assessment of the impact on human rights [REDACTED] pertains to Meta’s legitimate interests, it is arguably relevant also under the balancing test. Meta asserts that its Behavioural Advertising is designed to promote and benefit human rights protection. We find this assessment of human rights norms flawed and one-sided. For example:
  o Meta states that ensuring the viability of the Services is integral to the right to private life, without touching upon how the large-scale and intrusive processing of personal data may have a detrimental effect on privacy.
  o Regarding Meta’s statements on information freedom rights, [REDACTED] does not appropriately consider that Meta’s Behavioural Advertising, through its filtering and personalisation of content, may prevent certain data subjects from seeing information that is available to other data subjects.
There is no assessment of how this may reinforce stereotypes or how it may affect political participation.
• Meta’s assertion that the processing in question fulfils the balancing test appears to be missing proper consideration of inter alia the categories of personal data which are being processed, the extent and manner of processing, and the number of data subjects affected.
• Also lacking in the balancing test is an assessment of whether special categories of personal data may be inferred and inadvertently processed in this context, especially in light of C-184/20. Furthermore, while we note that Meta in its letter dated 21 June 2023 asserts that it does not process any such data, this is contrasted by the statements of the CJEU in the Bundeskartellamt Judgment.[51]
• It appears that Meta has not taken into consideration the impact on vulnerable individuals.
• There is no assessment of the nature of Meta’s legitimate interests or how compelling they are.
• It appears that the “Why you’re seeing this ad?” tool on Instagram offers less information than the equivalent tool on Facebook. On Facebook, data subjects are presented with two categories for further exploration, “Your activity” and “Advertiser choices”. However, on Instagram, the “Your activity” category appears to be missing. This difference is not explained nor justified [REDACTED].

[49] [REDACTED]
[50] [REDACTED]

We also wish to highlight the following irrelevant factors included in Meta’s assessment:

• [REDACTED]
• [REDACTED], Meta lists safeguards it has adopted as mitigating measures. However, several of the measures listed appear to be measures already required by other provisions of the GDPR. Measures required for compliance with other GDPR provisions are not relevant as safeguards [REDACTED].
  o As an example, Meta refers to restrictions on targeting criteria. Several of the categories mentioned [REDACTED] are special categories falling under Article 9 GDPR.
Thus, a restriction of processing of these categories of personal data already follows from the GDPR and cannot be considered as a mitigating measure when performing a balancing test under Article 6(1)(f).
• In their conclusion of the balancing test, Meta argues that Meta and third parties would be prejudiced if the processing could not be carried out. From this, it appears that Meta takes the approach that the point of departure for the assessment is that Behavioural Advertising is to be used. We do not agree with this approach. The fact that Meta has relied on Behavioural Advertising so far, does not imply that a possible conclusion that they are not able to rely on this kind of advertising on the basis of Article 6(1)(f) should be considered a prejudice inflicted on Meta relevant for the assessment. The legal basis for a processing of personal data should, in any case, be in place before the processing is initiated.

[51] Bundeskartellamt Judgment, paras. 71–72.
[52] [REDACTED]
[53] [REDACTED]

Regardless of the shortcomings [REDACTED], when assessing whether Meta’s processing for Behavioural Advertising fulfils the balancing test, the following elements are particularly relevant:

• Meta’s commercial interests are not in themselves of a highly compelling nature, and there are a number of alternative advertising models that Meta can rely on in pursuit of its commercial interests;
• The data subjects cannot reasonably expect processing of their personal data for Behavioural Advertising.[54]
• The processing of personal data for Behavioural Advertising entails continuous and comprehensive monitoring of data subjects’ behaviour on platforms many of them use frequently and may perceive as of a private nature;
• Intrusive profiling takes place through automated means resulting in detailed inferences that may or may not be correct and that the data subjects may or may not feel comfortable with;
• Processing of personal data for Behavioural Advertising is complex and opaque, most data subjects may not fully understand those processing operations, and it is difficult for data subjects to comprehend which inferences are made about them;
• The personal data processed in this context, including analyses of what type of content you are likely interested in, will speak to the personal life and personality of data subjects, meaning that it can be highly sensitive;
• It may be possible to infer special category data. In this regard, we have recently encountered two examples illustrating the issue:
  o A queer NO SA employee reviewed their ad topics and ad interests on Instagram and found that they included “Pride” and “Gay Love”. While these two categories are presumably not meant to speak to anyone’s sexual orientation but rather their interests, inferences can be made which would entail adverse effects to data subjects’ data protection rights. Furthermore, Article 9 GDPR may be applicable.
  o An individual has contacted us because they received content in their Facebook feed that advertised eyewear for people with a certain disease. The individual in question is in fact a caregiver for a child with that particular disease as well as a member of Facebook Groups related to the disease. The individual contacted the organisation having placed the ad, which responded that it had not specified any sensitive categories when targeting the ad. However, the organisation had availed of Meta’s automatised ad optimisation tools.

[54] Bundeskartellamt Judgment, para. 117.
• There are over 250 million average monthly active users on both Facebook and Instagram in the EU.[55] In Norway, approximately 3.56 million adult individuals, or 82 % of the adult population, have a Facebook account, while approximately 2.82 million adult individuals, or 65 % of the adult population have an Instagram account.[56] Around 66 and 42 % of the adult population in Norway are daily users of Facebook and Instagram, respectively;[57]
• There are many vulnerable data subjects in need of particular protection using the Services, such as young people, elderly people and people with cognitive disabilities;
• Meta tracks data subjects inter alia across the Facebook and Instagram websites and apps and across locations;[58]
• Data protection tools are generally hidden away from sight so that in practice they are effectively reserved for a minority of motivated data subjects looking for them or reading the privacy policy;
• Processing of personal data for Behavioural Advertising results in Meta filtering which ads are shown to which data subjects. As a result, certain data subjects may be prevented from seeing information that other groups in society will see, and data subjects cannot control this. Hence, there is a clear adverse effect on data subjects’ freedom of information. This filtering also creates a potential for reinforcement of existing stereotypes, and it can leave data subjects open to discrimination. In the context of political advertising, it may adversely affect political participation. While these effects are often invisible, they are nonetheless profound, both to the data subjects and to society at large.

Based on the above, we find that the interests and fundamental rights and freedoms of data subjects outweigh the legitimate interests of Meta.

7.2.1.5. Threat of charging data subjects

[REDACTED] states that “[REDACTED]” The same is implied throughout [REDACTED].
This statement, which is not documented, may suggest that certain data subjects would be penalised should supervisory authorities intervene in response to any potential violations of the law related to Behavioural Advertising. In our view, it is Meta’s responsibility to design a business model that is both lawful and viable. Any failure to do so would lead to liability on the part of Meta, not its users. We also have concerns as to which data subjects Meta would seek to penalise – to be sure, any attempt to penalise data subjects exercising their statutory data protection rights would not be legitimate.

[55] See information for February 2023 provided by Meta under the Digital Services Act: https://transparency.fb.com/sr/dsa-report-feb2023/ (accessed on 5 May 2023).
[56] See https://www.ipsos.com/sites/default/files/ct/publication/documents/2023-04/Ipsos%20SoMe-tracker%20Q1%202023.pdf (accessed on 29 June 2023).
[57] Ibid.
[58] We understand that Meta tracks individuals across third-party websites and apps as well, purportedly in reliance on Article 6(1)(a) GDPR.

7.2.1.6. Conclusion

In sum, we believe that the current processing has not been brought into compliance with Article 6(1). We would like to reiterate that this is a conclusion based on substance rather than formalities. In other words, changing the wording [REDACTED] as a paperwork exercise would not amend the problems identified.

Moving forward, looking at the adequate and sufficient commitments Meta may provide to ensure compliance and to lift the ban, we would welcome dialogue on elements such as limiting the scope of processing of personal data for Behavioural Advertising and introducing new user settings for Behavioural Advertising.

7.2.2. Analysis of compliance with Article 21 GDPR

Following the change of legal basis of some processing of personal data for Behavioural Advertising to Article 6(1)(f), Meta appeared to frame objections to such processing as objections under Article 21(1) GDPR. This would imply that data subjects can only object based on grounds relating to their particular situation and that the success of the objection is conditional on a case-by-case assessment.

Meta provides advertisements to individual data subjects on the Facebook and Instagram services by displaying them on an individual data subject’s Facebook or Instagram account in various ways, including for example:
• On a data subject’s Facebook feed (the constantly updating list of status updates, photos, videos and more from friends, pages, groups and advertisers in the middle of the Facebook home page)
• On a data subject’s Instagram feed (the constantly updating list of photos and videos that appear from accounts that people follow and from advertisers)
• On a data subject’s Facebook or Instagram stories section (“you can use stories to share everyday moments with your friends and followers”)
• On a data subject’s Facebook or Instagram Reels feed (“you can create reels for a global audience or share them with your friends and family”)

The digital spaces mentioned above are personalised to each data subject, and they are unique to each and every data subject. For Facebook specifically, this is supported by the following wording in the Facebook Terms of Service[59]: “Your experience on Facebook is unique to you and unlike anyone else’s: from the Posts, Stories, events, ads and other content that you see in Facebook News Feed or our video platform to the Facebook Pages that you follow and other features that you might use, such as Facebook Marketplace and search…”. We understand that an individual data subject’s experience on Instagram is also unique to them.

[59] https://m.facebook.com/legal/terms (Accessed on 1 May 2023)
We therefore consider that an individual data subject’s Facebook or Instagram account, including any of an individual data subject’s Facebook or Instagram feeds, is a private digital space unique to that data subject.

In addition, only the data subject has access to the above spaces, as they need to log in to their account to gain access. No-one else other than a Facebook or Instagram data subject has access to their personalised, unique spaces.

Furthermore, data subjects’ Facebook and Instagram feeds and stories section contain content of a private nature that data subjects’ connections have chosen to share with a specified group of people, such as e.g. their Facebook “friends”, a custom list of their Facebook “friends”, or their “close friends” on Instagram.

We consider it is clear that the processing of personal data for Behavioural Advertising pursues a commercial purpose.

In light of this, we consider that processing of personal data for Behavioural Advertising in the context of the Services constitutes “personal data processed for direct marketing purposes” pursuant to Article 21(2) GDPR. Consequently, the data subject’s right to object to such processing unconditionally and without providing a reason under Article 21(2) GDPR is triggered.

Meta allows data subjects to object to processing for Behavioural Advertising through a dedicated objection channel, accessible to data subjects on the Services by:
• Navigating to the Meta Privacy Policy;
• Scrolling down to the section entitled “You have the following rights under the GDPR and other relevant data protection laws”;
• Clicking the sub-section “Object”; and
• Clicking the link “right to object to” or “object”.
Going through these steps will lead the data subject to a new page where you have to:
• Select your country of residence;
• Select whether you need help with either Facebook or Instagram;
• Indicate whether you are under or over 18 years of age;
• Select whether you want to manage your information or report something to Facebook;
• Select the option “I want to object to the use of my information”; and
• Select “I want to object to the use of certain activity information to show me ads”

This last option, "I want to object to the use of certain activity information to show me ads", was added by Meta as a direct result of changing the legal basis of some processing of personal data for Behavioural Advertising from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR.

The data subject is then presented with a form where they are prompted to explain how this processing impacts them, and to provide any additional information they believe will help Meta review their objection. The data subject is obliged to enter text in the fields with the titles "Please tell us how that product or service is using your personal information for which you are submitting this objection" and "Please tell us why you want to object to that product or service's use of your personal information", otherwise the data subject cannot submit their objection.

Following this, the data subject can send their objection to Meta for consideration.

We note that in Meta's privacy policy, it states as follows:

You can object to our processing of your information when we rely on legitimate interests or perform a task in the public interest.
We will consider several factors when assessing an objection [emphasis added], including:
• Our users' reasonable expectations
• The benefits and risks to you, us, other users or third parties
• Other available means to achieve the same purpose that may be less invasive and do not require disproportionate effort

Unless we find that we have compelling legitimate grounds for this processing which are not outweighed by your interests or fundamental rights and freedoms [emphasis added], or the processing is needed for legal reasons, your objection will be upheld. In that case, we will cease processing your information. To learn more about the circumstances in which an objection may be successful, please visit the Help Centre.

The data subject is not at this point told that they may object to the processing of their personal data for direct marketing purposes without providing a reason.

We further note that in Meta's “Help Centre” the data subject is told how to submit an objection under the heading “How can I submit an objection?”, and this tells the data subject that they will be asked to complete a form where they must explain the reasons for their objection. The data subject is also told that they should use the form where they want to object to the processing of their personal data for direct marketing.

Meta repeatedly states [REDACTED] that it will stop processing personal data for Behavioural Advertising only where objections are “valid”, and that a dedicated team of specialist personnel will assess the validity of objections. Meta further states in its letter dated 21 June 2023 referenced above that it:

considers a 'valid objection' to be one that meets two basic criteria, in that it (a) relates to Behavioural Advertising Processing and (b) is submitted by a genuine user based in the European Economic Area (to confirm Meta Ireland is the controller and the GDPR applies).
and;

At no point in the process does Meta Ireland undertake a balancing assessment to seek to determine whether it has compelling legitimate grounds to override the user's valid objection and continue Behavioural Advertising Processing.

We consider that in conjunction with its shift from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR as a legal basis, Meta has introduced restrictions to the right to object to processing for direct marketing purposes under Article 21(2) GDPR that are not legally permissible:
• A data subject is at no point informed of Meta's criteria to determine whether an objection to Behavioural Advertising is valid or not. Data subjects are instead told that they must provide reasoning for their objection – even their objection to Behavioural Advertising as a form of direct marketing. They are furthermore informed that all objections submitted through Meta's online form (which is the only way a data subject can submit an objection) will be assessed by Meta before a decision is made as to whether a data subject's objection is upheld or not. We find that this is not in line with Articles 12(1) and (2) and 13(2)(b) GDPR.
• When Meta requires data subjects to provide reasoning for their objection to Behavioural Advertising as a form of direct marketing, Meta requires more personal data than is necessary in order to comply with such request. We find that this is not in line with Article 5(1)(c) GDPR (the data minimisation principle) and further such processing does not appear to have a legal basis under Article 6(1) GDPR.

On a side note, pursuant to Article 21(4) GDPR, the right to object shall be explicitly brought to the attention of the data subject and be presented clearly and separately from any other information, at the latest at the time of the first communication with the data subject.[60] We cannot see that Meta presents to data subjects the right to object to processing of personal data for direct marketing clearly and separately from other information, particularly as Meta requires data subjects to submit their objections on one form that is tailored only to a data subject's right to object under Article 21(1) GDPR.

[60] While the user notification about change of legal basis referenced [REDACTED] would not be sufficient to fulfil Article 21(4) GDPR, we take note of the fact that this notification was not displayed during our tests in the period of 5 April to 5 May 2023.

7.3. The exceptional circumstances

There are several exceptional circumstances at play, pursuant to Article 66(1) GDPR:
• The IE SA has very recently issued the IE Decisions ordering Meta to bring its Behavioural Advertising into compliance with Article 6(1), which directly affects the rights and freedoms of hundreds of millions of data subjects across Europe and the majority of the adult Norwegian population.
• Meta has consequently changed its legal basis as of 5 April 2023 – from Article 6(1)(b) to Article 6(1)(f) – for most of its processing of personal data of data subjects in Europe (including in Norway) for Behavioural Advertising. Indeed, as noted by Meta, this is not just a nominal change, as “[t]o enable its reliance on Article 6(1)(f) GDPR for Behavioural Advertising Processing, [Meta] has […] substantially redesign[ed] its infrastructure, processes, and systems relevant to carrying out Behavioural Advertising Processing”.[61]
• Nonetheless, as is evident from our assessment above, Meta’s Behavioural Advertising is clearly still not compliant with Article 6(1) even though the deadline for complying with the IE Decisions has elapsed.
• The CJEU addressed the lawfulness of Meta’s processing of personal data in the Bundeskartellamt Judgment of 4 July.
As explained above, the court stated that Meta cannot rely on Article 6(1)(f) GDPR for Behavioural Advertising; however, Meta continues to do so.
• The existence of exceptional circumstances, which justify the adoption of urgent and provisional measures under Article 66(1) GDPR, is further evidenced by the fact that IE SA has not adopted any measures towards Meta in response to our express request to that effect,[62] nor has it indicated that any measures will be imposed in the future. As noted by Advocate General Bobek in Facebook Ireland and Others, “[a] failure to act in a specific case of cross-border processing by the LSA, despite a request to that effect by an SAC, may […] enable the latter to adopt the urgent measures considered necessary to protect the interests of data subjects.”

7.4. The urgent need to act

As outlined above, Meta’s processing of personal data for Behavioural Advertising gives rise to several infringements of the GDPR that result in significant risks for data subjects, including data subjects in Norway.

While it is true that Meta’s processing for Behavioural Advertising has been ongoing for many years, what is new and what warrants urgent action, is that the IE Decisions to bring the processing into compliance with Article 6(1) were issued on 31 December 2022 with a three-month deadline to comply, as well as the unlawful changes Meta adopted as a result.[64] At present, the IE Decisions have still not been complied with. Despite the fact that European supervisory authorities through the IE Decisions have clearly instructed Meta to remedy the state of non-compliance, after a thorough and extensive inquiry, the violation still persists. This prolonged state of non-compliance demands immediate action, to protect the rights and freedoms of data subjects. Not taking urgent action to ensure compliance with the recent IE Decisions would leave data subjects at acute risk and effectively deprive them of the protections they are entitled to under the GDPR, including the right to seek effective remedy against controllers from supervisory authorities.[65] Furthermore, it would undermine the authority and powers of data protection authorities and invite dilatory strategies from non-compliant controllers.

[61] Meta’s Compliance Reports to the IE SA dated 3 April 2023.
[62] See section 3 above.
[63] Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, para. 119.
[64] Meta’s shift of legal basis for some Behavioural Advertising activities to Article 6(1)(f) on 5 April 2023 is a novelty. Since Article 6(1)(f) is not a suitable legal basis for that processing, this shift arguably constitutes a new violation of the GDPR in its own right.

The urgency of the provisional measures must be assessed in relation to the need to protect the rights and freedoms of data subjects.[66] In this regard, see in particular section 7.2.1.4, which shows that the adverse effects on data subjects and their fundamental rights and freedoms are considerable. The unlawful processing affects the majority of the population of Norway and the EEA, and as noted above, the processing entails processing of very private and sensitive personal data through highly opaque and intrusive monitoring and profiling operations. Meta has not taken duly into account the impact of its Behavioural Advertising practices on vulnerable individuals. Additionally, data subjects’ freedom of information, right to political participation and protections against discrimination are at risk.

An additional element underpinning urgency is the Bundeskartellamt Judgment of 4 July 2023, which essentially rejected that Meta can rely on Article 6(1)(b) and 6(1)(f) GDPR for Behavioural Advertising. Nonetheless, Meta continues to do so. This recent clarification from the Grand Chamber of the CJEU warrants immediate action.
The consequence of not adopting urgent measures is that Meta is allowed to process personal data unlawfully in violation of the mentioned IE Decisions indefinitely, while it essentially continues its dialogue and negotiates with the IE SA. We fear that such a process could potentially take several years. However, compliance with legally binding orders is not a matter of negotiation. The IE Decisions were issued in line with good administration where Meta’s views were duly heard. Therefore, no postponement of compliance with the IE Decisions is acceptable.

The only way to ensure data subjects’ rights and freedoms until Meta remedies its processing of personal data for Behavioural Advertising, and to avoid potentially irreparable harm to them, is to urgently impose a temporary ban on the processing activities found unlawful on 31 December 2022 and 4 July 2023.

Moreover, it should be stressed that – as noted above – through its shift of legal basis, Meta has introduced restrictions to the right to object to processing for direct marketing purposes. This entails that the exercise of the right at issue is considerably impeded, and that the adoption of urgent measures to remedy this situation is warranted. In this respect, Recital 137 GDPR states that an urgent need to act in order to protect the rights and freedoms of data subjects exists “in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded.” We consider that the enforcement of rights of a high number of data subjects could be considerably impeded due to the mentioned obstacles in obtaining the right to object, which were introduced by Meta on 5 April 2023.

[65] See Article 77 GDPR.
[66] See Recital 137 GDPR.

In any event, in the present case, the urgent need to act may be presumed to be met, in accordance with Article 61(8).
Pursuant to Article 61(1), we requested the IE SA to provide a timeline for how it would ensure that Meta complies with Article 6(1) GDPR in an expedient manner. We have not received such information. Instead, we have received a timeline for the finalisation of the IE SA’s assessment of compliance. That is not the same thing, as the information received does not indicate which corrective measures the IE SA is prepared to impose following a finding of non-compliance nor any timeframe for such imposition. The IE SA has not indicated that it intends to share any information additional to the result of its compliance assessment. Furthermore, we have not received any explanation as to why it was not possible to provide the requested information. Therefore, Article 61(8) applies, which means that the urgent need to act under Article 66(1) is presumed to be met.

Additionally, the IE SA has not taken any measures against Meta, despite our request to that effect submitted to the IE SA pursuant to Article 61(1) GDPR. Again we refer to the Opinion of Advocate General Bobek in Facebook Ireland and Others, which states that not acting on a request from a CSA may enable the CSA to adopt urgent measures considered necessary to protect the interests of data subjects.

For the reasons set out above, we have decided to adopt the urgent and provisional measures laid down in the present order pursuant to Article 66(1) of the GDPR.

8. Need for advance notification

Pursuant to Section 16 of the Norwegian Public Administration Act (in Norwegian: forvaltningsloven), a party who has not already expressed their opinion on the case should receive advance notification before a decision is made.

In the present case, Meta has expressed its opinion on the case through its letters dated 21 and 30 June 2023, and hence the obligation to provide advance notification does not apply.
For the sake of clarity, Facebook Norway AS is merely an establishment of Meta as the controller, and as such, we consider that Meta’s comments also cover and represent Facebook Norway AS’ views.

[67] See Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, para. 119.
[68] Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, para. 119.

In any case, even if the obligation to provide advance notification had applied, the exemption in Section 16 third paragraph letter c would be applicable. This is because you, as a matter of fact, were informed by the IE SA that we may adopt provisional measures entailing a ban, you received a copy of our assessments dated 5 May 2023, and Meta and any relevant subsidiaries had reasonable opportunity and time to express an opinion (which, again, you have done). On a side note, there is an urgent need for us to act, the present order is temporary, it does not entail a financial sanction, and through this letter, Meta has been afforded a right to be heard before the case is assessed by the EDPB in light of potentially adopting final measures.

9. Right of appeal

As this decision has been adopted pursuant to Chapter VII GDPR, pursuant to Article 22(2) of the Norwegian Data Protection Act, the present decision may not be appealed before the Privacy Appeals Board (in Norwegian: Personvernnemda). However, the present decision may be challenged before Oslo District Court (in Norwegian: Oslo tingrett) in accordance with Article 78(1) GDPR, Article 25 of the Norwegian Data Protection Act and Article 4-4(4) of the Norwegian Dispute Act (in Norwegian: tvisteloven).[69]

[69] See Section 22 of the Act of 15 June 2018 No. 38 relating to the processing of personal data (in Norwegian: personopplysningsloven).

10. Right to access the case documents

As a party in the present case, you have the right to get access to the case documents we hold in accordance with Section 18 of the Norwegian Public Administration Act, unless one of the exceptions set out in Sections 18 or 19 of the latter Act applies.

11. Public access to documents

Under Section 3 of the Norwegian Freedom of Information Act (in Norwegian: offentlighetsloven), all case documents we hold are, as a rule, subject to public access. If you believe that you are lawfully entitled to obtain that any of the case documents – including documents you will share with us in response to the present order – be partly or entirely exempted from public access, please notify us and provide an explanation for your claim.

If you have any questions regarding the present order, please contact Tobias Judin at tobias@datatilsynet.no.

Kind regards

Line Coll, Director General
Anna Kristin Ulfarsdottir, Specialist Director
Anne Eidsaa Hamre, Legal Adviser
Guro Fiskvik Åsbø, Senior Legal Adviser
Luca Tosoni, Specialist Director
Sebastian Forbes, Senior Legal Adviser
Tanja Czelusniak, Senior Legal Adviser
Tobias Judin, Head of International Section
Trine Smedbold, Senior Legal Adviser